[RADIATOR] TACACS Configuration to AuthorizeGroup

Patrik Forsberg patrik.forsberg at ip-only.se
Wed Jun 22 09:44:30 CDT 2011 

This is a working example of how I've set it up.. it doesn't restrict the use of commands on juniper tho.

AuthorizeGroup <GROUP> permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup <GROUP> permit service=shell cmd= {priv-lvl=15}
AuthorizeGroup <GROUP> permit service=junos-exec {local-user-name=<TEMPLATE_USER>}
AuthorizeGroup <GROUP> permit service=arbor {arbor_group=system_admin}
AuthorizeGroup <GROUP> permit .*

it might help.. or might not ;)


Regards,
Patrik Forsberg

From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of David Heinz
Sent: Tuesday, June 21, 2011 7:50 PM
To: radiator at open.com.au
Subject: [RADIATOR] TACACS Configuration to AuthorizeGroup

I've recently added some Juniper routers into the network that are authenticating against a legacy freeware tacacs server. I'm moving to the Radiator format but am not sure how to convert the configuration to an "AuthorizeGroup"... Below is the example config I'm wanting to convert.

service = arbor {
   arbor_group = arbor_user
}
service = exec {
   priv-lvl = 15
}
service = junos-exec {
   local-user-name = noc-user
   allow-commands = "configure private|clear interface"
   allow-configuration = "routing-options static route .* next-hop ds.*"
   deny-commands = "configure|ssh*|test*|request*|file*|mtrace*"
}

Would this look something like??

AuthorizeGroup ADMINTEST permit service=shell cmd\* {priv-lvl=15 idletime=45 timeout=600}
AuthorizeGroup ADMINTEST permit service=arbor cmd\* {arbor_group=arbor_user}
AuthorizeGroup ADMINTEST permit service=junos-exec cmd\* {local-user-name=noc-user allow-commands="configure private|clear interface" \
     allow-configuration="routing-options static route .* next-hop ds.*" deny-commands="configure|ssh*|test*|request*|file*|mtrace*"}
AuthorizeGroup ADMINTEST permit .*

I wasn't sure if I needed a new "service=junos-exec" or if those commands could just go under the normal "service=shell cmd\*" section.

Thanks in advance
Dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20110622/d2964109/attachment.html

More information about the radiator mailing list