On 03/13/2012 05:57 PM, Derek Rider wrote:

Hello Derek,

> We currently have an installation running Radiator 3.15. We use Radiator for
> TACACS authentication with Safeword. We are moving to version 4.9. Our
> current radius.cfg, for the default realm, authenticates
> users with the AuthBy File:
>
> <Realm DEFAULT>
>
> AuthByPolicy ContinueAlways

With this policy, reply attributes will be collected from each matching AuthBy. So if the user is matched by multiple AuthBys, these all will contribute to the set of returned reply attributes. That is likely to contribute to the maintenance nightmare too.

> <AuthBy FILE>
> Filename %D/tacacsusers
> </AuthBy>
...
>
> The file tacacsusers has entries like the following:
>
> UserOne
>         Tacacs-Group = ADMIN
> UserTwo NAS-IP-Address = 111.111.111.111
>         Tacacs-Group = ADMIN
> UserThree NAS-IP-Address = 222.222.222.222
>         Tacacs-Group = ADMIN
>
> We then have about 300 additional AuthBy File statements. Each file is for
> an individual device/IP at different locations. Users in these files have
> different permissions as well. For example, READNOCONFIG or READONLY. This
> has gotten to be a maintenance nightmare. Is there a better way to do this?

It's a bit hard to say how to reduce the number of entries, but you could consider the following:

- alternation, for example:

    NAS-IP-Address = 1.2.3.4|2.3.4.5

  If a user has similar rights to multiple NASes, the above syntax can be used to specify them all with one entry.

- other backends: If the information can be structured for e.g. SQL relations, you could use an SQL database to hold the authorization information and query it with <AuthBy SQL>

It's hard to say exactly how to simplify your setup without knowing your setup better.

> Also, we have a problem where a user's rights for one device will change if
> that user authenticates to another device with a higher level. For example,
> we see a user authenticating to a device at a read only level. That same
> user will then authenticate to another device at an ADMIN level. That user's
> rights to the first device will be for an ADMIN.

This problem is likely fixed with the upgrade. From the change log:
http://www.open.com.au/radiator/history.html

o Revision 4.6 (2010-02-05) New features and some bug fixes.
  The TacacsPlus group cache GroupCacheFile now uses the IP address of the client as part of the key, so that in situations where the group name depends on the client the correct group name will be retrieved

There are also many other Tacacs related changes. See the history file for more.

Thanks!
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
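The two points in Heikki's reply, per-NAS check items with `|` alternation in the users file and a group cache keyed on the client address as well as the username, are illustrated below as an added example. It is not part of the original thread and not Radiator's code: it is a toy parser for the entry layout Derek quoted (a user line with optional check items, indented reply-item lines), implementing only exact matching and `|` alternation for check items, plus a minimal model of the group cache with both keying schemes, so the sequence Derek described (read-only login to device A, then ADMIN login to device B, then authorization on A) can be replayed. Usernames, addresses and the file contents are constructed for the example.

```python
"""Toy resolver for a Radiator-style users file with per-NAS check items.

Added example, not Radiator code. Assumed simplifications: a user entry is
"<username> [Check-Item = value[|value...] , ...]" followed by indented
reply-item lines; only exact match and '|' alternation are implemented,
and the group cache is modelled as a plain dict.
"""

# Constructed sample in the style of the tacacsusers file from the thread.
# UserTwo gets READONLY on two NASes via alternation and ADMIN on a third.
SAMPLE_USERS_FILE = """\
UserOne
\tTacacs-Group = ADMIN
UserTwo\tNAS-IP-Address = 111.111.111.111
\tTacacs-Group = ADMIN
UserTwo\tNAS-IP-Address = 10.0.0.1|10.0.0.2
\tTacacs-Group = READONLY
UserThree\tNAS-IP-Address = 222.222.222.222
\tTacacs-Group = ADMIN
"""


def _split_item(item):
    """'Attr = value' -> ('Attr', 'value')."""
    attr, _, value = item.partition('=')
    return attr.strip(), value.strip()


def parse_users_file(text):
    """Return a list of (username, checks, replies) in file order.

    checks:  dict attr -> set of accepted values ('|' alternation expanded)
    replies: dict attr -> value
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':
            # indented line: reply item for the most recent user line
            if not entries:
                raise ValueError('reply item before any user line')
            attr, value = _split_item(raw)
            entries[-1][2][attr] = value
            continue
        parts = raw.split(None, 1)
        checks = {}
        if len(parts) == 2:
            for item in parts[1].split(','):
                attr, value = _split_item(item)
                checks[attr] = set(value.split('|'))
        entries.append((parts[0], checks, {}))
    return entries


def lookup_group(entries, username, request):
    """First entry whose name and every check item match the request wins."""
    for name, checks, replies in entries:
        if name != username:
            continue
        if all(request.get(attr) in accepted for attr, accepted in checks.items()):
            return replies.get('Tacacs-Group')
    return None


class GroupCache:
    """Group cache keyed on username only, or on (username, client IP)."""

    def __init__(self, key_on_client):
        self.key_on_client = key_on_client
        self.store = {}

    def _key(self, username, client_ip):
        return (username, client_ip) if self.key_on_client else username

    def put(self, username, client_ip, group):
        self.store[self._key(username, client_ip)] = group

    def get(self, username, client_ip):
        return self.store.get(self._key(username, client_ip))


def authenticate(entries, cache, username, client_ip):
    """Authentication phase: resolve the group for this user/NAS, cache it."""
    group = lookup_group(entries, username, {'NAS-IP-Address': client_ip})
    if group is not None:
        cache.put(username, client_ip, group)
    return group is not None


def authorize(cache, username, client_ip):
    """Authorization phase: the group comes back from the cache."""
    return cache.get(username, client_ip)


def replay_thread_scenario(key_on_client):
    """Read-only login on A, ADMIN login on B, then authorization on A.

    Returns the group device A ends up granting to UserTwo.
    """
    entries = parse_users_file(SAMPLE_USERS_FILE)
    cache = GroupCache(key_on_client)
    device_a, device_b = '10.0.0.1', '111.111.111.111'
    authenticate(entries, cache, 'UserTwo', device_a)   # READONLY on A
    authenticate(entries, cache, 'UserTwo', device_b)   # ADMIN on B
    return authorize(cache, 'UserTwo', device_a)


if __name__ == '__main__':
    print('username-only key :', replay_thread_scenario(False))
    print('user+client key   :', replay_thread_scenario(True))
```

With the cache keyed on the username alone, the ADMIN login on device B overwrites the entry the READONLY login on device A stored, so a later authorization on A hands out ADMIN; keying on the client address keeps the two groups apart, which is what the 4.6 change log entry describes.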