[RADIATOR] Mapping AD groups to TACAS+ groups

W.Siebert at t-systems.com W.Siebert at t-systems.com
Mon Sep 27 03:40:46 CDT 2010 

Hello,

I try to implement the mapping of AD groups to TACAS+ groups.

Witch AuthAttrDef memberOf,tacacsgroup,reply will be the complete LDAP string delivered:
tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net

My question: it is possible to strip all the unnecessary parts to deliver "ASAADMINS" only to tacacsgroup?

I read manual and mailinlist diligently, but was not clever.

Thanks for your help



Here an extract of my config:
###############################################
        <AuthBy LDAP2>
                Identifier ASA-Admin

                Host            w3kvm.adtest.corporate.net
                HoldServerConnection

                AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
                AuthPassword    XXXXX
                BaseDN          dc=adtest,dc=corporate,dc=net
                ServerChecksPassword
                UsernameAttr sAMAccountName

                SearchFilter (&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))

                AuthAttrDef memberOf,tacacsgroup,reply

                Debug 255
        </AuthBy>
###############################################
<ServerTACACSPLUS>
                GroupMemberAttr tacacsgroup

                AuthorizeGroup ASAADMINS permit service=shell cmd=show cmd-arg=.*
                AuthorizeGroup group1 deny .*
.....................
</ServerTACACSPLUS>
###############################################

Here an extract of my Log:


Sun Sep 26 19:27:09 2010: DEBUG: AuthBy LDAP2 result: ACCEPT,
Sun Sep 26 19:27:09 2010: DEBUG: Access accepted for aduser01
Sun Sep 26 19:27:09 2010: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  ,|C<229><152><134><142>p? U<154>qSk<191>
Attributes:
        tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net

Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection result Access-Accept
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection request 193, 2, 2, 0, 1234, 79
Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request packet dump: c1020200000004d20000004f0e63dedad6576899fad69068509e9bc4dd7fe3edaab83f773ddf0d4679cdadcbca8cd54899138d3cf493fc776e476146108586b5ff3052adcca129fb3fc2b59ca16a8ef718f1f2753f2c136795f90b
Sun Sep 26 19:27:09 2010: DEBUG: Decrypting TacacsPlus request
Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request decrypted body: 0600020015030a030d080d61647573657230314061646d696e732e7265616c6d31323374657374636c69656e74736572766963653d7368656c6c636d643d73686f77636d642d6172673d686f737431
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, aduser01 at admins.realm, 123, testclient, 3, service=shell cmd=show cmd-arg=host1
Sun Sep 26 19:27:09 2010: INFO: Authorization denied for aduser01 at admins.realm, group CN=ASAADMINS,DC=adtest,DC=corporate,DC=net. No matching AuthorizeGroup rule for args service=shell cmd=show cmd-arg=host1
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection disconnected from 10.11.11.2:1786


Kind regards
Waldemar Siebert

T-Systems International GmbH
Corporate Customers
Telecommunications Services & Solutions (TSS)
Technical Engineering (TSS TE) - Security, Production Engineering & Lab
Dipl.-Ing. Waldemar Siebert


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20100927/a5b28ed3/attachment.html

More information about the radiator mailing list