(RADIATOR) enable privilege levels for TACACS+ server
Chris Rosan
Chris.Rosan at europcar.com.au
Tue Jan 29 17:01:32 CST 2008
Markus,
One of my techies solved this a few months ago, but he's left now. I'll
try and explain it as best I can.
We use LDAP auth off our Active Directory. We have static entries in a
MySQL database that correspond to the usernames. It means we have to
maintain the database with the priv levels once (when a new staff member
starts) but not passwords etc.
In the config file:
<ServerTACACSPLUS>
    # Shared secret with the network devices; replace YOURKEY
    Key YOURKEY
    # Tag the request so the Handler below can select on it
    AddToRequest NAS-Identifier=TACACS
    # Placeholder: your AD realm or domain name (must match the Handler's Realm)
    DefaultRealm my.ad.realm
    # Reply attribute whose value names the AuthorizeGroup to apply
    GroupMemberAttr tacacsgroup
    AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
    AuthorizeGroup power permit service=shell cmd\* {priv-lvl=14}
</ServerTACACSPLUS>

<Handler NAS-Identifier=TACACS,Realm=my.ad.realm>
    Description IT Admin Accounts
    RewriteUsername s/\@my\.ad\.realm//
    <AuthBy GROUP>
        # Continue through each AuthBy until one rejects: LDAP checks the AD
        # password, SQL supplies the group (privilege level)
        AuthByPolicy ContinueUntilReject
        # Refers to an AuthBy clause with Identifier AuthByLDAP, defined elsewhere (not shown)
        AuthBy AuthByLDAP
        <AuthBy SQL>
            DBSource dbi:mysql:radius
            DBUsername dbusername
            DBAuth dbpassword
            # PRIV_LVL holds the group name (admin or power) and is returned as tacacsgroup
            AuthSelect select PRIV_LVL from TACACS where USERNAME = "%U"
            AuthColumnDef 0, tacacsgroup, reply
        </AuthBy>
    </AuthBy>
</Handler>
This should be able to be done by any SQL database that radius supports,
or even just with a flatfile.
We have a database "TACACS" with 2 columns. The first column is
"USERNAME", second "PRIV_LVL". These are self explanatory.
Chris Rosan
________________________________
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Markus Moeller
Sent: Wednesday, 30 January 2008 9:18 AM
To: radiator at open.com.au
Subject: (RADIATOR) enable privilege levels for TACACS+ server
I try to run in addition to the Radius server the TACACS+ server. On
cisco router you can get into different privilege levels by using enable
# where # is a number between 1 and 15. On a normal TACACS+ server this
corresponds to users enable# e.g. 15 different users and passwords.
The Tacacs+ client sends among others the following AV pairs
Service = ENABLE
Privilege Level = #
User-name = fred
User-password = fred
In the Radiator log I can only see among others the following
attributes:
Service-Type = Administrative-Login
User-name = fred
User-password = fred
The Service Type changes from User-Login to Administrative-Login but I
can't identify the privilege level attribute?
How can I get access to the privilege level attribute from TACACS+?
Thank you
Markus
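A small Python model of the authorization decision the two clauses above produce (an added example, not Radiator's own code): it parses the AuthorizeGroup lines, looks the user up in a constructed stand-in for the TACACS table, and returns the priv-lvl reply or a fail-closed denial. The table rows, the simplified cmd matching and the function names are assumptions.

```python
import re

# AuthorizeGroup rules copied from the ServerTACACSPLUS clause above.
AUTHORIZE_GROUP_LINES = [
    r"AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}",
    r"AuthorizeGroup power permit service=shell cmd\* {priv-lvl=14}",
]

# Constructed stand-in for the TACACS table (USERNAME -> PRIV_LVL). PRIV_LVL must
# hold a group name that matches an AuthorizeGroup, not a number: "carol" and
# "dave" are deliberately misconfigured rows.
TACACS_TABLE = {"alice": "admin", "bob": "power", "carol": "guest", "dave": "15"}

# cmd is either \* (any command) or =<exact command>; a simplified model of
# Radiator's matching (assumption), enough to exercise the rules above.
RULE_RE = re.compile(
    r"^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+service=(\S+)\s+cmd(\\\*|=\S+)"
    r"(?:\s+\{([^}]*)\})?\s*$"
)


def parse_rules(lines):
    """Parse AuthorizeGroup lines into {group: [(action, service, cmd, attrs)]}."""
    rules = {}
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable AuthorizeGroup line: {line!r}")
        group, action, service, cmd, attrs = m.groups()
        pairs = dict(a.split("=", 1) for a in (attrs or "").split())
        rules.setdefault(group, []).append((action, service, cmd, pairs))
    return rules


def authorize(user, service, cmd, table=TACACS_TABLE, rules=None):
    """Decision after LDAP has authenticated `user`: the SQL lookup supplies
    tacacsgroup, and the first AuthorizeGroup rule for that group and service
    decides. Returns (True, reply_attrs) on permit, else (False, reason)."""
    rules = rules if rules is not None else parse_rules(AUTHORIZE_GROUP_LINES)
    group = table.get(user)
    if group is None:  # no row -> AuthBy SQL rejects, so the GROUP rejects
        return False, "no row in TACACS table"
    for action, svc, pat, attrs in rules.get(group, []):
        if svc == service and (pat == r"\*" or pat == "=" + cmd):
            if action == "permit":
                return True, dict(attrs)
            return False, "explicit deny rule"
    return False, f"group {group!r} has no matching AuthorizeGroup rule"
```

Running authorize() over every row of the real table before deployment flags accounts whose PRIV_LVL value names no configured group, which would otherwise be silently denied.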