[RADIATOR] Multiple user groups for tacacs authorization possible

Mike McCauley mikem at open.com.au
Fri Jul 8 18:02:13 CDT 2011


Hi Heikki,

I did something similar to this at NBNCo (you have the configs I think).
In that one we used LDAP to get the groups the user is a member of, and 
used the device group the request came from to do a lookup in SQL. From 
there we get AuthorizeGroupAttr rules.

Cheers.

On Friday 08 July 2011 09:51:08 pm Heikki Vatiainen wrote:
> On 07/07/2011 01:26 PM, Alexander Hartmaier wrote:
> > we have the need to map users with membership in multiple groups into
> > tacacs groups to decide if the user is allowed to login (authentication)
> > and what the user is allowed to do (authorization).
> > We solved the authentication by multiple authby ldap2's for the
> > different ldap groups in an authby group.
> > The first matched group populates the OSC-Group-Identifier attribute
> > which is used for the GroupMemberAttr.
> > Because some users are in multiple groups we're looking for a way to add
> > all of them to the GroupMemberAttr, is this possible?
>
> This does not sound possible. Please see this example. Is this what you
> are looking for?
>
> <Server TACACSPLUS>
>   GroupMemberAttr OSC-Group-Identifier
>   AuthorizeGroup group1 ...
>   # more rules for group1
>   AuthorizeGroup group2 ...
>   # more rules for group2
>
> And the Access-Reply messages would look like these
>
> User a:
>   OSC-Group-Identifier = group1
> User b:
>   OSC-Group-Identifier = group2
> User c:
>   OSC-Group-Identifier = group1
>   OSC-Group-Identifier = group2
>
> The user c would be allowed (group1 + group2).
>
> The above is not currently possible since Radiator currently only picks
> up one attribute and uses its value. The second will not be used.
>
> Also, there's the question if both group1 and group2 contain permit and
> deny rules how they would relate to each other.
>
> If the above is not what you are after, please tell us more.
>
> Thanks!



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
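As an added illustration, and not Radiator's code nor a description of how its AuthorizeGroup rules are actually evaluated, the Python sketch below contrasts the two behaviours the thread discusses: using only the first OSC-Group-Identifier value (what Heikki says Radiator does today) versus merging all of them (what Alexander asked for), with the permit/deny interaction Heikki raises made explicit as a named policy. The group names come from the thread; the rule contents and the `policy` names are constructed.

```python
import re

# Constructed per-group rule tables: an ordered list of (action, regex) pairs.
# Hypothetical contents; Radiator's own AuthorizeGroup syntax differs.
GROUP_RULES = {
    "group1": [("permit", r"^show .*"), ("deny", r"^configure .*")],
    "group2": [("permit", r"^configure interface .*"),
               ("deny", r"^show running-config$")],
}


def groups_for(reply_attrs, merge_all):
    """Return the groups taken from OSC-Group-Identifier reply attributes.

    merge_all=False mimics the behaviour described in the thread: only the
    first attribute value is used.  merge_all=True is the requested behaviour.
    """
    values = [v for (k, v) in reply_attrs if k == "OSC-Group-Identifier"]
    return values if merge_all else values[:1]


def authorize(command, groups, policy="deny-overrides"):
    """Decide whether a TACACS+ command is permitted for a set of groups.

    Each group contributes at most one decision: its first matching rule.
    policy "first-match":    the first matching rule, in group order, decides.
    policy "deny-overrides": a deny from any group wins over permits.
    A command no rule matches is denied (default deny).
    """
    decisions = []
    for g in groups:
        for action, pattern in GROUP_RULES.get(g, []):
            if re.match(pattern, command):
                if policy == "first-match":
                    return action == "permit"
                decisions.append(action)
                break  # first matching rule within this group
    if policy == "deny-overrides":
        return bool(decisions) and "deny" not in decisions
    return False


# Constructed reply for "user c" from the thread: member of both groups.
USER_C = [("OSC-Group-Identifier", "group1"),
          ("OSC-Group-Identifier", "group2")]
```

With `first-match`, the outcome for user c depends on which group is listed first; with `deny-overrides` it does not, which is the sort of rule-interaction question the thread leaves open.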