[RADIATOR] Question about TACACS group assignment based on AD groups

daniel.herrmann at zv.fraunhofer.de daniel.herrmann at zv.fraunhofer.de
Wed Sep 7 08:28:46 CDT 2016

Hi all,

I want to use Radiator both for RADIUS and for TACACS for Cisco devices, including command level authorization. Based on some posts on this list I got both the active directory and the TACACS server module up and running, but struggle with the configuration of both.

If I understand correctly, the TACACS module simply converts the TACACS authentication requests to radius requests and passes them to Radiator for ordinary execution. Authorization requests are handled within the TACACS module.

My configuration currently looks as follows:

--- begin ---
<AuthBy LDAP2>
         # Define DC to connect to 
         Host                    dc-b.ad.xxxxx.com

         # Identifier to use this AuthBy Clause later
         Identifier AuthByAD

         # Administrative user used to perform LDAP queries
         AuthDN                  cn=Administrator,cn=Users,DC=ad,DC=xxxxx,DC=xxxxxxx,DC=de
         AuthPassword            xxxxxxxx

         # Where to search for users
         BaseDN                  OU= User,DC=ad,DC=xxx,DC=xxxxxxx,DC=de

         # Add Check for group membership
         AuthAttrDef memberOf, ADGroup, check

         # Reply should include the group names for further processing
         AuthAttrDef memberOf, ADGroups, reply

         # There will be no default User

         # LDAP attribute to check the UserName on
         UsernameAttr            sAMAccountName

        Port 49
        AddToRequest NAS-Identifier=TACACS
        GroupMemberAttr tacacsgroup

        AuthorizeGroup network_ro deny service=shell cmd=show cmd-arh=tech-support
        AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
        AuthorizeGroup network_ro deny .*

        # This is for authorized users for full access. Place in lvl 15 immediately, no restrictions apply
        AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
        AuthorizeGroup full_access permit .*

        # Default deny to prevent accidents when something is misconfigured
        AuthorizeGroup DEFAULT deny .*


# Include client definition
include         %D/radius-clients.cfg
# Include Active Directory AuthBy Handler
include         %D/authby-ad.cfg
# Include configuration for the built-in TACACS server
include         %D/tacacs.cfg

# TACACS Handler
<Handler NAS-Identifier=TACACS>
        AddToRequest ADGroup="CN=netadmin,C=ad,DC=xxxx,DC=xxxxxxxx,DC=de"
        AuthBy AuthByAD

        # Try read-only access
        # AddToRequest ADGroup="CN=netadmin-readonly,C=ad,DC=xxxx,DC=xxxxxxx,DC=de"
        # AuthBy AuthByAD
--- end ---

My problem now is how to tie both clues together in the handler. Ideally I would also like to distinguish based on the TACACS client which is asking. If it is a firewall (IPs known), then use command sets full_access_fw and firewall_ro based on AD groups.

Basically I need something like this:

-	Firewall is TACACS client, and the user is member of group netadmin-security, return request with tacacsgroup=full_access_fw
-	Switch is TACACS client, and the user is member of group netadmin, return request with tacacsgroup=full_access
-	Firewall is TACACS client, and the user is member of group netadmin-security-ro, return request with tacacsgroup=firewall_ro
-	Switch is TACACS client, and the user is member of group netadmin-ro, return request with tacacsgroup=network_ro

How would I do this mapping?

Many thanks and best regards

More information about the radiator mailing list