On 03/04/2015 05:01 PM, Vangelis Kyriakakis wrote:

>        I have configured the following AuthorizeGroup command:
> 
> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER}
> 
>        What I would like to do is to be able to change the ADMIN-USER
> word on the fly.
>        For example if User-Name is USER1 I would like the command to be
> 
> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER1}
>  
>        If User-Name is USER2 then it will be
> 
> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER2}
> 
>        and so on. Is there a way to do variable substitution or change
> the authorize rule on the fly (while the authorization request is being
> processed)?

See the reference manual section '5.96.11 AuthorizeGroupAttr'. Add
something like this in the ServerTACACSPLUS configuration:

  AuthorizeGroupAttr OSC-Authorize-Group

During the authentication, you can return 'group' as usual to set the
authorisation group for the user. In addition to this, you can now
return OSC-Authorize-Group with the user specific values.

For example:

<ServerTACACSPLUS>
   GroupMemberAttr OSC-Group-Identifier
   AuthorizeGroupAttr OSC-Authorize-Group
   # Rest of the parameters
   AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
   AuthorizeGroup group1 deny .*
</ServerTACACSPLUS>

The attributes in Access-Accept for USER2 during the TACACS+
authentication would then look like this:

  OSC-Group-Identifier = "group1"
  OSC-Authorize-Group = "permit service=shell cmd\* {task*#ADMIN-USER2}"

When the TACACS+ authorization requests are processed, this is the
effective list they are evaluated against:

   AuthorizeGroup group1 permit service=shell cmd\* {task*#ADMIN-USER2}
   AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
   AuthorizeGroup group1 deny .*

In other words, the OSC-Authorize-Group attributes (there can be more
than one) returned during the authentication are evaluated before the
static configuration.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

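As an added illustration of the evaluation order described in the reply above (not code from the mail, and not Radiator's own implementation), the following Python model builds the per-user OSC-Authorize-Group rule from the User-Name, prepends it to the static AuthorizeGroup list for the user's group, and evaluates TACACS+ authorization requests first-match against the merged list. The user table, the `access_accept_for` lookup, the simplified pattern semantics (each `attr=regex` token must fully match one of the request's AV pairs; text in braces is returned on a match) and the "no match means deny" fallback are all assumptions of this example, not documented Radiator behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed static configuration, mirroring the AuthorizeGroup lines in the mail.
STATIC_RULES = {
    "group1": [
        "permit service=shell cmd=show cmd-arg=.*",
        "deny .*",
    ],
}

# Constructed user table: which users get the per-user admin task profile.
# In a real deployment this would come from the authentication backend.
USERS = {
    "USER1": {"group": "group1", "admin": True},
    "USER2": {"group": "group1", "admin": True},
    "USER3": {"group": "group1", "admin": False},
}


@dataclass
class Rule:
    text: str
    action: str                      # "permit" or "deny"
    patterns: list = field(default_factory=list)      # compiled regexes
    return_attrs: list = field(default_factory=list)  # AV pairs sent back on match

    def matches(self, avpairs):
        # Simplification (assumption): every pattern must fully match at least
        # one AV pair of the request; a rule with no patterns matches anything.
        return all(any(p.fullmatch(av) for av in avpairs) for p in self.patterns)


def parse_rule(text):
    """Parse 'permit|deny [pattern ...] [{attr ...}]' into a Rule."""
    body, brace, ret = text.partition("{")
    return_attrs = ret.rstrip().rstrip("}").split() if brace else []
    tokens = body.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {text!r}")
    patterns = [re.compile(p) for p in tokens[1:]]
    return Rule(text.strip(), tokens[0], patterns, return_attrs)


def build_admin_rule(username):
    """Substitute the User-Name into the ADMIN-USER template from the mail."""
    return f"permit service=shell cmd\\* {{task*#ADMIN-{username}}}"


def access_accept_for(username):
    """Hypothetical backend: attributes the authentication phase returns."""
    user = USERS[username]
    attrs = [("OSC-Group-Identifier", user["group"])]
    if user["admin"]:
        attrs.append(("OSC-Authorize-Group", build_admin_rule(username)))
    return attrs


def effective_rules(username):
    """Dynamic OSC-Authorize-Group rules first, then the static group rules."""
    accept = access_accept_for(username)
    group = next(v for a, v in accept if a == "OSC-Group-Identifier")
    dynamic = [parse_rule(v) for a, v in accept if a == "OSC-Authorize-Group"]
    static = [parse_rule(r) for r in STATIC_RULES[group]]
    return dynamic + static


def authorize(username, avpairs):
    """First matching rule wins; returns (action, attributes to send back)."""
    for rule in effective_rules(username):
        if rule.matches(avpairs):
            return rule.action, rule.return_attrs
    return "deny", []  # assumption: no matching rule denies the request


if __name__ == "__main__":
    for r in effective_rules("USER2"):
        print("AuthorizeGroup group1", r.text)
    print(authorize("USER2", ["service=shell", "cmd*"]))
    print(authorize("USER3", ["service=shell", "cmd*"]))
    print(authorize("USER2", ["service=shell", "cmd=configure", "cmd-arg=terminal"]))
```

Running it prints the merged list from the mail for USER2 and shows the practical consequence of the ordering: the shell-login request (`cmd*`) for USER2 is permitted with `task*#ADMIN-USER2` returned, while the same request for USER3, who received no OSC-Authorize-Group attribute, falls through to the static `deny .*`.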