[RADIATOR] Changing TACACS AuthorizeGroup on the fly

Vangelis Kyriakakis vkyriak at forthnet.gr
Thu Mar 5 03:49:15 CST 2015


Hello Heikki,

       That did exactly what I wanted. Thanks for your valuable help.
       One more question. If I want to add more authorization lines, can
I reuse the OSC-Authorize-Group attribute, or must I use different
attributes, OSC-Authorize-Group1, OSC-Authorize-Group2 etc.?

               Kind Regards
                       Vangelis

On 4/3/2015 10:46 PM, Heikki Vatiainen wrote:
> On 03/04/2015 05:01 PM, Vangelis Kyriakakis wrote:
>
>>        I have configured the following AuthorizeGroup command:
>>
>> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER}
>>
>>        What I would like to do is to be able to change the ADMIN-USER
>> word on the fly.
>>        For example if User-Name is USER1 I would like the command to be
>>
>> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER1}
>>  
>>        If User-Name is USER2 then it will be
>>
>> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER2}
>>
>>        and so on. Is there a way to do variable substitution or change
>> the authorize rule on the fly (while the authorization request is being
>> processed)?
> See the reference manual section '5.96.11 AuthorizeGroupAttr'. Add
> something like this in the ServerTACACS+ configuration:
>
>   AuthorizeGroupAttr OSC-Authorize-Group
>
> During the authentication, you can return 'group' as usual to set the
> authorisation group for the user. In addition to this, you can now
> return OSC-Authorize-Group with the user specific values.
>
> For example:
>
> <ServerTACACSPLUS>
>    GroupMemberAttr OSC-Group-Identifier
>    AuthorizeGroupAttr OSC-Authorize-Group
>    # Rest of the parameters
>    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
>    AuthorizeGroup group1 deny .*
> </ServerTACACSPLUS>
>
> The attributes in Access-Accept for USER2 during the TACACS+
> authentication would then look like this:
>
>   OSC-Group-Identifier = "group1"
>   OSC-Authorize-Group = "permit service=shell cmd\* {task*#ADMIN-USER2}"
>
> When the TACACS+ authorization requests are processed, this is the
> effective list they are evaluated against:
>
>    AuthorizeGroup group1 permit service=shell cmd\* {task*#ADMIN-USER2}
>    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
>    AuthorizeGroup group1 deny .*
>
> In other words, the OSC-Authorize-Group attributes (there can be more
> than one) returned during the authentication are evaluated before the
> static configuration.
>
> Thanks,
> Heikki
>
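
Putting the two messages together, the following is a complete Radiator configuration fragment plus a users file for the setup Heikki describes, including a user who gets two OSC-Authorize-Group reply items. This is an added example, not configuration from the thread or from Radiator's own documentation. The shared secret, the users file location, the user passwords and the USER2 ping rule are assumptions, and it assumes that OSC-Group-Identifier and OSC-Authorize-Group are defined in the Radiator dictionary in use (check the dictionary file if the server logs an unknown attribute).

```text
# radiator.cfg (added example; Key value and file paths are assumptions)
<ServerTACACSPLUS>
	Key changeme-shared-secret
	# Attribute in the Access-Accept that names the user's authorization group
	GroupMemberAttr OSC-Group-Identifier
	# Attribute(s) in the Access-Accept that carry per-user rules; these are
	# evaluated before the static AuthorizeGroup lines below
	AuthorizeGroupAttr OSC-Authorize-Group
	# Static rules shared by everyone in group1: first match wins, so the
	# catch-all deny must stay last
	AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
	AuthorizeGroup group1 deny .*
</ServerTACACSPLUS>

<Handler>
	<AuthBy FILE>
		Filename %D/users
	</AuthBy>
</Handler>

# %D/users (constructed sample entries; passwords are placeholders)
USER1	User-Password = "assumed-password-1"
	OSC-Group-Identifier = "group1",
	OSC-Authorize-Group = "permit service=shell cmd\* {task*#ADMIN-USER1}"

USER2	User-Password = "assumed-password-2"
	OSC-Group-Identifier = "group1",
	OSC-Authorize-Group = "permit service=shell cmd\* {task*#ADMIN-USER2}",
	OSC-Authorize-Group = "permit service=shell cmd=ping cmd-arg=.*"
```

With this in place, authorization requests from USER2 are evaluated against the two OSC-Authorize-Group rules in the order they were returned, then the static group1 permit for show, then the static deny. Two points worth checking before relying on it: the per-user attributes are treated as authorization rules that take precedence over the static configuration, so whatever backend populates OSC-Authorize-Group (a users file here, but equally an SQL or LDAP store) must be as tightly controlled as the Radiator configuration itself; and since evaluation stops at the first match, a permissive rule returned per user cannot be narrowed again by a later static line.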