We have the same need and I've written some hooks that do what you want.
We have multiple radiator instances proxying tacacs+ requests to our central
instance with radius.
We use the OSC-Group-Identifier radius attribute for the tacacsgroup on the
outer instances and build the ldap dn from it on
Hello Waldemar -
If you already know the group from the SearchFilter query, you can just use an
AddToReply like this:
###
Identifier ASA-Admin
Host w3kvm.adtest.corporate.net
HoldS
Hello Waldemar -
On 27 Sep 2010, at 18:40,
wrote:
> Hello,
>
> I am trying to implement the mapping of AD groups to TACACS+ groups.
>
> With AuthAttrDef memberOf,tacacsgroup,reply will be the complete LDAP string
> delivered:
> tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
>
>
Hello,
I am trying to implement the mapping of AD groups to TACACS+ groups.
With AuthAttrDef memberOf,tacacsgroup,reply will be the complete LDAP string
delivered:
tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
My question: is it possible to strip all the unnecessary parts to deliver
"ASAA