[RADIATOR] Gossip and Tacacs
Heikki Vatiainen
hvn at open.com.au
Wed May 23 13:16:30 UTC 2018

On 23/05/2018 12.10, Patrik Forsberg wrote:
> I was wondering if the Gossip framework will make any difference for
> Tacacs Authorization vs. Authentication? That is if the radiator
> process is killed for whatever reason will the Gossip framework help
> it Authorize new requests? Or even help another server to authorize
> the request (which would be preferred)?

Yes, this could be handled with Gossip (or by some other storage too).
There's some functionality already implemented that may already be
useful for this case. See the reference manual and
goodies/tacacsplusserver.cfg and look for the AllowAuthorizeOnly flag
parameter.

A more general approach would be to make Radius::Context storable. This
means a context could be stored and retrieved from Gossip, SQL,
etc. and could be shared, when applicable, between processes. One
possibility would be a context created during TACACS+ authentication.

In addition to your examples above, the AllowAuthorizeOnly parameter is
useful when the authentication is done with RADIUS, Kerberos, local or
by some other means. In other words, when there's no TACACS+
authentication and servicing an authorization request without the
respective authentication is deemed acceptable.

Thanks,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.