[RADIATOR] Radius authentication with Tacacs+ for authorization only
Heikki Vatiainen
hvn at open.com.au
Wed Sep 24 13:12:38 CDT 2014

On 09/24/2014 03:34 PM, Alessandro Marcandalli wrote:
> To make this work I created separate users files and default realms for
> radius authentication and tacacs authorization like the following:
>
> - authentication user file matching username and password
>
> user1 User-Password="pwd"
> ... ...
>
> - authorization user file matching username and Service-Type
>
> user1 Service-Type = Authorize-Only
> ...
>
> This solution worked but I wonder if a simpler and better configuration
> is possible that avoids having separate users definitions for
> authentication and authorization.

How about using <Handler Service-Type=Authorize-only> with an AuthBy
that has NoCheckPassword? Add this Handler before your current Handler
to process TACACS+ based authorisation requests differently from RADIUS
originated access requests.

Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
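
The suggestion in the reply above, laid out as a configuration sketch. This is an added example, not configuration posted in the thread or taken from the Radiator distribution; the single shared users file at `%D/users` is an assumption, and the Service-Type value is spelled as in the quoted users file.

```conf
# Added example. Assumed: one users file, %D/users, holding entries such as
#   user1 User-Password="pwd"
# and no separate authorisation-only users file.

# Handlers are tried in order, so this one must come first. It takes the
# requests that carry Service-Type=Authorize-Only, which is how the
# TACACS+ authorisation requests in this thread arrive.
<Handler Service-Type=Authorize-Only>
    <AuthBy FILE>
        Filename %D/users
# The user must still exist in the file, but the password check is
# skipped, so the same entry serves authentication and authorisation.
        NoCheckPassword
    </AuthBy>
</Handler>

# Everything else, including RADIUS Access-Requests, falls through to
# the existing Handler, where User-Password is checked as before.
<Handler>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>
```

The first Handler skips password verification for every request it matches, so keep its match condition as narrow as the deployment allows.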