(RADIATOR) Improvements to Server TACACSPLUS
Mike McCauley
mikem at open.com.au
Mon Dec 6 01:24:09 CST 2004
Hello all,
If you are not interested in TACACS+ authentication in Radiator, stop reading
now.
We have made a number of changes to Server TACACSPLUS, now available in the
3.11 patch set, as described below. The most significant change is the new
AuthorizeGroup, and we are keen to have interested parties test the new
behaviour to ensure it suits their needs.
=========
Added new parameter AuthorizeGroup, which permits much more fine-grained
group-based control over authorization of services, including shell, exec,
ppp etc. See example tacacsplusserver.cfg for details of how to use it. This
new parameter is alpha code, and testing is encouraged, feedback to me. If
AuthorizeGroup is not used in the config file, reverts to the previous
behaviour.
The Tacacs group name now defaults to 'DEFAULT' if GroupMemberAttr is not
defined, or if the Access-Accept does not include that named attribute (i.e. if
the Tacacs group name cannot be determined).
Added new test client for TACACS+.
See goodies/tacacsplustest -h for help.
Server TACACSPLUS now allows you to set the group cache file name with the
GroupCacheFile, which also permits special characters.
Also Server TACACSPLUS now uses the accounting type in incoming requests to
set the Acct-Status-Type in Radius Accounting-Requests.
Timestamp is now _not_ added to Radius requests, since the following Handler
will always do it anyway.
Added support for authentication using methods that can challenge,
such as DIGIPASS, ACE, OPIE, OTP, INTERNAL etc.
Default AuthorizationTimeout for Server TACACSPLUS changed to 600 seconds, to
cater for authentication start/challenge/continue sequences that are subject
to user input and could take a long time, and so that authorization replies
will be available for longer sessions.
Added -interactive flag to tacacsplustest to handle Tacacsplus
authentications that might ask for additional data (such as when
authenticating Tacacs with DIGIPASS, ACE, OPIE, OTP, INTERNAL etc).
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.