[RADIATOR] group DEFAULT. No matching AuthorizeGroup

Heikki Vatiainen hvn at open.com.au
Fri Nov 9 09:15:50 CST 2012


On 11/09/2012 02:40 PM, Murat Bilal wrote:

> INFO: Authorization denied for tacuser7, group DEFAULT. No matching
> AuthorizeGroup rule for args service=shell cmd=show cmd-arg=version

Hello Murat, please review doc/ref.pdf and documentation for
GroupMemberAttr.

> My Config is below. I give the name of the group to group 1 but still
> shows group name DEFAULT when debugging. When I change the group name to
> DEFAULT it is ok. Why can I not use the group name as group 1?

GroupMemberAttr should be set to the name of the attribute in the
Access-Accept. For example OSC-Group-Identifier. The value of the attribute
(e.g., the value of OSC-Group-Identifier) should be e.g., 'group1' or 'group3'.

I noticed you have tried for example this in ServerTACACSPLUS clause:

  AddToRequest OSC-Group-Identifier = tacuser3*

What you should have is 'AddToReply OSC-Group-Identifier=...' in the AuthBy
clause that authenticates the TACACS+ user. The value in place of '...'
should be 'group1', 'group3', or whatever groups you have in your
AuthorizeGroup options.

Thanks,
Heikki


> <ServerTACACSPLUS>
> #       AddToRequest OSC-Environment-Identifier=Tacacs
>          AddToRequest NAS-Identifier=TACACS
> #         AuthorizeGroup tacuser3 permit service=shell cmd* {priv-lvl=15}
>          GroupMemberAttr group1
>          AuthorizeGroupAttr group1  permit service=shell cmd=show cmd-args=.*
> #         AddToRequest OSC-Group-Identifier = tacuser3
> #         AddToRequest OSC-Group-Identifier = tac
>          AuthorizeGroup group1  permit service=shell cmd=show cmd-args=.*
>          AuthorizeGroup group1 permit .*
> </ServerTACACSPLUS>
> 
> MURAT BİLAL
> Services Engineer
> 
> Ericsson Turkey
> CU Customer Support
> Cyber Plaza C Blok Kat:1 No:146
> Cyberpark 6800 Bilkent/Ankara
> Mobile +90 554 898 98 43
> murat.bilal at ericsson.com
> www.ericsson.com


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
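As an added illustration of the wiring Heikki describes (example configuration written for this archive page, not taken from the thread or from Radiator's own documentation): the AuthBy that authenticates the TACACS+ user puts the group name into the Access-Accept with AddToReply, GroupMemberAttr names that attribute, and the AuthorizeGroup rules are keyed by the attribute's value. The Identifier, users file path, shared key, the use of `deny` as the counterpart of `permit`, and the DEFAULT fallback rule are assumptions.

```conf
# Example only (not from the thread). The AuthBy that authenticates the
# TACACS+ user adds the group name to the reply. Names and paths are assumed.
<AuthBy FILE>
        Identifier AuthTacacsUsers
        # Assumed flat users file holding tacuser7 etc. with their password check items
        Filename %D/tacacs-users
        # The VALUE of this attribute is the group name used by AuthorizeGroup.
        # AddToReply applies to every user this AuthBy accepts; to give users
        # different groups, put OSC-Group-Identifier in each user's reply items
        # in the users file instead.
        AddToReply OSC-Group-Identifier=group1
</AuthBy>

<Handler>
        AuthBy AuthTacacsUsers
</Handler>

<ServerTACACSPLUS>
        # Assumed shared secret with the TACACS+ client
        Key placeholder-secret
        # Name of the attribute in the Access-Accept, not the group name itself
        GroupMemberAttr OSC-Group-Identifier
        # Rules keyed by the attribute value ('group1'), matched in order
        AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
        AuthorizeGroup group1 deny .*
        # Users whose reply carries no group attribute fall into group DEFAULT;
        # denying everything there keeps the "No matching AuthorizeGroup" case explicit
        AuthorizeGroup DEFAULT deny .*
</ServerTACACSPLUS>
```

With this layout a debug trace for tacuser7 shows group group1 rather than DEFAULT, and `show version` matches the first group1 rule while any other shell command hits the deny.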
