On 04/13/2012 10:35 AM, Patrik Forsberg wrote:
> Yes, I'm aware of that option.
> But despite setting it and seeing it being in use, aka. I see that it gets
> updated, the authentication doesn't survive the reload/restart.

I think this change in 4.8 is the reason. Quote from the history file:

    Server TACACSPLUS now supports a new parameter AuthorizeGroupAttr. If
    this parameter is specified, it specifies the name of an attribute in
    Access-Accept that will contain per-command authorization patterns for
    authorising TACACS+ commands. These are processed before any
    configured-in AuthorizeGroup parameters. The command authorization
    patterns are in the same format as supported by AuthorizeGroup. Added a
    new VSA to dictionary OSC-Authorize-Group, which is intended to carry
    per-user reply command authorization patterns

The patterns received with AuthorizeGroupAttr are stored in the context
and override the patterns in the config file. Now when the context is
gone with the reload, the possible overrides are gone too.

I think this is the reason why it refuses to process authorization. The
authorization patterns may no longer be correct without the overrides.

-- 
Heikki Vatiainen <[email protected]>
