[RADIATOR] Multiple user groups for tacacs authorization possible

Heikki Vatiainen hvn at open.com.au
Fri Jul 8 06:51:08 CDT 2011


On 07/07/2011 01:26 PM, Alexander Hartmaier wrote:

> we have the need to map users with membership in multiple groups into
> tacacs groups to decide if the user is allowed to login (authentication)
> and what the user is allowed to do (authorization).
> We solved the authentication by multiple authby ldap2's for the
> different ldap groups in an authby group.
> The first matched group populates the OSC-Group-Identifier attribute
> which is used for the GroupMemberAttr.
> Because some users are in multiple groups we're looking for a way to add
> all of them to the GroupMemberAttr, is this possible?

This does not sound possible. Please see this example. Is this what you
are looking for?

<Server TACACSPLUS>
  GroupMemberAttr OSC-Group-Identifier
  AuthorizeGroup group1 ...
  # more rules for group1
  AuthorizeGroup group2 ...
  # more rules for group2

And the Access-Reply messages would look like this:

User a:
  OSC-Group-Identifier = group1
User b:
  OSC-Group-Identifier = group2
User c:
  OSC-Group-Identifier = group1
  OSC-Group-Identifier = group2

The user c would be allowed (group1 + group2).

The above is not currently possible since Radiator currently only picks
up one attribute and uses its value. The second will not be used.

Also, there's the question of how permit and deny rules would relate to
each other if both group1 and group2 contain them.

If the above is not what you are after, please tell us more.

Thanks!

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
