[RADIATOR] TACACS+

Chris Gravell cgravell at hotmail.com
Tue Mar 10 03:19:54 CST 2009


Hello radiators,

I am trying to configure TACACS+ on RADIATOR to implement the following 
requirements using the configuration below with limited success:

1. Group ALL

Login to enable mode # directly with privilege level 15; permit all commands

2. Group SCRIPTS

Login to enable mode # directly with privilege level 2 (certain commands have 
been reduced to this privilege on the client)
Access only device 1.1.1.1, 2.2.2.2
Permit only the commands given and deny everything else

3. Group DELIVERY

Login to enable mode # directly with privilege level 15
Access only device 1.1.1.1, 2.2.2.2
Permit all commands on these devices
Access all other network devices but deny configuration

4. Group READONLY

Login to enable mode # directly with privilege level 15
Access all devices
Permit all commands on these devices but deny any configuration
Here is my config / state of flux - can't seem to meet the above 
requirements!


Any assistance greatly appreciated.


Chris


<ServerTACACSPLUS>

        Key CKLSEFMORE#G[

        BindAddress Y.Y.Y.Y, 127.0.0.1

        AddToRequest NAS-Identifier=TACACS

        GroupMemberAttr XYZ-TACACS

        AuthorizeGroup all permit service=shell
        AuthorizeGroup all permit service=exec cmd=.* cmd-arg=.*

        AuthorizeGroup all permit service=shell {priv-lvl=15}
        AuthorizeGroup all permit service=exec cmd=.* cmd-arg=.* {priv-lvl=15}

        AuthorizeGroup scripts service=1.1.1.1
        AuthorizeGroup scripts service=2.2.2.2
        AuthorizeGroup scripts permit service=shell cmd=enable 2
        AuthorizeGroup scripts permit service=shell cmd=show caller {priv-lvl=2}
        AuthorizeGroup scripts permit service=shell cmd=clear interface Virtual-Access {priv-lvl=2}
        AuthorizeGroup scripts deny .*

        AuthorizeGroup delivery permit service=1.1.1.1
        AuthorizeGroup delivery permit service=2.2.2.2
        AuthorizeGroup delivery permit service=shell
        AuthorizeGroup delivery permit service=exec cmd=.* cmd-arg=.*

        AuthorizeGroup readonly permit service=shell cmd=enable cmd-args=.*
        AuthorizeGroup readonly permit service=shell cmd=exit cmd-args=.*
        AuthorizeGroup readonly deny service=shell cmd=show cmd-args=run.*
        AuthorizeGroup readonly deny service=shell cmd=show cmd-args=start.*
        AuthorizeGroup readonly permit service=shell cmd=show cmd-args=.*
        AuthorizeGroup readonly permit service=shell cmd=write

</ServerTACACSPLUS>

# This Realm shows you how to proxy requests to other Radius servers
# Requests from user at test will be forwarded to a different Radius server
# <Realm DEFAULT>
#       <AuthBy RADIUS>
#               Host 127.0.0.1
#               Secret local-radius-pass
#        </AuthBy>
#</Realm>

<Realm DEFAULT>
        <AuthBy FILE>
                Filename /etc/raddb/users_tacacs
        </AuthBy>
        AuthLog authlog
</Realm> 
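Added example, not from the post and not Radiator's own code: a small Python model of TACACS+ per-command authorization, run over the READONLY rule set from the config above. The first-match, default-deny evaluation order and the "missing cmd-args matches anything" convention are assumptions of this model, used to show which commands each rule catches and which fall through to the default.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """One per-command authorization rule (modelled on the AuthorizeGroup lines)."""
    action: str          # "permit" or "deny"
    cmd: str             # regex matched against the command word
    args: str = ".*"     # regex matched against the rest of the line; assumption:
                         # a rule without cmd-args matches any arguments


# Constructed from the READONLY group in the posted config, in the same order.
READONLY_RULES = [
    Rule("permit", "enable", ".*"),
    Rule("permit", "exit", ".*"),
    Rule("deny", "show", "run.*"),
    Rule("deny", "show", "start.*"),
    Rule("permit", "show", ".*"),
    Rule("permit", "write"),
]


def authorize(rules, command, default="deny"):
    """Return the action of the first rule matching the command line.

    Assumption: rules are evaluated top to bottom and the first match wins;
    a command that matches nothing gets the default (deny), which is the
    safe choice for a read-only profile.
    """
    cmd, _, args = command.strip().partition(" ")
    for rule in rules:
        if re.fullmatch(rule.cmd, cmd) and re.fullmatch(rule.args, args):
            return rule.action
    return default


if __name__ == "__main__":
    for line in ("show version", "show running-config", "configure terminal", "write memory"):
        print(f"{line:25s} -> {authorize(READONLY_RULES, line)}")
```

Running the block shows that the two deny rules must sit above the blanket show permit to have any effect, and that commands with no rule at all (such as configure terminal) are only blocked because the default is deny.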