[RADIATOR] tacacsgroup nesting

W.Siebert at t-systems.com
Thu Oct 28 15:54:59 CDT 2010


Hello,

Is it possible to implement tacacsgroup nesting?

My approach:

We have 3 AD-groups: ASA_RO, ASA_BU, ASA_RW,

and we have 3 tacacsgroups: ASA_RO, ASA_BU, ASA_RW

If a user is a member of both ASA_RO and ASA_BU, how can I make sure he gets an authorisation combination of both tacacs groups?

E.g.:

   AuthorizeGroup ASA_RO permit service=shell cmd=show cmd-arg=.*
   AuthorizeGroup ASA_RO deny .*

   AuthorizeGroup ASA_RW permit service=shell cmd\* {priv-lvl=15}
   AuthorizeGroup ASA_RW deny .*

   AuthorizeGroup ASA_BU permit service=shell cmd\* {autocmd="telnet  169.163.226.81"}
   AuthorizeGroup ASA_BU permit service=ppp protocol=ip {inacl=101 outacl=102}
   AuthorizeGroup ASA_BU deny .*


   AuthorizeGroup ASA_COMB01 permit ASA_RO & ASA_BU


I read the manual and the mailing list diligently, but was none the wiser.

Thanks for your help



Here is an extract of my config:
###############################################
<AuthBy LDAP2>
   Identifier ASA_RO
   Host         w3kvm.adwal.corporate.net
   HoldServerConnection
   Port                 3268
   AuthDN               cn=radiator,cn=Users,dc=adwal,dc=corporate,dc=net
   # Bind credential stored in clear text: keep this file readable by the
   # Radiator user only, and rotate the password before sharing the config.
   AuthPassword Makaka77
   BaseDN               dc=adwal,dc=corporate,dc=net
   ServerChecksPassword
   UsernameAttr         sAMAccountName
   SearchFilter (&(%0=%1)(memberOf=CN=ASA_RO,DC=adwal,DC=corporate,DC=net))
   AuthAttrDef  logonHours,MS-Login-Hours,check
   AddToReply           tacacsgroup = ASA_RO
   Debug 255
</AuthBy>
###############################################
<AuthBy LDAP2>
   Identifier ASA_BU
   Host         w3kvm.adwal.corporate.net
   HoldServerConnection
   Port                 3268
   AuthDN               cn=radiator,cn=Users,dc=adwal,dc=corporate,dc=net
   AuthPassword Makaka77
   BaseDN               dc=adwal,dc=corporate,dc=net
   ServerChecksPassword
   UsernameAttr         sAMAccountName
   SearchFilter (&(%0=%1)(memberOf=CN=ASA_BU,DC=adwal,DC=corporate,DC=net))
   AuthAttrDef  logonHours,MS-Login-Hours,check
   AddToReply           tacacsgroup = ASA_BU
   Debug 255
</AuthBy>
###############################################
<AuthBy LDAP2>
   Identifier ASA_RW
   Host         w3kvm.adwal.corporate.net
   HoldServerConnection
   Port                 3268
   AuthDN               cn=radiator,cn=Users,dc=adwal,dc=corporate,dc=net
   AuthPassword Makaka77
   BaseDN               dc=adwal,dc=corporate,dc=net
   ServerChecksPassword
   UsernameAttr         sAMAccountName
   SearchFilter (&(%0=%1)(memberOf=CN=ASA_RW,DC=adwal,DC=corporate,DC=net))
   AuthAttrDef  logonHours,MS-Login-Hours,check
   AddToReply           tacacsgroup = ASA_RW
   Debug 255
</AuthBy>
###############################################
<AuthBy FILE>
   Identifier FileAuth
   Filename %D/taki
</AuthBy>
###############################################
<AuthLog FILE>
   Identifier authlogger
   Filename %L/authlog
   LogSuccess 1
   LogFailure 1
</AuthLog>
###############################################
# This clause handles all users with realm admins.realm. The user name coming from the NAS
# must match the sAMAccountName attribute of a user below BaseDN.
#<Handler Called-Station-Id=662543,Service-Type=Framed-User>
<Handler Realm=admins.realm>
   RewriteUsername s/^([^@]+).*/$1/
   # ContinueUntilAccept stops at the first AuthBy that accepts, so a user who
   # is in several AD groups only ever gets the single tacacsgroup added by the
   # first accepting AuthBy below (ASA_RW is tried before ASA_BU and ASA_RO).
   AuthByPolicy ContinueUntilAccept
   AuthBy ASA_RW
   AuthBy ASA_BU
   AuthBy ASA_RO
#   AuthBy FileAuth
   AcctLogFileName   %L/accdetail
   AuthLog authlogger
</Handler>
###############################################
<ServerTACACSPLUS>
   GroupCacheFile %D/group-cache.dat
   IdleTimeout 180
   # The value of this reply attribute selects which AuthorizeGroup rules apply.
   # Each group below ends in a catch-all "deny .*", so rule order matters.
   GroupMemberAttr tacacsgroup

   AuthorizeGroup ASA_RO permit service=shell cmd=show cmd-arg=.*
   AuthorizeGroup ASA_RO deny .*

   AuthorizeGroup ASA_RW permit service=shell cmd\* {priv-lvl=15}
   AuthorizeGroup ASA_RW deny .*

   AuthorizeGroup ASA_BU permit service=shell cmd\* {autocmd="telnet  169.163.226.81"}
   AuthorizeGroup ASA_BU permit service=ppp protocol=ip {inacl=101 outacl=102}
   AuthorizeGroup ASA_BU deny .*

</ServerTACACSPLUS>
###############################################



Kind regards
Waldemar Siebert

T-Systems International GmbH
Corporate Customers
Telecommunications Services & Solutions (TSS)
Technical Engineering (TSS TE) - Security, Production Engineering & Lab
Dipl.-Ing. Waldemar Siebert

