[RADIATOR] Tacacs AuthorizeGroupAttr ?
Patrik Forsberg
patrik.forsberg at ip-only.se
Mon Mar 13 10:14:48 UTC 2017
Hello,
So in my quest to make things more dynamic I've now come to the authorization and figured I could use AuthorizeGroupAttr to set up the user credentials, but ran into somewhat of an issue.
When I specify AuthorizeGroupAttr to for example OSC-Authorize-Group and GroupMemberAttr to OSC-Group-Identifier and use for example this in the "authby" clause
"
OSC-Group-Identifier = "group1",\
OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}"
"
This seems to be working as intended but if I want to add more to the OSC-Authorize-Group it seems to fail.. I can't add multiple attributes .. it'll simply use the first .. and if I just add more attributes comma separated the box doesn't seem to receive it..
Examples
"
OSC-Group-Identifier = "group1",\
OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}",\
OSC-Authorize-Group = "deny-commands=\".*\""
"
Or
"
OSC-Group-Identifier = "group1",\
OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1},deny-commands=\".*\""
"
From what I can understand from the equipment both seem to fail and only the first "permit service=junos-exec {local-user-name=grp1}" works..
Is there a trick to get multiple attributes to move into the tacacs server for the GroupMemberAttr?
Any help is, as always, appreciated!
Regards,
Patrik Forsberg