Hello Patrik,

Juniper works differently than Cisco in the authorization part.
Juniper requires that all rules are sent to the device in the first query; after that, the Juniper device will evaluate the rules.

In Juniper, you can define multiple rules like this:
AuthorizeGroup view permit service=junos-exec {local-user-name=tacacs-view \
allow-commands="^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)" \
    deny-commands=".*"}

Best Regards,
 Sami


On 13.03.2017 14:10, Patrik Forsberg wrote:
Ok so got this working for the junos stuff.. but still interested to know if
you can add multiple permit/deny attributes that are sent to tacacs for further
processing?


Best regards,
Patrik Forsberg


-----Original Message-----
From: radiator [mailto:radiator-boun...@lists.open.com.au] On Behalf Of
Patrik Forsberg
Sent: 13 March 2017 11:15
To: radiator@lists.open.com.au
Subject: [RADIATOR] Tacacs AuthorizeGroupAttr ?

Hello,

So in my quest to make things more dynamic I've now come to the
authorization and figured I could use AuthorizeGroupAttr to set up the user
credentials, but ran into somewhat of an issue.

When I specify AuthorizeGroupAttr to for example OSC-Authorize-Group
and GroupMemberAttr to OSC-Group-Identifier and use for example this in
the "authby" clause
"
OSC-Group-Identifier = "group1",\
OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}"
"

This seems to be working as intended but if I want to add more to the
OSC-Authorize-Group it seems to fail.. I can't add multiple attributes .. it'll
simply use the first .. and if I just add more attributes comma separated the box
doesn't seem to receive it..

Examples
"
OSC-Group-Identifier = "group1",\
OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1}",\
OSC-Authorize-Group = "deny-commands=\".*\""
"
Or
"
OSC-Group-Identifier = "group1",\
OSC-Authorize-Group = "permit service=junos-exec {local-user-name=grp1},deny-commands=\".*\""
"

From what I can understand from the equipment, both seem to fail and only
the first "permit service=junos-exec {local-user-name=grp1}" works..

Is there a trick to get multiple attributes to move into the tacacs server for
the GroupMemberAttr ?

Any help is, as always, appreciated!

Regards,
Patrik Forsberg

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator


--
Sami Keski-Kasari <sam...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
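As an added illustration of the point in Sami's reply (not Radiator's or Juniper's own code), the snippet below parses the single-line AuthorizeGroup rule from the reply into its service and attribute set, then evaluates candidate commands against the allow-commands and deny-commands regexes. The evaluation order (a match on allow-commands wins, otherwise deny-commands is applied, using unanchored search) is an assumption drawn from the "allow a few, deny everything else" pattern in the reply; function and constant names are the example's own.

```python
import re

# Constructed sample: the AuthorizeGroup rule from the reply, written as the one
# authorization attribute string that the device receives in the first query.
JUNOS_VIEW_RULE = (
    'permit service=junos-exec {local-user-name=tacacs-view '
    'allow-commands="^(exit|show (cli authorization|vlans|interfaces|ethernet-switching).*)" '
    'deny-commands=".*"}'
)

# key=value pairs inside the braces; values are either "quoted" or bare tokens.
_AVPAIR = re.compile(r'(?P<key>[\w-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s}]+))')


def parse_authorize_rule(rule: str) -> dict:
    """Split 'permit service=X {k=v ...}' into action, service and attribute map."""
    m = re.fullmatch(r'\s*(permit|deny)\s+service=(\S+)\s*\{(.*)\}\s*', rule, re.S)
    if not m:
        raise ValueError("rule is not of the form 'permit service=... {...}'")
    action, service, body = m.groups()
    attrs = {}
    for pair in _AVPAIR.finditer(body):
        quoted, bare = pair.group('quoted'), pair.group('bare')
        attrs[pair.group('key')] = quoted if quoted is not None else bare
    return {'action': action, 'service': service, 'attrs': attrs}


def command_allowed(attrs: dict, command: str) -> bool:
    """Assumed evaluation order: allow-commands match wins, then deny-commands
    match denies, and a command matching neither is allowed."""
    allow = attrs.get('allow-commands')
    deny = attrs.get('deny-commands')
    if allow and re.search(allow, command):
        return True
    if deny and re.search(deny, command):
        return False
    return True


if __name__ == '__main__':
    rule = parse_authorize_rule(JUNOS_VIEW_RULE)
    for cmd in ('show interfaces terse', 'exit', 'configure', 'show configuration'):
        print(f"{cmd!r}: {'allowed' if command_allowed(rule['attrs'], cmd) else 'denied'}")
```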