[RADIATOR] command authorization on cisco ios

James jtp at nc.rr.com
Wed Feb 16 22:54:27 CST 2011


Thanks for the response, folks.

I've done some reading in both the sample configuration file located
in the goodies folder, and a few threads online that point to some
ideas on how to deal with this.

Ideally I would like to have a "group" value inside of the LDAP
database that will directly associate with an AuthorizeGroup definition
inside of the tacacs.cfg file.

For example: user "testuser" has an LDAP attribute that has the value
"showOnly". Inside of the tacacs.cfg file, I would have something like
this:

AuthorizeGroup showOnly permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup showOnly deny .*

My confusion is specifically *how* to associate the LDAP attribute to
the AuthorizeGroup group.

The documentation points to AuthAttrDef; maybe something like this?

<AuthBy LDAP2>
AuthAttrDef tacacsGroup,networkGroup,reply
...
</AuthBy>

But how to tie this attribute into anything of value isn't jiving right now.

Any thoughts / ideas would be appreciated! :)

-james
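As an added illustration (not code from the Radiator distribution or from anyone on this thread) of the two pieces the question ties together, the following Python models what the tacacs.cfg lines above express: a per-user group value, as an LDAP lookup would return it, selects an ordered AuthorizeGroup rule list, and an IOS command-authorization request (service=shell, cmd, cmd-arg) is walked against those rules with first match winning and deny as the default. The sample LDAP data and the extra fullAccess group are constructed; the matching semantics (anchored regexes, repeated cmd-arg values joined with spaces) are this example's assumptions, not Radiator's documented behaviour, so check them against goodies/tacplus.txt before relying on them.

```python
import re
from collections import defaultdict

# Constructed sample: the two tacacs.cfg lines from the post, plus a second
# group so the attribute-to-group step has something to choose between.
TACACS_CFG = """
AuthorizeGroup showOnly permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup showOnly deny .*
AuthorizeGroup fullAccess permit .*
"""

# Constructed sample: what the LDAP lookup of the group attribute would return
# for each user (the attribute called tacacsGroup in the post). Not a real directory.
LDAP_TACACS_GROUP = {"testuser": "showOnly", "netadmin": "fullAccess"}


def parse_authorize_groups(cfg_text):
    """Parse 'AuthorizeGroup <group> permit|deny <attr=regex ...>' lines into an
    ordered rule list per group. A bare token without '=' (the '.*' in
    'deny .*') is treated as a catch-all. Regexes are anchored so that cmd=show
    cannot match a longer command name by accident (an assumption of this model)."""
    groups = defaultdict(list)
    for raw in cfg_text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "AuthorizeGroup":
            continue
        group, action, conds = parts[1], parts[2].lower(), parts[3:]
        if action not in ("permit", "deny"):
            raise ValueError("bad action in rule: %r" % raw)
        matchers = {}
        for cond in conds:
            if "=" in cond:
                attr, pattern = cond.split("=", 1)
                matchers[attr] = re.compile(r"\A(?:%s)\Z" % pattern)
        groups[group].append((action, matchers))
    return dict(groups)


def ios_shell_request(cmd, *args):
    """Build the attribute list IOS sends in a TACACS+ command-authorization
    request: service=shell, cmd=<verb>, one cmd-arg per word, then cmd-arg=<cr>."""
    req = [("service", "shell"), ("cmd", cmd)]
    req += [("cmd-arg", a) for a in args]
    req.append(("cmd-arg", "<cr>"))
    return req


def rule_matches(matchers, request):
    """A rule matches when every attribute it names is present in the request
    and its regex matches that attribute's value(s). Repeated attributes such
    as cmd-arg are joined with spaces before matching ('ip route <cr>'); this
    is an assumption of the model, not Radiator's documented behaviour."""
    values = defaultdict(list)
    for attr, val in request:
        values[attr].append(val)
    for attr, regex in matchers.items():
        if attr not in values:
            return False
        if not regex.match(" ".join(values[attr])):
            return False
    return True


def authorize(user, request, groups, ldap_group_attr=LDAP_TACACS_GROUP):
    """Look up the user's group attribute, then walk that group's rules in
    order; the first match decides. An unknown user, a group with no rules,
    or a request matching no rule is denied (deny by default)."""
    group = ldap_group_attr.get(user)
    if group is None:
        return "deny"
    for action, matchers in groups.get(group, []):
        if rule_matches(matchers, request):
            return action
    return "deny"


if __name__ == "__main__":
    rules = parse_authorize_groups(TACACS_CFG)
    for user, cmd in [("testuser", ("show", "ip", "route")),
                      ("testuser", ("configure", "terminal")),
                      ("netadmin", ("configure", "terminal")),
                      ("nobody", ("show", "version"))]:
        print(user, " ".join(cmd), "->", authorize(user, ios_shell_request(*cmd), rules))
```

The deny-by-default branches are the part worth keeping whatever the real Radiator semantics turn out to be: a user whose LDAP entry lacks the group attribute, or whose attribute names a group with no AuthorizeGroup lines, should get no commands rather than all of them.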



On Wed, Feb 16, 2011 at 20:30, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello James -
>
> See "goodies/tacplus.txt" in the Radiator distribution.
>
> regards
>
> Hugh
>
>
> On 17 Feb 2011, at 11:01, James wrote:
>
>> Is it possible to perform command authorization on IOS with Radiator?
>> If so, can anyone share any examples of how this is configured?
>>
>> I don't see anything in the documentation indicating this is possible.
>>
>> -james
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>

