Hi all,

I'm trying to figure out what is the best way to configure Radiator to support routers that use Radius for authentication and TACACS+ for shell/command authorization only. I found that TACACS+ authorization requests from a NAS not previously authenticated with the same protocol (in my scenario, routers are authenticated via Radius by the same Radiator instance) are rejected with the following message:

    Wed Sep 24 11:26:00 2014: INFO: Authorization denied for <user> at <nas ip>: No context found. Expired?

To overcome this issue I added the AllowAuthorizeOnly flag to the TACACS server configuration. This allowed Radiator to further process authorization requests, but had the side effect that users defined as follows

    user1 User-Password="pwd"
    ...

were not matched, since authorization requests have no User-Password attribute:

    Wed Sep 24 12:38:57 2014: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
    Wed Sep 24 12:38:57 2014: DEBUG: Radius::AuthFILE REJECT: Bad Password: user1 [user1]

To make this work I created separate users files and default realms for Radius authentication and TACACS+ authorization, like the following:

- authentication user file matching username and password

    user1 User-Password="pwd"
    ...
    ...

- authorization user file matching username and Service-Type

    user1 Service-Type = Authorize-Only
    ...

This solution worked, but I wonder if a simpler and better configuration is possible that avoids having separate users definitions for authentication and authorization.

Any hints?

Thanks in advance,
Alessandro
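As an added illustration (not part of Alessandro's post or of the Radiator distribution), a minimal radius.cfg that wires together the pieces described above: the AllowAuthorizeOnly flag on the TACACS+ server and one Handler per request type, each pointing at its own users file so that authorization-only requests never hit a User-Password check item. The Handler match on Service-Type, the users file names and the shared secrets are assumptions.

```text
# Added example config (not from the original post). Secrets and paths are placeholders.
Foreground
LogStdout
LogDir      .
DbDir       .
Trace       4

# Routers send their RADIUS Access-Requests with this shared secret.
<Client DEFAULT>
    Secret      RADIUS_SHARED_SECRET_PLACEHOLDER
</Client>

# The same Radiator instance answers TACACS+ command authorization.
# AllowAuthorizeOnly lets an authorization request through even though the
# router never authenticated over TACACS+ (the "No context found" rejection).
<ServerTACACSPLUS>
    Key          TACACS_KEY_PLACEHOLDER
    AllowAuthorizeOnly
</ServerTACACSPLUS>

# Authorization-only requests carry Service-Type = Authorize-Only and no
# User-Password, so they go to a users file whose check items do not
# include a password (e.g. "user1 Service-Type = Authorize-Only").
<Handler Service-Type=Authorize-Only>
    <AuthBy FILE>
        Filename %D/users.authz
    </AuthBy>
</Handler>

# Everything else (the RADIUS authentication requests) is checked against
# the password-bearing users file (e.g. 'user1 User-Password="pwd"').
<Handler>
    <AuthBy FILE>
        Filename %D/users.authn
    </AuthBy>
</Handler>
```

Running with Trace 4 shows which Handler each request selects, which is the quickest way to confirm the Authorize-Only requests are no longer reaching the password check.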
_______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator