[RADIATOR] Authorizing users via TACACS for Juniper Netscreens
Hugh Irvine
hugh at open.com.au
Tue Jun 24 20:49:12 CDT 2014
Hello Craig -
There are several steps:
1. define the AuthorizeGroup’s you require
2. specify the return attributes you need for each AuthorizeGroup (syntax will depend on the specific device)
3. perform the authentication and set which AuthorizeGroup the user belongs to
…..
See the examples in section 5.96.10 in the Radiator 4.13 reference manual (“doc/ref.pdf”).
See also the examples in “goodies/tacacsplusserver.cfg” and “goodies/tacplus.txt”.
regards
Hugh
On 25 Jun 2014, at 10:51, Craig Ayliffe <Craig.Ayliffe at brennanit.com.au> wrote:
> Hi Hugh,
>
> Actually I was looking for a way to set the vsys/privilege to restrict what a user can do.
>
> i.e. wanted to do something like this:
> AuthorizeGroup READ permit service=netscreen {vsys=root privilege=read-only}
> AuthorizeGroup WRITE permit service=netscreen {vsys=root privilege=root}
>
> Or do I need to use something like AuthorizeAdd/AuthorizeReplace to pass back attribute-value pairs?
>
> Regards,
>
> Craig
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Wednesday, 25 June 2014 8:39 AM
> To: Craig Ayliffe
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Authorizing users via TACACS for Juniper Netscreens
>
>
> Hello Craig -
>
> The usual way to do this is with Identifiers in the Client clauses and Handlers to match.
>
> Something like this:
>
>
> .....
>
> <Client 1.1.1.1>
> Identifier JuniperNetscreen
> Secret .....
> .....
> </Client>
>
> <Client 2.2.2.2>
> Identifier JuniperNetscreen
> Secret .....
> .....
> </Client>
>
> <Client 3.3.3.3>
> Identifier JuniperNetscreen
> Secret .....
> .....
> </Client>
>
> .....
>
> <Handler Client-Identifier = JuniperNetscreen>
>
> <AuthBy .....>
> .....
> </AuthBy>
>
> </Handler>
>
> .....
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 24 Jun 2014, at 23:24, Craig Ayliffe <Craig.Ayliffe at brennanit.com.au> wrote:
>
>> Hi,
>>
>> I am looking for examples of Radiator configuration to restrict users logging into Juniper Netscreens running ScreenOS 6.3 and higher.
>>
>> Need to be able to specify the vsys to be Root and the privilege to be either 'root' or 'read-only' depending of their AuthorizeGroup configuration.
>>
>> Haven't been able to find any examples anywhere.
>> Would appreciate any assistance.
>>
>> Regards,
>>
>> Craig
>>
>> Craig Ayliffe | Brennan IT | Infrastructure Engineer
>>
>> T: 02 8235 3515 | M: 0410 400 546 | Craig.Ayliffe at brennanit.com.au | www.brennanit.com.au
>>
>> <image940dd2.jpg at f917d609.b99d4a76>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
More information about the radiator
mailing list