3.112.13. AllowAuthorizeOnly

When enabled, this option allows Radiator to create a RADIUS Access-Request with the Service-Type attribute set to Authorize-Only when a TACACS+ authorisation request is received but Radiator has no previous information about the user's authorisation. This may happen if the TACACS+ client does not use TACACS+ for authentication or has authenticated against another TACACS+ server, if Radiator has been reloaded, or if AuthorizationTimeout has expired. This option is disabled by default.
For example, Cisco 'aaa new-model' allows non-TACACS+ authentication with TACACS+ based accounting and authorisation: you can authenticate with a local user name, RADIUS or Kerberos and then do command authorisation over TACACS+.
The default for Radiator is to require TACACS+ authentication first to create the authorisation context before being able to do command authorisation. With AllowAuthorizeOnly you can relax this requirement.
Before enabling this option, we recommend considering whether it is acceptable to trust the TACACS+ client's authentication and allow Radiator to do command authorisation without any previous knowledge about the users' authentication.
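
The decision described above, as a simplified Python model added here (it is not Radiator's code or configuration). The class and method names, the decision labels and the 600-second timeout are assumptions made for illustration.

```python
from dataclasses import dataclass, field

AUTHORIZE_ONLY = "Authorize-Only"  # Service-Type value named on this page


@dataclass
class AuthzModel:
    """Toy model of the authorisation-context check (names are assumptions)."""
    allow_authorize_only: bool = False    # models AllowAuthorizeOnly, disabled by default
    authorization_timeout: float = 600.0  # models AuthorizationTimeout; 600 s is assumed
    contexts: dict = field(default_factory=dict)  # user -> time of TACACS+ authentication

    def tacacs_authenticated(self, user, now):
        # A successful TACACS+ authentication creates the authorisation context.
        self.contexts[user] = now

    def reload(self):
        # A reload loses every stored context.
        self.contexts.clear()

    def authorize(self, user, now):
        """Return (decision, RADIUS request attributes or None)."""
        seen = self.contexts.get(user)
        if seen is not None and now - seen <= self.authorization_timeout:
            return "use-context", None
        self.contexts.pop(user, None)  # expired or never present
        if not self.allow_authorize_only:
            return "reject", None      # default: TACACS+ authentication required first
        # Relaxed mode: the client's word that the user is authenticated is trusted.
        return "radius-lookup", {"User-Name": user, "Service-Type": AUTHORIZE_ONLY}


def run_scenarios(allow):
    """Constructed scenarios matching the cases listed in the text."""
    m = AuthzModel(allow_authorize_only=allow)
    out = {}
    out["never_authenticated_here"] = m.authorize("alice", now=0)[0]
    m.tacacs_authenticated("bob", now=0)
    out["within_timeout"] = m.authorize("bob", now=300)[0]
    out["after_timeout"] = m.authorize("bob", now=601)[0]
    m.tacacs_authenticated("carol", now=700)
    m.reload()
    out["after_reload"] = m.authorize("carol", now=710)[0]
    return out


if __name__ == "__main__":
    for allow in (False, True):
        print(allow, run_scenarios(allow))
```

With the option modelled as enabled, every case that would otherwise be rejected becomes an Authorize-Only lookup for a user this server never authenticated, which is the trust decision the recommendation above asks you to weigh.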