[RADIATOR] Tacacs AuthorizeGroupAttr ?

Sami Keski-Kasari samikk at open.com.au
Mon Mar 27 06:17:19 UTC 2017


Hello Patrik,

You should not include the group name if you are specifying rules with
AuthorizeGroupAttr.

Please see the example at

https://www.open.com.au/radiator/ref/AuthorizeGroupAttr_ServerTACACSPLUS.html#Key_ServerTACACSPLUS-11

And to add multiple entries, you need to add multiple AuthorizeGroupAttr
attributes. The example config below should be something like this:

AddToReplyIfNotExist    Service-Type = "Administrative-User",\
                        OSC-Group-Identifier = "manager_new",\
                        OSC-Authorize-Group = "permit service=shell cmd= {priv_lvl=15}",\
                        OSC-Authorize-Group = "permit .*"


Best Regards,

  Sami


On 23/03/2017 14.22, Patrik Forsberg wrote:
> So I got Juniper to function the way I wanted it but now I've moved on to a Cisco-like device that requires authorization per command .. how do I set that up in the AuthorizeGroup knob?
> I tried adding multiple "permit service=shell cmd=xxx" with commas between them but that didn't work.. and as expected multiple AuthorizeGroup statements were just ignored..
>
>
> Current setup looks like this
> "
> <AuthBy GROUP>
>          Identifier              AuthDemo1
>          AuthByPolicy            ContinueWhileAccept
>          <AuthBy TEST>
>                  NoEap
>                  NoCheckPassword
>                  IgnoreAccounting
>                  AddToReplyIfNotExist    Service-Type = "Administrative-User",\
>                                          OSC-Group-Identifier = "manager_new",\
>                                          OSC-Authorize-Group = "\
> manager_new permit service=shell cmd= {priv_lvl=15},\
> manager_new permit .*\
> "
>          </AuthBy>
>          <AuthBy PAM>
>                  NoEAP
>                  Service                 radiusd
>          </AuthBy>
> </AuthBy>
> "
>
> In server tacacs
> "
>          GroupMemberAttr         OSC-Group-Identifier
>          AuthorizeGroupAttr      OSC-Authorize-Group
> "
>
> " manager_new permit service=shell cmd= {priv_lvl=15},\" this bit seems to be working but the following "permit .*" doesn't ?
>
> Tried both with and without "manager_new" before the permit statements but that made no difference.
>
> Regards,
> Patrik Forsberg
>
>> -----Original Message-----
>> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
>> Patrik Forsberg
>> Sent: 14 March 2017 14:58
>> To: radiator at lists.open.com.au
>> Subject: Re: [RADIATOR] Tacacs AuthorizeGroupAttr ?
>>
>> Hello,
>>
>> Yes thanks got that bit working.. but if we have multiple devices from
>> different vendors and want to use the same "radius" reply to them all I want
>> to be able to add multiple "rows" to the tacacs response .. I guess the
>> resolution is to add them all in the same reply to the tacacs server.. just
>> thought it might be a "cleaner" way to do it..
>>
>> Regards,
>> Patrik Forsberg
>>
>>> -----Original Message-----
>>> From: Sami Keski-Kasari [mailto:samikk at open.com.au]
>>> Sent: 14 March 2017 10:06
>>> To: Patrik Forsberg <patrik.forsberg at ip-only.se>;
>>> radiator at lists.open.com.au
>>> Subject: Re: [RADIATOR] Tacacs AuthorizeGroupAttr ?
>>>
>>> Hello Patrik,
>>>
>>> Juniper works differently in the authorization part than Cisco.
>>> Juniper requires that all rules are sent to the device in the first
>>> query and after that Juniper device will evaluate rules.
>>>
>>> In juniper, you can define multiple rules like this:
>>> AuthorizeGroup view permit service=junos-exec {local-user-name=tacacs-view \
>>>       allow-commands="^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)" \
>>>       deny-commands=".*"}
>>>
>>> Best Regards,
>>>    Sami
>>>
>>>
>>> On 13.03.2017 14:10, Patrik Forsberg wrote:
>>>> Ok so got this working for the junos stuff.. but still interested to know if
>>>> you can add multiple permit/deny attributes that are sent to tacacs for
>>>> further processing?
>>>>
>>>> Best regards,
>>>> Patrik Forsberg
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
>>>>> Patrik Forsberg
>>>>> Sent: 13 March 2017 11:15
>>>>> To: radiator at lists.open.com.au
>>>>> Subject: [RADIATOR] Tacacs AuthorizeGroupAttr ?
>>>>>
>>>>> Hello,
>>>>>
>>>>> So in my quest to make things more dynamic I've now come to the
>>>>> authorization and figured I could use AuthorizeGroupAttr to set up the user
>>>>> credentials, but ran into somewhat of an issue.
>>>>>
>>>>> When I specify AuthorizeGroupAttr to for example OSC-Authorize-Group
>>>>> and GroupMemberAttr to OSC-Group-Identifier and use for example this in
>>>>> the "authby" clause
>>>>> "
>>>>> OSC-Group-Identifier = "group1",\
>>>>> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}"
>>>>> "
>>>>>
>>>>> This seems to be working as intended but if I want to add more to the
>>>>> OSC-Authorize-Group it seems to fail.. I can't add multiple attributes .. it'll
>>>>> simply use the first .. and if I just add more attributes comma separated the box
>>>>> doesn't seem to receive it..
>>>>>
>>>>> Examples
>>>>> "
>>>>> OSC-Group-Identifier = "group1",\
>>>>> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}",\
>>>>> OSC-Authorize-Group = "deny-commands=\".*\""
>>>>> "
>>>>> Or
>>>>> "
>>>>> OSC-Group-Identifier = "group1",\
>>>>> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1},deny-commands=\".*\""
>>>>> "
>>>>>
>>>>> From what I can understand from the equipment both seem to fail and only
>>>>> the first "permit service=junos-exec {local-user-name=grp1}" works..
>>>>>
>>>>> Is there a trick to get multiple attributes to move into the tacacs server for
>>>>> the GroupMemberAttr?
>>>>>
>>>>> Any help is, as always, appreciated!
>>>>>
>>>>> Regards,
>>>>> Patrik Forsberg
>>>>>
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at lists.open.com.au
>>>>> http://lists.open.com.au/mailman/listinfo/radiator
>>>>
>>> --
>>> Sami Keski-Kasari <samikk at open.com.au>
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>>> NetWare etc.

-- 
Sami Keski-Kasari <samikk at open.com.au>
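As an added illustration (not Radiator's code; the rule syntax and first-match evaluation are an assumed, simplified model of what the thread describes), a small Python model of how the reply attributes above become an ordered TACACS+ authorization rule list. It shows that the corrected form (one rule per OSC-Authorize-Group attribute) yields two usable rules, that the comma-joined single attribute from the thread collapses into one rule that matches nothing, and that a group-name prefix on a rule is rejected.

```python
import re

# Constructed reply attributes in the corrected form from the thread:
# one rule per OSC-Authorize-Group attribute, without the group name.
GOOD_REPLY = [
    ("Service-Type", "Administrative-User"),
    ("OSC-Group-Identifier", "manager_new"),
    ("OSC-Authorize-Group", "permit service=shell cmd= {priv_lvl=15}"),
    ("OSC-Authorize-Group", "permit .*"),
]

# Constructed reply in the form the thread reports as not working:
# both rules joined with a comma inside a single attribute value.
BAD_REPLY = [
    ("OSC-Group-Identifier", "manager_new"),
    ("OSC-Authorize-Group",
     "permit service=shell cmd= {priv_lvl=15},permit .*"),
]

# Assumed rule syntax: verdict, a regexp, then an optional {attr=value ...}
# block of attributes to return to the device on a match.
RULE_RE = re.compile(r"^(permit|deny)\s+(.*?)(?:\s*\{(.*)\})?$")


def parse_rule(text):
    """Parse one rule string; a leading group name makes it malformed."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule: %r" % text)
    verdict, pattern, attrs = m.groups()
    attr_dict = dict(kv.split("=", 1) for kv in (attrs or "").split())
    return verdict, re.compile(pattern), attr_dict


def rules_from_reply(reply, rule_attr="OSC-Authorize-Group"):
    """Collect every rule attribute in reply order, one rule per attribute."""
    return [parse_rule(v) for k, v in reply if k == rule_attr]


def authorize(rules, request_args):
    """Evaluate a TACACS+ authorization request (its argument list) against
    the ordered rules: first regexp hit wins, no hit means deny (assumed)."""
    line = " ".join(request_args)
    for verdict, rx, attrs in rules:
        if rx.search(line):
            return verdict, attrs
    return "deny", {}
```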