[RADIATOR] Mapping AD groups to TACAS+ groups

Hugh Irvine hugh at open.com.au
Mon Sep 27 19:00:46 CDT 2010 

Hello Waldemar -

If you already know the group from the SearchFilter query, you can just use an AddToReply like this:


###############################################
        <AuthBy LDAP2>
                Identifier ASA-Admin
 
                Host            w3kvm.adtest.corporate.net
                HoldServerConnection
               
                AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
                AuthPassword    XXXXX
                BaseDN          dc=adtest,dc=corporate,dc=net
                ServerChecksPassword
                UsernameAttr sAMAccountName
 
                SearchFilter (&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))
 
                AddToReply tacacsgroup = ASAADMINS
 
                Debug 255
        </AuthBy>
###############################################
<ServerTACACSPLUS>


regards

Hugh


On 27 Sep 2010, at 18:40, <W.Siebert at t-systems.com> <W.Siebert at t-systems.com> wrote:

> Hello,
>  
> I try to implement the mapping of AD groups to TACAS+ groups.
>  
> Witch AuthAttrDef memberOf,tacacsgroup,reply will be the complete LDAP string delivered:
> tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
>  
> My question: it is possible to strip all the unnecessary parts to deliver "ASAADMINS" only to tacacsgroup?
>  
> I read manual and mailinlist diligently, but was not clever.
>  
> Thanks for your help
>  
>  
>  
> Here an extract of my config:
> ###############################################
>         <AuthBy LDAP2>
>                 Identifier ASA-Admin
>  
>                 Host            w3kvm.adtest.corporate.net
>                 HoldServerConnection
>                
>                 AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
>                 AuthPassword    XXXXX
>                 BaseDN          dc=adtest,dc=corporate,dc=net
>                 ServerChecksPassword
>                 UsernameAttr sAMAccountName
>  
>                 SearchFilter (&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))
>  
>                 AuthAttrDef memberOf,tacacsgroup,reply
>  
>                 Debug 255
>         </AuthBy>
> ###############################################
> <ServerTACACSPLUS>
>          GroupMemberAttr tacacsgroup
>  
>                 AuthorizeGroup ASAADMINS permit service=shell cmd=show cmd-arg=.*
>                 AuthorizeGroup group1 deny .*
> .....................
> </ServerTACACSPLUS>
> ###############################################
>  
> Here an extract of my Log:
>  
>  
> Sun Sep 26 19:27:09 2010: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Sun Sep 26 19:27:09 2010: DEBUG: Access accepted for aduser01
> Sun Sep 26 19:27:09 2010: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  ,|C<229><152><134><142>p? U<154>qSk<191>
> Attributes:
>         tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
>  
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection result Access-Accept
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, , 
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection request 193, 2, 2, 0, 1234, 79
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request packet dump: c1020200000004d20000004f0e63dedad6576899fad69068509e9bc4dd7fe3edaab83f773ddf0d4679cdadcbca8cd54899138d3cf493fc776e476146108586b5ff3052adcca129fb3fc2b59ca16a8ef718f1f2753f2c136795f90b
> Sun Sep 26 19:27:09 2010: DEBUG: Decrypting TacacsPlus request
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request decrypted body: 0600020015030a030d080d61647573657230314061646d696e732e7265616c6d31323374657374636c69656e74736572766963653d7368656c6c636d643d73686f77636d642d6172673d686f737431
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, aduser01 at admins.realm, 123, testclient, 3, service=shell cmd=show cmd-arg=host1
> Sun Sep 26 19:27:09 2010: INFO: Authorization denied for aduser01 at admins.realm, group CN=ASAADMINS,DC=adtest,DC=corporate,DC=net. No matching AuthorizeGroup rule for args service=shell cmd=show cmd-arg=host1
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection disconnected from 10.11.11.2:1786
>  
>  
> Kind regards
> Waldemar Siebert
>  
> T-Systems International GmbH
> Corporate Customers
> Telecommunications Services & Solutions (TSS)
> Technical Engineering (TSS TE) - Security, Production Engineering & Lab
> Dipl.-Ing. Waldemar Siebert
>  
>  
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

More information about the radiator mailing list