Page MenuHomeVyOS Platform

Optimize PAM configs for RADIUS/TACACS+
Closed, ResolvedPublicBUG

Description

Current versions of configurations are not fully correct which leads to needless calls to authentication servers and slowing down command execution.

https://github.com/vyos/vyos-1x/blob/4a51fb08e73d259bab87e154f99fb5c3e85fbc46/src/pam-configs/tacplus
https://github.com/vyos/vyos-1x/blob/4a51fb08e73d259bab87e154f99fb5c3e85fbc46/src/pam-configs/radius

We need to:

  1. Make each type of authentication self-sufficient (ensure that it does not conflict with others, to avoid extra calls to RADIUS/TACACS+ servers).
  2. Add a new CLI fallback option to control authentication policy - if the authentication source can be skipped in case of failed authentication (_not failed communication_) or we need to fail immediately and avoid skipping to other authentication sources.
  3. Add a new CLI option to define authentication order (local, RADIUS, TACACS+).

Details

Version
1.5, 1.4, 1.3
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

zsdc changed the task status from Open to In progress.Sep 13 2023, 8:42 PM
zsdc claimed this task.