[RADIATOR] group DEFAULT. No matching AuthorizeGroup rule
Murat Bilal
murat.bilal at ericsson.com
Mon Nov 19 02:13:19 CST 2012
Hi all,
I have very simple conf as below:
<ServerTACACSPLUS>
    Key somekey
    AddToRequest NAS-Identifier=TACACS
    GroupMemberAttr OSC-AVPAIR
    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet 169.163.226.81"}
    AuthorizeGroup group1 permit service=ppp protocol=ip {inacl=101 outacl=102}
    AuthorizeGroupAttr permit service=shell cmd\* {priv-lvl=15}
    AuthorizeGroupAttr permit service=shell cmd\* {priv-lvl=1}
    AuthorizeGroupAttr permit .* {}
</ServerTACACSPLUS>

<Handler>
    <AuthBy SQL>
        Identifier SQLTAC
        # See the reference manual. You will also have to
        # change the one in <SessionDatabase SQL> below
        # so it's the same
        DBSource dbi:mysql:radius:localhost
        DBUsername raduser
        DBAuth raduser
        # AuthSelect select PASSWORD 'Auth-Type=AuthSQL from SUBSCRIBERS where USERNAME=%0 in 'GroupList="group1 group2 group3 group8"'
        # AuthSelect select PASSWORD 'Auth-Type=AuthSQL from SUBSCRIBERS where USERNAME=%0 in ($GroupMembershipQuery)
        # You can customise the SQL query used to get user details with the
        # AuthSelect parameter:
        # AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
        # You can use statement caching and bound variables with AuthSelectParam:
        # AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=?
        # AuthSelectParam %u
        # You can control what is done with each field returned from the
        # AuthSelect query with the AuthColumnDef parameter:
        AuthColumnDef 1, OSC-Group-Identifier, reply
        # You may want to tailor these for your ACCOUNTING table
        # You can add your own columns to store whatever you like
        AccountingTable ACCOUNTING
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASPORT,NAS-Port,integer
        AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
        GroupMembershipQuery select GROUPNAME from GROUPS where USERNAME=%0 and GROUPNAME=%1
        # GroupMembershipQueryParam %0
        # GroupMembershipQueryParam %1
    </AuthBy>
</Handler>
This conf works very well with AuthBy FILE. When I try AuthBy SQL I get the "group DEFAULT. No matching AuthorizeGroup rule" error, and cannot make TACACS authorization.
In the reference manual it says GroupMembershipQuery checks to validate both the username and appropriate group membership. But as far as I can see it cannot do that and cannot return a reply for the group identifier.
Please help. I checked the reference manual but found nothing.
MURAT BİLAL
Services Engineer
Ericsson Turkey
CU Customer Support
Cyber Plaza C Blok Kat:1 No:146
Cyberpark 6800 Bilkent/Ankara
Mobile +90 554 898 98 43
murat.bilal at ericsson.com
www.ericsson.com
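A small model, added here and not Radiator's own code, of how the posted GroupMembershipQuery and AuthorizeGroup lines are meant to work together: the membership query is run once per configured group with %0 and %1 as bound parameters, and a request is only checked against the rules of groups the query confirmed, so a user whose group cannot be resolved has no rule left to match. The sample table rows, the simplified rule-matching semantics and all function names are assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample rows (USERNAME, GROUPNAME) for the GROUPS table the
# posted GroupMembershipQuery reads; not real data.
SAMPLE_GROUPS = [("alice", "group1"), ("bob", "group2")]

# Rules modelled on the posted AuthorizeGroup lines:
# (group, action, av-pair patterns that must all match the request)
RULES = [
    ("group1", "permit", {"service": "shell", "cmd": "show", "cmd-arg": ".*"}),
    ("group1", "permit", {"service": "ppp", "protocol": "ip"}),
]

def open_sample_db():
    # In-memory SQLite stand-in for the MySQL 'radius' database.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table GROUPS (USERNAME text, GROUPNAME text)")
    conn.executemany("insert into GROUPS values (?, ?)", SAMPLE_GROUPS)
    return conn

def is_member(conn, username, groupname):
    """The posted GroupMembershipQuery with %0 and %1 as bound parameters
    (what the commented-out GroupMembershipQueryParam lines would do), so
    the username is never spliced into the SQL text."""
    row = conn.execute(
        "select GROUPNAME from GROUPS where USERNAME=? and GROUPNAME=?",
        (username, groupname)).fetchone()
    return row is not None

def resolve_groups(conn, username, candidate_groups):
    """Run the membership query once per configured group; only groups
    that answer contribute AuthorizeGroup rules for this user."""
    return [g for g in sorted(candidate_groups) if is_member(conn, username, g)]

def authorize(groups, request):
    """Action of the first rule whose group the user holds and whose every
    av-pair pattern fully matches the request; None when nothing matches
    (the 'No matching AuthorizeGroup rule' case from the subject line)."""
    for group, action, patterns in RULES:
        if group not in groups:
            continue
        if all(re.fullmatch(p, request.get(a, "")) for a, p in patterns.items()):
            return action
    return None

def decide(conn, username, request):
    groups = resolve_groups(conn, username, {g for g, _, _ in RULES})
    return authorize(groups, request)
```

Running decide() for a user whose membership query returns no rows is the situation the error message describes: no group, no candidate rules, no decision.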