Thanks for the response, folks. I've done some reading in both the sample configuration file located in the goodies folder, and a few threads online that point to some ideas on how to deal with this.
Ideally I would like to have a "group" value inside of the LDAP database that will directly associate with an AuthorizeGroup definition inside of the tacacs.cfg file. For example: user "testuser" has an LDAP attribute that has the value "showOnly". Inside of the tacacs.cfg file, I would have something like this:

    AuthorizeGroup showOnly permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup showOnly deny .*

My confusion is specifically *how* to associate the LDAP attribute to the AuthorizeGroup group. The documentation points to AuthAttrDef; maybe something like this?

    <AuthBy LDAP2>
        AuthAttrDef tacacsGroup,networkGroup,reply
        ...
    </AuthBy>

But how to tie this attribute into anything of value isn't jiving right now.

Any thoughts / ideas would be appreciated! :)

-james

On Wed, Feb 16, 2011 at 20:30, Hugh Irvine <[email protected]> wrote:
>
> Hello James -
>
> See "goodies/tacplus.txt" in the Radiator distribution.
>
> regards
>
> Hugh
>
>
> On 17 Feb 2011, at 11:01, James wrote:
>
>> Is it possible to perform command authorization on IOS with Radiator?
>> If so, can anyone share any examples of how this is configured?
>>
>> I don't see anything in the documentation indicating this is possible.
>>
>> -james
>> _______________________________________________
>> radiator mailing list
>> [email protected]
>> http://www.open.com.au/mailman/listinfo/radiator
