I've recently added some Juniper routers into the network that are
authenticating against a legacy freeware tacacs server. I'm moving to the
Radiator format but am not sure how to convert the configuration to an
"AuthorizeGroup"... Below is the example config I'm wanting to convert.
service = arbor {
arbor_group = arbor_user
}
service = exec {
priv-lvl = 15
}
service = junos-exec {
local-user-name = noc-user
allow-commands = "configure private|clear interface"
allow-configuration = "routing-options static route .* next-hop ds.*"
deny-commands = "configure|ssh*|test*|request*|file*|mtrace*"
}
Would this look something like??
AuthorizeGroup ADMINTEST permit service=shell cmd\* {priv-lvl=15 idletime=45
timeout=600}
AuthorizeGroup ADMINTEST permit service=arbor cmd\* {arbor_group=arbor_user}
AuthorizeGroup ADMINTEST permit service=junos-exec cmd\*
{local-user-name=noc-user allow-commands="configure private|clear interface" \
allow-configuration="routing-options static route .* next-hop ds.*"
deny-commands="configure|ssh*|test*|request*|file*|mtrace*"}
AuthorizeGroup ADMINTEST permit .*
I wasn't sure if I needed a new "service=junos-exec" or if those commands could
just go under the normal "service=shell cmd\*" section.
Thanks in advance
Dave
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
