[tac_plus] Re: after authorization

john heasley heas at shrubbery.net
Mon Nov 3 06:37:03 UTC 2008


Mon, Nov 03, 2008 at 02:42:45PM +1300, Ian Batterbee:
> >
> >
> > you can ignore the suggestions or try them.  try this or see/try svc_auth
> > and attr_value_pair in tac_plus.conf.
> >
> 
> Yes, thanks for that helpful piece of advice. I have in fact tried the
> suggestions, and they're ineffective.
> 
> After spending some time working backwards through the tac_plus source code,
> I have now worked out that the problem is that the PIX is sending only an
> authentication request when a VPN user connects - that is to say, it
> doesn't send an *authorization* request.
> 
> As a result, the after authorization clause in tac_plus.conf has no effect,
> because authorization is never performed.
> 
is your pix configured as in the pix configuration reference section
titled "Configuring Authorization for Network Access"?  have you tried
enabling the debugging output to verify that the AV pair is NOT sent?

