3.119.10. GroupMemberAttr

When AuthorizeGroup is used to specify TACACS+ user privileges, GroupMemberAttr specifies the name of the RADIUS reply attribute in the Access-Accept that is expected to contain the name of the TACACS+ user's privilege group. AuthorizeGroup then uses this group name to determine which privileges can be extended to that user. If there is no such attribute in the Access-Accept, the TACACS+ group name for the user is assumed to be 'DEFAULT'. If GroupMemberAttr is not defined in the configuration file, all TACACS+ users are assumed to have a TACACS+ group name of 'DEFAULT'.
The RADIUS attribute named by GroupMemberAttr may be a real RADIUS attribute received from a remote RADIUS server (in the case where the remote RADIUS server provides the authentication of TACACS+ requests), or it may be a pseudo RADIUS attribute added to the reply by an AuthBy internal to the current Radiator server.
# Name of the pseudo attribute containing the TACACS group name
# in RADIUS Access-Accepts:
GroupMemberAttr tacacsgroup
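
Because a missing attribute or a missing GroupMemberAttr silently places users in 'DEFAULT', it is worth checking what that group is permitted to do. The following Python audit is an added example, not part of Radiator or of the original page. The function name, the sample configuration and the group name netadmin are constructed, and the layout "AuthorizeGroup <group> permit|deny <patterns>" is an assumption, since this page does not show it.

```python
import re

# Constructed sample configuration (not from the Radiator distribution).
# Assumption: AuthorizeGroup lines read "AuthorizeGroup <group> permit|deny <patterns>".
SAMPLE_CONFIG = """
<ServerTACACSPLUS>
    # Name of the pseudo attribute containing the TACACS group name
    GroupMemberAttr tacacsgroup
    AuthorizeGroup netadmin permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup netadmin deny .*
    AuthorizeGroup DEFAULT permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup DEFAULT deny .*
</ServerTACACSPLUS>
"""

def audit_default_fallback(config_text):
    """Return (member_attr, findings) for the DEFAULT-group fallback."""
    member_attr = None
    actions = {}  # group name -> actions ("permit"/"deny") in file order
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"GroupMemberAttr\s+(\S+)", line)
        if m:
            member_attr = m.group(1)
            continue
        m = re.match(r"AuthorizeGroup\s+(\S+)\s+(permit|deny)\b", line)
        if m:
            actions.setdefault(m.group(1), []).append(m.group(2))

    findings = []
    named = sorted(g for g in actions if g != "DEFAULT")
    if member_attr is None:
        findings.append("no-group-attr: every TACACS+ user is treated as DEFAULT")
        if named:
            findings.append("unreachable-groups: " + ", ".join(named))
    if "permit" in actions.get("DEFAULT", []):
        scope = "all users" if member_attr is None else f"users whose Access-Accept lacks {member_attr}"
        findings.append(f"default-permits: DEFAULT permit rules apply to {scope}")
    return member_attr, findings

if __name__ == "__main__":
    attr, findings = audit_default_fallback(SAMPLE_CONFIG)
    print("GroupMemberAttr:", attr)
    for f in findings:
        print(" -", f)
```
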