[RADIATOR] Radmin Web interface
Heikki Vatiainen
hvn at open.com.au
Mon Dec 3 07:13:35 CST 2012
On 12/03/2012 11:32 AM, Murat Bilal wrote:
> mysql> select * from RADGROUPAUTH;
Hello Murat,
having a number of rows works with AuthBy RADMIN since this module knows
the user or service profile can have multiple check and reply
attributes. This is one of the differences between AuthBy RADMIN and
plain AuthBy SQL.
The reason you get only one return attribute with AuthColumnDef is when
the user information is looked up from the SQL, only the first returned
row is used. If there are multiple rows, the values for those rows are
not processed at all.
This is also why type GENERIC is there. You should be able to specify
all return attributes on one row by putting the attributes into on
column with name1=val1,name2=val2,... syntax.
If you want to use AuthSelect, then type GENERIC is they way to return
all attributes.
> +-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
> | ATTRIBUTE | AUTHRULE | DEVICEGROUP | PRIORITY | PROTOCOL | TYPE | USERGROUP | VALUE |
> +-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | test | NULL |
> | NULL | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | DDAP15 | NULL |
> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | gm | NULL |
> | NULL | deny service=shell cmd=show cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
> | NULL | permit .* {} | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
> | NULL | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
> | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL |
> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | AADP15 | NULL |
> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
> | NULL | deny service=shell cmd=show cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
> | NULL | deny service=shell cmd=ping cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
> | NULL | deny service=shell cmd=ping cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
> | NULL | permit .* {} | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
> +-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
>
> I have 4 rules in AUTHRULE column.This is the debug log for Access-Accept
>
> *** Reply to TACACSPLUS request:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: ~<244>'Z<160>cB<211><31><171><171>ze<132><178><151>
> Attributes:
> OSC-Group-Identifier = "DDAP6"
> OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
>
> I cannot get other attributes.It returns only 1 one row How can I get the other Attributes?
>
> Here is my radmin config
>
> AuthSelect select na.PASS_WORD,na.STATICADDRESS,na.TIMELEFT,\
> na.MAXLOGINS, na.SERVICENAME, na.BADLOGINS, na.VALIDFROM, na.VALIDTO,\
> na.TACACSGROUPID,ga.DEVICEGROUP, ga.AUTHRULE\
> from RADUSERS as na,RADGROUPAUTH as ga where\
> na.USERNAME='%n' and na.BADLOGINS < 5 and \
> na.VALIDFROM < %t and na.VALIDTO > %t and na.TACACSGROUPID=ga.USERGROUP
>
>
> AuthColumnDef 0, OSC-Group-Identifier, reply
> AuthColumnDef 2,OSC-Authorize-Group,reply
>
> I also try GENERIC but no luck
>
> Thanks
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
> Sent: 30 Kasım 2012 Cuma 12:24
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] Radmin Web interface
>
> On 11/30/2012 01:07 AM, Murat Bilal wrote:
>
>> I do not understand.i want to edit those commands from Radmin Web
>> Interface, not in /etc/radiator/radiator.cfg
>
> Hello Murat,
>
> please see below, I was describing doing this with Radmin. With Radmin you need to add each line as a reply attribute. The attribute name (such as OSC-Authorize-Group) is then configured as AuthorizeGroupAttr in <ServerTACACSPLUS>.
>
> Thanks,
> Heikki
>
>> -----Original Message-----
>> From: radiator-bounces at open.com.au
>> [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
>> Sent: 29 Kasım 2012 Perşembe 14:58
>> To: radiator at open.com.au
>> Subject: Re: [RADIATOR] Radmin Web interface
>>
>> On 11/28/2012 11:16 PM, Murat Bilal wrote:
>>
>>> In <ServerTACACSPlus> clause I have rules for command auth such as below:
>>> AuthorizeGroup DDAP6 permit service=shell cmd\* {priv-lvl=6}
>>> AuthorizeGroup DDAP6 deny service=shell cmd=show cmd-arg=.*
>>> AuthorizeGroup DDAP6 deny service=shell cmd=ping cmd-arg=.*
>>> AuthorizeGroup DDAP6 permit .* {}
>>
>>> Is it possible to write these rules from Radmin Web interface?If so
>>> in which table .I am using the latest Radmin and Radiator version
>>
>> Hello Murat,
>>
>> yes, this is possible. Just add each line as e.g., OSC-Authorize-Group with Radmin. That is, the user should have four OSC-Authorize-Group reply attributes.
>>
>> Then configure your <ServerTACACSPLUS> with
>> AuthorizeGroupAttr OSC-Authorize-Group
>>
>> When you authenticate, the Access-Accept should have:
>> OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
>> OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*"
>> OSC-Authorize-Group = "deny service=shell cmd=ping cmd-arg=.*"
>> OSC-Authorize-Group = "permit .* {}"
>> OSC-Group-Identifier = "group1"
>>
>> Here OSC-Group-Identifier is configured as GroupMemberAttr. This will set 'group1' as the authorization group for the user. During the authorization the OSC-Authorize-Group attribute values are processed first followed by group1 values as defined by AuthorizeGroup configuration options.
>>
>> Thanks,
>> Heikki
>>
>>
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list