[RADIATOR] Radius authentication with Tacacs+ for authorization only

Heikki Vatiainen hvn at open.com.au
Wed Sep 24 13:12:38 CDT 2014


On 09/24/2014 03:34 PM, Alessandro Marcandalli wrote:

> To make this work I created separate users files and default realms for
> radius authentication and tacacs authorization like the following:
> 
> - authentication user file matching username and password
> 
> user1   User-Password="pwd" 
> ... ...
> 
> - authorization user file matching username and Service-Type
> 
> user1   Service-Type = Authorize-Only   
> ...
> 
> This solution worked but I wonder if a simpler and better configuration
> is possible that avoids having separate users definitions for
> authentication and authorization.

How about using <Handler Service-Type=Authorize-only> with an AuthBy
that has NoCheckPassword? Add this Handler before your current Handler
to process TACACS+ based authorisation requests differently from RADIUS
originated access requests.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
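
The handler layout suggested in the reply above, written out as an added example; it is not part of the original message and not taken from Radiator's shipped configuration. The use of AuthBy FILE, the users file path and the sharing of one users file between both handlers are assumptions.

```conf
# Added example, not from the original thread.
# Assumes AuthBy FILE and one users file (%D/users, path assumed)
# shared by both handlers.

# Placed first so it is considered before the general handler.
# Selects the authorization-only requests originating from TACACS+.
<Handler Service-Type=Authorize-Only>
    <AuthBy FILE>
        Filename %D/users
        # Look the user up but skip the password comparison
        NoCheckPassword
    </AuthBy>
</Handler>

# Everything else: ordinary RADIUS access requests, password checked.
<Handler>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>
```

The first handler selects on Service-Type alone, so any client that can send Service-Type=Authorize-Only reaches the branch that skips the password check; confirm that only the TACACS+ side is able to do so.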

