Hi all, I want to use Radiator both for RADIUS and for TACACS for Cisco devices, including command level authorization. Based on some posts on this list I got both the active directory and the TACACS server module up and running, but struggle with the configuration of both.
If I understand correctly, the TACACS module simply converts the TACACS authentication requests to RADIUS requests and passes them to Radiator for ordinary execution. Authorization requests are handled within the TACACS module. My configuration currently looks as follows:

--- begin ---
<AuthBy LDAP2>
    # Define DC to connect to
    Host dc-b.ad.xxxxx.com
    # Identifier to use this AuthBy clause later
    Identifier AuthByAD
    # Administrative user used to perform LDAP queries
    AuthDN cn=Administrator,cn=Users,DC=ad,DC=xxxxx,DC=xxxxxxx,DC=de
    AuthPassword xxxxxxxx
    # Where to search for users
    BaseDN OU=User,DC=ad,DC=xxx,DC=xxxxxxx,DC=de
    ServerChecksPassword
    # Add check for group membership
    AuthAttrDef memberOf, ADGroup, check
    # Reply should include the group names for further processing
    AuthAttrDef memberOf, ADGroups, reply
    # There will be no default user
    NoDefault
    # LDAP attribute to check the UserName on
    UsernameAttr sAMAccountName
</AuthBy>

<ServerTACACSPLUS>
    Port 49
    AddToRequest NAS-Identifier=TACACS
    GroupMemberAttr tacacsgroup
    AuthorizeGroup network_ro deny service=shell cmd=show cmd-arg=tech-support
    AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup network_ro deny .*
    # This is for authorized users for full access.
    # Place in lvl 15 immediately, no restrictions apply
    AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
    AuthorizeGroup full_access permit .*
    # Default deny to prevent accidents when something is misconfigured
    AuthorizeGroup DEFAULT deny .*
</ServerTACACSPLUS>

# Include client definition
include %D/radius-clients.cfg
# Include Active Directory AuthBy handler
include %D/authby-ad.cfg
# Include configuration for the built-in TACACS server
include %D/tacacs.cfg

# TACACS Handler
<Handler NAS-Identifier=TACACS>
    AddToRequest ADGroup="CN=netadmin,C=ad,DC=xxxx,DC=xxxxxxxx,DC=de"
    AuthBy AuthByAD
    # Try read-only access
    # AddToRequest ADGroup="CN=netadmin-readonly,C=ad,DC=xxxx,DC=xxxxxxx,DC=de"
    # AuthBy AuthByAD
</Handler>
--- end ---

My problem now is how to tie both clues together in the handler. Ideally I would also like to distinguish based on the TACACS client which is asking. If it is a firewall (IPs known), then use command sets full_access_fw and firewall_ro based on AD groups. Basically I need something like this:

- Firewall is TACACS client, and the user is a member of group netadmin-security: return request with tacacsgroup=full_access_fw
- Switch is TACACS client, and the user is a member of group netadmin: return request with tacacsgroup=full_access
- Firewall is TACACS client, and the user is a member of group netadmin-security-ro: return request with tacacsgroup=firewall_ro
- Switch is TACACS client, and the user is a member of group netadmin-ro: return request with tacacsgroup=network_ro

How would I do this mapping?

Many thanks and best regards
Daniel

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
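One way to express the mapping, added here as an example rather than taken from the post above or from Radiator's own documentation: give firewalls and switches separate Client clauses so the Handler can match on Client-Identifier, then run one AuthBy LDAP2 per AD group, each with a SearchFilter that only matches members of that group and an AddToReply that sets tacacsgroup; with AuthByPolicy ContinueUntilAccept the first AuthBy to accept decides the group. Client addresses, shared keys and the group DNs are constructed placeholders, only the firewall handler is written out (the switch handler is built the same way with the netadmin and netadmin-ro groups), and the tacacsgroup attribute is assumed to be defined in the Radiator dictionary.

```conf
# Constructed client definitions; one Identifier per device class
<Client 192.0.2.10>
    Identifier firewalls
    TACACSPLUSKey replace-with-real-key
</Client>
<Client 192.0.2.20>
    Identifier switches
    TACACSPLUSKey replace-with-real-key
</Client>

# Full firewall access: only members of netadmin-security match the filter.
# %0 is UsernameAttr, %1 the user name being authenticated.
<AuthBy LDAP2>
    Identifier AD-fw-full
    Host dc-b.ad.xxxxx.com
    AuthDN cn=Administrator,cn=Users,DC=ad,DC=xxxxx,DC=xxxxxxx,DC=de
    AuthPassword xxxxxxxx
    BaseDN OU=User,DC=ad,DC=xxx,DC=xxxxxxx,DC=de
    UsernameAttr sAMAccountName
    ServerChecksPassword
    SearchFilter (&(%0=%1)(memberOf=CN=netadmin-security,OU=Groups,DC=ad,DC=xxxxx,DC=xxxxxxx,DC=de))
    # Reply attribute consumed by GroupMemberAttr in ServerTACACSPLUS
    AddToReply tacacsgroup=full_access_fw
</AuthBy>

# Read-only firewall access: same idea, different group and tacacsgroup
<AuthBy LDAP2>
    Identifier AD-fw-ro
    Host dc-b.ad.xxxxx.com
    AuthDN cn=Administrator,cn=Users,DC=ad,DC=xxxxx,DC=xxxxxxx,DC=de
    AuthPassword xxxxxxxx
    BaseDN OU=User,DC=ad,DC=xxx,DC=xxxxxxx,DC=de
    UsernameAttr sAMAccountName
    ServerChecksPassword
    SearchFilter (&(%0=%1)(memberOf=CN=netadmin-security-ro,OU=Groups,DC=ad,DC=xxxxx,DC=xxxxxxx,DC=de))
    AddToReply tacacsgroup=firewall_ro
</AuthBy>

# Firewall requests: try the privileged group first, then read-only.
# A user in neither group is rejected, so no tacacsgroup is ever returned
# and the DEFAULT deny in ServerTACACSPLUS applies to any authorization.
<Handler NAS-Identifier=TACACS,Client-Identifier=firewalls>
    AuthByPolicy ContinueUntilAccept
    AuthBy AD-fw-full
    AuthBy AD-fw-ro
</Handler>
```

Because the first accepting AuthBy wins, order the clauses from most to least privileged so a user in both groups gets the intended result.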