[RADIATOR] Radiator Authorization Cisco ASA

Hartmaier Alexander alexander.hartmaier at t-systems.at
Wed Jan 7 05:36:47 CST 2015


You need to specify the cmd-arg multiple times, one for each
space-separated argument:

AuthorizeGroup <readonly group> deny service=shell cmd=changeto cmd-arg=context cmd-arg=system
AuthorizeGroup <readonly group> permit service=shell cmd=changeto cmd-arg=context cmd-arg=<other context name>
AuthorizeGroup <readonly group> deny .*

BR Alex

On 2015-01-05 15:25, Heikki Vatiainen wrote:
> On 5.1.2015 15.34, Steve Normoyle wrote:
>
>> I have a Cisco ASA with multiple contexts. I am trying to deny the use
>> of the command "changeto context system", but allow the authorized group
>> to be able to change to any of the other contexts. When the user types in
>> the command they get denied.
> Hello Steve,
>
> does it work if you reorder the first two lines? That is, deny the more
> specific first and allow the less specific then.
>
> If this does not help, please reply with more debug logs that show the
> authorization request from ASA with the processing Radiator does.
>
>> I have entered
>> "authorizedgroup <readonly group> permit service=shell cmd=changeto
>> cmd-arg="context <other context name>"
>> "authorizedgroup <readonly group> deny service=shell cmd=changeto
>> cmd-arg="context system"
>> "authorizedgroup <readonly group> deny .*"
> Just to make sure: the configuration parameter is AuthorizeGroup (no d
> and with capital A and G). There should especially be no d.
>
> Thanks,
> Heikki
>
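
The point made in this thread, as an added Python example that is not part of the original messages and is not Radiator's own code: a TACACS+ client sends each space-separated command argument as its own cmd-arg pair, so a rule with a single quoted cmd-arg never matches. The matcher is a simplified model (assumptions: patterns are regexes compared to request arguments by position, first matching rule wins), and the context name ctx-a is constructed.

```python
import re

def to_args(command):
    """Split a typed command into TACACS+ authorization AV pairs:
    the first word becomes cmd=, every further word its own cmd-arg=."""
    words = command.split()
    return ["service=shell", "cmd=" + words[0]] + ["cmd-arg=" + w for w in words[1:]]

def authorize(rules, command):
    """Simplified model (assumption): pattern N must match request arg N,
    the first rule whose patterns all match decides, default is deny."""
    args = to_args(command)
    for action, patterns in rules:
        if len(patterns) <= len(args) and all(
            re.search(p, a) for p, a in zip(patterns, args)
        ):
            return action
    return "deny"

OTHER = "ctx-a"  # constructed context name, stands in for <other context name>

# Rules as first posted: both words inside one quoted cmd-arg pattern.
QUOTED_RULES = [
    ("permit", ["service=shell", "cmd=changeto", "cmd-arg=context " + OTHER]),
    ("deny", ["service=shell", "cmd=changeto", "cmd-arg=context system"]),
    ("deny", [".*"]),
]

# Rules from the reply: one cmd-arg per word, specific deny first.
SPLIT_RULES = [
    ("deny", ["service=shell", "cmd=changeto", "cmd-arg=context", "cmd-arg=system"]),
    ("permit", ["service=shell", "cmd=changeto", "cmd-arg=context", "cmd-arg=" + OTHER]),
    ("deny", [".*"]),
]

def compare(command):
    """Return (decision with quoted rules, decision with split rules)."""
    return authorize(QUOTED_RULES, command), authorize(SPLIT_RULES, command)

if __name__ == "__main__":
    for cmd in ("changeto context ctx-a", "changeto context system", "show version"):
        print(cmd, "->", to_args(cmd), compare(cmd))
```

With the quoted rules every changeto request falls through to the final deny, which is the symptom reported in the original question.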


