[RADIATOR] Question about TACACS group assignment based on AD groups

Hugh Irvine hugh at open.com.au
Thu Sep 8 00:12:44 CDT 2016


Hello Daniel -

You can use Identifiers in your Client clauses to indicate what sort of device they are, then use those identifiers in your Handlers.

Something like this:

……

<Client 1.1.1.1>
	Identifier Firewall
	…..
</Client>

<Client 2.2.2.2>
	Identifier Firewall
	…..
</Client>

<Client 3.3.3.3>
	Identifier Switch
	…..
</Client>

<Client 4.4.4.4>
	Identifier Switch
	…..
</Client>

…..

<Handler Client-Identifier = Firewall, NAS-Identifier = TACACS>
	AuthByPolicy ContinueUntilAccept
	AuthBy CheckReadOnlyAccessForFirewall
	AuthBy CheckFullAccessForFirewall
</Handler>

<Handler Client-Identifier = Switch, NAS-Identifier = TACACS>
	AuthByPolicy ContinueUntilAccept
	AuthBy CheckReadOnlyAccessForSwitch
	AuthBy CheckFullAccessForSwitch
</Handler>


hope that helps

regards

Hugh



> On 7 Sep 2016, at 23:28, daniel.herrmann at zv.fraunhofer.de wrote:
> 
> Hi all,
> 
> I want to use Radiator both for RADIUS and for TACACS for Cisco devices, including command level authorization. Based on some posts on this list I got both the active directory and the TACACS server module up and running, but struggle with the configuration of both.
> 
> If I understand correctly, the TACACS module simply converts the TACACS authentication requests to radius requests and passes them to Radiator for ordinary execution. Authorization requests are handled within the TACACS module.
> 
> My configuration currently looks as follows:
> 
> --- begin ---
> <AuthBy LDAP2>
>         # Define DC to connect to 
>         Host                    dc-b.ad.xxxxx.com
> 
>         # Identifier to use this AuthBy Clause later
>         Identifier AuthByAD
> 
>         # Administrative user used to perform LDAP queries
>         AuthDN                  cn=Administrator,cn=Users,DC=ad,DC=xxxxx,DC=xxxxxxx,DC=de
>         AuthPassword            xxxxxxxx
> 
>         # Where to search for users
>         BaseDN                  OU= User,DC=ad,DC=xxx,DC=xxxxxxx,DC=de
>         ServerChecksPassword
> 
>         # Add Check for group membership
>         AuthAttrDef memberOf, ADGroup, check
> 
>         # Reply should include the group names for further processing
>         AuthAttrDef memberOf, ADGroups, reply
> 
>         # There will be no default User
>         NoDefault
> 
>         # LDAP attribute to check the UserName on
>         UsernameAttr            sAMAccountName
> </AuthBy>
> 
> <ServerTACACSPLUS>
>        Port 49
>        AddToRequest NAS-Identifier=TACACS
>        GroupMemberAttr tacacsgroup
> 
>        AuthorizeGroup network_ro deny service=shell cmd=show cmd-arg=tech-support
>        AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
>        AuthorizeGroup network_ro deny .*
> 
>        # This is for authorized users for full access. Place in lvl 15 immediately, no restrictions apply
>        AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
>        AuthorizeGroup full_access permit .*
> 
>        # Default deny to prevent accidents when something is misconfigured
>        AuthorizeGroup DEFAULT deny .*
> 
> </ServerTACACSPLUS>
> 
> # Include client definition
> include         %D/radius-clients.cfg
> # Include Active Directory AuthBy Handler
> include         %D/authby-ad.cfg
> # Include configuration for the built-in TACACS server
> include         %D/tacacs.cfg
> 
> # TACACS Handler
> <Handler NAS-Identifier=TACACS>
>        AddToRequest ADGroup="CN=netadmin,DC=ad,DC=xxxx,DC=xxxxxxxx,DC=de"
>        AuthBy AuthByAD
> 
>        # Try read-only access
>        # AddToRequest ADGroup="CN=netadmin-readonly,DC=ad,DC=xxxx,DC=xxxxxxx,DC=de"
>        # AuthBy AuthByAD
> </Handler>
> --- end ---
> 
> My problem now is how to tie both clauses together in the handler. Ideally I would also like to distinguish based on the TACACS client which is asking. If it is a firewall (IPs known), then use command sets full_access_fw and firewall_ro based on AD groups.
> 
> Basically I need something like this:
> 
> -	Firewall is TACACS client, and the user is member of group netadmin-security, return request with tacacsgroup=full_access_fw
> -	Switch is TACACS client, and the user is member of group netadmin, return request with tacacsgroup=full_access
> -	Firewall is TACACS client, and the user is member of group netadmin-security-ro, return request with tacacsgroup=firewall_ro
> -	Switch is TACACS client, and the user is member of group netadmin-ro, return request with tacacsgroup=network_ro
> 
> How would I do this mapping?
> 
> Many thanks and best regards
> Daniel
> 
> 


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
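Putting Hugh's Client-Identifier Handlers together with the four mappings Daniel lists, here is an added example configuration that is not from either post: one AuthBy LDAP2 per (device class, AD group) pair, where the group membership is folded into the LDAP search instead of a Handler-level AddToRequest. The LDAP host, bind DN, group OU and group DNs are placeholders; it assumes the documented AuthBy LDAP2 SearchFilter placeholders %0 (UsernameAttr) and %1 (user name), and that tacacsgroup exists in the Radiator dictionary, as Daniel's GroupMemberAttr setting already requires.

```conf
# Constructed example, not from the thread. Hostname, DNs, group OU and
# passwords are placeholders.
# One AuthBy per (device class, AD group). SearchFilter only finds the user
# when memberOf includes the group, so a non-member is REJECTed here and the
# Handler falls through to the next AuthBy. %0 is UsernameAttr, %1 the user.
<AuthBy LDAP2>
	Identifier CheckFullAccessForFirewall
	Host dc.ad.example.de
	AuthDN cn=radiator,cn=Users,DC=ad,DC=example,DC=de
	AuthPassword xxxxxxxx
	BaseDN OU=User,DC=ad,DC=example,DC=de
	UsernameAttr sAMAccountName
	ServerChecksPassword
	NoDefault
	SearchFilter (&(%0=%1)(memberOf=CN=netadmin-security,OU=Groups,DC=ad,DC=example,DC=de))
	# Reply attribute that GroupMemberAttr in ServerTACACSPLUS maps to a
	# command set; only an accepting AuthBy adds it.
	AddToReply tacacsgroup=full_access_fw
</AuthBy>
<AuthBy LDAP2>
	Identifier CheckReadOnlyAccessForFirewall
	Host dc.ad.example.de
	AuthDN cn=radiator,cn=Users,DC=ad,DC=example,DC=de
	AuthPassword xxxxxxxx
	BaseDN OU=User,DC=ad,DC=example,DC=de
	UsernameAttr sAMAccountName
	ServerChecksPassword
	NoDefault
	SearchFilter (&(%0=%1)(memberOf=CN=netadmin-security-ro,OU=Groups,DC=ad,DC=example,DC=de))
	AddToReply tacacsgroup=firewall_ro
</AuthBy>
# CheckFullAccessForSwitch / CheckReadOnlyAccessForSwitch: same pattern with
# groups netadmin / netadmin-ro and tacacsgroup=full_access / network_ro.

# Full access is tried first so a user in both groups is not downgraded; a
# user in neither group is rejected by every AuthBy and never gets a
# tacacsgroup, so the AuthorizeGroup DEFAULT deny .* rule applies.
<Handler Client-Identifier=Firewall, NAS-Identifier=TACACS>
	AuthByPolicy ContinueUntilAccept
	AuthBy CheckFullAccessForFirewall
	AuthBy CheckReadOnlyAccessForFirewall
</Handler>
<Handler Client-Identifier=Switch, NAS-Identifier=TACACS>
	AuthByPolicy ContinueUntilAccept
	AuthBy CheckFullAccessForSwitch
	AuthBy CheckReadOnlyAccessForSwitch
</Handler>
```

The Client clauses carrying Identifier Firewall / Identifier Switch are as in Hugh's reply; with these Handlers the ServerTACACSPLUS AuthorizeGroup sets need only be renamed to match the four tacacsgroup values.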


