[RADIATOR] Tacacsplus and OSC-Authorize-Group
Heikki Vatiainen
hvn at open.com.au
Thu Apr 29 16:30:15 UTC 2021
On 29.4.2021 10.31, Patrik Forsberg wrote:
> I used AddToReplyIfNotExist and that seems to only use the first OSC-Authorize-Group option it reaches and just ignores the rest.. an AddToReply fixed that ..
> AddToReplyIfNotExist \
> Service-Type = "Administrative-User",\
> OSC-Group-Identifier = "%N",\
> OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=running-config",\
> OSC-Authorize-Group = "deny service=shell cmd=*",\
> OSC-Authorize-Group = "permit .* {priv-lvl=15}"
Good to hear it works now. However, I'd say it would make more sense
that AddToReplyIfNotExist didn't work like that. What happens with
multi-instance attributes is exactly what you say: it adds the first and
then determines for the second instance that NotExists no longer holds :(
This is fine with typical single-instance attributes but I think the
expectation is that all of the above would have been added.
Thanks for letting us know about this,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
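To make the behaviour Heikki describes concrete, here is an added Python model of the two merge semantics (this is an illustration written for this page, not Radiator's own Perl code). It replays the reply attributes from Patrik's configuration through an AddToReply-style merge and an AddToReplyIfNotExist-style merge, where the latter skips an attribute whenever one of the same name is already in the reply. The helper `missing_authorization_lines` is a constructed check a practitioner could run to confirm that every configured OSC-Authorize-Group line, in particular the `deny` line, actually reaches the TACACS+ client.

```python
"""Model of AddToReply vs AddToReplyIfNotExist for multi-instance reply
attributes. Added illustration; function names and the merge logic are
assumptions modelled on the list discussion, not Radiator's implementation.
"""
from typing import List, Tuple

Attr = Tuple[str, str]

# Reply attributes as listed in the quoted configuration (constructed test
# data; "%N" is left unexpanded because expansion is not what is modelled).
CONFIGURED: List[Attr] = [
    ("Service-Type", "Administrative-User"),
    ("OSC-Group-Identifier", "%N"),
    ("OSC-Authorize-Group", "permit service=shell cmd=show cmd-arg=running-config"),
    ("OSC-Authorize-Group", "deny service=shell cmd=*"),
    ("OSC-Authorize-Group", "permit .* {priv-lvl=15}"),
]


def add_to_reply(reply: List[Attr], attrs: List[Attr]) -> List[Attr]:
    """AddToReply semantics: append every configured instance unconditionally."""
    return list(reply) + list(attrs)


def add_to_reply_if_not_exist(reply: List[Attr], attrs: List[Attr]) -> List[Attr]:
    """Model of the behaviour described in the thread: an attribute is added
    only if no attribute with that name is already present. After the first
    OSC-Authorize-Group instance is added, the remaining instances are skipped."""
    out = list(reply)
    for name, value in attrs:
        if not any(existing == name for existing, _ in out):
            out.append((name, value))
    return out


def authorize_groups(reply: List[Attr]) -> List[str]:
    """All OSC-Authorize-Group values present in a reply, in order."""
    return [value for name, value in reply if name == "OSC-Authorize-Group"]


def missing_authorization_lines(reply: List[Attr], expected: List[Attr]) -> List[str]:
    """Configured OSC-Authorize-Group values that did not make it into the reply.
    A non-empty result means the effective authorization policy differs from
    the intended one (for the quoted config, the deny line would be lost)."""
    present = set(authorize_groups(reply))
    return [
        value
        for name, value in expected
        if name == "OSC-Authorize-Group" and value not in present
    ]


if __name__ == "__main__":
    for label, merge in (("AddToReply", add_to_reply),
                         ("AddToReplyIfNotExist", add_to_reply_if_not_exist)):
        reply = merge([], CONFIGURED)
        print(f"{label}: {len(authorize_groups(reply))} OSC-Authorize-Group instance(s)")
        for line in missing_authorization_lines(reply, CONFIGURED):
            print(f"  missing: {line}")
```

Run as a script it reports three instances for AddToReply and a single instance for AddToReplyIfNotExist, listing the two lines that were dropped. The second function also shows why the IfNotExist variant is fine for single-instance attributes: a reply that already carries a Service-Type keeps its existing value and is not overwritten.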