[RADIATOR] command authorization on cisco ios

Hugh Irvine hugh at open.com.au
Wed Feb 16 23:41:26 CST 2011


Hello James -

As is described in "goodies/tacplus.txt" and the manual, you tie things together with the "GroupMemberAttr …" parameter.

See section 5.86.9 in the manual.

With what you show below, you would specify this:

	GroupMemberAttr networkGroup


In other words, put the value of the "tacacsGroup" LDAP attribute into a RADIUS reply attribute called "networkGroup" and use that for the AuthorizeGroup.

Your configuration would have the value "showOnly" in the LDAP attribute "tacacsGroup", and it would be returned in a RADIUS attribute called "networkGroup". 

The example in "goodies/tacplus.cfg" uses a flat file rather than LDAP, but the principle is the same.

regards

Hugh
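A worked configuration tying the pieces of this thread together, written as an added example rather than taken from the thread or from the Radiator goodies; the LDAP connection details (Host, BaseDN, UsernameAttr, PasswordAttr), the Identifier name and the TACACS+ Key are placeholders, and everything else uses the parameters named in the messages above:

```text
# Added example, not from the original thread or goodies/tacplus.cfg.
# Flow: LDAP attribute tacacsGroup -> RADIUS reply attribute networkGroup
#       -> GroupMemberAttr selects the matching AuthorizeGroup rules.

<AuthBy LDAP2>
	Identifier CheckLDAP
	# Placeholder LDAP connection settings (assumed values)
	Host ldap.example.com
	BaseDN ou=people,dc=example,dc=com
	UsernameAttr uid
	PasswordAttr userPassword
	# Copy the LDAP attribute "tacacsGroup" into the reply as "networkGroup"
	AuthAttrDef tacacsGroup,networkGroup,reply
</AuthBy>

<ServerTACACSPLUS>
	# Placeholder shared secret for the IOS device
	Key CHANGE-ME-shared-secret
	AuthBy CheckLDAP
	# The reply attribute whose value names the AuthorizeGroup to apply
	GroupMemberAttr networkGroup
	# A user whose tacacsGroup is "showOnly" may run show commands only;
	# everything else is denied by the final catch-all rule
	AuthorizeGroup showOnly permit service=shell cmd=show cmd-arg=.*
	AuthorizeGroup showOnly deny .*
</ServerTACACSPLUS>
```

Keep the deny rule last: AuthorizeGroup rules are tried in order, so a permit placed after the catch-all deny would never be reached.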



On 17 Feb 2011, at 15:54, James wrote:

> Thanks for the response, folks.
> 
> I've done some reading in both the sample configuration file located
> in the goodies folder, and a few threads online that point to some
> ideas on how to deal with this.
> 
> Ideally I would like to have a "group" value inside of the LDAP
> database that will directly associate with an AuthorizeGroup definition
> inside of the tacacs.cfg file.
> 
> For example: user "testuser" has an LDAP attribute that has the value
> "showOnly". Inside of the tacacs.cfg file, I would have something like
> this:
> 
> AuthorizeGroup showOnly permit service=shell cmd=show cmd-arg=.*
> AuthorizeGroup showOnly deny .*
> 
> My confusion is specifically *how* to associate the LDAP attribute to
> the AuthorizeGroup group.
> 
> The documentation points to AuthAttrDef; maybe something like this?
> 
> <AuthBy LDAP2>
> AuthAttrDef tacacsGroup,networkGroup,reply
> ...
> </AuthBy>
> 
> But how to tie this attribute into anything of value isn't jiving right now.
> 
> Any thoughts / ideas would be appreciated! :)
> 
> -james
> 
> 
> 
> On Wed, Feb 16, 2011 at 20:30, Hugh Irvine <hugh at open.com.au> wrote:
>> 
>> Hello James -
>> 
>> See "goodies/tacplus.txt" in the Radiator distribution.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 17 Feb 2011, at 11:01, James wrote:
>> 
>>> Is it possible to perform command authorization on IOS with Radiator?
>>> If so, can anyone share any examples of how this is configured?
>>> 
>>> I don't see anything in the documentation indicating this is possible.
>>> 
>>> -james
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> 