Hi all,

I have a very simple conf as below:

<ServerTACACSPLUS>
        Key somekey
        AddToRequest NAS-Identifier=TACACS
        GroupMemberAttr OSC-AVPAIR
        AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
        AuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet 169.163.226.81"}
        AuthorizeGroup group1 permit service=ppp protocol=ip {inacl=101 outacl=102}
        AuthorizeGroupAttr permit service=shell cmd\* {priv-lvl=15}
        AuthorizeGroupAttr permit service=shell cmd\* {priv-lvl=1}
        AuthorizeGroupAttr permit .* {}
</ServerTACACSPLUS>

<Handler>
        <AuthBy SQL>
                Identifier SQLTAC
                # See the reference manual. You will also have to
                # change the one in <SessionDatabase SQL> below
                # so it's the same
                DBSource        dbi:mysql:radius:localhost
                DBUsername      raduser
                DBAuth          raduser
#               AuthSelect select PASSWORD 'Auth-Type=AuthSQL from SUBSCRIBERS where USERNAME=%0 in 'GroupList="group1 group2 group3 group8"'
#               AuthSelect select PASSWORD 'Auth-Type=AuthSQL from SUBSCRIBERS where USERNAME=%0 in ($GroupMembershipQuery)
                # You can customise the SQL query used to get user details with the
                # AuthSelect parameter:
                #  AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
                # You can use statement caching and bound variables with AuthSelectParam:
                #  AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=?
                #  AuthSelectParam %u
                # You can control what is done with each field returned from the
                #  AuthSelect query with the AuthColumnDef parameter:
                AuthColumnDef 1, OSC-Group-Identifier, reply

                # You may want to tailor these for your ACCOUNTING table
                # You can add your own columns to store whatever you like
                AccountingTable ACCOUNTING
                AcctColumnDef   USERNAME,User-Name
                AcctColumnDef   TIME_STAMP,Timestamp,integer
                AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
                AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
                AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
                AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
                AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
                AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
                AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
                AcctColumnDef   NASIDENTIFIER,NAS-Identifier
                AcctColumnDef   NASPORT,NAS-Port,integer
                AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
                GroupMembershipQuery select GROUPNAME from GROUPS where USERNAME=%0 and GROUPNAME=%1

#               GroupMembershipQueryParam %0
#               GroupMembershipQueryParam %1
        </AuthBy>
</Handler>


This conf works very well with AuthBy FILE. When I try AuthBy SQL I get the
group DEFAULT. No matching AuthorizeGroup rule error, and cannot do TACACS
authorization.

In the reference manual it says GroupMembershipQuery checks to validate both
the username and appropriate group membership. But as far as I can see it cannot
do that and cannot return a reply for group identifier.

Please help. I checked the reference manual but found nothing.





MURAT BİLAL
Services Engineer

Ericsson Turkey
CU Customer Support
Cyber Plaza C Blok Kat:1 No:146
Cyberpark 6800 Bilkent/Ankara
Mobile +90 554 898 98 43
murat.bi...@ericsson.com
www.ericsson.com



_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
