[RADIATOR] TACACS Configuration to AuthorizeGroup

Heikki Vatiainen hvn at open.com.au
Wed Jun 22 09:38:57 CDT 2011 

On 06/21/2011 08:49 PM, David Heinz wrote:

> I've recently added some Juniper routers into the network that are authenticating against a legacy freeware tacacs server. I'm moving to the Radiator format but am not sure how to convert the configuration to an "AuthorizeGroup"... Below is the example config I'm wanting to convert.
> 
> service = arbor {
>    arbor_group = arbor_user
> }
> service = exec {
>    priv-lvl = 15
> }
> service = junos-exec {
>    local-user-name = noc-user
>    allow-commands = "configure private|clear interface"
>    allow-configuration = "routing-options static route .* next-hop ds.*"
>    deny-commands = "configure|ssh*|test*|request*|file*|mtrace*"
> }
> 
> Would this look something like??

The syntax looks correct, but you should do testing to see what Radiator
actually receives.

Also, have you noticed goodies/tacacsplustest? Using your configure as
an example (note: mail client wraps long lines):

% perl goodies/tacacsplustest -trace 4 -port 4949 -noacct \
  -author_args service=junos-exec,cmd'*'

Connecting to TACACS+ server localhost:4949
sending Authentication request...
authentication response: 193, 1, 2, 0, 1234, 1, 0, ,
Disconnect from localhost:4949
OK
sending Authorization request...

authorization response: 192, 2, 2, 0, 1234, 1, , ,
local-user-name=noc-user allow-commands=configure private|clear
interface allow-configuration=routing-options static route .* next-hop
ds.* deny-commands=configure|ssh*|test*|request*|file*|mtrace*

Disconnect from localhost:4949
OK


tacacsplustest can be very useful for testing the configuration.

> AuthorizeGroup ADMINTEST permit service=shell cmd\* {priv-lvl=15 idletime=45 timeout=600}
> AuthorizeGroup ADMINTEST permit service=arbor cmd\* {arbor_group=arbor_user}
> AuthorizeGroup ADMINTEST permit service=junos-exec cmd\* {local-user-name=noc-user allow-commands="configure private|clear interface" \
>      allow-configuration="routing-options static route .* next-hop ds.*" deny-commands="configure|ssh*|test*|request*|file*|mtrace*"}
> AuthorizeGroup ADMINTEST permit .*
> 
> I wasn't sure if I needed a new "service=junos-exec" or if those commands could just go under the normal "service=shell cmd\*" section.

I would not move the commands if JunOS uses junos-exec as service name
instead of shell. Note that permit .* as the last action and pattern can
easily grant too much access if the matching rules are incorrect.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list