[RADIATOR] overlapping Client clauses

2014-06-24 Thread David Zych
It would be nice if the manual documented what happens when an incoming request is potentially capable of matching more than one Client clause. Here's what I've figured out on my own (as of 4.13), in case it helps others in the meanwhile:
* If multiple Client clauses have an exact match (same IP,

Re: [RADIATOR] Authorizing users via TACACS for Juniper Netscreens

2014-06-24 Thread Hugh Irvine
Hello Craig - The usual way to do this is with Identifiers in the Client clauses and Handlers to match. Something like this: ….. Identifier JuniperNetscreen Secret ….. ….. Identifier JuniperNetscreen Secret ….. ….. Identifier Jun

Re: [RADIATOR] Authorizing users via TACACS for Juniper Netscreens

2014-06-24 Thread Craig Ayliffe
Hi Hugh, Actually I was looking for a way to set the vsys/privilege to restrict what a user can do. i.e. wanted to do something like this:
AuthorizeGroup READ permit service=netscreen {vsys=root privilege=read-only}
AuthorizeGroup WRITE permit service=netscreen {vsys=root privil

Re: [RADIATOR] Authorizing users via TACACS for Juniper Netscreens

2014-06-24 Thread Hugh Irvine
Hello Craig - There are several steps:
1. define the AuthorizeGroup’s you require
2. specify the return attributes you need for each AuthorizeGroup (syntax will depend on the specific device)
3. perform the authentication and set which AuthorizeGroup the user belongs to
….. See the examples