[RADIATOR] Tacacs AuthorizeGroupAttr ?

Sami Keski-Kasari samikk at open.com.au
Tue Mar 14 09:06:04 UTC 2017


Hello Patrik,

Juniper works differently from Cisco in the authorization part.
Juniper requires that all rules are sent to the device in the first
query, and after that the Juniper device will evaluate the rules.

In Juniper, you can define multiple rules like this:
AuthorizeGroup view permit service=junos-exec {local-user-name=tacacs-view \
     allow-commands="^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)" \
     deny-commands=".*"}

Best Regards,
  Sami


On 13.03.2017 14:10, Patrik Forsberg wrote:
> Ok, so I got this working for the Junos stuff... but I'm still interested to know if you can add multiple permit/deny attributes that are sent to TACACS for further processing?
>
>
> Mvh,
> Patrik Forsberg
>
>
>> -----Original Message-----
>> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
>> Patrik Forsberg
>> Sent: den 13 mars 2017 11:15
>> To: radiator at lists.open.com.au
>> Subject: [RADIATOR] Tacacs AuthorizeGroupAttr ?
>>
>> Hello,
>>
>> So in my quest to make things more dynamic I've now come to the
>> authorization and figured I could use AuthorizeGroupAttr to set up the user
>> credentials, but ran into somewhat of an issue.
>>
>> When I specify AuthorizeGroupAttr to for example OSC-Authorize-Group
>> and GroupMemberAttr to OSC-Group-Identifier and use for example this in
>> the "authby" clause
>> "
>> OSC-Group-Identifier = "group1",\
>> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}"
>> "
>>
>> This seems to be working as intended, but if I want to add more to the OSC-
>> Authorize-Group it seems to fail. I can't add multiple attributes; it'll simply
>> use the first, and if I just add more attributes comma-separated the box
>> doesn't seem to receive it.
>>
>> Examples
>> "
>> OSC-Group-Identifier = "group1",\
>> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}",\
>> OSC-Authorize-Group = "deny-commands=\".*\""
>> "
>> Or
>> "
>> OSC-Group-Identifier = "group1",\
>> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1},deny-commands=\".*\""
>> "
>>
>> From what I can understand from the equipment, both seem to fail and only
>> the first "permit service=junos-exec {local-user-name=grp1}" works.
>>
>> Is there a trick to get multiple attributes to move into the tacacs server for
>> the GroupMemberAttr ?
>>
>> Any help is, as always, appreciated!
>>
>> Regards,
>> Patrik Forsberg
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at lists.open.com.au
>> http://lists.open.com.au/mailman/listinfo/radiator

-- 
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
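To make the difference between the two configurations concrete, here is an added Python example (not Radiator code and not from Sami's message): it renders a rule set into the single AuthorizeGroup line Sami shows, parses the attribute block back into the AV pairs the TACACS+ reply carries, and simulates how a Juniper device evaluates allow-commands/deny-commands against a typed command. Assumptions: allow-commands takes precedence over deny-commands (which the deny-commands=".*" catch-all in Sami's example relies on), regexes are matched unanchored unless written with ^, and a command matching neither rule falls through to whatever the mapped local class allows (treated as permitted here).

```python
import re
import shlex

# Sami's rule set, as Radiator would send it in the first TACACS+
# authorization reply (all rules at once, as Juniper requires).
JUNIPER_AUTHZ_RULES = {
    "local-user-name": "tacacs-view",
    "allow-commands": r"^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)",
    "deny-commands": r".*",
}

# Patrik's first working configuration: only a template user, no command
# restriction at all (constructed from his message).
PARTIAL_RULES = {"local-user-name": "grp1"}


def build_authorize_group(group, rules, service="junos-exec"):
    """Render one Radiator AuthorizeGroup line carrying every rule in a single permit block."""
    body = " ".join(
        f"{k}={v}" if re.fullmatch(r"[\w.-]+", v) else f'{k}="{v}"'
        for k, v in rules.items()
    )
    return f"AuthorizeGroup {group} permit service={service} {{{body}}}"


def parse_authz_attrs(attr_block):
    """Parse the {key=value key="quoted value"} block back into the AV pairs
    the TACACS+ authorization reply carries."""
    inner = attr_block.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    attrs = {}
    for token in shlex.split(inner):      # shlex strips the quotes around values
        key, _, value = token.partition("=")
        attrs[key] = value
    return attrs


def command_permitted(attrs, command):
    """Simulate Juniper's evaluation of allow-/deny-commands regexes.
    Assumption: allow-commands wins over deny-commands; a command matching
    neither falls through to the local class (assumed permissive)."""
    allow = attrs.get("allow-commands")
    deny = attrs.get("deny-commands")
    if allow and re.search(allow, command):
        return True
    if deny and re.search(deny, command):
        return False
    return True
```

Running `command_permitted(PARTIAL_RULES, "configure")` shows why the partial configuration is dangerous: with no deny-commands rule delivered, nothing on the TACACS+ side restricts the session.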

