[RADIATOR] Tacacs AuthorizeGroupAttr ?

Patrik Forsberg patrik.forsberg at ip-only.se
Thu Mar 23 12:22:10 UTC 2017


So I got Juniper to function the way I wanted it, but now I've moved on to a Cisco-like device that requires authorization per command .. how do I set that up in the AuthorizeGroup knob?
I tried adding multiple "permit service=shell cmd=xxx" with commas between them but that didn't work.. and as expected multiple AuthorizeGroup statements were just ignored..


Current setup looks like this
"
<AuthBy GROUP>
        Identifier              AuthDemo1
        AuthByPolicy            ContinueWhileAccept
        <AuthBy TEST>
                NoEap
                NoCheckPassword
                IgnoreAccounting
                AddToReplyIfNotExist    Service-Type = "Administrative-User",\
                                        OSC-Group-Identifier = "manager_new",\
                                        OSC-Authorize-Group = "\
manager_new permit service=shell cmd= {priv_lvl=15},\
manager_new permit .*\
"
        </AuthBy>
        <AuthBy PAM>
                NoEAP
                Service                 radiusd
        </AuthBy>
</AuthBy>
"

In server tacacs
"
        GroupMemberAttr         OSC-Group-Identifier
        AuthorizeGroupAttr      OSC-Authorize-Group
"

" manager_new permit service=shell cmd= {priv_lvl=15},\" this bit seems to be working but the following "permit .*" doesn't?

Tried both with and without "manager_new" before the permit statements but that made no difference.

Regards,
Patrik Forsberg

> -----Original Message-----
> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
> Patrik Forsberg
> Sent: 14 March 2017 14:58
> To: radiator at lists.open.com.au
> Subject: Re: [RADIATOR] Tacacs AuthorizeGroupAttr ?
> 
> Hello,
> 
> Yes thanks got that bit working.. but if we have multiple devices from
> different vendors and want to use the same "radius" reply to them all I want
> to be able to add multiple "rows" to the tacacs response .. I guess the
> resolution is to add them all in the same reply to the tacacs server.. just
> thought it might be a "cleaner" way to do it..
> 
> Regards,
> Patrik Forsberg
> 
> > -----Original Message-----
> > From: Sami Keski-Kasari [mailto:samikk at open.com.au]
> > Sent: 14 March 2017 10:06
> > To: Patrik Forsberg <patrik.forsberg at ip-only.se>;
> > radiator at lists.open.com.au
> > Subject: Re: [RADIATOR] Tacacs AuthorizeGroupAttr ?
> >
> > Hello Patrik,
> >
> > Juniper works differently in the authorization part than Cisco.
> > Juniper requires that all rules are sent to the device in the first
> > query and after that the Juniper device will evaluate the rules.
> >
> > In Juniper, you can define multiple rules like this:
> > AuthorizeGroup view permit service=junos-exec {local-user-name=tacacs-view \
> >      allow-commands="^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)" \
> >      deny-commands=".*"}
> >
> > Best Regards,
> >   Sami
> >
> >
> > On 13.03.2017 14:10, Patrik Forsberg wrote:
> > > Ok so got this working for the junos stuff.. but still interested to know if
> > > you can add multiple permit/deny attributes that are sent to tacacs for further
> > > processing?
> > >
> > >
> > > Kind regards,
> > > Patrik Forsberg
> > >
> > >
> > >> -----Original Message-----
> > >> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
> > >> Patrik Forsberg
> > >> Sent: 13 March 2017 11:15
> > >> To: radiator at lists.open.com.au
> > >> Subject: [RADIATOR] Tacacs AuthorizeGroupAttr ?
> > >>
> > >> Hello,
> > >>
> > >> So in my quest to make things more dynamic I've now come to the
> > >> authorization and figured I could use AuthorizeGroupAttr to set up the user
> > >> credentials, but ran into somewhat of an issue.
> > >>
> > >> When I specify AuthorizeGroupAttr to for example OSC-Authorize-Group
> > >> and GroupMemberAttr to OSC-Group-Identifier and use for example this in
> > >> the "authby" clause
> > >> "
> > >> OSC-Group-Identifier = "group1",\
> > >> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}"
> > >> "
> > >>
> > >> This seems to be working as intended but if I want to add more to the OSC-
> > >> Authorize-Group it seems to fail.. I can't add multiple attributes .. it'll simply
> > >> use the first .. and if I just add more attributes comma separated the box
> > >> doesn't seem to receive it..
> > >>
> > >> Examples
> > >> "
> > >> OSC-Group-Identifier = "group1",\
> > >> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}",\
> > >> OSC-Authorize-Group = "deny-commands=\".*\""
> > >> "
> > >> Or
> > >> "
> > >> OSC-Group-Identifier = "group1",\
> > >> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1},deny-commands=\".*\""
> > >> "
> > >>
> > >> From what I can understand from the equipment both seem to fail and only
> > >> the first "permit service=junos-exec {local-user-name=grp1}" works..
> > >>
> > >> Is there a trick to get multiple attributes to move into the tacacs server for
> > >> the GroupMemberAttr?
> > >>
> > >> Any help is, as always, appreciated!
> > >>
> > >> Regards,
> > >> Patrik Forsberg
> > >>
> > >> _______________________________________________
> > >> radiator mailing list
> > >> radiator at lists.open.com.au
> > >> http://lists.open.com.au/mailman/listinfo/radiator
> > >
> >
> > --
> > Sami Keski-Kasari <samikk at open.com.au>
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> > NetWare etc.
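The thread contrasts two authorization models: a Cisco-like device asks the TACACS+ server once per command (service=shell cmd=...), while Junos wants every rule in the first reply and evaluates allow-commands/deny-commands locally. The following is an added toy model of both, written for this archive page; it is not Radiator code, does not implement Radiator's AuthorizeGroup or AuthorizeGroupAttr parsing, and the "permit/deny key=regex {reply=attrs}" line format it parses is only modelled on the lines quoted above. The Junos precedence (an allow match wins, then a deny match, then allowed by default) is an assumption of this example, not something the thread states; the allow/deny regexes are the ones from Sami's message.

```python
"""Toy model of per-command (Cisco-like) vs rules-up-front (Junos-like)
TACACS+ command authorization.

Constructed example for this list archive page: not Radiator's code, and the
rule syntax is only modelled on the lines quoted in the thread.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    verdict: str                 # "permit" or "deny"
    conds: dict                  # attribute -> regex, e.g. {"service": "shell", "cmd": "show"}
    reply: dict = field(default_factory=dict)  # attributes returned on permit, e.g. {"priv_lvl": "15"}


# permit|deny, then key=regex conditions, then an optional {reply attrs} block
RULE_RE = re.compile(r"^(permit|deny)\s*(.*?)\s*(?:\{(.*)\})?\s*$")


def parse_rule(text: str) -> Rule:
    """Parse one rule line such as 'permit service=shell cmd= {priv_lvl=15}'.
    A bare token without '=' (the thread's 'permit .*') is taken as a cmd regex."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    verdict, cond_text, reply_text = m.groups()
    conds = {}
    for tok in cond_text.split():
        key, sep, pattern = tok.partition("=")
        if sep:
            conds[key] = pattern
        else:
            conds["cmd"] = key          # bare regex, e.g. ".*"
    reply = {}
    for tok in (reply_text or "").split():
        key, _, value = tok.partition("=")
        reply[key] = value
    return Rule(verdict, conds, reply)


def authorize(rules, request):
    """Per-command style (what the thread describes for Cisco-like devices):
    the device asks once per command and the server answers from the ordered
    rule list. First matching rule wins. Each condition regex must fullmatch
    the request value, so 'cmd=' (empty regex) matches only the initial
    exec/shell start, where cmd is empty. No match means deny.
    Returns (verdict, reply_attributes)."""
    for rule in rules:
        if all(re.fullmatch(pat, request.get(key, "")) for key, pat in rule.conds.items()):
            return rule.verdict, dict(rule.reply)
    return "deny", {}


def junos_local_check(allow_commands, deny_commands, command):
    """Rules-up-front style (what the thread describes for Junos): the server
    sent allow-commands/deny-commands once at login and the device decides
    locally. Assumed precedence for this example (not taken from the thread):
    an allow match wins, then a deny match, otherwise the command is allowed."""
    if re.search(allow_commands, command):
        return "permit"
    if re.search(deny_commands, command):
        return "deny"
    return "permit"


# Constructed Cisco-style rule set: exec start gets priv_lvl=15, 'configure'
# is denied, everything else is permitted. Order matters: the catch-all goes
# last, otherwise the deny is never reached.
CISCO_RULES = [parse_rule(line) for line in (
    "permit service=shell cmd= {priv_lvl=15}",
    "deny service=shell cmd=configure",
    "permit service=shell cmd=.*",
)]

# Junos-style regexes copied from Sami's example in the thread.
JUNOS_ALLOW = r"^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)"
JUNOS_DENY = r".*"


def demo():
    """Run a few constructed requests through both models."""
    return {
        "exec_start": authorize(CISCO_RULES, {"service": "shell", "cmd": ""}),
        "show": authorize(CISCO_RULES, {"service": "shell", "cmd": "show", "cmd-arg": "version"}),
        "configure": authorize(CISCO_RULES, {"service": "shell", "cmd": "configure"}),
        "junos_show": junos_local_check(JUNOS_ALLOW, JUNOS_DENY, "show interfaces"),
        "junos_configure": junos_local_check(JUNOS_ALLOW, JUNOS_DENY, "configure"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The point the model makes visible is why a single "permit .*" line behaves so differently on the two platforms: in the per-command model the server is consulted for every command and a catch-all placed before a deny silently disables that deny, whereas in the rules-up-front model the server's answer to the first query is the only one the device ever sees, so all allow and deny regexes have to be in that one reply.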

