On 06/21/2011 08:49 PM, David Heinz wrote:

> I've recently added some Juniper routers into the network that are 
> authenticating against a legacy freeware tacacs server. I'm moving to the 
> Radiator format but am not sure how to convert the configuration to an 
> "AuthorizeGroup"... Below is the example config I'm wanting to convert.
> 
> service = arbor {
>    arbor_group = arbor_user
> }
> service = exec {
>    priv-lvl = 15
> }
> service = junos-exec {
>    local-user-name = noc-user
>    allow-commands = "configure private|clear interface"
>    allow-configuration = "routing-options static route .* next-hop ds.*"
>    deny-commands = "configure|ssh*|test*|request*|file*|mtrace*"
> }
> 
> Would this look something like??

The syntax looks correct, but you should do testing to see what Radiator
actually receives.

Also, have you noticed goodies/tacacsplustest? Using your configuration as
an example (note: mail client wraps long lines):

% perl goodies/tacacsplustest -trace 4 -port 4949 -noacct \
  -author_args service=junos-exec,cmd'*'

Connecting to TACACS+ server localhost:4949
sending Authentication request...
authentication response: 193, 1, 2, 0, 1234, 1, 0, ,
Disconnect from localhost:4949
OK
sending Authorization request...

authorization response: 192, 2, 2, 0, 1234, 1, , ,
local-user-name=noc-user allow-commands=configure private|clear
interface allow-configuration=routing-options static route .* next-hop
ds.* deny-commands=configure|ssh*|test*|request*|file*|mtrace*

Disconnect from localhost:4949
OK


tacacsplustest can be very useful for testing the configuration.

> AuthorizeGroup ADMINTEST permit service=shell cmd\* {priv-lvl=15 idletime=45 
> timeout=600}
> AuthorizeGroup ADMINTEST permit service=arbor cmd\* {arbor_group=arbor_user}
> AuthorizeGroup ADMINTEST permit service=junos-exec cmd\* 
> {local-user-name=noc-user allow-commands="configure private|clear interface" \
>      allow-configuration="routing-options static route .* next-hop ds.*" 
> deny-commands="configure|ssh*|test*|request*|file*|mtrace*"}
> AuthorizeGroup ADMINTEST permit .*
> 
> I wasn't sure if I needed a new "service=junos-exec" or if those commands 
> could just go under the normal "service=shell cmd\*" section.

I would not move the commands if JunOS uses junos-exec as service name
instead of shell. Note that permit .* as the last action and pattern can
easily grant too much access if the matching rules are incorrect.


-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
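The point about a trailing "permit .*" granting too much, as an added example that is not part of the thread and is not Radiator's own code: a small Python model of an ordered AuthorizeGroup list. It parses the group lines quoted above, evaluates a request against them first-match-wins, and shows that an IOS-style command authorization (service=shell cmd=reload) that none of the specific rules match falls through to the catch-all and is permitted with an empty reply, while the same group without the catch-all denies it. The matching model (unanchored regex search over the space-joined attribute-value pairs, implicit deny when nothing matches, "cmd*" presented literally for an optional empty cmd argument) is an assumption made for illustration, as are the sample requests.

```python
"""Simplified model of an ordered Radiator-style AuthorizeGroup list.

Assumptions (not taken from Radiator's source): each rule's pattern is a
regular expression tested with an unanchored search against the request's
attribute-value pairs joined by single spaces; rules are tried in the order
written; the first match wins; a request matching no rule is denied; an
optional-empty TACACS+ argument arrives as the literal text "cmd*".
The sample requests below are constructed, not captured from a device.
"""
import re
import shlex
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^AuthorizeGroup\s+(?P<group>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<pattern>.*?)\s*(?:\{(?P<reply>.*)\})?\s*$"
)


@dataclass
class Rule:
    group: str
    action: str
    pattern: re.Pattern
    reply: dict


def parse_rule(line: str) -> Rule:
    """Parse one 'AuthorizeGroup GROUP permit|deny PATTERN {attr=val ...}' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an AuthorizeGroup line: {line!r}")
    reply = {}
    # shlex handles the double-quoted values that contain spaces
    for token in shlex.split(m.group("reply") or ""):
        name, _, value = token.partition("=")
        reply[name] = value
    return Rule(m.group("group"), m.group("action"),
                re.compile(m.group("pattern")), reply)


def authorize(rules, group, args):
    """Return (action, reply) from the first rule of `group` whose pattern
    matches the space-joined request arguments; deny if none matches."""
    request = " ".join(args)
    for rule in rules:
        if rule.group != group:
            continue
        if rule.pattern.search(request):
            return rule.action, dict(rule.reply)
    return "deny", {}


# The group as posted in the thread, including the trailing catch-all.
GROUP_TEXT = r"""
AuthorizeGroup ADMINTEST permit service=shell cmd\* {priv-lvl=15 idletime=45 timeout=600}
AuthorizeGroup ADMINTEST permit service=arbor cmd\* {arbor_group=arbor_user}
AuthorizeGroup ADMINTEST permit service=junos-exec cmd\* {local-user-name=noc-user allow-commands="configure private|clear interface" allow-configuration="routing-options static route .* next-hop ds.*" deny-commands="configure|ssh*|test*|request*|file*|mtrace*"}
AuthorizeGroup ADMINTEST permit .*
""".strip().splitlines()

ADMINTEST_LOOSE = [parse_rule(line) for line in GROUP_TEXT]
# Same group with the catch-all removed: unmatched requests fall to the
# (assumed) implicit deny instead.
ADMINTEST_STRICT = ADMINTEST_LOOSE[:-1]

# Constructed requests: the junos-exec session start that tacacsplustest
# sent, and an IOS-style command authorization the posted rules never name.
JUNOS_START = ["service=junos-exec", "cmd*"]
IOS_RELOAD = ["service=shell", "cmd=reload"]


def demo():
    return {
        "junos_start_loose": authorize(ADMINTEST_LOOSE, "ADMINTEST", JUNOS_START),
        "reload_loose": authorize(ADMINTEST_LOOSE, "ADMINTEST", IOS_RELOAD),
        "reload_strict": authorize(ADMINTEST_STRICT, "ADMINTEST", IOS_RELOAD),
    }


if __name__ == "__main__":
    for name, (action, reply) in demo().items():
        print(f"{name}: {action} {reply}")
```

The junos-exec request picks up the noc-user reply attributes as expected in both variants; the difference is only in what happens to a request the specific rules do not cover, which is exactly the case a mistyped pattern produces. Whatever the real server does with an empty permit reply for a command authorization, a rule that matches everything should be checked with tacacsplustest against requests you intend to reject, not only against the ones you intend to accept.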
