On 11/28/2012 11:16 PM, Murat Bilal wrote:
> In <ServerTACACSPlus> clause I have rules for command auth such as below:
> AuthorizeGroup DDAP6 permit service=shell cmd\* {priv-lvl=6}
> AuthorizeGroup DDAP6 deny service=shell cmd=show cmd-arg=.*
> AuthorizeGroup DDAP6 deny service=shell cmd=ping cmd-arg=.*
> AuthorizeGroup DDAP6 permit .* {}
> Is it possible to write these rules from Radmin Web interface?If so in
> which table .I am using the latest Radmin and Radiator version
Hello Murat,
yes, this is possible. Just add each line as e.g., OSC-Authorize-Group
with Radmin. That is, the user should have four OSC-Authorize-Group
reply attributes.
Then configure your <ServerTACACSPLUS> with
AuthorizeGroupAttr OSC-Authorize-Group
When you authenticate, the Access-Accept should have:
OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*"
OSC-Authorize-Group = "deny service=shell cmd=ping cmd-arg=.*"
OSC-Authorize-Group = "permit .* {}"
OSC-Group-Identifier = "group1"
Here OSC-Group-Identifier is configured as GroupMemberAttr. This will
set 'group1' as the authorization group for the user. During the
authorization the OSC-Authorize-Group attribute values are processed
first followed by group1 values as defined by AuthorizeGroup
configuration options.
Thanks,
Heikki
--
Heikki Vatiainen <h...@open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
