[RADIATOR] TACACS+
Hugh Irvine
hugh at open.com.au
Tue Mar 10 16:08:52 CST 2009
Hello Chris -
It would be most useful to see a trace 4 debug showing what is
happening with your configuration, and a description of what is
working and what is not.
In the interim I have included in this mail a copy of my recent post
on this topic.
regards
Hugh
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tacplus.txt
URL: <http://www.open.com.au/pipermail/radiator/attachments/20090311/3d4d4e9a/attachment.txt>
-------------- next part --------------
On 10 Mar 2009, at 20:19, Chris Gravell wrote:
> Hello radiators,
>
> I am trying to configure TACACS+ on RADIATOR to implement the
> following requirements using the configuration below with limited
> success:
>
> 1. Group ALL
>
> Login to enable mode # directly with privilege level 15; permit all
> commands
>
> 2. Group SCRIPTS
>
> Login to enable mode # directly with privilege level 2 (certain
> command have been reduced to this privilege on the client)
> Access only device 1.1.1.1, 2.2.2.2
> Permit only the commands given and deny everything else
>
> 3. Group DELIVERY
>
> Login to enable mode # directly with privilege level 15
> Access only device 1.1.1.1, 2.2.2.2
> Permit all commands on these devices
> Access all other network devices but deny configuration
>
> 4. Group READONLY
>
> Login to enable mode # directly with privilege level 15
> Access all devices
> Permit all commands on these devices but any deny configuration
>
>
>
> Here is my config / state of flux - can't seem to meet the above
> requirements!
>
>
> Any assistance greatly appreciated.
>
>
> Chris
>
>
> <ServerTACACSPLUS>
>
> Key CKLSEFMORE#G[
>
> BindAddress Y.Y.Y.Y, 127.0.0.1
>
> AddToRequest NAS-Identifier=TACACS
>
> GroupMemberAttr XYZ-TACACS
>
> AuthorizeGroup all permit service=shell
> AuthorizeGroup all permit service=exec cmd=.* cmd-arg=.*
>
> AuthorizeGroup all permit service=shell {priv-lvl=15}
> AuthorizeGroup all permit service=exec cmd=.* cmd-arg=.* {priv-lvl=15}
>
> AuthorizeGroup scripts service=1.1.1.1
> AuthorizeGroup scripts service=2.2.2.2
> AuthorizeGroup scripts permit service=shell cmd=enable 2
> AuthorizeGroup scripts permit service=shell cmd=show caller {priv-lvl=2}
> AuthorizeGroup scripts permit service=shell cmd=clear interface Virtual-Access {priv-lvl=2}
> AuthorizeGroup scripts deny .*
>
> AuthorizeGroup delivery permit service=1.1.1.1
> AuthorizeGroup delivery permit service=2.2.2.2
> AuthorizeGroup delivery permit service=shell
> AuthorizeGroup delivery permit service=exec cmd=.* cmd-arg=.*
>
> AuthorizeGroup readonly permit service=shell cmd=enable cmd-args=.*
> AuthorizeGroup readonly permit service=shell cmd=exit cmd-args=.*
> AuthorizeGroup readonly deny service=shell cmd=show cmd-args=run.*
> AuthorizeGroup readonly deny service=shell cmd=show cmd-args=start.*
> AuthorizeGroup readonly permit service=shell cmd=show cmd-args=.*
> AuthorizeGroup readonly permit service=shell cmd=write
>
> </ServerTACACSPLUS>
>
> # This Realm shows you how to proxy requests to other Radius servers
> # Requests from user at test will be forwarded to a different Radius server
> # <Realm DEFAULT>
> # <AuthBy RADIUS>
> # Host 127.0.0.1
> # Secret local-radius-pass
> # </AuthBy>
> #</Realm>
>
> <Realm DEFAULT>
> <AuthBy FILE>
> Filename /etc/raddb/users_tacacs
> </AuthBy>
> AuthLog authlog
> </Realm>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
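Added illustration (not part of Hugh's or Chris's mail, and not Radiator's own code): a small Python model of first-match permit/deny command authorization that encodes the four groups from Chris's requirements list. The device restriction for the scripts and delivery groups is modelled as a hypothetical "nas" request attribute (the thread does not show how Radiator matches a client address, so that attribute is an assumption of this model, as is the request layout); patterns are anchored with re.fullmatch so a rule like "run.*" only matches the whole argument, and a request that matches no rule is denied, which is what the trailing "deny .*" in the scripts group spells out explicitly. The order of the readonly rules matters: the deny rules for "show run.*" and "show start.*" sit before the general "show" permit, as in Chris's config.

```python
"""First-match command-authorization model (added example; not Radiator code).

Each Rule belongs to one group and carries a set of attribute patterns that
must all match the request.  Rules are evaluated top to bottom; the first rule
whose group and patterns match decides, and a request with no matching rule is
denied (fail closed).  The "nas" attribute is a hypothetical device address.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    group: str
    action: str               # "permit" or "deny"
    match: dict               # attribute -> anchored regex; all must match
    reply: dict = field(default_factory=dict)   # attributes returned on permit


def rule_matches(rule, request):
    """All patterns must fully match; a missing attribute counts as empty."""
    for attr, pattern in rule.match.items():
        if re.fullmatch(pattern, request.get(attr, "")) is None:
            return False
    return True


def authorize(rules, group, request):
    """Return (decision, reply_attrs) for the first matching rule, else deny."""
    for rule in rules:
        if rule.group == group and rule_matches(rule, request):
            return rule.action, (dict(rule.reply) if rule.action == "permit" else {})
    return "deny", {}


def shell_request(nas, cmd="", cmd_arg=""):
    """Constructed request: an empty cmd models the initial exec/enable step."""
    return {"nas": nas, "service": "shell", "cmd": cmd, "cmd-arg": cmd_arg}


# Constructed sample addresses from the requirements list.
RESTRICTED = r"1\.1\.1\.1|2\.2\.2\.2"
ENABLE15 = {"priv-lvl": "15"}

POLICY = [
    # 1. ALL: straight to privilege 15 on any device, every command permitted
    Rule("all", "permit", {"service": "shell", "cmd": ""}, ENABLE15),
    Rule("all", "permit", {"service": "shell", "cmd": ".*"}),
    # 2. SCRIPTS: only the two devices, privilege 2, only the listed commands;
    #    anything else (including other devices) falls through to deny
    Rule("scripts", "permit", {"nas": RESTRICTED, "service": "shell", "cmd": ""},
         {"priv-lvl": "2"}),
    Rule("scripts", "permit", {"nas": RESTRICTED, "service": "shell",
                               "cmd": "show", "cmd-arg": "caller"}),
    Rule("scripts", "permit", {"nas": RESTRICTED, "service": "shell",
                               "cmd": "clear", "cmd-arg": r"interface Virtual-Access.*"}),
    # 3. DELIVERY: everything on the two devices, no configuration elsewhere
    Rule("delivery", "permit", {"nas": RESTRICTED, "service": "shell", "cmd": ""}, ENABLE15),
    Rule("delivery", "permit", {"nas": RESTRICTED, "service": "shell", "cmd": ".*"}),
    Rule("delivery", "deny", {"service": "shell", "cmd": "configure"}),
    Rule("delivery", "permit", {"service": "shell", "cmd": ""}, ENABLE15),
    Rule("delivery", "permit", {"service": "shell", "cmd": ".*"}),
    # 4. READONLY: privilege 15 everywhere, but no configuration and no
    #    "show run*/start*"; the denies must precede the general show permit
    Rule("readonly", "permit", {"service": "shell", "cmd": ""}, ENABLE15),
    Rule("readonly", "deny", {"service": "shell", "cmd": "configure"}),
    Rule("readonly", "deny", {"service": "shell", "cmd": "show", "cmd-arg": r"(run|start).*"}),
    Rule("readonly", "permit", {"service": "shell", "cmd": ".*"}),
]


if __name__ == "__main__":
    samples = [
        ("all", shell_request("10.0.0.9")),
        ("scripts", shell_request("10.0.0.9")),
        ("scripts", shell_request("1.1.1.1", "show", "caller")),
        ("scripts", shell_request("1.1.1.1", "show", "running-config")),
        ("delivery", shell_request("2.2.2.2", "configure", "terminal")),
        ("delivery", shell_request("10.0.0.9", "configure", "terminal")),
        ("readonly", shell_request("10.0.0.9", "show", "running-config")),
        ("readonly", shell_request("10.0.0.9", "show", "version")),
    ]
    for group, req in samples:
        print(f"{group:9} {req['nas']:9} {req['cmd']} {req['cmd-arg']}".rstrip(),
              "->", authorize(POLICY, group, req))
```

Swapping the readonly deny and permit lines is the quickest way to see why ordering matters: with the general show permit first, "show running-config" would be permitted and the denies would never be reached.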