assignment of vendor specific attributes in the tacacs server
    Alan DeKok 
    aland at deployingradius.com
       
    Fri Aug 16 15:16:47 UTC 2024
    
    
  
On Aug 14, 2024, at 8:32 AM, Simon N via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I am currently testing Version 4. I have already successfully connected the ldap module to an Active Directory server. Now I want to use the Tacacs server to authenticate and authorize users. I have already tested the authentication and it works without any problems. To assign certain authorizations to the user, I want to use the user's groups on the AD. I could already test it successfully by adding the following in the sites-available/tacacs file under send Authorization-Pass-Add:
> 
> if (%ldap.memberof("Admin")) {
> &reply.Viptela.Viptela-Group-Name = "netadmin"
> }
> 
> Now I wonder if I can also use the module files to assign vendor specific attributes. For example if the service == ppp, protocol == ip and the user has a specific LDAP group. Or is the top variant the only one I can use?
  TACACS+ is text only.  So there's no real concept of "vendor-specific attributes".  There's just text names of attributes, and text values.
  You will have to read the TACACS+ client documentation to see what text strings it accepts.  Then, configure FreeRADIUS to send those.
  Alan DeKok.
    
    