[RADIATOR] Changing TACACS AuthorizeGroup on the fly

Heikki Vatiainen hvn at open.com.au
Wed Mar 4 14:46:45 CST 2015


On 03/04/2015 05:01 PM, Vangelis Kyriakakis wrote:

>        I have configured the following AuthorizeGroup command:
> 
> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER}
> 
>        What I would like to do is to be able to change the ADMIN-USER
> word on the fly.
>        For example if User-Name is USER1 I would like the command to be
> 
> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER1}
>  
>        If User-Name is USER2 then it will be
> 
> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER2}
> 
>        and so on. Is there a way to do variable substitution or change
> the authorize rule on the fly (while the authorization request is being
> processed)?

See the reference manual section '5.96.11 AuthorizeGroupAttr'. Add
something like this in the ServerTACACSPLUS configuration:

  AuthorizeGroupAttr OSC-Authorize-Group

During the authentication, you can return 'group' as usual to set the
authorisation group for the user. In addition to this, you can now
return OSC-Authorize-Group with the user specific values.

For example:

<ServerTACACSPLUS>
   # Attribute in the Access-Accept that names the user's authorisation group
   GroupMemberAttr OSC-Group-Identifier
   # Attribute in the Access-Accept that carries per-user AuthorizeGroup rules
   AuthorizeGroupAttr OSC-Authorize-Group
   # Rest of the parameters
   AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
   AuthorizeGroup group1 deny .*
</ServerTACACSPLUS>

The attributes in Access-Accept for USER2 during the TACACS+
authentication would then look like this:

  OSC-Group-Identifier = "group1"
  OSC-Authorize-Group = "permit service=shell cmd\* {task*#ADMIN-USER2}"

When the TACACS+ authorization requests are processed, this is the
effective list they are evaluated against:

   AuthorizeGroup group1 permit service=shell cmd\* {task*#ADMIN-USER2}
   AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
   AuthorizeGroup group1 deny .*

In other words, the OSC-Authorize-Group attributes (there can be more
than one) returned during the authentication are evaluated before the
static configuration.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
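As an added illustration that is not part of the original message, the
following puts the pieces above together for the original question: a
file-based AuthBy that returns the two OSC attributes per user, and the
ServerTACACSPLUS clause that consumes them. The users file path, the
TACACS+ shared key, and the use of an <AuthBy FILE> inside a <Handler>
are assumptions for this example; it also assumes OSC-Group-Identifier
and OSC-Authorize-Group are both defined in the Radiator dictionary.

```text
# --- radius.cfg fragment (added example, not from the original message) ---
# Assumed: users file path and TACACS+ key. Authentication from the
# TACACS+ server is handled by the Handler/AuthBy below.
<Handler>
    <AuthBy FILE>
        Filename /etc/radiator/users
    </AuthBy>
</Handler>

<ServerTACACSPLUS>
    Key mysecretkey
    GroupMemberAttr OSC-Group-Identifier
    AuthorizeGroupAttr OSC-Authorize-Group
    # Static rules shared by all members of group1. Any rule returned in
    # OSC-Authorize-Group is evaluated before these, so the trailing
    # 'deny .*' stays the default for anything not explicitly permitted.
    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup group1 deny .*
</ServerTACACSPLUS>

# --- /etc/radiator/users (assumed path) ---
# First line: username and check items. Indented lines: reply attributes.
# The per-user rule carries the ADMIN-USERn value the original poster
# wanted substituted on the fly.
USER1   User-Password = "secret1"
        OSC-Group-Identifier = "group1",
        OSC-Authorize-Group = "permit service=shell cmd\* {task*#ADMIN-USER1}"

USER2   User-Password = "secret2"
        OSC-Group-Identifier = "group1",
        OSC-Authorize-Group = "permit service=shell cmd\* {task*#ADMIN-USER2}"
```

With this in place, USER2's Access-Accept carries OSC-Group-Identifier =
"group1" and OSC-Authorize-Group = "permit service=shell cmd\*
{task*#ADMIN-USER2}", and the effective list for that session is the
per-user permit followed by the two static group1 rules, exactly as shown
in the message above. Because the dynamic rules are prepended, keep the
static 'deny .*' as the last rule of the group so it remains the default.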

