From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Thu Nov 23 2006 - 08:20:44 ART
Tim,
Actually, Authorization is performed by the router (client) after
Authentication. So it's up to the client to decide whether it should start
authorization for an access request.
From the TACACS+ point of view, the server just receives AUTH/AUTHOR requests
and responds as configured; there is no need for the server to "keep state",
e.g. to know whether the actual user has been successfully authenticated.
With RADIUS, there is no separate authorization phase; everything is
encoded in the Auth response.
2006/11/21, Tim <ccie2be@nyc.rr.com>:
>
> Hey Guys,
>
> I know the different AAA services can be split over multiple servers, for
> example, having Authentication on one server and Authorization on another
> server if Tacacs+ is being used.
>
> But, I have a couple Q's about how this works.
>
> I know that before the Authorization function can be done, Authentication
> must have already been done. So, assuming the Authen function is on one
> server and the Author function is on another, how does the Authorization
> function know that Authen was successful when that takes place on a
> different server?
>
> Also, are there any rules of thumb or Best Practices as to when these
> services should be configured on separate servers? My assumption is that
> this will depend on how many users there are or how much strain is being
> placed on the ACS, but I have no idea at what point that might be.
>
> Does anyone have any benchmarks or other ways to determine when splitting
> AAA functions across multiple servers might make sense?
>
> Thanks, Tim
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
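The point made in the reply above (the router sequences authentication before authorization; a TACACS+ authorization server answers AUTHOR requests from its own policy without knowing whether the user ever authenticated; RADIUS returns authorization attributes inside the Access-Accept) is easier to see in a small model. The following is an added example written for this archive page, not Petr's code and not an implementation of either protocol: the credential store, the command policy, the usernames and passwords, and the salted-hash checking are all constructed for illustration. The RADIUS attribute names `Service-Type` (value `NAS-Prompt-User`) and the Cisco VSA `shell:priv-lvl=15` are real attributes, but their use here is purely illustrative.

```python
"""Toy model of split AAA flows (constructed example, not a real TACACS+/RADIUS stack).

Two TACACS+ "servers" with independent configuration: one knows only credentials,
the other knows only command-authorization policy. Neither keeps per-session state;
the router (NAS) is the component that orders authentication before authorization.
A RADIUS "server" answers a single Access-Request and carries the authorization
attributes inside the Access-Accept.
"""
from dataclasses import dataclass
import hashlib
import hmac


def make_record(password, salt=b"constructed-salt"):
    """Build a constructed credential record (salted SHA-256 for the toy store)."""
    return {"salt": salt, "hash": hashlib.sha256(salt + password.encode()).hexdigest()}


def _password_ok(rec, password):
    digest = hashlib.sha256(rec["salt"] + password.encode()).hexdigest()
    return hmac.compare_digest(digest, rec["hash"])


# ---- TACACS+ side: two separate packet types, handled by two separate servers ----

@dataclass
class TacacsAuthenServer:
    users: dict  # username -> credential record (constructed)

    def handle_authen(self, user, password):
        """AUTHEN request: verify credentials, answer PASS/FAIL. No session memory."""
        rec = self.users.get(user)
        if rec is None or not _password_ok(rec, password):
            return "FAIL"
        return "PASS"


@dataclass
class TacacsAuthorServer:
    policy: dict  # username -> set of permitted commands (constructed)

    def handle_author(self, user, cmd):
        """AUTHOR request: evaluate policy for (user, cmd). The server never checks
        whether this user authenticated earlier; it has no way to know that."""
        return "PASS" if cmd in self.policy.get(user, set()) else "FAIL"


def router_tacacs_login_and_exec(authen_srv, author_srv, user, password, cmd):
    """The NAS (router) sequences the phases: an AUTHOR request is sent only after
    a PASS from AUTHEN. Returns (authen_result, author_result_or_None)."""
    authen = authen_srv.handle_authen(user, password)
    if authen != "PASS":
        return authen, None  # the client never sends AUTHOR in this case
    return authen, author_srv.handle_author(user, cmd)


# ---- RADIUS side: one exchange; authorization attributes ride in the Accept ----

@dataclass
class RadiusServer:
    users: dict  # username -> credential record (constructed)
    attrs: dict  # username -> attributes returned on Access-Accept (constructed)

    def access_request(self, user, password):
        rec = self.users.get(user)
        if rec is None or not _password_ok(rec, password):
            return {"code": "Access-Reject", "attributes": {}}
        return {"code": "Access-Accept", "attributes": dict(self.attrs.get(user, {}))}


# Constructed sample data: one user, one permitted command.
AUTHEN = TacacsAuthenServer(users={"tim": make_record("s3cret")})
AUTHOR = TacacsAuthorServer(policy={"tim": {"show running-config"}})
RADIUS = RadiusServer(
    users={"tim": make_record("s3cret")},
    attrs={"tim": {"Service-Type": "NAS-Prompt-User", "cisco-avpair": "shell:priv-lvl=15"}},
)

if __name__ == "__main__":
    print(router_tacacs_login_and_exec(AUTHEN, AUTHOR, "tim", "s3cret", "show running-config"))
    print(router_tacacs_login_and_exec(AUTHEN, AUTHOR, "tim", "wrong", "show running-config"))
    # The authorization server answers a bare AUTHOR request for a name it has
    # never seen authenticate exactly as it would otherwise: it is stateless.
    print(AUTHOR.handle_author("tim", "reload"))
    print(RADIUS.access_request("tim", "s3cret"))
```

The model shows why the two TACACS+ servers can be configured independently: the authorization server's answer depends only on its own policy and the (user, command) pair the router sends, so the router is the only place where "authenticated before authorized" is enforced. In the RADIUS branch there is nothing to split, because the privilege-level attribute arrives in the same Access-Accept that signals successful authentication.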