[RADIATOR] Tacacs AuthorizeGroupAttr ?
Patrik Forsberg
patrik.forsberg at ip-only.se
Mon Mar 27 08:06:03 UTC 2017
Hello,
Thanks..
I actually tried that earlier and it didn't work.. now when I try it works perfectly.. must have done something else that made it go bazooka..
Thanks,
Patrik Forsberg
> -----Original Message-----
> From: Sami Keski-Kasari [mailto:samikk at open.com.au]
> Sent: den 27 mars 2017 08:17
> To: radiator at lists.open.com.au; Patrik Forsberg <patrik.forsberg at ip-only.se>
> Subject: Re: [RADIATOR] Tacacs AuthorizeGroupAttr ?
>
> Hello Patrik,
>
> You should not include group name if you are specifying rules with
> AuthorizeGroupAttr.
>
> Please see example at
>
> https://www.open.com.au/radiator/ref/AuthorizeGroupAttr_ServerTACACSPLUS.html#Key_ServerTACACSPLUS-11
>
> And to add multiple entries, you need to add multiple AuthorizeGroupAttr
> attributes. Example config below should be something like this:
>
> AddToReplyIfNotExist Service-Type = "Administrative-User",\
> OSC-Group-Identifier = "manager_new",\
> OSC-Authorize-Group = "permit service=shell cmd= {priv_lvl=15}",\
> OSC-Authorize-Group = "permit .*"
>
>
> Best Regards,
>
> Sami
>
>
> On 23/03/2017 14.22, Patrik Forsberg wrote:
> > So I got Juniper to function the way I wanted it but now I've moved on to a
> > Cisco-like device that requires authorization per command .. how do I set that
> > up in the AuthorizeGroup knob ?
> > I tried adding multiple "permit service=shell cmd=xxx" with comma
> > between them but that didn't work.. and as expected multiple
> > AuthorizeGroup statements were just ignored..
> >
> >
> > Current setup looks like this
> > "
> > <AuthBy GROUP>
> > Identifier AuthDemo1
> > AuthByPolicy ContinueWhileAccept
> > <AuthBy TEST>
> > NoEap
> > NoCheckPassword
> > IgnoreAccounting
> > AddToReplyIfNotExist Service-Type = "Administrative-User",\
> > OSC-Group-Identifier = "manager_new",\
> > OSC-Authorize-Group = "\
> > manager_new permit service=shell cmd= {priv_lvl=15},\
> > manager_new permit .*\
> > "
> > </AuthBy>
> > <AuthBy PAM>
> > NoEAP
> > Service radiusd
> > </AuthBy>
> > </AuthBy>
> > "
> >
> > In server tacacs
> > "
> > GroupMemberAttr OSC-Group-Identifier
> > AuthorizeGroupAttr OSC-Authorize-Group
> > "
> >
> > " manager_new permit service=shell cmd= {priv_lvl=15},\" this bit seems to
> > be working but the following "permit .*" doesn't ?
> >
> > Tried both with and without "manager_new" before the permit
> > statements but that made no difference.
> >
> > Regards,
> > Patrik Forsberg
> >
> >> -----Original Message-----
> >> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
> >> Patrik Forsberg
> >> Sent: den 14 mars 2017 14:58
> >> To: radiator at lists.open.com.au
> >> Subject: Re: [RADIATOR] Tacacs AuthorizeGroupAttr ?
> >>
> >> Hello,
> >>
> >> Yes thanks got that bit working.. but if we have multiple devices from
> >> different vendors and want to use the same "radius" reply to them all I want
> >> to be able to add multiple "rows" to the tacacs response .. I guess the
> >> resolution is to add them all in the same reply to the tacacs server.. just
> >> thought it might be a "cleaner" way to do it..
> >>
> >> Regards,
> >> Patrik Forsberg
> >>
> >>> -----Original Message-----
> >>> From: Sami Keski-Kasari [mailto:samikk at open.com.au]
> >>> Sent: den 14 mars 2017 10:06
> >>> To: Patrik Forsberg <patrik.forsberg at ip-only.se>;
> >>> radiator at lists.open.com.au
> >>> Subject: Re: [RADIATOR] Tacacs AuthorizeGroupAttr ?
> >>>
> >>> Hello Patrik,
> >>>
> >>> Juniper is working differently in authorization part than Cisco.
> >>> Juniper requires that all rules are sent to the device in the first
> >>> query and after that Juniper device will evaluate rules.
> >>>
> >>> In Juniper, you can define multiple rules like this:
> >>> AuthorizeGroup view permit service=junos-exec {local-user-name=tacacs-view \
> >>> allow-commands="^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)" \
> >>> deny-commands=".*"}
> >>>
> >>> Best Regards,
> >>> Sami
> >>>
> >>>
> >>> On 13.03.2017 14:10, Patrik Forsberg wrote:
> >>>> Ok so got this working for the junos stuff.. but still interested to know if
> >>>> you can add multiple permit/deny attributes that are sent to tacacs for
> >>>> further processing ?
> >>>>
> >>>> Mvh,
> >>>> Patrik Forsberg
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
> >>>>> Patrik Forsberg
> >>>>> Sent: den 13 mars 2017 11:15
> >>>>> To: radiator at lists.open.com.au
> >>>>> Subject: [RADIATOR] Tacacs AuthorizeGroupAttr ?
> >>>>>
> >>>>> Hello,
> >>>>>
> >>>>> So in my quest to make things more dynamic I've now come to the
> >>>>> authorization and figured I could use AuthorizeGroupAttr to setup the user
> >>>>> credentials, but ran into somewhat of an issue.
> >>>>>
> >>>>> When I specify AuthorizeGroupAttr to for example OSC-Authorize-Group
> >>>>> and GroupMemberAttr to OSC-Group-Identifier and use for example this in
> >>>>> the "authby" clause
> >>>>> "
> >>>>> OSC-Group-Identifier = "group1",\
> >>>>> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}"
> >>>>> "
> >>>>>
> >>>>> This seems to be working as intended but if I want to add more to the
> >>>>> OSC-Authorize-Group it seems to fail.. I can't add multiple attributes .. it'll
> >>>>> simply use the first .. and if I just add more attributes comma separated the
> >>>>> box doesn't seem to receive it..
> >>>>>
> >>>>> Examples
> >>>>> "
> >>>>> OSC-Group-Identifier = "group1",\
> >>>>> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}",\
> >>>>> OSC-Authorize-Group = "deny-commands=\".*\""
> >>>>> "
> >>>>> Or
> >>>>> "
> >>>>> OSC-Group-Identifier = "group1",\
> >>>>> OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1},deny-commands=\".*\""
> >>>>> "
> >>>>>
> >>>>> From what I can understand from the equipment both seem to fail and only
> >>>>> the first "permit service=junos-exec {local-user-name=grp1}" works..
> >>>>>
> >>>>> Is there a trick to get multiple attributes to move into the tacacs server for
> >>>>> the GroupMemberAttr ?
> >>>>>
> >>>>> Any help is, as always, appreciated!
> >>>>>
> >>>>> Regards,
> >>>>> Patrik Forsberg
> >>>>>
> >>>>> _______________________________________________
> >>>>> radiator mailing list
> >>>>> radiator at lists.open.com.au
> >>>>> http://lists.open.com.au/mailman/listinfo/radiator
> >>> --
> >>> Sami Keski-Kasari <samikk at open.com.au>
> >>>
> >>> Radiator: the most portable, flexible and configurable RADIUS server
> >>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >>> NetWare etc.
>
> --
> Sami Keski-Kasari <samikk at open.com.au>
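The two points Sami makes (the group name is not repeated inside the rule text when AuthorizeGroupAttr is used, and every rule goes in its own OSC-Authorize-Group instance rather than comma-joined into one) are easy to get wrong by hand, as the thread shows. The script below is an added example, not Radiator's code and not anything posted in the thread: it renders the AddToReplyIfNotExist line from a list of rules and flags the two mistakes that were tried here. It uses the attribute names from the thread as-is; the rule shape it checks (permit|deny, an optional {...} block that ends the rule) is taken from the examples in the thread, the `}` check is a heuristic, and `check_rules` / `reply_line` are names chosen for this example.

```python
"""Render and sanity-check per-rule TACACS+ authorization reply attributes.

Added example, not Radiator's code. Assumptions (not from the page):
function names, the escaping of embedded quotes as \\" (which follows
Patrik's own examples), and the heuristic that nothing should follow a
rule's closing '}'.
"""
import re

# A rule as shown in the thread starts with permit or deny, then a regexp
# and an optional {attribute block}: e.g. 'permit service=shell cmd= {priv_lvl=15}'
RULE_RE = re.compile(r"^(permit|deny)\s+\S")

GROUP_ATTR = "OSC-Group-Identifier"   # GroupMemberAttr in the thread
RULE_ATTR = "OSC-Authorize-Group"     # AuthorizeGroupAttr in the thread


class RuleError(ValueError):
    """Raised when the rule list would produce a reply the thread shows failing."""


def check_rules(group, rules):
    """Return a list of problems with the rules (empty list means OK)."""
    problems = []
    for i, rule in enumerate(rules, 1):
        # Mistake 1 from the thread: 'manager_new permit ...' inside the attribute.
        if rule.startswith(group + " "):
            problems.append(f"rule {i}: begins with the group name '{group}'; "
                            "omit it when the rule is carried by AuthorizeGroupAttr")
        if not RULE_RE.match(rule):
            problems.append(f"rule {i}: must begin with 'permit' or 'deny'")
        # Mistake 2 from the thread: a second rule glued on after a comma.
        if re.search(r",\s*(permit|deny)\b", rule):
            problems.append(f"rule {i}: contains a second rule after a comma; "
                            "send it as its own attribute instance")
        # Heuristic: in every working example on the page the {...} block ends
        # the rule, so trailing text after '}' is almost certainly a glued-on rule.
        if re.search(r"\}\s*\S", rule):
            problems.append(f"rule {i}: has text after the closing '}}'; "
                            "the thread's working examples end the rule there")
    return problems


def _quote(value):
    # Escape embedded double quotes the way the thread's examples do (\").
    return '"' + value.replace('"', '\\"') + '"'


def reply_line(group, rules, service_type="Administrative-User"):
    """Render one AddToReplyIfNotExist line, one RULE_ATTR instance per rule.

    Radiator continues a config line with a trailing backslash, which is
    why each attribute ends in ',\\' except the last.
    """
    problems = check_rules(group, rules)
    if problems:
        raise RuleError("; ".join(problems))
    items = [f"Service-Type = {_quote(service_type)}",
             f"{GROUP_ATTR} = {_quote(group)}"]
    items += [f"{RULE_ATTR} = {_quote(r)}" for r in rules]
    return "AddToReplyIfNotExist " + ",\\\n    ".join(items)


if __name__ == "__main__":
    # Constructed sample: the corrected rule list from Sami's reply.
    good = ["permit service=shell cmd= {priv_lvl=15}", "permit .*"]
    print(reply_line("manager_new", good))
    # Constructed sample: the two variants that failed in the thread.
    bad = ["manager_new permit service=shell cmd= {priv_lvl=15}",
           'permit service=junos-exec {local-user-name=grp1},deny-commands=".*"']
    for p in check_rules("manager_new", bad):
        print("problem:", p)
```

Running it prints the four-line AddToReplyIfNotExist block with two separate OSC-Authorize-Group attributes, then the problems found in the failing variants. The check is deliberately syntactic: it does not model how the TACACS+ client evaluates the rules (Juniper wants all rules in the first reply, Cisco asks per command, as Sami notes), only whether the reply is shaped the way the working example is.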