On 03/14/2013 06:18 PM, Fabio Prina wrote:
> I'm developing a hook to return different "GroupMemberAttr" based on the
> Calling-Station-Id and NAS-IP-Address of the request.
> The same user from 2 different clients can have different permissions, but
> "the context" is based only on NAS-IP-Address and this causes me permission
> overrides between sessions

Hello Fabio,

NAS-IP-Address gets its value from the TACACS+ TCP connection's peer IP address. Calling-Station-Id is an ASCII string, possibly empty, that should describe where the user is coming from. See http://tools.ietf.org/html/draft-grant-tacacs-02

> So I patched the ServerTACACSPLUS.pm to be able to use also
> Calling-Station-Id in the "context"

This makes authorization different based on where the user is logging in from. Can you tell why you could not use two different user (role) names for different authorization rules? This would help to better understand the implications of this patch.

> If needed, in the attachment you can find my horrible patch
> I've added a Parameter (flag) "RemoteInContext" to enable/disable the option

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
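
The override described in the quoted text, and the effect of adding Calling-Station-Id to the context key, modelled as an added example; it is not part of the original thread and is not Radiator's code. The `%context` store, the helper names, the group names and the addresses are constructed assumptions; only the `RemoteInContext` flag name comes from the message above.

```perl
use strict;
use warnings;

# Hypothetical model of a per-user context store. TACACS+ authentication and
# authorization arrive as separate sessions, so the group chosen by the hook
# at authentication is remembered here and looked up again at authorization.
my %context;

# With $remote_in_context off the key is user + NAS address only; with it on,
# the Calling-Station-Id (rem_addr) reported by the NAS is part of the key.
sub context_key {
    my ($user, $nas_ip, $rem_addr, $remote_in_context) = @_;
    my @parts = ($user, $nas_ip);
    # rem_addr may be empty: keep it as its own distinct value rather than
    # dropping it, so an unknown origin never shares an entry with a known one.
    push @parts, $rem_addr // '' if $remote_in_context;
    # Length-prefix every part so no field value can imitate a separator.
    return join '', map { length($_) . ':' . $_ } @parts;
}

sub remember_group {
    my ($req, $group, $flag) = @_;
    $context{ context_key(@$req{qw(user nas_ip rem_addr)}, $flag) } = $group;
}

sub lookup_group {
    my ($req, $flag) = @_;
    return $context{ context_key(@$req{qw(user nas_ip rem_addr)}, $flag) };
}

# Constructed sample: same user, same NAS, two different origins.
my $office = { user => 'alice', nas_ip => '192.0.2.10', rem_addr => '198.51.100.7' };
my $remote = { user => 'alice', nas_ip => '192.0.2.10', rem_addr => '203.0.113.9' };

for my $flag (0, 1) {
    %context = ();
    remember_group($office, 'admins',   $flag);   # group picked per origin
    remember_group($remote, 'readonly', $flag);   # flag off: replaces the entry above
    printf "RemoteInContext=%d office=%s remote=%s\n",
        $flag, lookup_group($office, $flag), lookup_group($remote, $flag);
}
```

With the flag off, both sessions resolve to whichever group was stored last; with it on, each origin keeps its own entry. The separation is only as trustworthy as the rem_addr value the NAS sends, which is the point behind the question about using separate role names instead.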