This repository has been archived by the owner on Feb 28, 2024. It is now read-only.
vendor specific attributes #114
Ketan Kulkarni <[email protected]> wrote:
Not a bug; but a support request.
Is there any support for including vendor specific attributes in authorization
requests?
e.g. some TACACS server might need extra or special attributes in an authorization
request; does this library support such a thing?
Is there any plan around this?
I don't see any current support, and I don't remember any discussions
or requests to add it.
What kind of VSAs did you have in mind? There is some support for
attributes in the code, and I added more to get the privilege level
in my fork, so it shouldn't be hard to look for other attributes.
The bigger question is what do you do with the attributes; are they
strictly part of login, or do they need to be preserved in some way
for the login process, and if so, how will you do that?
Dave Olson
[email protected]
Yes, indeed it is easy to add new attributes. I looked into the code; it seems fairly straightforward. The attribute 'service-argument' that we need is part of the authorization request. The server needs it in order to do some identification based on it. A few similar examples are listed here - HTH Thanks
Ketan Kulkarni <[email protected]> wrote:
Yes, indeed it is easy to add new attributes. I looked into the code; it seems
fairly straightforward.
The attribute 'service-argument' that we need is part of the authorization request.
The server needs it in order to do some identification based on it. A few similar
examples are listed here -
https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html#r
I misread your earlier mail as the server needing to send it to the
client.
You are correct, adding attributes to send to the server is very easy.
Just use tac_add_attrib() as is done for service, protocol, etc.
Dave Olson
[email protected]
I was inclined towards giving any such attributes as configuration parameters, just like service and protocol are today; add another parameter, 'service-argument' in this case, which if passed as an argument will be added to the authorization request. If it's OK, I can create a PR for this. Thanks
Ketan Kulkarni <[email protected]> wrote:
I was inclined towards giving any such attributes as configuration parameters,
just like service and protocol are today; add another parameter,
'service-argument' in this case, which if passed as an argument will be added to
the authorization request.
If it's OK, I can create a PR for this.
Sure. May as well make it generic, so something like
extra_attribute=your_attribute_name=yourvalue
so people can add whatever extra attributes they want with
no further code changes.
Dave Olson
[email protected]
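The `extra_attribute=name=value` option suggested above, sketched as an added example that is not part of the thread or the project's code: a parser that validates one such configuration argument before it would be handed to `tac_add_attrib()`. The function name `parse_extra_attribute`, the limits it enforces and the sample arguments are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TAC_AV_MAX 255                 /* each argument length is one byte on the wire */
#define OPT_PREFIX "extra_attribute="  /* option name proposed in the thread */

/* Hypothetical helper: split "extra_attribute=name=value" into name and value.
 * Returns 0 on success, -1 if the argument is another option or is malformed. */
int parse_extra_attribute(const char *arg, char *name, size_t nlen,
                          char *value, size_t vlen)
{
    size_t plen = strlen(OPT_PREFIX);
    if (strncmp(arg, OPT_PREFIX, plen) != 0)
        return -1;                           /* not this option */
    const char *pair = arg + plen;
    const char *eq = strchr(pair, '=');      /* the first '=' ends the name */
    if (eq == NULL || eq == pair)
        return -1;                           /* no separator, or empty name */
    size_t n = (size_t)(eq - pair);
    size_t v = strlen(eq + 1);
    if (n + 1 + v > TAC_AV_MAX)
        return -1;                           /* "name=value" would not fit */
    if (memchr(pair, '*', n) != NULL)
        return -1;                           /* '*' marks an optional attribute */
    if (n >= nlen || v >= vlen)
        return -1;                           /* caller buffers too small */
    for (const char *p = pair; *p; p++)
        if ((unsigned char)*p < 0x20 || (unsigned char)*p > 0x7e)
            return -1;                       /* this example allows printable ASCII only */
    memcpy(name, pair, n);
    name[n] = '\0';
    memcpy(value, eq + 1, v + 1);            /* copies the terminating NUL too */
    return 0;
}

int main(void)
{
    /* Constructed sample configuration arguments. */
    const char *args[] = { "service=shell", "extra_attribute=service-argument=edge01",
                           "extra_attribute==oops", "extra_attribute=a*b=c" };
    char name[256], value[256];
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        if (parse_extra_attribute(args[i], name, sizeof name, value, sizeof value) == 0)
            printf("send: %s=%s\n", name, value);  /* tac_add_attrib() would go here */
        else
            printf("skip: %s\n", args[i]);
    }
    return 0;
}
```

Rejecting malformed pairs when the configuration is read keeps an oversized or separator-bearing attribute from being truncated or reinterpreted when the authorization request is built.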
Not a bug; but a support request.
Is there any support for including vendor specific attributes in authorization requests?
e.g. some TACACS server might need extra or special attributes in an authorization request; does this library support such a thing?
Is there any plan around this?
Thanks
Ketan