[RADIATOR] Radmin Web interface
Murat Bilal
murat.bilal at ericsson.com
Mon Dec 3 03:32:24 CST 2012
Hi all,
mysql> select * from RADGROUPAUTH;
+-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
| ATTRIBUTE | AUTHRULE | DEVICEGROUP | PRIORITY | PROTOCOL | TYPE | USERGROUP | VALUE |
+-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
| NULL | NULL | x.x.x.x | NULL | NULL | NULL | test | NULL |
| NULL | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
| NULL | NULL | x.x.x.x | NULL | NULL | NULL | DDAP15 | NULL |
| NULL | NULL | x.x.x.x | NULL | NULL | NULL | gm | NULL |
| NULL | deny service=shell cmd=show cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
| NULL | permit .* {} | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
| NULL | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
| NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL |
| NULL | NULL | x.x.x.x | NULL | NULL | NULL | AADP15 | NULL |
| NULL | NULL | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
| NULL | deny service=shell cmd=show cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
| NULL | deny service=shell cmd=ping cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
| NULL | deny service=shell cmd=ping cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
| NULL | permit .* {} | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
+-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
I have 4 rules in the AUTHRULE column. This is the debug log for Access-Accept:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: ~<244>'Z<160>cB<211><31><171><171>ze<132><178><151>
Attributes:
OSC-Group-Identifier = "DDAP6"
OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
I cannot get the other attributes. It returns only one row. How can I get the other attributes?
Here is my Radmin config:
AuthSelect select na.PASS_WORD,na.STATICADDRESS,na.TIMELEFT,\
na.MAXLOGINS, na.SERVICENAME, na.BADLOGINS, na.VALIDFROM, na.VALIDTO,\
na.TACACSGROUPID,ga.DEVICEGROUP, ga.AUTHRULE\
from RADUSERS as na,RADGROUPAUTH as ga where\
na.USERNAME='%n' and na.BADLOGINS < 5 and \
na.VALIDFROM < %t and na.VALIDTO > %t and na.TACACSGROUPID=ga.USERGROUP
AuthColumnDef 0, OSC-Group-Identifier, reply
AuthColumnDef 2,OSC-Authorize-Group,reply
I also tried GENERIC but had no luck.
Thanks
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: Friday, 30 November 2012 12:24
To: radiator at open.com.au
Subject: Re: [RADIATOR] Radmin Web interface
On 11/30/2012 01:07 AM, Murat Bilal wrote:
> I do not understand. I want to edit those commands from the Radmin Web
> Interface, not in /etc/radiator/radiator.cfg
Hello Murat,
please see below, I was describing doing this with Radmin. With Radmin you need to add each line as a reply attribute. The attribute name (such as OSC-Authorize-Group) is then configured as AuthorizeGroupAttr in <ServerTACACSPLUS>.
Thanks,
Heikki
> -----Original Message-----
> From: radiator-bounces at open.com.au
> [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
> Sent: Thursday, 29 November 2012 14:58
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] Radmin Web interface
>
> On 11/28/2012 11:16 PM, Murat Bilal wrote:
>
>> In <ServerTACACSPlus> clause I have rules for command auth such as below:
>> AuthorizeGroup DDAP6 permit service=shell cmd\* {priv-lvl=6}
>> AuthorizeGroup DDAP6 deny service=shell cmd=show cmd-arg=.*
>> AuthorizeGroup DDAP6 deny service=shell cmd=ping cmd-arg=.*
>> AuthorizeGroup DDAP6 permit .* {}
>
>> Is it possible to write these rules from the Radmin Web interface? If so,
>> in which table? I am using the latest Radmin and Radiator versions.
>
> Hello Murat,
>
> yes, this is possible. Just add each line as e.g., OSC-Authorize-Group with Radmin. That is, the user should have four OSC-Authorize-Group reply attributes.
>
> Then configure your <ServerTACACSPLUS> with
> AuthorizeGroupAttr OSC-Authorize-Group
>
> When you authenticate, the Access-Accept should have:
> OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
> OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*"
> OSC-Authorize-Group = "deny service=shell cmd=ping cmd-arg=.*"
> OSC-Authorize-Group = "permit .* {}"
> OSC-Group-Identifier = "group1"
>
> Here OSC-Group-Identifier is configured as GroupMemberAttr. This will set 'group1' as the authorization group for the user. During the authorization the OSC-Authorize-Group attribute values are processed first followed by group1 values as defined by AuthorizeGroup configuration options.
>
> Thanks,
> Heikki
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
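The authorization order Heikki describes (the OSC-Authorize-Group reply values first, then the AuthorizeGroup rules of the group named by OSC-Group-Identifier) as a small Python model, added here as an illustration; it is not code from the thread or from Radiator. The rule syntax follows the examples in the thread; that a rule pattern is a regex searched against the space-joined request AV pairs, that the first matching rule decides, and the group1 rules themselves are assumptions.

```python
import re

# Constructed Access-Accept attributes, in the shape shown in the thread.
ACCESS_ACCEPT = [
    ("OSC-Authorize-Group", r"permit service=shell cmd\* {priv-lvl=6}"),
    ("OSC-Authorize-Group", "deny service=shell cmd=show cmd-arg=.*"),
    ("OSC-Authorize-Group", "deny service=shell cmd=ping cmd-arg=.*"),
    ("OSC-Authorize-Group", "permit .* {}"),
    ("OSC-Group-Identifier", "group1"),
]

# Hypothetical stand-in for AuthorizeGroup lines in <ServerTACACSPLUS>.
AUTHORIZE_GROUP = {
    "group1": ["deny service=shell cmd=reload.*", "permit service=shell cmd=show.*"],
}

# permit|deny <pattern> [{attr=value ...}]
RULE_RE = re.compile(r"^(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?$")

def parse_rule(text):
    """Split one rule into (action, compiled pattern, reply attribute dict)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("bad rule: %r" % text)
    action, pattern, attrs = m.groups()
    reply = dict(a.split("=", 1) for a in (attrs or "").split())
    return action, re.compile(pattern), reply

def ordered_rules(accept, groups, authorize_attr="OSC-Authorize-Group",
                  member_attr="OSC-Group-Identifier"):
    """Reply-attribute rules first, then the rules of the user's group."""
    rules = [v for n, v in accept if n == authorize_attr]
    for n, v in accept:
        if n == member_attr:
            rules += groups.get(v, [])
    return [parse_rule(r) for r in rules]

def authorize(request_avs, rules):
    """First matching rule wins (assumed); no match is an implicit deny."""
    joined = " ".join(request_avs)
    for action, pattern, reply in rules:
        if pattern.search(joined):
            return action, reply
    return "deny", {}

if __name__ == "__main__":
    rules = ordered_rules(ACCESS_ACCEPT, AUTHORIZE_GROUP)
    print(authorize(["service=shell", "cmd*"], rules))
    print(authorize(["service=shell", "cmd=show", "cmd-arg=interfaces"], rules))
```

Note that the catch-all "permit .* {}" among the reply attributes is evaluated before any group1 rule, so a deny in the group's AuthorizeGroup list can never be reached.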