[RADIATOR] Tacacs Authentication to survive reloads ?

Heikki Vatiainen hvn at open.com.au
Fri Apr 13 08:26:37 CDT 2012


On 04/13/2012 10:35 AM, Patrik Forsberg wrote:

> Yes, I'm aware of that option.
> But despite setting it and seeing it being in use, aka. I see that it gets updated, the authentication doesn't survive the reload/restart.

I think this change in 4.8 is the reason. Quote from the history file:

  Server TACACSPLUS now supports a new parameter AuthorizeGroupAttr.
  If this parameter is specified, it specifies the name of an attribute
  in Access-Accept that will contain per-command authorization patterns
  for authorising TACACS+ commands. These are processed before any
  configured-in AuthorizeGroup parameters. The command authorization
  patterns are in the same format as supported by AuthorizeGroup. Added
  a new VSA to dictionary OSC-Authorize-Group, which is intended to
  carry per-user reply command authorization patterns


The patterns received with AuthorizeGroupAttr are stored in the context
and override the patterns in the config file. Now when the context is
gone with the reload, the possible overrides are gone too. I think this
is the reason why it refuses to process authorization. The authorization
patterns may no longer be correct without the overrides.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
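As an added illustration of the behaviour described in this reply (a constructed model, not Radiator's own code): per-user patterns from the Access-Accept attribute (the OSC-Authorize-Group name comes from the quoted history entry) are kept in an in-memory session context and checked before the configured-in patterns, and a reload empties that context. The `permit <regex>` / `deny <regex>` line shape, first-match-wins evaluation, and the refusal of an unknown session are assumptions of this model.

```python
"""Model of per-session TACACS+ command authorization overrides.

Constructed illustration, not Radiator code. Assumed pattern shape is
'permit <regex>' / 'deny <regex>', first match wins. The session context
holding the Access-Accept overrides is a plain dict that a reload wipes."""
import re

# Assumed configured-in patterns, applied to every session after overrides.
CONFIG_PATTERNS = [r"permit ^show\b", "deny .*"]

# In-memory session context: session id -> override patterns from Access-Accept.
# This is the state that does not survive a reload/restart.
session_context = {}


def parse_patterns(lines):
    """Turn 'permit|deny <regex>' lines into (action, compiled regex) tuples."""
    rules = []
    for line in lines:
        action, _, regex = line.strip().partition(" ")
        if action not in ("permit", "deny") or not regex:
            raise ValueError(f"bad authorization pattern: {line!r}")
        rules.append((action, re.compile(regex)))
    return rules


def on_access_accept(session_id, reply_attrs):
    """Store the per-user patterns carried in the OSC-Authorize-Group reply attribute."""
    overrides = reply_attrs.get("OSC-Authorize-Group", [])
    session_context[session_id] = parse_patterns(overrides)


def authorize_command(session_id, command):
    """Overrides from the session context are evaluated before config patterns.

    A session absent from the context (e.g. after a reload) is refused outright:
    its effective pattern set can no longer be reconstructed, so the model does
    not fall back to config-only patterns that may now be wrong for that user."""
    if session_id not in session_context:
        return "unknown-session"
    rules = session_context[session_id] + parse_patterns(CONFIG_PATTERNS)
    for action, regex in rules:
        if regex.search(command):
            return action
    return "deny"  # no rule matched: fail closed


def reload_server():
    """Simulate a reload/restart: every in-memory session context is lost."""
    session_context.clear()
```

Re-running the same authorization after `reload_server()` shows why the device must re-authenticate the user before command authorization can succeed again.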
