[RADIATOR] TACACS Authentication Expired
Remco van Noorloos
rvannoorloos at proxsys.nl
Fri Sep 14 03:58:25 CDT 2012
Dear all,
This week I've implemented TACACS in our Radiator setup and it is working correctly. I've got one issue at the moment though.
The thing I'd like to change is the 'authorization expired' messages. Authorization works correctly until a logged-in user has been idle for some time. The Radiator log shows a 'no context found' message in this case, so it seems that Radiator has already flushed the authentication cache. I've tried to set the 'idle-time' and 'timeout' values, but this doesn't seem to change a thing. Please note that when this message appears Radiator hasn't been restarted.
Corresponding configuration:
<ServerTACACSPLUS>
BindAddress x.x.x.x
Key xxxxxxx
AddToRequest NAS-Identifier=TACACS
GroupMemberAttr tacacsgroup
AuthorizationTimeout 1800
IdleTimeout 1800
AuthorizeGroup ReadOnly permit service=shell .*
AuthorizeGroup ReadOnly deny service=shell enable .*
AuthorizeGroup ReadOnly deny service=shell configure .*
# Cisco WLC
AuthorizeGroup ReadWrite permit service=ciscowlc .* {role1=ALL}
#
# Specific permit statement to enter enable-mode directly
#
AuthorizeGroup ReadWrite permit service=shell cmd\* {priv-lvl=15 idletime=45 timeout=600}
AuthorizeGroup ReadWrite permit .*
GroupCacheFile %D/group-cache.dat
</ServerTACACSPLUS>
Corresponding logging:
Fri Sep 14 10:43:24 2012: DEBUG: New TacacsplusConnection created for x.x.x.x:60437
Fri Sep 14 10:43:24 2012: WARNING: Could not find a Client for x.x.x.x:60437. Falling back to default Key
Fri Sep 14 10:43:24 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3937159092, 106
Fri Sep 14 10:43:24 2012: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, mvanwilligen, tty514, x.x.x.x, 5, service=shell cmd=show cmd-arg=access-lists cmd-arg=101 cmd-arg=<cr>
Fri Sep 14 10:43:24 2012: INFO: Authorization denied for [username] at x.x.x.x: No context found. Expired?
Fri Sep 14 10:43:24 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 17, Authentication expired, ,
Fri Sep 14 10:43:24 2012: DEBUG: TacacsplusConnection disconnected from x.x.x.x:60437
Does anyone know how to prevent this from happening?
Thanks in advance!
Best regards,
PROXSYS
Remco van Noorloos
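To tell an expected expiry (the user really was idle longer than IdleTimeout) from one that fires too early, it helps to correlate each "No context found" denial with the same user's previous authorization REQUEST on that NAS. The script below is an added example, not code from Radiator or from the original post. It assumes the log line layout shown above (timestamp, level, message; REQUEST fields in the order seen on the page, with user in the fifth and NAS address in the seventh position) and that a context is keyed on user and NAS address. The sample log is constructed: it reuses the page's lines with the redacted user name filled in from the REQUEST line, plus an earlier request for that user and a second, constructed user (`jdoe`) whose context is lost after only 210 seconds.

```python
"""Correlate Radiator TACACS+ 'No context found' authorization denials with the
user's previous authorization REQUEST and compare the gap against IdleTimeout.
Added example; not Radiator's own code. Log layout is assumed from the post."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Log prefix as seen on the page: "Fri Sep 14 10:43:24 2012: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
REQUEST_PREFIX = "TacacsplusConnection Authorization REQUEST "
DENIED_RE = re.compile(
    r"Authorization denied for (?P<user>\S+) at (?P<nas>\S+): No context found"
)

# Constructed sample log (times and the user jdoe are made up for the example).
SAMPLE_LOG = [
    "Fri Sep 14 09:55:10 2012: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, mvanwilligen, tty514, x.x.x.x, 5, service=shell cmd=show cmd-arg=version cmd-arg=<cr>",
    "Fri Sep 14 10:40:00 2012: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, jdoe, tty515, x.x.x.x, 5, service=shell cmd=show cmd-arg=clock cmd-arg=<cr>",
    "Fri Sep 14 10:43:24 2012: DEBUG: New TacacsplusConnection created for x.x.x.x:60437",
    "Fri Sep 14 10:43:24 2012: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, mvanwilligen, tty514, x.x.x.x, 5, service=shell cmd=show cmd-arg=access-lists cmd-arg=101 cmd-arg=<cr>",
    "Fri Sep 14 10:43:24 2012: INFO: Authorization denied for mvanwilligen at x.x.x.x: No context found. Expired?",
    "Fri Sep 14 10:43:24 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 17, Authentication expired, ,",
    "Fri Sep 14 10:43:30 2012: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, jdoe, tty515, x.x.x.x, 5, service=shell cmd=show cmd-arg=clock cmd-arg=<cr>",
    "Fri Sep 14 10:43:30 2012: INFO: Authorization denied for jdoe at x.x.x.x: No context found. Expired?",
]


def parse_ts(text: str) -> datetime:
    # Collapse the double space that strftime-style logs use for single-digit days.
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")


def parse_request(msg: str) -> Optional[Tuple[str, str, str]]:
    """Return (user, port, nas) from an Authorization REQUEST message.

    Field order is assumed from the page's line: 1, 1, 1, 0, user, port, nas, priv, args.
    """
    if not msg.startswith(REQUEST_PREFIX):
        return None
    fields = msg[len(REQUEST_PREFIX):].split(", ", 8)
    if len(fields) < 7:
        return None
    return fields[4], fields[5], fields[6]


def find_context_expiries(lines: Iterable[str], idle_timeout: int):
    """Return one (user, nas, gap_seconds, expected) tuple per 'No context found' denial.

    gap_seconds is the time since the user's previous authorization REQUEST on that NAS
    (None if none was seen in the log window); expected is True when the gap exceeds
    idle_timeout, False when the context was lost earlier than configured, None if unknown.
    """
    history: Dict[Tuple[str, str], List[datetime]] = {}
    results = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        req = parse_request(msg)
        if req:
            user, _port, nas = req
            history.setdefault((user, nas), []).append(ts)
            continue
        d = DENIED_RE.search(msg)
        if d:
            seen = history.get((d["user"], d["nas"]), [])
            # seen[-1] is the request that was just denied; seen[-2] is the prior activity.
            prior = seen[-2] if len(seen) >= 2 else None
            gap = int((ts - prior).total_seconds()) if prior else None
            expected = (gap > idle_timeout) if gap is not None else None
            results.append((d["user"], d["nas"], gap, expected))
    return results


if __name__ == "__main__":
    # IdleTimeout 1800 as in the posted configuration.
    for user, nas, gap, expected in find_context_expiries(SAMPLE_LOG, 1800):
        verdict = {True: "expected", False: "TOO EARLY", None: "no prior request"}[expected]
        print(f"{user}@{nas}: gap={gap}s -> {verdict}")
```

Run against a real log, a denial marked "TOO EARLY" points at the context being dropped for a reason other than the configured idle time, whereas an "expected" one just reflects a user who sat idle past IdleTimeout. Only REQUEST lines are counted as activity, so sessions that generate no authorization traffic look idle to this script even if the user is still logged in.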