Hi all,

I have a very simple conf as below:

<ServerTACACSPLUS>
    Key somekey
    AddToRequest NAS-Identifier=TACACS
    GroupMemberAttr OSC-AVPAIR
    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet 169.163.226.81"}
    AuthorizeGroup group1 permit service=ppp protocol=ip {inacl=101 outacl=102}
    AuthorizeGroupAttr permit service=shell cmd\* {priv-lvl=15}
    AuthorizeGroupAttr permit service=shell cmd\* {priv-lvl=1}
    AuthorizeGroupAttr permit .* {}
</ServerTACACSPLUS>

<Handler>
    <AuthBy SQL>
        Identifier SQLTAC

        # See the reference manual. You will also have to
        # change the one in <SessionDatabase SQL> below
        # so it's the same
        DBSource dbi:mysql:radius:localhost
        DBUsername raduser
        DBAuth raduser

        # AuthSelect select PASSWORD 'Auth-Type=AuthSQL from SUBSCRIBERS where USERNAME=%0 in 'GroupList="group1 group2 group3 group8"'
        # AuthSelect select PASSWORD 'Auth-Type=AuthSQL from SUBSCRIBERS where USERNAME=%0 in ($GroupMembershipQuery)

        # You can customise the SQL query used to get user details with the
        # AuthSelect parameter:
        # AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0

        # You can use statement caching and bound variables with AuthSelectParam:
        # AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=?
        # AuthSelectParam %u

        # You can control what is done with each field returned from the
        # AuthSelect query with the AuthColumnDef parameter:
        AuthColumnDef 1, OSC-Group-Identifier, reply

        # You may want to tailor these for your ACCOUNTING table
        # You can add your own columns to store whatever you like
        AccountingTable ACCOUNTING
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASPORT,NAS-Port,integer
        AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address

        GroupMembershipQuery select GROUPNAME from GROUPS where USERNAME=%0 and GROUPNAME=%1
        # GroupMembershipQueryParam %0
        # GroupMembershipQueryParam %1
    </AuthBy>
</Handler>

This conf works very well with AuthBy FILE. When I try AuthBy SQL I get the group DEFAULT. No matching AuthorizeGroup rule error, and cannot make TACACS authorization work. In the reference manual it says GroupMembershipQuery checks to validate both the username and appropriate group membership. But as far as I can see it cannot do that and cannot return a reply for the group identifier.

Please help. I checked the reference manual but found nothing.

MURAT BİLAL
Services Engineer

Ericsson Turkey
CU Customer Support
Cyber Plaza C Blok Kat:1 No:146 Cyberpark
6800 Bilkent/Ankara
Mobile +90 554 898 98 43
murat.bi...@ericsson.com
www.ericsson.com

This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator