[RADIATOR] TACACS Configuration to AuthorizeGroup
    David Heinz 
    heinzdb at corp.earthlink.com
       
    Tue Jun 21 12:49:48 CDT 2011
    
    
  
I've recently added some Juniper routers to the network that are authenticating against a legacy freeware TACACS server. I'm moving to the Radiator format but am not sure how to convert the configuration to an "AuthorizeGroup"... Below is the example config I want to convert.

service = arbor {
   arbor_group = arbor_user
}
service = exec {
   priv-lvl = 15
}
service = junos-exec {
   local-user-name = noc-user
   allow-commands = "configure private|clear interface"
   allow-configuration = "routing-options static route .* next-hop ds.*"
   deny-commands = "configure|ssh*|test*|request*|file*|mtrace*"
}

Would it look something like this?

AuthorizeGroup ADMINTEST permit service=shell cmd\* {priv-lvl=15 idletime=45 timeout=600}
AuthorizeGroup ADMINTEST permit service=arbor cmd\* {arbor_group=arbor_user}
AuthorizeGroup ADMINTEST permit service=junos-exec cmd\* {local-user-name=noc-user allow-commands="configure private|clear interface" \
     allow-configuration="routing-options static route .* next-hop ds.*" deny-commands="configure|ssh*|test*|request*|file*|mtrace*"}
AuthorizeGroup ADMINTEST permit .*

I wasn't sure if I needed a new "service=junos-exec" or if those commands could just go under the normal "service=shell cmd\*" section.

Thanks in advance,
Dave