On 03/04/2015 05:01 PM, Vangelis Kyriakakis wrote:
> I have configured the following AuthorizeGroup command:
>
> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER}
>
> What I would like to do is to be able to change the ADMIN-USER
> word on the fly.
> For example if User-Name is USER1 I would like the command to be
>
> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER1}
>
> If User-Name is USER2 then it will be
>
> AuthorizeGroup group permit service=shell cmd\* {task*#ADMIN-USER2}
>
> and so on. Is there a way to do variable substitution or change
> the authorize rule on the fly (while the authorization request is being
> processed)?
See the reference manual section '5.96.11 AuthorizeGroupAttr'. Add something like this in the ServerTACACSPLUS configuration:

    AuthorizeGroupAttr OSC-Authorize-Group

During the authentication, you can return 'group' as usual to set the authorisation group for the user. In addition to this, you can now return OSC-Authorize-Group with the user specific values. For example:

<ServerTACACSPLUS>
    GroupMemberAttr OSC-Group-Identifier
    AuthorizeGroupAttr OSC-Authorize-Group
    # Rest of the parameters
    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup group1 deny .*
</ServerTACACSPLUS>

The attributes in Access-Accept for USER2 during the TACACS+ authentication would then look like this:

    OSC-Group-Identifier = "group1"
    OSC-Authorize-Group = "permit service=shell cmd\* {task*#ADMIN-USER2}"

When the TACACS+ authorization requests are processed, this is the effective list they are evaluated against:

    AuthorizeGroup group1 permit service=shell cmd\* {task*#ADMIN-USER2}
    AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup group1 deny .*

In other words, the OSC-Authorize-Group attributes (there can be more than one) returned during the authentication are evaluated before the static configuration.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
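The effective-list behaviour described in the reply, modelled in Python as an added example (this is not Radiator's code and not part of the thread): it prepends the per-user OSC-Authorize-Group values to the group's static AuthorizeGroup lines and evaluates sample TACACS+ authorization requests against that list, so the ADMIN-USER1 / ADMIN-USER2 substitution the question asks about falls out of the per-user Access-Accept. The matching semantics are assumptions, not taken from the page: the first matching rule wins, a rule matches when each of its attr=regex patterns fully matches a request AV pair with the same attribute and separator (`\*` in a rule standing for the optional `*` separator of TACACS+), the `{...}` part lists the AV pairs returned on permit, and no match is treated as deny. The Access-Accept contents and the request AV pairs are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Static <ServerTACACSPLUS> AuthorizeGroup lines from the reply, as (group, rule).
STATIC_AUTHORIZE_GROUP = [
    ("group1", "permit service=shell cmd=show cmd-arg=.*"),
    ("group1", "deny .*"),
]


@dataclass
class Rule:
    action: str                                      # "permit" or "deny"
    patterns: List[str]                              # e.g. ["service=shell", "cmd\\*"]
    reply: List[str] = field(default_factory=list)   # AV pairs returned on permit


def parse_rule(text: str) -> Rule:
    """Parse 'permit|deny <AV-pair patterns...> [{reply AV pairs}]'.

    Assumption (not from the page): the {...} part lists AV pairs sent back
    in the authorization reply, e.g. {task*#ADMIN-USER2}.
    """
    reply: List[str] = []
    m = re.search(r"\{(.*)\}\s*$", text)
    if m:
        reply = m.group(1).split()
        text = text[: m.start()]
    tokens = text.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {text!r}")
    return Rule(tokens[0], tokens[1:], reply)


def split_avpair(text: str, escaped: bool) -> Tuple[str, str, str]:
    """Split 'attr=value' / 'attr*value' into (attr, separator, value).

    TACACS+ uses '=' for mandatory and '*' for optional AV pairs. In a rule
    pattern the optional separator is written '\\*' so the star is not read
    as a regex quantifier (escaped=True); request AV pairs use a bare '*'.
    """
    star_token = "\\*" if escaped else "*"
    positions = [p for p in (text.find("="), text.find(star_token)) if p != -1]
    if not positions:
        raise ValueError(f"not an AV pair: {text!r}")
    i = min(positions)
    if text[i] == "=":
        return text[:i], "=", text[i + 1:]
    return text[:i], "*", text[i + len(star_token):]


def pattern_matches(pattern: str, request: List[str]) -> bool:
    """A bare '.*' matches any request; otherwise some request AV pair must have
    the same attribute and separator and a value the regex fully matches."""
    if pattern == ".*":
        return True
    attr, sep, regex = split_avpair(pattern, escaped=True)
    for avpair in request:
        r_attr, r_sep, r_val = split_avpair(avpair, escaped=False)
        if r_attr == attr and r_sep == sep and re.fullmatch(regex, r_val):
            return True
    return False


def effective_rules(access_accept: dict) -> List[Rule]:
    """Dynamic OSC-Authorize-Group values first, then the static AuthorizeGroup
    lines of the group named by OSC-Group-Identifier (the order from the reply)."""
    group = access_accept["OSC-Group-Identifier"]
    rules = [parse_rule(r) for r in access_accept.get("OSC-Authorize-Group", [])]
    rules += [parse_rule(r) for g, r in STATIC_AUTHORIZE_GROUP if g == group]
    return rules


def authorize(access_accept: dict, request: List[str]) -> Tuple[str, List[str]]:
    """Evaluate one TACACS+ authorization request against the effective list.

    Assumption: the first matching rule wins; no match is treated as deny.
    """
    for rule in effective_rules(access_accept):
        if all(pattern_matches(p, request) for p in rule.patterns):
            return rule.action, rule.reply
    return "deny", []


def access_accept_for(user: str) -> dict:
    """Constructed sample of what the authentication step returns per user."""
    return {
        "OSC-Group-Identifier": "group1",
        "OSC-Authorize-Group": [f"permit service=shell cmd\\* {{task*#ADMIN-{user}}}"],
    }


if __name__ == "__main__":
    for user in ("USER1", "USER2"):
        aa = access_accept_for(user)
        print(user, authorize(aa, ["service=shell", "cmd*"]))  # shell login
        print(user, authorize(aa, ["service=shell", "cmd=show", "cmd-arg=version"]))
        print(user, authorize(aa, ["service=shell", "cmd=configure", "cmd-arg=terminal"]))
```

The shell-login request (service=shell with an empty optional cmd) hits the per-user dynamic rule and gets back the user-specific task attribute; a show command falls through to the static permit, and anything else reaches the static deny. Swapping the order in effective_rules() would make the static deny swallow the dynamic rule, which is why the reply's "evaluated before the static configuration" matters.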