On 23/05/2018 12.10, Patrik Forsberg wrote:
> I was wondering if the Gossip framework will make any difference for Tacacs Authorization vs. Authentication? That is, if the radiator process is killed for whatever reason, will the Gossip framework help it authorize new requests? Or even help another server to authorize the request (which would be preferred)?
Yes, this could be handled with Gossip (or by some other storage too). There's some functionality already implemented that may already be useful in this case. See the reference manual and goodies/tacacsplusserver.cfg and look for the AllowAuthorizeOnly flag parameter.

A more general approach would be to make Radius::Context storable. This means a context could be stored and retrieved from Gossip, SQL, etc. and could be shared, when applicable, between processes. One possibility would be a context created during TACACS+ authentication.

In addition to your examples above, the AllowAuthorizeOnly parameter is useful when the authentication is done with RADIUS, Kerberos, local or by some other means. In other words, when there's no TACACS+ authentication and servicing an authorization request without the respective authentication is deemed acceptable.
Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
