3.114.13. AllowAuthorizeOnly Previous topic Parent topic Child topic Next topic

When enabled, this parameter allows Radiator to create a RADIUS Access-Request with Service-Type attribute set to Authorize-Only when TACACS+ authorisation request is received but Radiator has no previous information about the user's authorisation. This can happen if the TACACS+ client does not use TACACS+ for authentication, has authenticated against another TACACS+ server, Radiator has been reloaded, or AuthorizationTimeout has expired. This is disabled by default.
For example, Cisco 'aaa new model' allows non-TACACS+ authentication with TACACS+ based accounting and authorisation: you can authenticate with local user name, Radius, or kerberos and then do command authorisation over TACACS+.
The default for Radiator is to require TACACS+ authentication first to create the authorisation context before being able to do command authorisation. If AllowAuthorizeOnly is enabled, this is not requires.
Before enabling this option, we recommend considering if it is acceptable to trust the TACACS+ client authentication and allow Radiator to do command authorisation without any previous knowledge about the users' authentication.