[RADIATOR] Tacacs role reply.

Heikki Vatiainen hvn at archred.com
Thu Feb 24 15:56:07 CST 2011


On 02/24/2011 10:09 PM, Mark Bassett wrote:

> Hi guys, I’m using tacacs+ on some cisco SanOS fiber switches.  I am
> able to authenticate and log in properly, but I am not being assigned
> the proper tacacs role
> 
> “network-admin”

> I need to add this pair
> 
> cisco-av-pair=shell:roles="network-admin"

> but I am not sure where to add it.   

If you want to add it per user, you should arrange the avpair to be
returned during the authentication. For example, if I authenticated
against a file, the file could contain this:

hvn User-Password = "password"
    tacacsgroup = group1
    cisco-avpair = shell:roles="network-admin"

The reference manual and goodies/tacacsplusserver.cfg say this:
  Any cisco-avpair reply items that result from the Radius
  authentication will be used for TACACS+ authorization.

Just noticed you posted your configuration. If you can arrange your LDAP
server to return an attribute that contains the avpair value, you can do
this within AuthBy LDAP2:

AuthAttrDef ciscoAvPair,cisco-avpair,reply

where ciscoAvPair is the LDAP attribute that contains the desired avpair
value.

An alternative and possibly a way to test the above is to add this into
your <ServerTACACSPLUS>:

AuthorizationAdd shell:roles="network-admin"

The above will add the avpair to all authorization requests. That's why
you may want to consider if it is ok to allow the attribute for all
tacacs users.

Please see doc/ref.pdf section 5.86 <ServerTACACSPLUS> and
goodies/tacacsplusserver.cfg for more information.

Thanks,
Heikki

-- 
Heikki Vatiainen, Arch Red Oy
+358 44 087 6547
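As an added illustration (not part of the thread, and not Radiator's own goodies file), the two directives from the reply placed in a minimal Radiator configuration, so it is clear which clause each one belongs to; the shared key, LDAP host, DNs and the LDAP attribute name ciscoAvPair are placeholders.

```text
# Added example, not from the original post. Placeholders: the TACACS+ key,
# LDAP host, base DN and the attribute name ciscoAvPair.

# TACACS+ listener that the switch sends authentication and
# authorization requests to.
<ServerTACACSPLUS>
	Key CHANGE-ME-tacacs-shared-secret
	# Option A (global, useful for a first test): appended to every
	# authorization reply, so every TACACS+ user gets network-admin.
	# Remove it once the per-user reply item below is working.
	AuthorizationAdd shell:roles="network-admin"
</ServerTACACSPLUS>

# TACACS+ requests are authenticated like RADIUS requests through a
# Handler; any cisco-avpair reply item produced here is used for
# the TACACS+ authorization reply.
<Handler>
	<AuthBy LDAP2>
		Host ldap.example.com
		BaseDN ou=people,dc=example,dc=com
		UsernameAttr uid
		PasswordAttr userPassword
		# Option B (per user): copy the LDAP attribute ciscoAvPair,
		# e.g. the value shell:roles="network-admin" on a user's
		# entry, into a cisco-avpair reply item.
		AuthAttrDef ciscoAvPair,cisco-avpair,reply
	</AuthBy>
</Handler>
```

Option B keeps the role decision in the directory, so only users whose entry carries the attribute receive network-admin; Option A grants it to everyone who authenticates.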

