[RADIATOR] TACACS Authorisation sessions across reloads in 4.9

Jason Griffith jason at rjay45.co.uk
Fri Jun 8 13:52:30 CDT 2012


Hi Patrik,

I had feedback (by the way, thanks to Mike for that!) stating that the only
problems were the loss of specific AV pairs specified in the local users
file if this is used, and the fact that I removed the DEFAULT group from
the code.

In the limited time that I have been working on it I have solved the
DEFAULT group issue by putting it back and adding another check, but I am
still working on the local user attributes, which is a bit more tricky for
me.

I'll share my changes once complete. No word on whether this will ever be
officially fixed, but I didn't specifically ask.

Jason

On Fri, Jun 8, 2012 at 8:32 AM, Patrik Forsberg
<patrik.forsberg at ip-only.se> wrote:

> Hello,
>
> Sorry for being slow to answer this!
>
> This is exactly the functionality I wished for.
>
> One thing though. Is it possible to modify the 24 hour limit to follow
> the “AuthorizationTimeout” clause instead of a static value?
>
> What’s the word from OSC? Is it possible that this could find its way
> into a patchset or next release?
>
> Or does it break something unforeseen?
>
> Regards,
>
> Patrik Forsberg
>
> *From:* radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au]
> *On Behalf Of *Jason Griffith
> *Sent:* Wednesday, May 30, 2012 8:45 PM
> *To:* radiator at open.com.au
> *Subject:* [RADIATOR] TACACS Authorisation sessions across reloads in 4.9
>
> Hello,
>
> I've recently been toying with Radiator 4.9 as we are planning on
> upgrading from 4.5 and have come across this TACACS+ session issue where
> command authorisations fail after Radiator is reloaded even when the
> session is saved to the temporary TACACS sessions file. I could not get
> this to function correctly with the standard configuration listed in the manual.
>
> As I can't compromise on the frequency of Radiator reloads due to our
> integration with other upstream systems, I instead modified the
> Radius/ServerTACACSPLUS.pm file (see attached). I've done a couple of
> things here - moved the check for a valid context to after the point where
> the temporary file is read; and also added a timestamp to the session file
> so that any sessions older than 24 hours will not authorise.
> My initial testing of this is positive and I have not come across anything
> unexpected.
>
> My question to the group is - are there any side effects to this of which
> I may not be aware, or any other features that I'm not using right now
> that may be broken? Being only familiar with the features we use and our
> other customisations I thought it best to throw this out there.
>
> Thanks for any feedback.
>
> Jason Griffith