Hello James -

As is described in "goodies/tacplus.txt" and the manual, you tie things 
together with the "GroupMemberAttr …" parameter.

See section 5.86.9 in the manual.

With what you show below, you would specify this:

	GroupMemberAttr networkGroup


In other words, put the value of the "tacacsGroup" LDAP attribute into a RADIUS 
reply attribute called "networkGroup" and use that for the AuthorizeGroup.

Your configuration would have the value "showOnly" in the LDAP attribute 
"tacacsGroup", and it would be returned in a RADIUS attribute called 
"networkGroup". 

The example in "goodies/tacplus.cfg" uses a flat file rather than LDAP, but the 
principle is the same.

regards

Hugh

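For anyone following the thread later, here is how the two pieces discussed above (the AuthAttrDef line from James's message and the GroupMemberAttr line from Hugh's reply) fit together in one configuration. This is an added illustration, not a file from the Radiator distribution or from either poster; the host name, DNs, shared secret and the ldapUsers Identifier are placeholders, and it assumes the usual Radiator layout in which ServerTACACSPLUS turns TACACS+ requests into RADIUS requests that are dispatched to a Handler.

```apacheconf
# Added example, not part of the original thread. Placeholders must be
# replaced with real values for your site.

# TACACS+ listener: converts requests from IOS into RADIUS requests that
# are handled by the <Handler> below.
<ServerTACACSPLUS>
	Key PLACEHOLDER_SHARED_SECRET

	# Pick the AuthorizeGroup from the value of the RADIUS reply
	# attribute "networkGroup" (Hugh's line above).
	GroupMemberAttr networkGroup

	# The group definitions from James's message: allow "show ..." in the
	# shell service, deny everything else for that group.
	AuthorizeGroup showOnly permit service=shell cmd=show cmd-arg=.*
	AuthorizeGroup showOnly deny .*
</ServerTACACSPLUS>

<Handler>
	<AuthBy LDAP2>
		Identifier ldapUsers
		Host ldap.example.com
		Port 389
		AuthDN cn=radiator,dc=example,dc=com
		AuthPassword PLACEHOLDER_BIND_PASSWORD
		BaseDN ou=people,dc=example,dc=com
		UsernameAttr uid
		PasswordAttr userPassword

		# Copy the LDAP attribute "tacacsGroup" (value "showOnly" for
		# testuser) into a reply attribute called "networkGroup", which
		# is what GroupMemberAttr above looks at.
		AuthAttrDef tacacsGroup,networkGroup,reply
	</AuthBy>
</Handler>
```

Check that the reply attribute name you choose (networkGroup here) is defined in your Radiator dictionary before testing, and confirm with a Trace 4 log that the attribute appears in the reply and that the expected AuthorizeGroup is selected.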


On 17 Feb 2011, at 15:54, James wrote:

> Thanks for the response, folks.
> 
> I've done some reading in both the sample configuration file located
> in the goodies folder, and a few threads online that point to some
> ideas on how to deal with this.
> 
> Ideally I would like to have a "group" value inside of the LDAP
> database that will directly associate with a AuthorizeGroup definition
> inside of the tacacs.cfg file.
> 
> For example: user "testuser" has an LDAP attribute that has the value
> "showOnly". Inside of the tacacs.cfg file, I would have something like
> this:
> 
> AuthorizeGroup showOnly permit service=shell cmd=show cmd-arg=.*
> AuthorizeGroup showOnly deny .*
> 
> My confusion is specifically *how* to associate the LDAP attribute to
> the AuthorizeGroup group.
> 
> The documentation points to AuthAttrDef; maybe something like this?
> 
> <AuthBy LDAP2>
> AuthAttrDef tacacsGroup,networkGroup,reply
> ...
> </AuthBy>
> 
> But how to tie this attribute into anything of value isn't jiving right now.
> 
> Any thoughts / ideas would be appreciated! :)
> 
> -james
> 
> 
> 
> On Wed, Feb 16, 2011 at 20:30, Hugh Irvine <[email protected]> wrote:
>> 
>> Hello James -
>> 
>> See "goodies/tacplus.txt" in the Radiator distribution.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 17 Feb 2011, at 11:01, James wrote:
>> 
>>> Is it possible to perform command authorization on IOS with Radiator?
>>> If so, can anyone share any examples of how this is configured?
>>> 
>>> I don't see anything in the documentation indicating this is possible.
>>> 
>>> -james
>>> _______________________________________________
>>> radiator mailing list
>>> [email protected]
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> 
