[RADIATOR] Tacacs AuthorizeGroupAttr ?

Patrik Forsberg patrik.forsberg at ip-only.se
Mon Mar 13 12:10:07 UTC 2017


Ok, so got this working for the Junos stuff.. but still interested to know if you can add multiple permit/deny attributes that are sent to TACACS for further processing?


Regards,
Patrik Forsberg


> -----Original Message-----
> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
> Patrik Forsberg
> Sent: 13 March 2017 11:15
> To: radiator at lists.open.com.au
> Subject: [RADIATOR] Tacacs AuthorizeGroupAttr ?
> 
> Hello,
> 
> So in my quest to make things more dynamic I've now come to the
> authorization and figured I could use AuthorizeGroupAttr to set up the user
> credentials, but ran into somewhat of an issue.
> 
> When I specify AuthorizeGroupAttr to for example OSC-Authorize-Group
> and GroupMemberAttr to OSC-Group-Identifier and use for example this in
> the "authby" clause
> "
> OSC-Group-Identifier = "group1",\
> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}"
> "
> 
> This seems to be working as intended, but if I want to add more to the
> OSC-Authorize-Group it seems to fail.. I can't add multiple attributes.. it'll simply
> use the first.. and if I just add more attributes comma separated the box
> doesn't seem to receive it..
> 
> Examples
> "
> OSC-Group-Identifier = "group1",\
> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}",\
> OSC-Authorize-Group = "deny-commands=\".*\""
> "
> Or
> "
> OSC-Group-Identifier = "group1",\
> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1},deny-commands=\".*\""
> "
> 
> From what I can understand from the equipment both seem to fail and only
> the first "permit service=junos-exec {local-user-name=grp1}" works..
> 
> Is there a trick to get multiple attributes to move into the tacacs server for
> the GroupMemberAttr ?
> 
> Any help is, as always, appreciated!
> 
> Regards,
> Patrik Forsberg
> 