[RADIATOR] tacacs+ ldap ad group setup
Hugh Irvine
hugh at open.com.au
Mon Jul 27 19:12:16 CDT 2009
Hello Mark -
The answer to this depends on whether or not you can retrieve the
group membership directly.
If yes, you can add the group to the AuthBy LDAP2 reply and map it in
the ServerTACACSPLUS clause using something like "tacacsgroup" as
described in "goodies/tacacsplusserver.cfg".
<AuthBy LDAP2>
.....
AuthAttrDef ....., tacacsgroup, reply
.....
</AuthBy>
If not, you can use multiple AuthBy LDAP2 clauses, each of which
tests a different group and uses "AddToReply tacacsgroup = whatever".
AuthByPolicy ContinueUntilAccept
<AuthBy LDAP2>
.....
SearchFilter (&(%0=%1)(whatever group check))
.....
AddToReply tacacsgroup = whatever
</AuthBy>
<AuthBy LDAP2>
.....
SearchFilter (&(%0=%1)(something group check))
.....
AddToReply tacacsgroup = something
</AuthBy>
.....
hope that helps
regards
Hugh
On 28 Jul 2009, at 10:00, Mark Bassett wrote:
> Hi List,
>
> I’m trying to figure out how to set up the groups for tacacs when
> using authbyLDAP2?
>
> What I’m trying to do is use ldap as the authenticator (so passwords
> are centralized) and give out tacacs command authorization levels
> based on their AD groupings.
>
> I’ve been looking at section 5.83.10 AuthorizeGroup in the
> ref.pdf, but it’s not really clear to me how to achieve this.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
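A fuller sketch of the second approach from the reply above (one AuthBy LDAP2 clause per Active Directory group, with the TACACS+ command authorization picked by the reply attribute the clause sets). This is an added example, not configuration from the thread or from the Radiator distribution. The host name, bind DN, group DNs, group names, TACACS+ key and the particular AuthorizeGroup rules are assumptions; the directive names are written from memory of the Radiator reference and goodies/tacacsplusserver.cfg, so check each one against doc/ref.html for your version before relying on it.

```text
# Added example (not from the thread): Radiator as a TACACS+ server
# authenticating against Active Directory over LDAP, with command
# authorization chosen by AD group membership.
# All host names, DNs, group names and secrets below are placeholders.

Foreground
LogStdout
LogDir   /var/log/radiator
DbDir    /etc/radiator
Trace    4          # 4 shows every LDAP step; lower it once it works

# TACACS+ listener. Each TACACS+ request is converted into an internal
# RADIUS-style request and passed to the Handler below.
<ServerTACACSPLUS>
    Key                tacacs-shared-secret-placeholder   # assumption
    # Choose the AuthorizeGroup from the reply attribute that the
    # AuthBy LDAP2 clauses set with AddToReply.
    AuthorizeGroupAttr tacacsgroup
    # Group -> command authorization rules (regex on the command line).
    AuthorizeGroup netadmins permit .*
    AuthorizeGroup netops    permit ^show .*
    AuthorizeGroup netops    deny   .*
    AuthorizeGroup DEFAULT   deny   .*
</ServerTACACSPLUS>

<Handler>
    # Try each group-specific clause in turn; the first clause whose
    # search filter matches and whose password check succeeds wins.
    AuthByPolicy ContinueUntilAccept

    # Administrators: members of the NetAdmins AD group.
    <AuthBy LDAP2>
        Host            dc1.example.com
        Port            636
        UseSSL
        AuthDN          CN=radiator,OU=Service Accounts,DC=example,DC=com
        AuthPassword    bind-password-placeholder
        BaseDN          OU=Users,DC=example,DC=com
        UsernameAttr    sAMAccountName
        # AD exposes no readable password attribute, so have the LDAP
        # server verify the password by binding as the found user.
        ServerChecksPassword
        # %0 is replaced by UsernameAttr, %1 by the submitted user name.
        SearchFilter    (&(%0=%1)(memberOf=CN=NetAdmins,OU=Groups,DC=example,DC=com))
        AddToReply      tacacsgroup = netadmins
    </AuthBy>

    # Operators: members of NetOps. Listed second so that a user who is
    # in both groups gets the more privileged mapping above.
    <AuthBy LDAP2>
        Host            dc1.example.com
        Port            636
        UseSSL
        AuthDN          CN=radiator,OU=Service Accounts,DC=example,DC=com
        AuthPassword    bind-password-placeholder
        BaseDN          OU=Users,DC=example,DC=com
        UsernameAttr    sAMAccountName
        ServerChecksPassword
        SearchFilter    (&(%0=%1)(memberOf=CN=NetOps,OU=Groups,DC=example,DC=com))
        AddToReply      tacacsgroup = netops
    </AuthBy>

    # A user matched by neither clause is rejected outright, so nobody
    # reaches the DEFAULT AuthorizeGroup by accident.
</Handler>
```

Two caveats worth knowing before copying this. First, a plain `memberOf=` filter only matches direct membership: it does not see the user's primary group and does not follow nested groups; if your delegation model uses nested groups, use the AD transitive-membership matching rule in the filter (`memberOf:1.2.840.113556.1.4.1941:=CN=NetAdmins,...`) instead. Second, ServerChecksPassword needs the cleartext password to bind as the user, which is fine for TACACS+ ASCII/PAP-style logins but cannot work for CHAP, so keep the TACACS+ key strong and the LDAP connection on TLS.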