Hello,

I try to implement the mapping of AD groups to TACACS+ groups.

With

    AuthAttrDef memberOf,tacacsgroup,reply

the complete LDAP string will be delivered:

    tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net

My question: is it possible to strip all the unnecessary parts to deliver "ASAADMINS" only to tacacsgroup?

I read the manual and the mailing list diligently, but was not clever.

Thanks for your help.

Here an extract of my config:

###############################################
<AuthBy LDAP2>
    Identifier ASA-Admin
    Host w3kvm.adtest.corporate.net
    HoldServerConnection
    AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
    AuthPassword XXXXX
    BaseDN dc=adtest,dc=corporate,dc=net
    ServerChecksPassword
    UsernameAttr sAMAccountName
    SearchFilter (&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))
    AuthAttrDef memberOf,tacacsgroup,reply
    Debug 255
</AuthBy>
###############################################
<ServerTACACSPLUS>
    GroupMemberAttr tacacsgroup
    AuthorizeGroup ASAADMINS permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup group1 deny .*
    .....................
</ServerTACACSPLUS>
###############################################

Here an extract of my log:

Sun Sep 26 19:27:09 2010: DEBUG: AuthBy LDAP2 result: ACCEPT,
Sun Sep 26 19:27:09 2010: DEBUG: Access accepted for aduser01
Sun Sep 26 19:27:09 2010: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: ,|C<229><152><134><142>p? U<154>qSk<191>
Attributes:
    tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net

Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection result Access-Accept
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection request 193, 2, 2, 0, 1234, 79
Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request packet dump:
c1020200000004d20000004f0e63dedad6576899fad69068509e9bc4dd7fe3edaab83f773ddf0d4679cdadcbca8cd54899138d3cf493fc776e476146108586b5ff3052adcca129fb3fc2b59ca16a8ef718f1f2753f2c136795f90b
Sun Sep 26 19:27:09 2010: DEBUG: Decrypting TacacsPlus request
Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request decrypted body:
0600020015030a030d080d61647573657230314061646d696e732e7265616c6d31323374657374636c69656e74736572766963653d7368656c6c636d643d73686f77636d642d6172673d686f737431
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, aduse...@admins.realm, 123, testclient, 3, service=shell cmd=show cmd-arg=host1
Sun Sep 26 19:27:09 2010: INFO: Authorization denied for aduse...@admins.realm, group CN=ASAADMINS,DC=adtest,DC=corporate,DC=net. No matching AuthorizeGroup rule for args service=shell cmd=show cmd-arg=host1
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection disconnected from 10.11.11.2:1786

Kind regards
Waldemar Siebert

T-Systems International GmbH
Corporate Customers Telecommunications Services & Solutions (TSS)
Technical Engineering (TSS TE) - Security, Production Engineering & Lab
Dipl.-Ing. Waldemar Siebert
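The log above shows why the AuthorizeGroup line never matches: the value carried in tacacsgroup is the whole distinguished name, while the rule is keyed on the short name "ASAADMINS". The following is an added example, not code from Radiator or from this thread, showing how to reduce a memberOf DN to its CN correctly. It parses the DN according to RFC 4514 rather than splitting on the first comma, because group names in Active Directory may contain escaped commas or hex-escaped UTF-8 bytes; the second and third sample DNs are constructed to show exactly those cases. It is written in Python as a language-neutral illustration; it assumes the server compares the group attribute value literally against the AuthorizeGroup name (which the log suggests but does not prove), and it assumes the same extraction would be applied in whatever post-processing hook Radiator offers (Radiator itself is Perl-based).

```python
import re

# RFC 4514 characters that may be escaped with a single backslash.
_SPECIALS = set(',+"\\<>;= #')
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn):
    """Split an LDAP DN into RDNs, each a list of (type, value) tuples.

    Honours RFC 4514 escaping: "\\," keeps a comma inside a value and
    "\\C3\\A9" is a hex-escaped UTF-8 byte pair. Raises ValueError on
    malformed input. Values are not trimmed, because RFC 4514 requires
    leading and trailing spaces to be escaped, so any present are meant.
    """
    rdns, rdn = [], []                  # finished RDNs, RDN under construction
    key, buf, in_value = "", bytearray(), False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and _HEX_PAIR.fullmatch(nxt):
                buf.append(int(nxt, 16))            # one raw UTF-8 byte
                i += 3
                continue
            if i + 1 < n and dn[i + 1] in _SPECIALS:
                buf.extend(dn[i + 1].encode("utf-8"))
                i += 2
                continue
            raise ValueError(f"bad escape sequence at offset {i}")
        if not in_value and ch == "=":
            key, buf, in_value = bytes(buf).decode("utf-8").strip(), bytearray(), True
        elif in_value and ch in ",;+":
            rdn.append((key, bytes(buf).decode("utf-8")))
            key, buf, in_value = "", bytearray(), False
            if ch != "+":                           # ',' or ';' closes the RDN
                rdns.append(rdn)
                rdn = []
        else:
            buf.extend(ch.encode("utf-8"))
        i += 1
    if not in_value:
        raise ValueError("DN does not end with a type=value pair")
    rdn.append((key, bytes(buf).decode("utf-8")))
    rdns.append(rdn)
    return rdns


def group_cn(dn):
    """Return the CN of the leftmost RDN (the group's short name), or None."""
    for attr_type, value in parse_dn(dn)[0]:
        if attr_type.upper() == "CN":
            return value
    return None


def tacacs_groups(member_of):
    """Map every memberOf DN to the short name a group rule would be keyed on.

    Active Directory returns memberOf as a multi-valued attribute, so the
    input is a list; DNs without a leading CN are skipped.
    """
    return [cn for cn in (group_cn(dn) for dn in member_of) if cn is not None]


def naive_cn(dn):
    """The tempting one-liner: split on the first comma. Kept only to show
    how it mangles a group name that contains an escaped comma."""
    return dn.split(",")[0].split("=", 1)[1]


# Constructed sample: the first DN is the one from the post, the other two
# are invented to exercise escaped-comma and hex-escaped UTF-8 values.
SAMPLE_MEMBER_OF = [
    "CN=ASAADMINS,DC=adtest,DC=corporate,DC=net",
    "CN=Net Ops\\, Tier 2,OU=Groups,DC=adtest,DC=corporate,DC=net",
    "CN=Caf\\C3\\A9,OU=Groups,DC=adtest,DC=corporate,DC=net",
]

if __name__ == "__main__":
    for dn in SAMPLE_MEMBER_OF:
        print(f"{dn!r:70} -> {group_cn(dn)!r}  (naive: {naive_cn(dn)!r})")
```

With the extracted short names, a rule keyed on "ASAADMINS" compares against "ASAADMINS" rather than against the full DN. Note that the SearchFilter in the config already restricts authentication to members of that one group, so the rewrite only has to handle the values that filter lets through; if the filter is later widened, the multi-valued handling in tacacs_groups becomes the part that matters.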
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator