[RADIATOR] TACACS: context & Calling-Station-Id

Heikki Vatiainen hvn at open.com.au
Fri Mar 15 01:04:54 CDT 2013


On 03/14/2013 06:18 PM, Fabio Prina wrote:

> I'm developing a hook to return different "GroupMemberAttr" based on the Calling-Station-Id and NAS-IP-Address of the request.
> The same user from 2 different clients can have different permissions, but "the context" is based only on NAS-IP-Address and this causes permission overrides between sessions.

Hello Fabio,

NAS-IP-Address gets its value from the TACACS+ TCP connection's peer IP
address. Calling-Station-Id is an ASCII string, possibly empty, that
should describe where the user is coming from.

See http://tools.ietf.org/html/draft-grant-tacacs-02

> So I patched the ServerTACACSPLUS.pm to be able to use also Calling-Station-Id in the "context"

This makes authorization different based on where the user is logging in
from. Can you tell why you could not use two different user (role) names
for different authorization rules? This would help to better understand
the implications of this patch.

> If needed, attached you can find my horrible patch.
> I've added a Parameter (flag) "RemoteInContext" to enable/disable the option.

Thanks,
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
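A standalone illustration, added here and not taken from the thread or from Radiator's own ServerTACACSPLUS.pm, of the context-keying behaviour Fabio describes: with the key built from NAS-IP-Address alone, two sessions of the same user through the same NAS collapse into one entry and the later one overwrites the earlier, while a RemoteInContext-style key that also carries Calling-Station-Id keeps them apart. The user@NAS key shape, the empty-Calling-Station-Id fallback, the attribute names used as hash keys and the sample addresses are all assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample requests: one user, one NAS (the TCP peer address),
# three client origins. The third carries an empty Calling-Station-Id,
# which the draft allows.
my @requests = (
    { 'User-Name' => 'fabio', 'NAS-IP-Address' => '10.0.0.1',
      'Calling-Station-Id' => '192.0.2.10', group => 'admin' },
    { 'User-Name' => 'fabio', 'NAS-IP-Address' => '10.0.0.1',
      'Calling-Station-Id' => '192.0.2.20', group => 'readonly' },
    { 'User-Name' => 'fabio', 'NAS-IP-Address' => '10.0.0.1',
      'Calling-Station-Id' => '',           group => 'readonly' },
);

# Build the context key. Without the flag the key is user@NAS only
# (key shape assumed), so every client behind the same NAS shares it.
sub context_key {
    my ($req, $remote_in_context) = @_;
    my $key = $req->{'User-Name'} . '@' . $req->{'NAS-IP-Address'};
    return $key unless $remote_in_context;
    # Calling-Station-Id may be empty: fall back to the NAS-only key
    # instead of pooling every unlabelled client into one "" bucket.
    my $csid = $req->{'Calling-Station-Id'} // '';
    return $csid ne '' ? "$key/$csid" : $key;
}

# Store each request's group under its key; a repeated key overwrites,
# which is exactly the cross-session override Fabio reports.
sub store_contexts {
    my ($remote_in_context, @reqs) = @_;
    my %context;
    for my $r (@reqs) {
        my $k = context_key($r, $remote_in_context);
        $context{$k} = { group => $r->{group},
                         from  => $r->{'Calling-Station-Id'} };
    }
    return \%context;
}

for my $flag (0, 1) {
    my $ctx = store_contexts($flag, @requests);
    printf "RemoteInContext=%d -> %d context entries\n",
        $flag, scalar(keys %$ctx);
    printf "  %-28s group=%s\n", $_, $ctx->{$_}{group} for sort keys %$ctx;
}
```

With the flag off the single fabio@10.0.0.1 entry ends up holding the last group written (readonly), so the admin session from 192.0.2.10 has lost its authorization; with the flag on the two addressed clients keep separate entries and only the empty-Calling-Station-Id session shares the NAS-only key.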
