[RADIATOR] Different systems assigned to different groups
Andrew D. Clark
adc at umn.edu
Wed Jul 15 16:29:52 CDT 2009
I accomplished something similar that might meet your needs with a small
PreHandlerHook. It lets me use handlers for TACACS+ clients in the same sort
of way I might use them for RADIUS clients. You can slap arbitrary identifiers
on groups of clients and then use that identifier to switch between different
handler behaviors.
Here's the <ServerTACACSPLUS> section:
<ServerTACACSPLUS>
    Key blah
    AddToRequest NAS-Identifier=TACACS
    # PreHandlerHook to get client identifier
    # (in <Client..> clause)
    # so we can use it as 'OSC-Client-Identifier' in handling
    # TACACS+ requests
    PreHandlerHook file:"%D/hooks/tacacs_client_identifier"
</ServerTACACSPLUS>
Here's the hook:
# PreHandlerHook to pull the Identifier out of the client clause
# for TACACS+ clients. The Identifier is then added to the request
# in the 'OSC-Client-Identifier' VSA
sub {
    my $p = ${$_[0]};
    my $hook_name = 'tacacs_client_identifier';
    &main::log($main::LOG_DEBUG, "Hook $hook_name called");

    # The pseudo-RADIUS request built for a TACACS+ session carries the
    # TACACS+ client's address in NAS-IP-Address; use it to find the clause
    my $client_addr = $p->get_attr('NAS-IP-Address');
    &main::log($main::LOG_DEBUG, "Hook $hook_name searching for client <$client_addr>");
    my $client = Radius::Client::findAddress($client_addr);

    # No matching <Client> clause, or a clause without an Identifier: leave the
    # request untagged so no Handler keyed on OSC-Client-Identifier matches it
    unless ($client && defined $client->{'Identifier'}) {
        &main::log($main::LOG_WARNING, "Hook $hook_name found no client Identifier for <$client_addr>");
        return;
    }
    &main::log($main::LOG_DEBUG, "Hook $hook_name got client ident <$client->{'Identifier'}>");
    $p->add_attr('OSC-Client-Identifier', $client->{'Identifier'});
    return;
}
Here it is in use in a <Client> stanza:
<Client 192.168.1.1>
    Identifier flaming_skull
    ...
</Client>
and then using it in a handler:
<Handler NAS-Identifier=TACACS, OSC-Client-Identifier = flaming_skull>
    ...
</Handler>
--
Andrew D. Clark
Network Operations Engineer
University of Minnesota, Networking/Telecom Services
2218 University Ave SE
Minneapolis, MN 55414-3029
Phone: 612-626-4880
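Putting the hook to work for the scenario in the original question (group1 allowed on R1 and R3, group2 on R2 and R3), as an added configuration example that is not part of Andrew's message. It assumes the tacacs_client_identifier hook above is installed, that each group's users are kept in their own flat file (%D/users.group1 and %D/users.group2 are assumed names), and that the client secrets are placeholders.

```text
# Tag each router with an Identifier; the hook copies it into
# OSC-Client-Identifier on every TACACS+ request from that router
<Client 1.2.3.4>
    Secret r1-placeholder-secret
    Identifier R1
</Client>
<Client 5.6.7.8>
    Secret r2-placeholder-secret
    Identifier R2
</Client>
<Client 1.3.5.7>
    Secret r3-placeholder-secret
    Identifier R3
</Client>

# R1: only group1 users are consulted
<Handler NAS-Identifier=TACACS, OSC-Client-Identifier=R1>
    <AuthBy FILE>
        Filename %D/users.group1
    </AuthBy>
</Handler>

# R2: only group2 users are consulted
<Handler NAS-Identifier=TACACS, OSC-Client-Identifier=R2>
    <AuthBy FILE>
        Filename %D/users.group2
    </AuthBy>
</Handler>

# R3: either group; try group1's file, then fall through to group2's
<Handler NAS-Identifier=TACACS, OSC-Client-Identifier=R3>
    AuthByPolicy ContinueUntilAccept
    <AuthBy FILE>
        Filename %D/users.group1
    </AuthBy>
    <AuthBy FILE>
        Filename %D/users.group2
    </AuthBy>
</Handler>
```

A TACACS+ request from an address with no <Client> clause, or from a clause without an Identifier, gets no OSC-Client-Identifier from the hook and so matches none of these Handlers, which is the safe default when a router is added before its clause is.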
On Wednesday 15 July 2009 11:06:21 Alexander Hartmaier wrote:
> You can either use multiple <ServerTACACSPLUS> sections with tacacs+
> configured on different ports which match the tacacs+ client groups or
> maybe code a hook which does the checking based on a client text file or
> the like.
> Remember, it's Perl!
>
> On Wednesday, 15.07.2009, 16:48 +0200, kspen wrote:
> > Hello, I have just installed Radiator and I'm trying to configure it. I'm
> > using flat files for the users, etc. I have a question to ask: is it
> > possible to assign different IPs to different groups using Radiator?
> > Let's say for example that I have group1 and group2, and I have 3
> > different routers (R1:1.2.3.4, R2:5.6.7.8 and R3:1.3.5.7).
> > I want group1 to have access to R1 and R3 and group2 to R2 and R3.
> > I was able to do that on TACACS+ (using an ACL that was assigned in each
> > group) but unfortunately I'm not getting anywhere with Radiator. I've
> > tried some tricks with NAS-IP-Address but I didn't have the desired
> > result!
> > Can anyone help please? If you need any more details do not hesitate to
> > ask me.
> > Thank you
>
> --
> BR Alex