Multiple TACACS+/RADIUS servers enhancement #734

Closed
Disco402 opened this issue Jul 8, 2020 · 4 comments


Disco402 commented Jul 8, 2020

Expected Behaviour

Be able to define multiple TACACS/RADIUS servers for failover, servers should be listed as per the LDAP server list and tried in that order. If the server is not available move onto the next in the list.

Documentation for RADIUS only describes the "server" option
https://github.com/netdisco/netdisco/wiki/Configuration#radius

Documentation for LDAP describes the "servers" option
https://github.com/netdisco/netdisco/wiki/Configuration#ldap

Current Behaviour

Currently TACACS/RADIUS options can only use one server which breaks authentication if that server is not available

Possible Solution

Might be possible to reuse the "servers" code from LDAP option but I am unsure if that is a good idea.

Context

Allows for HA of the authentication mechanism when using TACACS/RADIUS auth


ollyg commented Jul 8, 2020

We use https://metacpan.org/pod/Authen::Radius which supports only a single server, as far as I can tell

However https://metacpan.org/pod/Authen::TacacsPlus seems to support multiple servers.


ollyg commented Jul 8, 2020

Oh, looks like the RADIUS module can do it too:

Optional parameter NodeList may contain a Perl reference to an array, containing a list of Radius Cluster nodes. Each node in the list can be specified using a hostname or IP (with an optional port number), i.e. 'radius1.mytel.com' or 'radius.myhost.com:1812'. Radius Cluster contains a set of Radius servers; at any given moment of time only one server is considered to be "active" (so requests are sent to this server). How is the active node determined? Initially, in addition to the NodeList parameter you may supply the Host parameter and specify which server should become the first active node. If this parameter is absent, or the current active node does not reply anymore, the process of "discovery" will be performed: a request will be sent to all nodes and the consecutive communication continues with the node which will be the first to reply.
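The behaviour the issue asks for (an ordered server list, tried in turn, moving on only when a server does not answer) differs from the Authen::Radius cluster logic quoted above, which picks one "active" node by discovery. The following is an added example, not Netdisco code and not Authen::Radius: a minimal RADIUS PAP client in Python that implements the ordered failover, treats a reachable server's Access-Reject as final (so a bad password is not retried against the next server), fails closed when nobody answers, and refuses replies whose RFC 2865 Response Authenticator does not check out. The `exchange` parameter, the `build_response` helper and the server tuples are constructed for this example; the wire format is from RFC 2865.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(kind, value):
    # RFC 2865 s5 attribute: type, total length, value (value at most 253 bytes)
    return struct.pack("BB", kind, len(value) + 2) + value


def pap_encrypt(secret, password, authenticator):
    """RFC 2865 s5.2 User-Password obfuscation: 16-byte blocks XORed with an
    MD5 keystream chained through the previous ciphertext block."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(secret, username, password, ident, authenticator):
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, pap_encrypt(secret, password, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Reply carrying the RFC 2865 s3 Response Authenticator. A real server
    computes exactly this; here it also lets tests stand in for a server."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet, ident, request_auth, secret):
    """Return the reply code only if the packet is well-formed, answers our
    request id and carries a valid Response Authenticator, else None. Without
    this check anyone able to spoof UDP to the client could forge an
    Access-Accept."""
    if len(packet) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    return code


def udp_exchange(host, port, packet, timeout):
    """Send one datagram and wait up to `timeout` seconds for a reply.
    None means the server did not answer (unreachable, filtered or silent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (host, port))
            data, _ = s.recvfrom(4096)
        except (socket.timeout, OSError):
            return None
    return data


def authenticate_with_failover(servers, secret, username, password,
                               timeout=3.0, exchange=udp_exchange):
    """Try (host, port) tuples in list order; move on only when a server gives
    no valid answer. Returns (accepted, server_that_answered).
    An Access-Reject from a reachable server is final: the next server is not
    consulted, so failover cannot be used to retry a bad password around the
    cluster. If no server answers, the result is a refusal (fail closed).
    Worst-case login delay is len(servers) * timeout, so keep `timeout` short."""
    for host, port in servers:
        ident = os.urandom(1)[0]
        authenticator = os.urandom(16)   # fresh per request; also keys the PAP stream
        req = build_access_request(secret, username, password, ident, authenticator)
        reply = exchange(host, port, req, timeout)
        if reply is None:
            continue                     # unavailable: next server in the list
        code = verify_response(reply, ident, authenticator, secret)
        if code is None:
            continue                     # forged or corrupt reply counts as no answer
        return code == ACCESS_ACCEPT, (host, port)
    return False, None
```

The default per-server timeout is deliberately small because a client only learns that a server is down by waiting for it; with the 15-second timeout mentioned later in this thread, three dead servers would delay every login by 45 seconds before the list is exhausted.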


ollyg commented Jul 10, 2020

thanks for the suggestion, implemented in
[master 31fc6e1] #734 Multiple TACACS+/RADIUS servers now supported

(docs will be updated to reflect the new way of config)

ollyg closed this as completed Jul 10, 2020

Disco402 (Author) commented

Works great, had to lower the timeout value (15) otherwise it takes a while, but otherwise great. Cheers!
