[RADIATOR] Radiator Authorization Cisco ASA

Heikki Vatiainen hvn at open.com.au
Mon Jan 5 08:25:57 CST 2015


On 5.1.2015 15.34, Steve Normoyle wrote:

> I have a Cisco ASA with multiple contexts.  I am trying to deny the use
> of the command "changeto context system", but allow an authorized group to
> be able to change to any of the other contexts.  When a user types in the
> command they get denied.

Hello Steve,

Does it work if you reorder the first two lines? That is, deny the more 
specific first and then allow the less specific.

If this does not help, please reply with more debug logs that show the 
authorization request from the ASA and the processing Radiator does on it.

> I have entered
> "authorizedgroup <readonly group> permit service=shell cmd=changeto
> cmd-arg="context <other context name>"
> "authorizedgroup <readonly group> deny service=shell cmd=changeto
> cmd-arg="context system"
> "authorizedgroup <readonly group> deny .*"

Just to make sure: the configuration parameter is AuthorizeGroup (no d 
and with capital A and G). There should especially be no d.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
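The ordering point in the reply, shown as an added example that is not Radiator code and not part of this thread: a small first-match evaluator run over the three rules from the question. It assumes first-match evaluation and regex matching of attribute values (both inferred from the advice to reorder, not confirmed by this thread), and it stands in a hypothetical broad pattern `context .*` for the `<other context name>` placeholder.

```python
import re

# Constructed rule set in the order it was posted: broad permit, then the
# specific deny, then a catch-all deny. Each rule is (action, {attribute: regex});
# an empty attribute map is the catch-all equivalent of "deny .*".
RULES_AS_POSTED = [
    ("permit", {"service": "shell", "cmd": "changeto", "cmd-arg": r"context .*"}),   # assumed broad pattern
    ("deny",   {"service": "shell", "cmd": "changeto", "cmd-arg": r"context system"}),
    ("deny",   {}),
]

# The reordering suggested in the reply: the more specific deny first.
RULES_REORDERED = [RULES_AS_POSTED[1], RULES_AS_POSTED[0], RULES_AS_POSTED[2]]


def authorize(rules, request):
    """Return the action of the first rule whose every attribute fully matches.

    First-match semantics and full regex matching are assumptions of this
    example. A request that matches no rule is denied by default.
    """
    for action, conditions in rules:
        if all(re.fullmatch(pattern, request.get(attr, ""))
               for attr, pattern in conditions.items()):
            return action
    return "deny"


def changeto(context):
    """Build a constructed shell command-authorization request for 'changeto context <name>'."""
    return {"service": "shell", "cmd": "changeto", "cmd-arg": f"context {context}"}


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("reordered", RULES_REORDERED)):
        for ctx in ("system", "admin"):
            print(f"{name:9s} changeto context {ctx:6s} -> {authorize(rules, changeto(ctx))}")
```

With the broad permit first, the system context slips through because it is matched before the deny is reached; with the deny moved ahead of it, the system context is blocked while other contexts remain permitted.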