[RADIATOR] tacacsgroup nesting
Hugh Irvine
hugh at open.com.au
Fri Oct 29 03:36:08 CDT 2010
Hello Waldemar -
You will need to set up nested authentication to match your requirements, using the AuthBy GROUP to match what you need to do.
For example:
…..
<Handler …..>
    AuthByPolicy ContinueUntilAccept
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        AuthBy ASA_RO
        AuthBy ASA_BU
    </AuthBy>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        ……
    </AuthBy>
…..
</Handler>
…..
hope that helps
regards
Hugh
On 29 Oct 2010, at 07:54, <W.Siebert at t-systems.com> wrote:
> Hello,
>
> Is it possible to implement tacacsgroup nesting?
>
> My approach:
>
> We have 3 AD-groups: ASA_RO, ASA_BU, ASA_RW,
>
> and we have 3 tacacsgroups: ASA_RO, ASA_BU, ASA_RW
>
> If a user is a member of both ASA_RO and ASA_BU, how can I make sure he gets an authorisation combination of both tacacs groups?
>
> E.g.:
>
> AuthorizeGroup ASA_RO permit service=shell cmd=show cmd-arg=.*
> AuthorizeGroup ASA_RO deny .*
>
> AuthorizeGroup ASA_RW permit service=shell cmd\* {priv-lvl=15}
> AuthorizeGroup ASA_RW deny .*
>
> AuthorizeGroup ASA_BU permit service=shell cmd\* {autocmd="telnet 169.163.226.81"}
> AuthorizeGroup ASA_BU permit service=ppp protocol=ip {inacl=101 outacl=102}
> AuthorizeGroup ASA_BU deny .*
>
>
> AuthorizeGroup ASA_COMB01 permit ASA_RO & ASA_BU
>
>
> I read the manual and the mailing list diligently, but was none the wiser.
>
> Thanks for your help
>
>
>
> Here is an extract of my config:
> ###############################################
> <AuthBy LDAP2>
> Identifier ASA_RO
> Host w3kvm.adwal.corporate.net
> HoldServerConnection
> Port 3268
> AuthDN cn=radiator,cn=Users,dc=adwal,dc=corporate,dc=net
> AuthPassword Makaka77
> BaseDN dc=adwal,dc=corporate,dc=net
> ServerChecksPassword
> UsernameAttr sAMAccountName
> SearchFilter (&(%0=%1)(memberOf=CN=ASA_RO,DC=adwal,DC=corporate,DC=net))
> AuthAttrDef logonHours,MS-Login-Hours,check
> AddToReply tacacsgroup = ASA_RO
> Debug 255
> </AuthBy>
> ###############################################
> <AuthBy LDAP2>
> Identifier ASA_BU
> Host w3kvm.adwal.corporate.net
> HoldServerConnection
> Port 3268
> AuthDN cn=radiator,cn=Users,dc=adwal,dc=corporate,dc=net
> AuthPassword Makaka77
> BaseDN dc=adwal,dc=corporate,dc=net
> ServerChecksPassword
> UsernameAttr sAMAccountName
> SearchFilter (&(%0=%1)(memberOf=CN=ASA_BU,DC=adwal,DC=corporate,DC=net))
> AuthAttrDef logonHours,MS-Login-Hours,check
> AddToReply tacacsgroup = ASA_BU
> Debug 255
> </AuthBy>
> ###############################################
> <AuthBy LDAP2>
> Identifier ASA_RW
> Host w3kvm.adwal.corporate.net
> HoldServerConnection
> Port 3268
> AuthDN cn=radiator,cn=Users,dc=adwal,dc=corporate,dc=net
> AuthPassword Makaka77
> BaseDN dc=adwal,dc=corporate,dc=net
> ServerChecksPassword
> UsernameAttr sAMAccountName
> SearchFilter (&(%0=%1)(memberOf=CN=ASA_RW,DC=adwal,DC=corporate,DC=net))
> AuthAttrDef logonHours,MS-Login-Hours,check
> AddToReply tacacsgroup = ASA_RW
> Debug 255
> </AuthBy>
> ###############################################
> <AuthBy FILE>
> Identifier FileAuth
> Filename %D/taki
> </AuthBy>
> ###############################################
> <AuthLog FILE>
> Identifier authlogger
> Filename %L/authlog
> LogSuccess 1
> LogFailure 1
> </AuthLog>
> ###############################################
> # This clause handles all users with realm admins.realm. The user name coming from the NAS
> # must match the sAMAccountName attribute of a user in that OU.
> #<Handler Called-Station-Id=662543,Service-Type=Framed-User>
> <Handler Realm=admins.realm>
> RewriteUsername s/^([^@]+).*/$1/
> AuthByPolicy ContinueUntilAccept
> AuthBy ASA_RW
> AuthBy ASA_BU
> AuthBy ASA_RO
> # AuthBy FileAuth
> AcctLogFileName %L/accdetail
> AuthLog authlogger
> </Handler>
> ###############################################
> <ServerTACACSPLUS>
> GroupCacheFile %D/group-cache.dat
> IdleTimeout 180
> GroupMemberAttr tacacsgroup
>
> AuthorizeGroup ASA_RO permit service=shell cmd=show cmd-arg=.*
> AuthorizeGroup ASA_RO deny .*
>
> AuthorizeGroup ASA_RW permit service=shell cmd\* {priv-lvl=15}
> AuthorizeGroup ASA_RW deny .*
>
> AuthorizeGroup ASA_BU permit service=shell cmd\* {autocmd="telnet 169.163.226.81"}
> AuthorizeGroup ASA_BU permit service=ppp protocol=ip {inacl=101 outacl=102}
> AuthorizeGroup ASA_BU deny .*
>
> </ServerTACACSPLUS>
> ###############################################
>
>
>
> Kind regards
> Waldemar Siebert
>
> T-Systems International GmbH
> Corporate Customers
> Telecommunications Services & Solutions (TSS)
> Technical Engineering (TSS TE) - Security, Production Engineering & Lab
> Dipl.-Ing. Waldemar Siebert
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
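To make the policy interplay in Hugh's reply concrete, here is an added model (not Radiator code, and not from either poster) of how ContinueUntilAccept (stop at the first accept) and ContinueWhileAccept (stop at the first non-accept) walk a chain of AuthBy clauses, run against a constructed set of AD memberships. The single-group fallback GROUPs and the rule that a rejected chain contributes no reply attributes are this example's own assumptions; the reply shows only one combination group and elides the rest.

```python
# Added example (not Radiator code): a small model of AuthByPolicy semantics,
# showing why the nested AuthBy GROUP layout collects one tacacsgroup reply per
# AD group the user is in, while the flat ContinueUntilAccept Handler from the
# original config stops at the first AuthBy that accepts.
ACCEPT, REJECT = "ACCEPT", "REJECT"

AD_MEMBERS = {"alice": {"ASA_RO", "ASA_BU"}, "bob": {"ASA_RO"}, "carol": {"ASA_RW"}}  # constructed

def ldap_authby(group):
    """One <AuthBy LDAP2> whose SearchFilter requires memberOf=group and
    which does 'AddToReply tacacsgroup = group' on success."""
    def check(user):
        if group in AD_MEMBERS.get(user, ()):
            return ACCEPT, [("tacacsgroup", group)]
        return REJECT, []
    return check

def authby_group(policy, members):
    """An <AuthBy GROUP> (or a Handler) applying one AuthByPolicy to its members."""
    def check(user):
        collected, result = [], REJECT
        for authby in members:
            result, attrs = authby(user)
            collected.extend(attrs)
            if policy == "ContinueUntilAccept" and result == ACCEPT:
                break  # first accept wins
            if policy == "ContinueWhileAccept" and result != ACCEPT:
                break  # any non-accept ends the chain with REJECT
        # Modelling assumption: a rejected chain contributes no reply attributes.
        return (result, collected) if result == ACCEPT else (REJECT, [])
    return check

RO, BU, RW = (ldap_authby(g) for g in ("ASA_RO", "ASA_BU", "ASA_RW"))

# The original flat Handler: ContinueUntilAccept over ASA_RW, ASA_BU, ASA_RO.
flat_handler = authby_group("ContinueUntilAccept", [RW, BU, RO])

# Hugh's layout: ContinueUntilAccept over ContinueWhileAccept groups, the
# combination first; the single-group fallbacks are this example's assumption.
nested_handler = authby_group("ContinueUntilAccept", [
    authby_group("ContinueWhileAccept", [RO, BU]),
    authby_group("ContinueWhileAccept", [RW]),
    authby_group("ContinueWhileAccept", [BU]),
    authby_group("ContinueWhileAccept", [RO]),
])

def tacacs_groups(handler, user):
    """tacacsgroup values the TACACS+ side (GroupMemberAttr) would see, or None on reject."""
    result, attrs = handler(user)
    return [v for k, v in attrs if k == "tacacsgroup"] if result == ACCEPT else None
```

A user who is only in one group falls through the combination GROUP (its second member rejects) and is caught by the matching single-group GROUP, so each combination you want to honour needs its own GROUP, ordered most specific first.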