[RADIATOR] tacacs+ ldap ad group setup

Mark Bassett mbassett at intelius.com
Mon Jul 27 19:25:22 CDT 2009


Hugh,

I'm not sure if I can retrieve the membership directly. All the users
in a specific group should have memberOf=groupname, but they may have
multiple memberOf= lines.

Like so:

memberOf: CN=Engineering Operations,CN=Users,DC=intelius1,DC=intelius,DC=com
memberOf: CN=Network Engineers,OU=ExternalEmailGroups,DC=intelius1,DC=intelius,DC=com
memberOf: CN=Network-Security,CN=Users,DC=intelius1,DC=intelius,DC=com

Right now I'm using

SearchFilter (&(%0=%1)(memberOf=CN=Network-Security,CN=Users,DC=intelius1,DC=intelius,DC=com))

Because I only wanted users in that group to be able to authenticate for
radius against the devices, but tacacs will have other group access as
well.

The searchfilter option you mentioned below may work for me, although
I'm not sure how it will function while using
Identifier CheckLDAP

Can you have multiple Identifier lines?
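The memberOf values above and the per-group AuthBy LDAP2 mapping Hugh describes below, worked through as an added example (Python, not part of either message and not Radiator code): it joins LDIF-folded memberOf lines and picks the first matching clause's tacacsgroup the way ContinueUntilAccept would. The tacacsgroup names and the sample LDIF are constructed.

```python
# Added example, not from the thread: simulate how ordered AuthBy LDAP2
# clauses under "AuthByPolicy ContinueUntilAccept" turn a user's AD memberOf
# values into one tacacsgroup reply. Group DNs are those quoted in the thread.

def parse_member_of(ldif_text):
    """Return the memberOf DNs from LDIF-style output. LDIF folds long values
    onto following lines that begin with one space; those are joined back."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous value
        elif raw.strip():
            lines.append(raw)
    dns = []
    for line in lines:
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "memberof":
            dns.append(value.strip())
    return dns


# One entry per AuthBy LDAP2 clause, in clause order: the first clause whose
# memberOf check matches accepts, and its "AddToReply tacacsgroup = ..." wins.
# The tacacsgroup names here are constructed placeholders.
GROUP_RULES = [
    ("CN=Network-Security,CN=Users,DC=intelius1,DC=intelius,DC=com", "netsec"),
    ("CN=Network Engineers,OU=ExternalEmailGroups,DC=intelius1,DC=intelius,DC=com",
     "neteng"),
]


def tacacs_group_for(member_of, rules=GROUP_RULES):
    """Mimic ContinueUntilAccept: first matching tacacsgroup, or None when no
    clause matches (no clause would accept the user)."""
    # AD DN matching is case-insensitive; compare whole DNs, not substrings,
    # so "CN=Network Engineers" cannot be confused with "CN=Network-Security".
    have = {dn.lower() for dn in member_of}
    for group_dn, tacacs_group in rules:
        if group_dn.lower() in have:
            return tacacs_group
    return None


# Constructed sample in the shape Mark quoted, including one folded line.
SAMPLE_LDIF = """\
memberOf: CN=Engineering Operations,CN=Users,DC=intelius1,DC=intelius,DC=com
memberOf: CN=Network Engineers,OU=ExternalEmailGroups,DC=intelius1,DC=intelius
 ,DC=com
memberOf: CN=Network-Security,CN=Users,DC=intelius1,DC=intelius,DC=com
"""
```

Clause order matters: a user in both groups gets the tacacsgroup of whichever AuthBy LDAP2 clause appears first, so put the most privileged group's clause first or last deliberately.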


-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Monday, July 27, 2009 5:12 PM
To: Mark Bassett
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] tacacs+ ldap ad group setup


Hello Mark -

The answer to this depends on whether or not you can retrieve the
group membership directly.

If yes, you can add the group to the AuthBy LDAP2 reply and map it in  
the ServerTACACSPLUS clause using something like "tacacsgroup" as  
described in "goodies/tacacsplusserver.cfg".


	<AuthBy LDAP2>
		.....
		AuthAttrDef ....., tacacsgroup, reply
		.....
	</AuthBy>


If not, you can use multiple AuthBy LDAP2 clauses, each of which
tests a different group and uses "AddToReply tacacsgroup = whatever".


	AuthByPolicy ContinueUntilAccept

	<AuthBy LDAP2>
		.....
		SearchFilter (&(%0=%1)(whatever group check))
		.....
		AddToReply tacacsgroup = whatever
	</AuthBy>

	<AuthBy LDAP2>
		.....
		SearchFilter (&(%0=%1)(something group check))
		.....
		AddToReply tacacsgroup = something
	</AuthBy>

	.....


hope that helps

regards

Hugh


On 28 Jul 2009, at 10:00, Mark Bassett wrote:

> Hi List,
>
> I'm trying to figure out how to set up the groups for tacacs when  
> using authbyLDAP2?
>
> What I'm trying to do is use ldap as the authenticator (so passwords  
> are centralized) and give out tacacs command authorization levels  
> based on their AD groupings.
>
> I've been looking at section 5.83.10 AuthorizeGroup in the
> ref.pdf, but it's not really clear to me how to achieve this.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.