Do you know how to set attribute-value?


sh.bae

Dec 19, 2024, 10:21:49 AM
to Event-Driven Servers
Hello
My AAA authentication needs attribute-value

For example, in tacacs authorization, I want the tacacs server to respond with a groups attribute that I've arbitrarily set instead of priv-lvl = 15.
Below is the packet when set to tacacs+.
[Attached screenshot: 화면 캡처 2024-12-19 222738.png]

I set the user as follows in the tacacs+ config. Then the tacacs server will respond as in the packet above.

user = 1234 {
    pap = cleartext "1234"
    service = exec {
        groups = network-admin,network-debug
    }
}

However, I don't know how to set this configuration in cfg in tac_plus-ng.

This is my tac_plus-ng config:

id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
}
id = tac_plus-ng {
    host IPv4only {
        address = 0.0.0.0/0
        key = 1234
    }
    profile netadmin {
        script {
            if (service == shell) {
                if (cmd == "")
                    set priv-lvl = 15
                    permit
            }
        }
    }
    group admin
    user 1234 {
        password {
            login = clear 1234
            pap = clear 1234
            chap = clear 1234
        }
        member = admin
    }
    ruleset {
        rule {
            script {
                if (member == admin) { profile = netadmin permit }
            }
        }
    }
}

plz help me


Marc Huber

Dec 19, 2024, 10:29:53 AM
to event-driv...@googlegroups.com
Hi,

something like

profile = netadmin {
    script {
        set groups = "network-admin,network-debug,admin"
        permit
    }
}

is likely sufficient.

You didn't show the request packet, it likely contains a service type,
and enclosing the "set groups = ..." directive in an "if (service ==
yourServiceType) { ... }" might make sense.

Cheers,

Marc


On 19.12.2024 14:37, sh.bae wrote:
> Hello
> My AAA authentication needs attribute-value
>
> For example, in tacacs authorization, I want the tacacs server to
> respond with a groups attribute that I've arbitrarily set instead of
> priv-lvl = 15.
> Below is the packet when set to tacacs+.
> <snip>
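
To check that the server really returns the groups attribute after such a change, the authorization reply can be decoded from a capture. The following is an added example, not part of the thread or of tac_plus-ng: it follows the RFC 8907 packet layout and body obfuscation, the function names are hypothetical, and the sample packet is constructed using the key 1234 from the posted config.

```python
import hashlib
import re
import struct

TAC_PLUS_AUTHOR = 0x02           # packet type: authorization
UNENCRYPTED_FLAG = 0x01          # set when the body is sent in the clear
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR"}

def pad_xor(header: bytes, body: bytes, key: bytes) -> bytes:
    """RFC 8907 obfuscation: XOR with an MD5 chain; the same call reverses it."""
    seed = header[4:8] + key + header[0:1] + header[2:3]  # session_id, key, version, seq_no
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_author_reply(packet: bytes, key: bytes) -> dict:
    """Decode a server-to-client authorization REPLY into status and AV pairs."""
    header, body = packet[:12], packet[12:]
    if len(header) < 12 or header[1] != TAC_PLUS_AUTHOR or header[2] % 2:
        raise ValueError("not an authorization reply")
    if struct.unpack("!I", header[8:12])[0] != len(body) or len(body) < 6:
        raise ValueError("length field does not match body")
    if not header[3] & UNENCRYPTED_FLAG:
        body = pad_xor(header, body, key)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    if len(arg_lens) != arg_cnt or pos + sum(arg_lens) != len(body):
        raise ValueError("malformed body (wrong shared key?)")
    attrs = {}
    for n in arg_lens:
        m = re.match(r"([^=*]+)([=*])(.*)", body[pos:pos + n].decode("ascii", "replace"), re.S)
        if m:  # '=' marks a mandatory attribute, '*' an optional one
            attrs[m.group(1)] = (m.group(3), m.group(2) == "=")
        pos += n
    return {"status": STATUS.get(status, hex(status)), "attrs": attrs}

def sample_reply(key: bytes) -> bytes:
    """Constructed sample: PASS_ADD reply carrying the groups attribute from the thread."""
    args = [b"groups=network-admin,network-debug"]
    body = struct.pack("!BBHH", 0x01, len(args), 0, 0) + bytes(map(len, args)) + b"".join(args)
    header = struct.pack("!BBBB4sI", 0xC0, TAC_PLUS_AUTHOR, 2, 0, b"\x12\x34\x56\x78", len(body))
    return header + pad_xor(header, body, key)

if __name__ == "__main__":
    print(parse_author_reply(sample_reply(b"1234"), b"1234"))
```

Each attribute maps to a (value, mandatory) tuple, so a reply that still carries priv-lvl instead of groups is visible at a glance.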
