[RADIATOR] IPv6 TACACS+

Hugh Irvine hugh at open.com.au
Tue May 25 18:58:59 CDT 2010


Hello Alex -

Part of the incoming TACACS+ request (and the derived RADIUS request) is the IP address of the originating NAS.

Therefore you can make decisions on which group to put users into based on the source of the request.

An easy way to do this is to add Identifiers to Client clauses in the configuration file and refer to them when processing the requests.

hope that helps

regards

Hugh


On 26 May 2010, at 03:19, Alexander Hartmaier wrote:

> Hi Hugh,
> 
> can you please explain 'put the users in the respective groups according
> to the device they log in from'?
> 
> AFAIK a user is in a specific AuthorizeGroup, independent of the device
> he's logging into.
> 
> -- 
> Best regards, Alex
> 
> 
> On Monday, 24.05.2010, 12:08 +0200, Hugh Irvine wrote:
>> Hello Alex -
>> 
>> You would typically define different groups in the ServerTACACSPLUS AuthorizeGroup lines:
>> 
>> 
>> 	.....
>> 
>> 	AuthorizeGroup ThisGroup ....
>> 	AuthorizeGroup ThisGroup .....
>> 
>> 	.....
>> 
>> 	AuthorizeGroup ThatGroup .....
>> 	AuthorizeGroup ThatGroup .....
>> 
>> 	.....
>> 
>> 	AuthorizeGroup SomeOtherGroup .....
>> 	AuthorizeGroup SomeOtherGroup .....
>> 
>> 	.....
>> 
>> 
>> and then put the users in the respective groups according to the device they log in from.
>> 
>> regards
>> 
>> Hugh
>> 	
>> 
>> 
>> On 21 May 2010, at 03:41, Alexander Hartmaier wrote:
>> 
>>> Hi,
>>> 
>>> we're looking for a way to not only limit what a user of a group is
>>> allowed to do (=authorization) but also on which devices.
>>> 
>>> Is there a recommended way of grouping tacacs+ clients so the groupname
>>> can be used as e.g. check attribute for the tacacsgroup?
>>> 
>>> --
>>> Best regards, Alex
>>> 
>>> 
>>> On Wednesday, 12.05.2010, 11:02 +0200, Hugh Irvine wrote:
>>>> Hello Subash -
>>>> 
>>>> See "goodies/tacplus.txt" (I have included it in this email for your convenience).
>>>> 
>>>> regards
>>>> 
>>>> Hugh
>>>> 
>>>> 
>>> 
>>> 
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
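As an added illustration, not part of the thread and not Radiator's own code or configuration syntax, the following Python model shows the decision Hugh describes: the source address of the NAS that originated the TACACS+ request identifies the client, the client carries an Identifier, and the Identifier together with the user's role selects the authorization group. The client table, user directory, policy table, and the group names are all constructed sample data; the same lookup works for IPv4 and IPv6 NAS addresses, and any unknown device or unlisted role/device pair resolves to no group.

```python
"""Illustrative model (not Radiator code or configuration) of the decision
described in the thread: the NAS source address identifies the client, the
client carries an Identifier, and (role, Identifier) selects the group."""
import ipaddress
from typing import Optional

# Constructed sample client table, standing in for Client clauses that carry
# an Identifier. Keys are networks so a whole address range can share a label.
CLIENTS = {
    ipaddress.ip_network("192.0.2.0/24"): "core-routers",
    ipaddress.ip_network("198.51.100.10/32"): "edge-switches",
    ipaddress.ip_network("2001:db8:10::/48"): "core-routers",   # IPv6 NAS range
    ipaddress.ip_network("2001:db8:20::/48"): "lab-devices",
}

# Constructed user directory: which role each user holds.
USERS = {
    "alice": "netops",
    "bob": "helpdesk",
}

# Constructed policy: (role, client Identifier) -> authorization group name.
# Anything not listed resolves to no group, i.e. the request is refused.
POLICY = {
    ("netops", "core-routers"): "ThisGroup",
    ("netops", "edge-switches"): "ThisGroup",
    ("netops", "lab-devices"): "SomeOtherGroup",
    ("helpdesk", "edge-switches"): "ThatGroup",
    ("helpdesk", "lab-devices"): "SomeOtherGroup",
}


def client_identifier(nas_addr: str) -> Optional[str]:
    """Map the NAS source address to its Identifier; longest prefix wins.
    Returns None for an unparsable address or a device not in the table."""
    try:
        addr = ipaddress.ip_address(nas_addr)
    except ValueError:
        return None
    best = None
    for net, ident in CLIENTS.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ident)
    return best[1] if best else None


def authorize_group(user: str, nas_addr: str) -> Optional[str]:
    """Select the authorization group for this user on this device.
    None means no group applies and the session should be refused."""
    role = USERS.get(user)
    ident = client_identifier(nas_addr)
    if role is None or ident is None:
        return None
    return POLICY.get((role, ident))


if __name__ == "__main__":
    samples = [
        ("alice", "192.0.2.7"),        # netops on a core router
        ("bob", "192.0.2.7"),          # helpdesk has no entry for core routers
        ("bob", "2001:db8:20::5"),     # helpdesk on an IPv6 lab device
        ("alice", "203.0.113.1"),      # NAS not in the client table
    ]
    for u, n in samples:
        print(f"{u} from {n} -> {authorize_group(u, n)}")
```

The useful property here is that the device restriction is enforced by the lookup itself: a user whose role has no policy entry for the originating client gets no group at all, rather than falling back to a default group that might be broader than intended.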