Hi Hugh,

Actually I was looking for a way to set the vsys/privilege to restrict what a 
user can do.

i.e. wanted to do something like this:
        AuthorizeGroup READ permit service=netscreen {vsys=root privilege=read-only}
        AuthorizeGroup WRITE permit service=netscreen {vsys=root privilege=root}

Or do I need to use something like AuthorizeAdd/AuthorizeReplace to pass back 
attribute-value pairs?

Regards,

Craig
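Added example, not Radiator code or anything posted in this thread: a small Python model of the first-match permit/deny rule list that the two AuthorizeGroup lines above describe, with a catch-all deny so a user in neither group gets no Netscreen attributes back. The rule patterns, the user-to-group map and the request arguments are all constructed here; in Radiator the group would come from the AuthBy reply.

```python
import re
from dataclasses import dataclass, field

# Constructed model of AuthorizeGroup-style rules; not Radiator's own code.
@dataclass
class Rule:
    group: str                 # group the rule applies to, or DEFAULT
    permit: bool               # True = permit, False = deny
    pattern: str               # regex tried against the joined request args
    reply: dict = field(default_factory=dict)  # attrs returned on permit

# Policy mirroring the two lines from the question, plus a catch-all deny
# so anything not explicitly permitted fails closed.
RULES = [
    Rule("READ", True, r"service=netscreen",
         {"vsys": "root", "privilege": "read-only"}),
    Rule("WRITE", True, r"service=netscreen",
         {"vsys": "root", "privilege": "root"}),
    Rule("DEFAULT", False, r".*"),
]

# Constructed membership lookup (hypothetical users).
USER_GROUPS = {"alice": "WRITE", "bob": "READ", "eve": "guests"}


def authorize(user: str, request_args: list[str]) -> tuple[bool, list[str]]:
    """Decide a TACACS+ authorization request for `user`.

    Rules are tried in order; the first one whose group is the user's
    group (or DEFAULT) and whose pattern matches the joined request
    arguments decides.  Reply arguments use the mandatory 'attr=value'
    form, so the Netscreen cannot treat them as optional hints.
    """
    group = USER_GROUPS.get(user)
    joined = " ".join(request_args)
    for rule in RULES:
        if rule.group not in (group, "DEFAULT"):
            continue
        if re.search(rule.pattern, joined):
            if not rule.permit:
                return False, []
            return True, [f"{k}={v}" for k, v in rule.reply.items()]
    return False, []  # no rule matched at all: fail closed
```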

-----Original Message-----
From: Hugh Irvine [mailto:h...@open.com.au] 
Sent: Wednesday, 25 June 2014 8:39 AM
To: Craig Ayliffe
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] Authorizing users via TACACS for Juniper Netscreens


Hello Craig -

The usual way to do this is with Identifiers in the Client clauses and Handlers 
to match.

Something like this:


.....

<Client 1.1.1.1>
        Identifier JuniperNetscreen
        Secret .....
        .....
</Client>

<Client 2.2.2.2>
        Identifier JuniperNetscreen
        Secret .....
        .....
</Client>

<Client 3.3.3.3>
        Identifier JuniperNetscreen
        Secret .....
        .....
</Client>

.....

<Handler Client-Identifier = JuniperNetscreen>

        <AuthBy .....>
                .....
        </AuthBy>

</Handler>

.....

hope that helps

regards

Hugh


On 24 Jun 2014, at 23:24, Craig Ayliffe <craig.ayli...@brennanit.com.au> wrote:

> Hi,
>  
> I am looking for examples of Radiator configuration to restrict users logging 
> into Juniper Netscreens running ScreenOS 6.3 and higher.
>  
> Need to be able to specify the vsys to be Root and the privilege to be either 
> 'root' or 'read-only' depending on their AuthorizeGroup configuration.
>  
> Haven't been able to find any examples anywhere.
> Would appreciate any assistance.
>  
> Regards,
> 
> Craig
> 
> Craig Ayliffe | Brennan IT | Infrastructure Engineer
> 
> T: 02 8235 3515 | M: 0410 400 546 | craig.ayli...@brennanit.com.au | 
> www.brennanit.com.au
> 
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
