[RADIATOR] TACACS Authentication Expired

Heikki Vatiainen hvn at open.com.au
Fri Sep 14 15:26:01 CDT 2012


On 09/14/2012 11:58 AM, Remco van Noorloos wrote:

> The thing I’d like to change is the ‘authorization expired’ messages.
> Authorization works correctly until a logged in user has been idle for
> some time. Radiator logs show a ‘no context found’ message in this
> case, so it seems that Radiator already flushed the authentication
> cache. I’ve tried to set the ‘idle-time’ and ‘timeout’ values, but this
> doesn’t seem to change a thing. Please note that when this message
> appears Radiator hasn’t been restarted.

You should be able to control expiration time with AuthorizationTimeout.

If it does not work and you get a 'no context' message, check that the
TACACS+ connections are coming from the same client interface. If they
are not, see if you can fix the source interface. With Cisco you can do
something like 'ip tacacs source-interface ...'. A loopback interface
might be a good choice here.

If the client IP changes and there's a new TCP connection for each
request this can lead to the above problems.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
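
Added example, not part of the original message and not Radiator's code: a small Python model of the two failure modes described in the reply above, an idle session outliving the timeout and a request arriving from a different source address. It assumes the authorization context is looked up by client IP and user name; the class, function, outcome labels and sample addresses are hypothetical.

```python
# Simplified model (assumption, not Radiator source): the server keeps a
# context per (client IP, user) and drops it after authorization_timeout.
class ContextCache:
    def __init__(self, authorization_timeout):
        self.timeout = authorization_timeout
        self._expiry = {}  # (client_ip, user) -> time the context lapses

    def authenticate(self, client_ip, user, now):
        self._expiry[(client_ip, user)] = now + self.timeout

    def authorize(self, client_ip, user, now):
        # A new TCP connection per request leaves the peer address as the
        # only link back to the login. Return values are this model's labels.
        expiry = self._expiry.get((client_ip, user))
        if expiry is None:
            return "no-context-for-source"
        if now >= expiry:
            del self._expiry[(client_ip, user)]
            return "timed-out"
        return "ok"


def replay(events, authorization_timeout):
    """Feed (time, kind, client_ip, user) events; list authorize outcomes."""
    cache = ContextCache(authorization_timeout)
    outcomes = []
    for now, kind, client_ip, user in events:
        if kind == "authen":
            cache.authenticate(client_ip, user, now)
        else:
            outcomes.append(cache.authorize(client_ip, user, now))
    return outcomes


# Constructed sample: one device with two interfaces, login at t=0.
EVENTS = [
    (0, "authen", "192.0.2.1", "alice"),
    (30, "author", "192.0.2.1", "alice"),     # same source, fresh context
    (60, "author", "198.51.100.1", "alice"),  # request left via other interface
    (900, "author", "192.0.2.1", "alice"),    # idle for 15 minutes
]

if __name__ == "__main__":
    for timeout in (600, 3600):
        print(timeout, replay(EVENTS, timeout))
```

In this model a longer timeout clears the idle case but not the request from the second address, which is why pinning the source interface is a separate fix.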

