On 09/24/2014 03:34 PM, Alessandro Marcandalli wrote:

> To make this work I created separate users files and default realms for
> radius authentication and tacacs authorization like the following:
> 
> - authentication user file matching username and password
> 
> user1   User-Password="pwd" 
> ... ...
> 
> - authorization user file matching username and Service-Type
> 
> user1   Service-Type = Authorize-Only   
> ...
> 
> This solution worked but I wonder if a simpler and better configuration
> is possible that avoids having separate users definitions for
> authentication and authorization.

How about using <Handler Service-Type=Authorize-only> with an AuthBy
that has NoCheckPassword? Add this Handler before your current Handler
to process TACACS+ based authorisation requests differently from RADIUS
originated access requests.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
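The Handler arrangement suggested in the reply, written out as an added example (not from the original thread and not the poster's actual configuration). The `%D/users` filename and the single shared users file are assumptions.

```conf
# Added example: one users file shared by both Handlers.
# Assumed content of %D/users, using the entry quoted in the question:
#   user1   User-Password="pwd"

# Placed first so that it is tried before the general Handler below.
# It matches the authorization requests that carry
# Service-Type=Authorize-only.
<Handler Service-Type=Authorize-only>
    <AuthBy FILE>
        Filename %D/users
        # Look the user up but skip the password comparison, so the
        # same entry serves authentication and authorization.
        NoCheckPassword
    </AuthBy>
</Handler>

# The existing Handler: all other requests, including RADIUS
# Access-Requests, are checked against User-Password as usual.
<Handler>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>
```

The first Handler selects on Service-Type alone, so any request carrying `Service-Type=Authorize-only` is answered without a password check, whichever client sent it.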