On 11/28/2012 11:16 PM, Murat Bilal wrote:
> In <ServerTACACSPlus> clause I have rules for command auth such as below:
> AuthorizeGroup DDAP6 permit service=shell cmd\* {priv-lvl=6}
> AuthorizeGroup DDAP6 deny service=shell cmd=show cmd-arg=.*
> AuthorizeGroup DDAP6 deny service=shell cmd=ping cmd-arg=.*
> AuthorizeGroup DDAP6 permit .* {}
> Is it possible to write these rules from Radmin Web interface? If so in
> which table. I am using the latest Radmin and Radiator version

Hello Murat,

yes, this is possible. Just add each line as e.g., OSC-Authorize-Group
with Radmin. That is, the user should have four OSC-Authorize-Group
reply attributes.

Then configure your <ServerTACACSPLUS> with

    AuthorizeGroupAttr OSC-Authorize-Group

When you authenticate, the Access-Accept should have:

    OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
    OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*"
    OSC-Authorize-Group = "deny service=shell cmd=ping cmd-arg=.*"
    OSC-Authorize-Group = "permit .* {}"
    OSC-Group-Identifier = "group1"

Here OSC-Group-Identifier is configured as GroupMemberAttr. This will
set 'group1' as the authorization group for the user.

During the authorization the OSC-Authorize-Group attribute values are
processed first followed by group1 values as defined by AuthorizeGroup
configuration options.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
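The processing order described in the reply above (per-user OSC-Authorize-Group values first, then the group's AuthorizeGroup rules), as an added example that is not part of the original message and is not Radiator's code. It is a simplified model that assumes the first matching rule decides and that each pattern is a regular expression that must fully match the request argument at the same position; `GROUP_RULES`, the `default` parameter and the sample requests are constructed for illustration.

```python
import re

# Per-user rule strings copied from the OSC-Authorize-Group values in the reply.
USER_RULES = [
    r"permit service=shell cmd\* {priv-lvl=6}",
    r"deny service=shell cmd=show cmd-arg=.*",
    r"deny service=shell cmd=ping cmd-arg=.*",
    r"permit .* {}",
]
# Constructed stand-in for the AuthorizeGroup lines that "group1" would carry.
GROUP_RULES = [r"deny .*"]

# action, whitespace-separated patterns, optional {reply attributes}
RULE_RE = re.compile(r"^(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?$")


def parse_rule(text):
    """Split one rule string into (action, patterns, reply_attrs)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, patterns, attrs = m.groups()
    return action, patterns.split(), (attrs or "").split()


def authorize(args, user_rules, group_rules, default="deny"):
    """Return (action, reply_attrs, source, rule) for a list of request args.

    Model assumptions: user rules are checked before group rules, the first
    rule whose patterns all match wins, and pattern i must fully match arg i.
    `default` is a hypothetical fallback used when no rule matches.
    """
    for source, rules in (("user", user_rules), ("group", group_rules)):
        for text in rules:
            action, patterns, attrs = parse_rule(text)
            if len(patterns) <= len(args) and all(
                re.fullmatch(p, a) for p, a in zip(patterns, args)
            ):
                return action, attrs, source, text
    return default, [], "default", None


if __name__ == "__main__":
    # Constructed sample authorization requests.
    for req in (["service=shell", "cmd*"],
                ["service=shell", "cmd=show", "cmd-arg=version", "cmd-arg=<cr>"],
                ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]):
        print(req, "->", authorize(req, USER_RULES, GROUP_RULES))
```

Under this model the per-user catch-all `permit .* {}` matches every request that reaches it, so the rules of `group1` are never consulted for this user; removing it lets the group rules decide everything the first three lines do not.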