This is a working example of how I've set it up. It doesn't restrict the use
of commands on Juniper, though.

AuthorizeGroup <GROUP> permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup <GROUP> permit service=shell cmd= {priv-lvl=15}
AuthorizeGroup <GROUP> permit service=junos-exec {local-user-name=<TEMPLATE_USER>}
AuthorizeGroup <GROUP> permit service=arbor {arbor_group=system_admin}
AuthorizeGroup <GROUP> permit .*

It might help, or it might not ;)


Regards,
Patrik Forsberg

From: [email protected] [mailto:[email protected]] On 
Behalf Of David Heinz
Sent: Tuesday, June 21, 2011 7:50 PM
To: [email protected]
Subject: [RADIATOR] TACACS Configuration to AuthorizeGroup

I've recently added some Juniper routers into the network that are 
authenticating against a legacy freeware tacacs server. I'm moving to the 
Radiator format but am not sure how to convert the configuration to an 
"AuthorizeGroup"... Below is the example config I'm wanting to convert.

service = arbor {
   arbor_group = arbor_user
}
service = exec {
   priv-lvl = 15
}
service = junos-exec {
   local-user-name = noc-user
   allow-commands = "configure private|clear interface"
   allow-configuration = "routing-options static route .* next-hop ds.*"
   deny-commands = "configure|ssh*|test*|request*|file*|mtrace*"
}

Would this look something like this?

AuthorizeGroup ADMINTEST permit service=shell cmd\* {priv-lvl=15 idletime=45 timeout=600}
AuthorizeGroup ADMINTEST permit service=arbor cmd\* {arbor_group=arbor_user}
AuthorizeGroup ADMINTEST permit service=junos-exec cmd\* {local-user-name=noc-user allow-commands="configure private|clear interface" allow-configuration="routing-options static route .* next-hop ds.*" deny-commands="configure|ssh*|test*|request*|file*|mtrace*"}
AuthorizeGroup ADMINTEST permit .*

I wasn't sure if I needed a new "service=junos-exec" or if those commands could 
just go under the normal "service=shell cmd\*" section.

Thanks in advance
Dave
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
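
The conversion both messages describe, as an added example that is not part of either post and is not code from Radiator or tac_plus: a small Python translator that parses tac_plus-style `service = name { attr = value }` stanzas and emits one Radiator `AuthorizeGroup` line per service, in the layout of the reply above. The group name ADMINTEST and the sample stanzas are taken from the question; the mapping of tac_plus `service = exec` onto `service=shell cmd\*` plus `service=shell cmd=` is an assumption that mirrors the reply's working config, and every other service name is passed through unchanged. Each rule is written as a single logical line (the long junos-exec rule is not wrapped), and the trailing `.*` catch-all is a parameter: `permit`, as in the thread, grants any authorization request the earlier lines did not match, so `deny` is the stricter choice if you want only the listed services authorized.

```python
"""Translate tac_plus-style ``service = name { attr = value }`` stanzas into
Radiator ``AuthorizeGroup`` lines.

Added example for this thread; not code from Radiator, tac_plus or either
poster.  The exec -> shell mapping below is an assumption that mirrors the
layout shown in the reply.
"""
import re
from typing import List, Tuple

# tac_plus "service = exec" is the TACACS+ shell service.  Following the
# reply's layout, emit one rule for any command (cmd\*) and one for the exec
# session itself (empty cmd=).  Other service names pass through unchanged
# as "service=<name>".  (Assumed mapping, not Radiator documentation.)
SERVICE_MAP = {"exec": ["service=shell cmd\\*", "service=shell cmd="]}

_SERVICE_RE = re.compile(r"^service\s*=\s*([\w.-]+)\s*\{$")
# value is either a double-quoted string (backslash escapes allowed) or a
# single token without whitespace
_ATTR_RE = re.compile(r'^([\w.-]+)\s*=\s*("(?:[^"\\]|\\.)*"|\S+)$')

Stanza = Tuple[str, List[Tuple[str, str]]]


def parse_tacplus_services(text: str) -> List[Stanza]:
    """Return [(service, [(attr, value), ...]), ...] in file order.

    Quoted values keep their double quotes so they are reproduced verbatim.
    Raises ValueError on a malformed line, a nested stanza or an
    unterminated one rather than silently dropping attributes.
    """
    stanzas: List[Stanza] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        if current is None:
            m = _SERVICE_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected 'service = name {{', got {line!r}")
            current = (m.group(1), [])
        elif line == "}":
            stanzas.append(current)
            current = None
        else:
            m = _ATTR_RE.match(line)
            if not m:  # also catches a nested "service = x {" line
                raise ValueError(f"line {lineno}: bad attribute line {line!r}")
            current[1].append((m.group(1), m.group(2)))
    if current is not None:
        raise ValueError(f"unterminated stanza for service {current[0]!r}")
    return stanzas


def to_authorize_group(group: str, text: str, catch_all: str = "permit") -> List[str]:
    """Emit one AuthorizeGroup line per (service, selector) pair, followed by
    a final ".*" catch-all.  catch_all is "permit" (as in the thread) or
    "deny" (stricter: anything not listed is refused)."""
    if catch_all not in ("permit", "deny"):
        raise ValueError("catch_all must be 'permit' or 'deny'")
    lines = []
    for service, attrs in parse_tacplus_services(text):
        attr_str = "{" + " ".join(f"{k}={v}" for k, v in attrs) + "}"
        for selector in SERVICE_MAP.get(service, [f"service={service}"]):
            # one logical line per rule; never wrap it in the config file
            lines.append(f"AuthorizeGroup {group} permit {selector} {attr_str}")
    lines.append(f"AuthorizeGroup {group} {catch_all} .*")
    return lines


# Constructed sample input: the three stanzas quoted in the question.
SAMPLE_TACPLUS = '''\
# constructed sample taken from the service stanzas in the thread
service = arbor {
   arbor_group = arbor_user
}
service = exec {
   priv-lvl = 15
}
service = junos-exec {
   local-user-name = noc-user
   allow-commands = "configure private|clear interface"
   allow-configuration = "routing-options static route .* next-hop ds.*"
   deny-commands = "configure|ssh*|test*|request*|file*|mtrace*"
}
'''

if __name__ == "__main__":
    print("\n".join(to_authorize_group("ADMINTEST", SAMPLE_TACPLUS)))
```

Running the script prints five rules: arbor, the two shell rules for exec, the single-line junos-exec rule with its quoted allow/deny patterns, and the `permit .*` catch-all. Pass `catch_all="deny"` to get a closed policy instead.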