[RADIATOR] Radiator Authorization Cisco ASA

2015-01-05 Thread Steve Normoyle
I have a Cisco ASA with multiple contexts.  I am trying to deny the use of the 
command changeto context system, but allow an authorized group to be able to 
change to any of the other contexts.  When a user types in the command they get 
denied.

I have entered
authorizedgroup readonly group permit service=shell cmd=changeto cmd-arg=context other context name
authorizedgroup readonly group deny service=shell cmd=changeto cmd-arg=context system
authorizedgroup readonly group deny .*

  ___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Radiator Authorization Cisco ASA

2015-01-05 Thread Heikki Vatiainen
On 5.1.2015 15.34, Steve Normoyle wrote:

 I have a Cisco ASA with multiple contexts.  I am trying to deny the use
 of the command changeto context system, but allow an authorized group to
 be able to change to any of the other contexts.  When a user types in the
 command they get denied.

Hello Steve,

does it work if you reorder the first two lines? That is, deny the more 
specific first and then allow the less specific.

If this does not help, please reply with more debug logs that show the 
authorization request from the ASA with the processing Radiator does.

 I have entered
 authorizedgroup readonly group permit service=shell cmd=changeto cmd-arg=context other context name
 authorizedgroup readonly group deny service=shell cmd=changeto cmd-arg=context system
 authorizedgroup readonly group deny .*

Just to make sure: the configuration parameter is AuthorizeGroup (no d 
and with capital A and G). There should especially be no d.

Thanks,
Heikki

-- 
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
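The reordering Heikki suggests only matters because the rules are evaluated first match wins, so a broad permit placed before a narrow deny shadows the deny. The following is an added illustration, not code from the Radiator project or from either poster: a small Python model of first-match AuthorizeGroup evaluation. It assumes that each attribute value in a rule is a regular expression matched against the corresponding request attribute, that the group name in the rule must equal the group the user was placed in, and that the ASA's separate cmd-arg values are joined with spaces into one string (all three are modelling assumptions; the placeholder "other context name" from the post is replaced by a constructed pattern `^context \S+$`, which is deliberately broad enough to also match `system`).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One AuthorizeGroup line: group, permit/deny, attribute -> regex."""
    group: str
    action: str          # "permit" or "deny"
    match: dict          # e.g. {"service": "^shell$", "cmd": "^changeto$"}


@dataclass(frozen=True)
class Request:
    """A shell command authorization request, reduced to what the rules look at.
    cmd_arg is the ASA's cmd-arg values joined with spaces (modelling assumption)."""
    group: str
    service: str
    cmd: str
    cmd_arg: str


def rule_matches(rule: Rule, req: Request) -> bool:
    """True when the group matches and every attribute regex in the rule matches."""
    if rule.group != req.group:
        return False
    values = {"service": req.service, "cmd": req.cmd, "cmd-arg": req.cmd_arg}
    for attr, pattern in rule.match.items():
        # re.search, not fullmatch: an unanchored pattern like "context"
        # would also match "context system", so anchor the patterns explicitly.
        if attr not in values or re.search(pattern, values[attr]) is None:
            return False
    return True


def authorize(rules: list, req: Request) -> str:
    """First-match evaluation; a request matching no rule is denied."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action
    return "deny"


def unreached_rules(rules: list, sample_requests: list) -> list:
    """Indexes of rules that never fire for any sample request (a hint that a
    broader rule above them is shadowing them)."""
    hit = set()
    for req in sample_requests:
        for i, rule in enumerate(rules):
            if rule_matches(rule, req):
                hit.add(i)
                break
    return [i for i in range(len(rules)) if i not in hit]


SHELL_CHANGETO = {"service": "^shell$", "cmd": "^changeto$"}

# Order as posted: broad permit first, specific deny second, catch-all deny last.
AS_POSTED = [
    Rule("readonly", "permit", {**SHELL_CHANGETO, "cmd-arg": r"^context \S+$"}),
    Rule("readonly", "deny", {**SHELL_CHANGETO, "cmd-arg": r"^context system$"}),
    Rule("readonly", "deny", {"cmd": ".*"}),
]

# Heikki's suggestion: the more specific deny before the less specific permit.
REORDERED = [AS_POSTED[1], AS_POSTED[0], AS_POSTED[2]]

# Constructed sample requests.
SAMPLES = [
    Request("readonly", "shell", "changeto", "context system"),
    Request("readonly", "shell", "changeto", "context admin"),
    Request("readonly", "shell", "show", "running-config"),
]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, [authorize(rules, r) for r in SAMPLES],
              "unreached rules:", unreached_rules(rules, SAMPLES))
```

With the posted order the specific deny is never reached for the readonly group, so `changeto context system` is permitted; with the deny first it is refused while `changeto context admin` still passes and anything else falls through to the final `deny .*`. The `unreached_rules` check is the quick review a defender can run over a rule set before deploying it.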


[RADIATOR] Proxy Radius server configuration for fail over

2015-01-05 Thread Itzik Ben Itzhak
Dear Heikki,

I would like to configure two Radius servers for a roaming partner (proxy)
as a handler,

can I configure it like the below? Just adding another host as the second
server? Should I change some parameters at the first one?

Thank you

<Handler User-Name=/^boingo\//>
    AuthByPolicy ContinueWhileIgnore
    LogRejectLevel 3

    <AuthBy RADIUS>
        AcctPort 1813
        AuthPort 1812
        CacheOnNoReply 1
        CachePasswordExpiry 86400
        EAPAnonymous anonymous
        EAPContextTimeout 1000
        EAPFAST_PAC_Lifetime 7776000
        EAPFAST_PAC_Reprovision 2592000
        EAPTLS_MaxFragmentSize 2048
        EAPTLS_PEAPVersion 0
        EAPTLS_SessionResumption 1
        EAPTLS_SessionResumptionLimit 43200
        EAPTLS_VerifyDepth 1
        KeepaliveTimeout 0
        LocalAddress 0.0.0.0
        MaxFailedGraceTime 0
        MaxFailedRequests 1
        OutPort 0
        PasswordPrompt password
        Retries 3
        RetryTimeout 5
        SIPDigestRealm DefaultSipRealm
        Secret tom!jerry#

        <Host 54.77.144.149>
            AcctPort 1813
            AuthPort 1812
            BogoMips 1
            KeepaliveTimeout 0
            LocalAddress 0.0.0.0
            MaxFailedGraceTime 0
            MaxFailedRequests 1
            OutPort 0
            Retries 3
            RetryTimeout 5
            Secret somesecret
        </Host>

        <Host 54.164.51.1>
            AcctPort 1813
            AuthPort 1812
            BogoMips 1
            KeepaliveTimeout 0
            LocalAddress 0.0.0.0
            MaxFailedGraceTime 0
            MaxFailedRequests 1
            OutPort 0
            Retries 3
            RetryTimeout 5
            Secret somesecret
        </Host>
    </AuthBy>
</Handler>
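What the Retries, RetryTimeout and MaxFailedRequests values in the two Host clauses above mean in practice is how long a request waits on a dead first host before the second one is tried, and whether later requests skip the dead host. The block below is an added Python model, not Radiator's own code and not from the poster: it assumes a host is sent the request once plus Retries retransmissions, RetryTimeout seconds apart, and is skipped for later requests once MaxFailedRequests consecutive requests got no reply. It does not model a host being re-probed after a backoff period, so it only answers the "how long until fail-over" question for the first requests; the host addresses are the ones from the posted configuration and "alive" is a constructed flag.

```python
from dataclasses import dataclass


@dataclass
class Host:
    """A proxy target with the retry parameters from the Host clause.
    `alive` is constructed: whether the host answers at all in this model."""
    address: str
    retries: int = 3
    retry_timeout: int = 5
    max_failed_requests: int = 1
    alive: bool = True
    consecutive_failures: int = 0
    marked_failed: bool = False


def attempt(host: Host):
    """Send one request to host; return (answered, seconds spent waiting).
    A dead host costs (1 + retries) * retry_timeout seconds before giving up."""
    if host.alive:
        host.consecutive_failures = 0
        return True, 0
    host.consecutive_failures += 1
    if host.consecutive_failures >= host.max_failed_requests:
        host.marked_failed = True          # skipped for later requests
    return False, (host.retries + 1) * host.retry_timeout


def forward(hosts: list):
    """Forward one request through the hosts in order, skipping hosts already
    marked failed. Returns (answering address or None, total seconds waited)."""
    waited = 0
    for host in hosts:
        if host.marked_failed:
            continue
        answered, spent = attempt(host)
        waited += spent
        if answered:
            return host.address, waited
    return None, waited


def simulate(hosts: list, n_requests: int):
    """Forward n requests in sequence; hosts keep their failure state between them."""
    return [forward(hosts) for _ in range(n_requests)]


def scenario_first_host_down():
    """Constructed scenario: the first Host from the post is unreachable."""
    hosts = [
        Host("54.77.144.149", alive=False),
        Host("54.164.51.1"),
    ]
    return simulate(hosts, 2)


if __name__ == "__main__":
    for address, waited in scenario_first_host_down():
        print(f"answered by {address} after {waited}s")
```

With the posted values the first request spends 4 x 5 = 20 seconds on the dead host before 54.164.51.1 answers; because MaxFailedRequests is 1, the second request skips it and is answered immediately. That 20 second figure is the one to compare against the NAS client's own timeout: if the NAS gives up sooner, the fail-over never helps it, and lowering Retries or RetryTimeout on the first Host is the usual fix.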