[tac_plus] (no subject)

John Heasley heas at shrubbery.net
Mon Dec 19 23:26:17 UTC 2016



> Am 19.12.2016 um 17:09 schrieb Philip Prindeville <philipp_subx at redfish-solutions.com>:
> 
> 
>> On Dec 19, 2016, at 1:09 PM, heasley <heas at shrubbery.net> wrote:
>> 
>> Tue, Dec 13, 2016 at 11:13:56AM -0700, Philip Prindeville:
>>> If anyone is interested, there were some bugs that impeded single connection mode from working.
>>> 
>>> This commit fixes that:
>>> 
>>> https://github.com/pprindeville/tac_plus/commit/b71502fac3ee593468c87bd4253eac423fc6ed70
>>> 
>>> The main problems were that we were checking the seq_no for being 1 during authentication or authorization requests, and we were resetting the session sequence number each time through start_session()’s loop. The latter should only have happened at the top of the loop.
>>> 
>>> The only verification needed is that the received header’s seq_no needs to match that of the session.
>>> 
>>> The changes are trivial.
>> 
>> My recollection is that Cisco IOS and IOS-XR both do not perform
>> single-connection TACACS+ properly. And, when I tried to engage DEs to
>> fix the problem, they were not interested in touching it.
> 
> 
> Didn’t know that.  Do any other platforms do it correctly?

I only had IOS, IOS-XR, Junos and Foundry to test and IIRC only Junos worked.

> 
> I fixed the pam_tacplus library to reuse connections (though without having multiple requests on-the-fly simultaneously, so still strictly serialized)…
> 
> -Philip
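The seq_no rule described in Philip's commit message above, as an added example that is not tac_plus code: a server-side validator that keys its expected sequence number on the session_id, so that several TACACS+ sessions can share one TCP connection, and that accepts a packet only when its seq_no matches what that session expects instead of requiring 1 on every authentication or authorization request. The 12-byte header layout and the flag values are RFC 8907's; the class and function names, the session IDs and the sample exchange are constructed for illustration, packet bodies are left empty, and no MD5 obfuscation of the body is shown.

```python
"""Per-session seq_no validation for TACACS+ over a single connection.

Added example, not tac_plus code.  Header format and flag values follow
RFC 8907 section 4.1; names and the sample traffic are constructed.
"""
import struct

# version, type, seq_no, flags, session_id, length (network byte order)
HDR_FMT = "!BBBBII"
HDR_LEN = struct.calcsize(HDR_FMT)  # 12

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04


def build_header(ptype, seq_no, flags, session_id, body_len):
    """Pack a header; minor version 0 is used for every sample packet."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    return struct.pack(HDR_FMT, version, ptype, seq_no, flags, session_id, body_len)


def parse_header(buf):
    """Unpack and sanity-check a header, returning its fields as a dict."""
    if len(buf) < HDR_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HDR_FMT, buf[:HDR_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"bad major version {version >> 4:#x}")
    if ptype not in (TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT):
        raise ValueError(f"unknown packet type {ptype}")
    return {"type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def buggy_start_check(hdr):
    """The kind of check the commit message describes as wrong: insisting on
    seq_no == 1 rejects a legitimate authentication CONTINUE (seq_no 3, 5, ...)."""
    return hdr["seq_no"] == 1


class ServerConnection:
    """Server-side bookkeeping for one TCP connection (constructed class).

    In single-connection mode several sessions share the connection, so the
    expected seq_no is tracked per session_id, never per connection.
    """

    def __init__(self):
        self.single_connect = False
        self.expected = {}  # session_id -> client seq_no accepted next

    def accept(self, hdr):
        """Validate a client packet; return the seq_no for the server's reply."""
        sid = hdr["session_id"]
        expected = self.expected.get(sid, 1)  # an unseen session starts at 1
        if hdr["seq_no"] != expected:
            raise ValueError(f"session {sid:#010x}: seq_no {hdr['seq_no']}, expected {expected}")
        if hdr["seq_no"] >= 255:
            raise ValueError("seq_no exhausted; session must be restarted")
        if hdr["seq_no"] == 1 and hdr["flags"] & TAC_PLUS_SINGLE_CONNECT_FLAG:
            self.single_connect = True  # client asked to keep the connection open
        reply_seq = hdr["seq_no"] + 1
        self.expected[sid] = reply_seq + 1
        return reply_seq

    def finish(self, sid):
        """Forget a session once its final reply has been sent."""
        self.expected.pop(sid, None)


def run_sample_exchange():
    """Constructed traffic on one connection: a two-step login, then an
    authorization in a second session, then a replayed login packet."""
    conn = ServerConnection()
    sess_a, sess_b = 0x11223344, 0x55667788  # constructed session ids
    log = []
    for sid, ptype, seq, flags in [
        (sess_a, TAC_PLUS_AUTHEN, 1, TAC_PLUS_SINGLE_CONNECT_FLAG),  # authen START
        (sess_a, TAC_PLUS_AUTHEN, 3, 0),   # authen CONTINUE carrying the password
        (sess_b, TAC_PLUS_AUTHOR, 1, 0),   # author REQUEST, new session, same connection
    ]:
        hdr = parse_header(build_header(ptype, seq, flags, sid, 0))
        log.append((sid, seq, conn.accept(hdr)))
    conn.finish(sess_b)
    try:  # replaying the CONTINUE must fail: session A now expects seq_no 5
        conn.accept(parse_header(build_header(TAC_PLUS_AUTHEN, 3, 0, sess_a, 0)))
        rejected = None
    except ValueError as err:
        rejected = str(err)
    return conn.single_connect, log, rejected


if __name__ == "__main__":
    print(run_sample_exchange())
```

The validator never looks at the body, so a real server would still read `length` bytes, undo the MD5 pad and check the body before acting on the packet; the point here is only that the header check compares against the session's own counter, and that a new session_id on an already open connection legitimately begins again at 1.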


