Hi all,
mysql> select * from RADGROUPAUTH;
+-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
| ATTRIBUTE | AUTHRULE                                | DEVICEGROUP  | PRIORITY | PROTOCOL | TYPE | USERGROUP | VALUE |
+-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
| NULL      | NULL                                    | x.x.x.x      | NULL     | NULL     | NULL | test      | NULL  |
| NULL      | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x      | NULL     | NULL     | NULL | DDAP6     | NULL  |
| NULL      | NULL                                    | x.x.x.x      | NULL     | NULL     | NULL | DDAP15    | NULL  |
| NULL      | NULL                                    | x.x.x.x      | NULL     | NULL     | NULL | gm        | NULL  |
| NULL      | deny service=shell cmd=show cmd-arg=.*  | x.x.x.x      | NULL     | NULL     | NULL | test1     | NULL  |
| NULL      | permit .* {}                            | x.x.x.x      | NULL     | NULL     | NULL | DDAP6     | NULL  |
| NULL      | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x      | NULL     | NULL     | NULL | test1     | NULL  |
| NULL      | NULL                                    | NULL         | NULL     | NULL     | NULL | NULL      | NULL  |
| NULL      | NULL                                    | x.x.x.x      | NULL     | NULL     | NULL | AADP15    | NULL  |
| NULL      | NULL                                    | x.x.x.x      | NULL     | NULL     | NULL | DDAP6     | NULL  |
| NULL      | deny service=shell cmd=show cmd-arg=.*  | x.x.x.x      | NULL     | NULL     | NULL | DDAP6     | NULL  |
| NULL      | deny service=shell cmd=ping cmd-arg=.*  | x.x.x.x      | NULL     | NULL     | NULL | DDAP6     | NULL  |
| NULL      | deny service=shell cmd=ping cmd-arg=.*  | x.x.x.x      | NULL     | NULL     | NULL | test1     | NULL  |
| NULL      | permit .* {}                            | x.x.x.x      | NULL     | NULL     | NULL | test1     | NULL  |
+-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
I have 4 rules in the AUTHRULE column. This is the debug log for Access-Accept:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: ~<244>'Z<160>cB<211><31><171><171>ze<132><178><151>
Attributes:
OSC-Group-Identifier = "DDAP6"
OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
I cannot get the other attributes. It returns only one row. How can I get the other
attributes?
Here is my Radmin config:
AuthSelect select na.PASS_WORD,na.STATICADDRESS,na.TIMELEFT,\
na.MAXLOGINS, na.SERVICENAME, na.BADLOGINS, na.VALIDFROM, na.VALIDTO,\
na.TACACSGROUPID,ga.DEVICEGROUP, ga.AUTHRULE\
from RADUSERS as na,RADGROUPAUTH as ga where\
na.USERNAME='%n' and na.BADLOGINS < 5 and \
na.VALIDFROM < %t and na.VALIDTO > %t and na.TACACSGROUPID=ga.USERGROUP
AuthColumnDef 0, OSC-Group-Identifier, reply
AuthColumnDef 2, OSC-Authorize-Group, reply
I also tried GENERIC but no luck.
Thanks
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Heikki Vatiainen
Sent: Friday, 30 November 2012 12:24
To: [email protected]
Subject: Re: [RADIATOR] Radmin Web interface
On 11/30/2012 01:07 AM, Murat Bilal wrote:
> I do not understand. I want to edit those commands from the Radmin Web
> Interface, not in /etc/radiator/radiator.cfg.
Hello Murat,
Please see below; I was describing doing this with Radmin. With Radmin you need
to add each line as a reply attribute. The attribute name (such as
OSC-Authorize-Group) is then configured as AuthorizeGroupAttr in
<ServerTACACSPLUS>.
Thanks,
Heikki
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Heikki Vatiainen
> Sent: Thursday, 29 November 2012 14:58
> To: [email protected]
> Subject: Re: [RADIATOR] Radmin Web interface
>
> On 11/28/2012 11:16 PM, Murat Bilal wrote:
>
>> In <ServerTACACSPlus> clause I have rules for command auth such as below:
>> AuthorizeGroup DDAP6 permit service=shell cmd\* {priv-lvl=6}
>> AuthorizeGroup DDAP6 deny service=shell cmd=show cmd-arg=.*
>> AuthorizeGroup DDAP6 deny service=shell cmd=ping cmd-arg=.*
>> AuthorizeGroup DDAP6 permit .* {}
>
>> Is it possible to write these rules from the Radmin Web interface? If so,
>> in which table? I am using the latest Radmin and Radiator version.
>
> Hello Murat,
>
> Yes, this is possible. Just add each line as e.g., OSC-Authorize-Group with
> Radmin. That is, the user should have four OSC-Authorize-Group reply
> attributes.
>
> Then configure your <ServerTACACSPLUS> with
> AuthorizeGroupAttr OSC-Authorize-Group
>
> When you authenticate, the Access-Accept should have:
> OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
> OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*"
> OSC-Authorize-Group = "deny service=shell cmd=ping cmd-arg=.*"
> OSC-Authorize-Group = "permit .* {}"
> OSC-Group-Identifier = "group1"
>
> Here OSC-Group-Identifier is configured as GroupMemberAttr. This will set
> 'group1' as the authorization group for the user. During the authorization
> the OSC-Authorize-Group attribute values are processed first followed by
> group1 values as defined by AuthorizeGroup configuration options.
>
> Thanks,
> Heikki
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside,
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX,
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix,
Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
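Heikki's description of the evaluation order (OSC-Authorize-Group reply values first, then the group's AuthorizeGroup lines, first match wins) and Murat's observation that only the first AUTHRULE row reaches the Access-Accept, modelled as an added Python example; this is not Radiator code, and it assumes the request attributes are joined with spaces for matching and that a request matching no rule is denied.

```python
import re

# Rule text in the AuthorizeGroup / OSC-Authorize-Group form used in this
# thread: "permit|deny <regexp> [{attr=value ...}]". The regexp is matched
# against the TACACS+ authorization request attributes joined by spaces
# (assumption for this example), e.g. "service=shell cmd=show cmd-arg=...".
RULE_RE = re.compile(r'^(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?$')

def parse_rule(text):
    """Return (action, compiled regexp, list of reply attr=value strings)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    action, regexp, reply = m.groups()
    return action, re.compile(regexp), (reply or "").split()

def authorize(user_rules, group_rules, request_attrs):
    """First matching rule wins. Rules carried as OSC-Authorize-Group reply
    values (user_rules) are evaluated before the AuthorizeGroup lines of the
    group named by OSC-Group-Identifier (group_rules). A request matching
    no rule is denied (assumption, not taken from Radiator's documentation)."""
    request = " ".join(request_attrs)
    for rule in user_rules + group_rules:
        action, regexp, reply = parse_rule(rule)
        if regexp.search(request):
            return action, reply
    return "deny", []

def unreachable(rules):
    """Rules listed after a catch-all ('permit .*' or an empty regexp) can
    never match; a deny placed there is silently dead, so report them."""
    for i, rule in enumerate(rules):
        if parse_rule(rule)[1].pattern in (".*", ""):
            return rules[i + 1:]
    return []

# The DDAP6 rule set from the thread, in the order Heikki lists it.
DDAP6 = [
    r"permit service=shell cmd\* {priv-lvl=6}",
    "deny service=shell cmd=show cmd-arg=.*",
    "deny service=shell cmd=ping cmd-arg=.*",
    "permit .* {}",
]
# What Murat's Access-Accept actually carried: the first row only.
DDAP6_TRUNCATED = DDAP6[:1]

if __name__ == "__main__":
    # Constructed requests: exec start (empty optional cmd), then two commands.
    for req in (["service=shell", "cmd*"],
                ["service=shell", "cmd=show", "cmd-arg=running-config"],
                ["service=shell", "cmd=configure", "cmd-arg=terminal"]):
        print(req, authorize(DDAP6, [], req), authorize(DDAP6_TRUNCATED, [], req))
```

With the full set the operator gets priv-lvl 6, is refused show and ping, and is permitted everything else; with only the first row delivered, every command after the exec start is refused, which is the symptom in the post.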