[RADIATOR] Radius authentication with Tacacs+ for authorization only

Alessandro Marcandalli amarcandalli at gmail.com
Wed Sep 24 07:34:31 CDT 2014


Hi all,
I'm trying to figure out what is the best way to configure Radiator to
support routers that use Radius for authentication and Tacacs+ for
shell/command authorization only.
I found that TACACS+ authorization requests from a NAS not previously
authenticated with the same protocol (in my scenario, routers are
authenticated via Radius by the same Radiator instance), are rejected with
the following message:

Wed Sep 24 11:26:00 2014: INFO: Authorization denied for <user> at <nas
ip>: No context found. Expired?

To overcome this issue I added the AllowAuthorizeOnly flag to the TACACS
server configuration.
This allowed Radiator to further process authorization requests but had the
side effect that users defined as follows

user1   User-Password="pwd"
...

were not matched since authorization requests have no User-Password
attribute.

Wed Sep 24 12:38:57 2014: WARNING: No CHAP-Password or User-Password in
request: does your dictionary have User-Password in it?
Wed Sep 24 12:38:57 2014: DEBUG: Radius::AuthFILE REJECT: Bad Password:
user1 [user1]

To make this work I created separate users files and default realms for
radius authentication and tacacs authorization like the following:

- authentication user file matching username and password

user1   User-Password="pwd"
... ...

- authorization user file matching username and Service-Type

user1   Service-Type = Authorize-Only
...

This solution worked, but I wonder if a simpler and better configuration is
possible that avoids having separate user definitions for authentication
and authorization.

Any hints?

Thanks in advance,

Alessandro
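The two-file workaround described in the post, written out in Radiator's configuration syntax, as an added example that is not part of the original message. The shared secret and the file paths are placeholders, and the Client clauses for the routers are assumed to exist elsewhere in the configuration.

```conf
# Added example, not from the original post. Placeholder values are marked.

<ServerTACACSPLUS>
    # Placeholder shared secret
    Key CHANGE-ME-tacacs-secret
    # Accept authorization requests from a NAS that did not authenticate over
    # TACACS+ first (the routers authenticate via RADIUS against this instance)
    AllowAuthorizeOnly
</ServerTACACSPLUS>

# TACACS+ authorization requests carry Service-Type = Authorize-Only and no
# User-Password, so send them to a users file whose check items do not
# require a password. Placeholder path; entries look like:
#   user1   Service-Type = Authorize-Only
<Handler Service-Type=Authorize-Only>
    <AuthBy FILE>
        Filename %D/users.authorize
    </AuthBy>
</Handler>

# Everything else, i.e. the RADIUS authentication from the routers, is
# checked against the file that holds passwords. Placeholder path; entries
# look like:
#   user1   User-Password = "pwd"
<Handler>
    <AuthBy FILE>
        Filename %D/users.auth
    </AuthBy>
</Handler>
```

Selecting the Handler on Service-Type keeps the password check out of the authorization path, which is the "Bad Password" reject the post quotes.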