[RADIATOR] Tacacs AuthorizeGroupAttr ?

Patrik Forsberg patrik.forsberg at ip-only.se
Tue Mar 14 13:57:45 UTC 2017


Hello,

Yes, thanks, got that bit working. But if we have multiple devices from different vendors and want to use the same "radius" reply to them all, I want to be able to add multiple "rows" to the tacacs response. I guess the resolution is to add them all in the same reply to the tacacs server; just thought it might be a "cleaner" way to do it.

Regards,
Patrik Forsberg

> -----Original Message-----
> From: Sami Keski-Kasari [mailto:samikk at open.com.au]
> Sent: 14 March 2017 10:06
> To: Patrik Forsberg <patrik.forsberg at ip-only.se>;
> radiator at lists.open.com.au
> Subject: Re: [RADIATOR] Tacacs AuthorizeGroupAttr ?
> 
> Hello Patrik,
> 
> Juniper is working differently in authorization part than Cisco.
> Juniper requires that all rules are sent to the device in the first
> query and after that Juniper device will evaluate rules.
> 
> In juniper, you can define multiple rules like this:
> AuthorizeGroup view permit service=junos-exec {local-user-name=tacacs-view \
>      allow-commands="^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)" \
>      deny-commands=".*"}
> 
> Best Regards,
>   Sami
> 
> 
> On 13.03.2017 14:10, Patrik Forsberg wrote:
> > Ok so got this working for the junos stuff, but still interested to know if you can add multiple permit/deny attributes that are sent to tacacs for further processing?
> >
> >
> > Best regards,
> > Patrik Forsberg
> >
> >
> >> -----Original Message-----
> >> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
> >> Patrik Forsberg
> >> Sent: 13 March 2017 11:15
> >> To: radiator at lists.open.com.au
> >> Subject: [RADIATOR] Tacacs AuthorizeGroupAttr ?
> >>
> >> Hello,
> >>
> >> So in my quest to make things more dynamic I've now come to the
> >> authorization and figured I could use AuthorizeGroupAttr to set up the user
> >> credentials, but ran into somewhat of an issue.
> >>
> >> When I specify AuthorizeGroupAttr to for example OSC-Authorize-Group
> >> and GroupMemberAttr to OSC-Group-Identifier and use for example this in
> >> the "authby" clause
> >> "
> >> OSC-Group-Identifier = "group1",\
> >> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}"
> >> "
> >>
> >> This seems to be working as intended, but if I want to add more to the
> >> OSC-Authorize-Group it seems to fail. I can't add multiple attributes; it'll
> >> simply use the first, and if I just add more attributes comma separated the box
> >> doesn't seem to receive it.
> >>
> >> Examples
> >> "
> >> OSC-Group-Identifier = "group1",\
> >> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}",\
> >> OSC-Authorize-Group = "deny-commands=\".*\""
> >> "
> >> Or
> >> "
> >> OSC-Group-Identifier = "group1",\
> >> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1},deny-commands=\".*\""
> >> "
> >>
> >> From what I can understand from the equipment, both seem to fail and only
> >> the first "permit service=junos-exec {local-user-name=grp1}" works.
> >>
> >> Is there a trick to get multiple attributes to move into the tacacs server for
> >> the GroupMemberAttr?
> >>
> >> Any help is, as always, appreciated!
> >>
> >> Regards,
> >> Patrik Forsberg
> >>
> >> _______________________________________________
> >> radiator mailing list
> >> radiator at lists.open.com.au
> >> http://lists.open.com.au/mailman/listinfo/radiator
> >
> 
> --
> Sami Keski-Kasari <samikk at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
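The Junos-side behaviour Sami describes (every regex arrives in the first authorization reply and the device evaluates them itself) can be checked before a rule reaches a router. The following is an added example, not code from this thread or from Radiator: it parses the AuthorizeGroup rule quoted above into the attribute-value pairs Radiator returns and reports which commands a view-only operator would get. It assumes that on Junos allow-commands takes precedence over deny-commands, that the regexes are not implicitly anchored (the rule anchors with ^ itself), and that a command matching neither regex is decided by the template user's login class.

```python
import re
import shlex

# Constructed input: the Juniper rule from the thread, in Radiator's
# AuthorizeGroup syntax (permit|deny <match> {attr=value ...}).
JUNOS_RULE = (
    'permit service=junos-exec {local-user-name=tacacs-view '
    'allow-commands="^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)" '
    'deny-commands=".*"}'
)


def parse_authorize_rule(rule: str) -> dict:
    """Return the attribute-value pairs inside the braces of one rule.

    The text before '{' is the permit/deny match; the braces hold the AV
    pairs Radiator sends in the TACACS+ authorization reply. shlex keeps
    each double-quoted regex as one token even though it contains spaces.
    """
    _match, _, body = rule.partition('{')
    attrs = {}
    for token in shlex.split(body.rstrip().rstrip('}')):
        key, sep, value = token.partition('=')
        if not sep:
            raise ValueError(f'malformed AV pair: {token!r}')
        attrs[key] = value
    return attrs


def junos_command_allowed(attrs: dict, command: str, class_allows: bool = True) -> bool:
    """Model the device-side evaluation of the returned regexes (assumptions
    as stated in the lead-in). class_allows stands in for the permission the
    template user's login class would give when neither regex matches."""
    allow = attrs.get('allow-commands')
    deny = attrs.get('deny-commands')
    if allow and re.search(allow, command):
        return True
    if deny and re.search(deny, command):
        return False
    return class_allows


def check_view_policy(rule: str, commands) -> dict:
    """Map each command to its allowed (True) / denied (False) verdict."""
    attrs = parse_authorize_rule(rule)
    return {cmd: junos_command_allowed(attrs, cmd) for cmd in commands}


if __name__ == '__main__':
    for cmd, ok in check_view_policy(JUNOS_RULE, ['show vlans', 'show version', 'configure']).items():
        print(f'{cmd:16} {"allowed" if ok else "denied"}')
```

Dropping deny-commands=".*" from the rule turns the allow list back into an addition to the login class rather than a whitelist, which the last assertion in the check illustrates.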

