On 11/09/2012 02:40 PM, Murat Bilal wrote:

> INFO: Authorization denied for tacuser7, group DEFAULT. No matching
> AuthorizeGroup rule for args service=shell cmd=show cmd-arg=version

Hello Murat, please review doc/ref.pdf and documentation for
GroupMemberAttr.

> My Config is below. I give the name of the group to group 1 but still
> shows group name DEFAULT when debugging. When I change the group name to
> DEFAULT it is ok. Why can I not use the group name as group 1?

GroupMemberAttr should be set to the name of attribute in the
Access-Accept. For example OSC-Group-Identifier. The value of attribute
(e.g., value of OSC-Group-Identifier) should be e.g., 'group1' or 'group3'.

I noticed you have tried for example this in ServerTACACSPLUS clause:

  AddToRequest OSC-Group-Identifier = tacuser3*

What you should have is 'AddToReply OSC-Group-Identifier=...' in AuthBy
clause that authenticates the TACACS+ user. The value in place of '...'
should be 'group1', 'group3', or what ever groups you have in
AuthorizeGroup options.

Thanks,
Heikki


> <ServerTACACSPLUS>
> #       AddToRequest OSC-Environment-Identifier=Tacacs
>         AddToRequest NAS-Identifier=TACACS
> #       AuthorizeGroup tacuser3 permit service=shell cmd\* {priv-lvl=15}
>         GroupMemberAttr group1
>         AuthorizeGroupAttr group1  permit service=shell cmd=show cmd-args=.*
> #       AddToRequest OSC-Group-Identifier = tacuser3
> #       AddToRequest OSC-Group-Identifier = tac
>         AuthorizeGroup group1  permit service=shell cmd=show cmd-args=.*
>         AuthorizeGroup group1 permit .*
> </ServerTACACSPLUS>
> 
> *MURAT BİLAL * 
> *Services Engineer*
> 
> 
> Ericsson Turkey
> CU Customer Support
> Cyber Plaza C Blok Kat:1 No:146
> Cyberpark 6800 Bilkent/Ankara
> Mobile +90 554 898 98 43
> [email protected] <mailto:[email protected]>
> www.ericsson.com  
> 
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
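To make Heikki's advice concrete, here is an added configuration example (written for this page, not taken from the thread or from Radiator's shipped goodies). It assumes an AuthBy FILE backend, the users file format Radiator uses for that backend (check items on the first line, reply items indented on the lines that follow), placeholder user names and secrets, and that the group attribute is returned as a reply item so each user can land in a different group. The AuthorizeGroup patterns are written against the args string exactly as the debug line in the thread prints it (service=shell cmd=show cmd-arg=...), and the DEFAULT group gets an explicit deny-all so a user whose Access-Accept carries no OSC-Group-Identifier is not silently granted anything:

```text
# radius.cfg fragment (added example; paths and secrets are placeholders)

<ServerTACACSPLUS>
        Key             CHANGE-ME-shared-secret

        # Name of the attribute in the Access-Accept that carries the
        # group name. Its VALUE (group1, group3, ...) selects the
        # AuthorizeGroup rule set below; the attribute NAME goes here.
        GroupMemberAttr OSC-Group-Identifier

        # Rules for members of group1: read-only "show" commands.
        # Patterns match the args string as it appears in the debug
        # output, e.g. "service=shell cmd=show cmd-arg=version".
        AuthorizeGroup  group1  permit service=shell cmd=show cmd-arg=.*
        AuthorizeGroup  group1  deny   .*

        # Rules for members of group3: full privileged shell.
        AuthorizeGroup  group3  permit service=shell cmd\* {priv-lvl=15}
        AuthorizeGroup  group3  permit .*

        # Users whose Access-Accept carries no OSC-Group-Identifier fall
        # into DEFAULT; deny everything rather than granting by accident.
        AuthorizeGroup  DEFAULT deny   .*
</ServerTACACSPLUS>

<Handler>
        <AuthBy FILE>
                Filename %D/users
                # Alternative to per-user reply items: uncomment to put
                # every user authenticated by this AuthBy into one group.
                # AddToReply OSC-Group-Identifier=group1
        </AuthBy>
</Handler>
```

And the matching users file (`%D/users`), where the indented second line is the reply item that GroupMemberAttr looks for; the user names and passwords are constructed placeholders:

```text
tacuser7        User-Password = "CHANGE-ME-tacuser7"
                OSC-Group-Identifier = group1

tacuser3        User-Password = "CHANGE-ME-tacuser3"
                OSC-Group-Identifier = group3
```

With this in place, the debug output for tacuser7 running "show version" should report a match against the group1 rule instead of "Authorization denied for tacuser7, group DEFAULT", while anything other than a "show" command is denied by the group1 deny rule. If the log still shows group DEFAULT, check the Access-Accept in the debug trace: the attribute named in GroupMemberAttr has to appear there, which is the point of using AddToReply (or a reply item) rather than AddToRequest.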