[RADIATOR] Gossip and Tacacs

Heikki Vatiainen hvn at open.com.au
Wed May 23 13:16:30 UTC 2018


On 23/05/2018 12.10, Patrik Forsberg wrote:

> I was wondering if the Gossip framework will make any difference for
> Tacacs Authorization vs. Authentication? That is, if the radiator
> process is killed for whatever reason, will the Gossip framework help
> it authorize new requests? Or even help another server to authorize
> the request (which would be preferred)?

Yes, this could be handled with Gossip (or by some other storage too). 
There's some functionality already implemented that may already be 
useful to this case. See the reference manual and
goodies/tacacsplusserver.cfg and look for the AllowAuthorizeOnly flag parameter.

A more general approach would be to make Radius::Context storable. This
means a context could be stored and retrieved from Gossip, SQL,
etc. and could be shared, when applicable, between processes. One 
possibility would be context created during TACACS+ authentication.

In addition to your examples above, the AllowAuthorizeOnly parameter is
useful when the authentication is done with RADIUS, Kerberos, local or
by some other means. In other words, when there's no TACACS+ 
authentication and servicing an authorization request without the 
respective authentication is deemed acceptable.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

