.\"
.hys 50
.TH tac_plus.conf 5 "1 August 2013"
.\"
.SH NAME
.\"
tac_plus.conf \- tacacs+ daemon configuration file
.\"
.SH DESCRIPTION
.\"
This page is a work in progress.
.PP
.B tac_plus.conf
contains configuration information for the tac_plus (tacacs+) daemon.
.\"
.PP
Each line contains either one of the directives documented below,
white-space (blanks or tabs), or a comment.
.PP
Syntax enclosed in angle brackets (<>) below refers to syntax documented
elsewhere in this manual page.
.\"
.SH "TOP-LEVEL DIRECTIVES"
.\"
.TP
.B #
Comments begin with a '#' character and extend to the end of the line.
Comments may appear anywhere in the configuration file. To disable the
special meaning of the '#' character, enclose the string containing it
in double quotes ("#").
.TP
.B accounting
Only one configurable accounting parameter exists, the destination.
All accounting records are either written to a file,
.BR syslog(3)
at priority info, or both.
.sp
.nf
accounting syslog;
accounting file = <filename>
.fi
.sp
The default
.B filename
is @TACPLUS_ACCTFILE@.
.sp
Since accounting requests occur (and are serviced) asynchronously, it is
necessary to lock the accounting file so that two writers do not
simultaneously write to it. The daemon uses
.BR fcntl(2)
to lock the file. Although
.BR fcntl(2)
locking over NFS is supported on some implementations, it is notoriously
unreliable. Even if it is reliable, locking is likely to be extremely
inefficient over NFS. The file is best located on a local file system.
.\"
.TP
.B acl
If compiled with acl support (--enable-acls), Access Control Lists can be
defined to limit user's (or group's) login and/or enable access by daemon
client IP address or hostname. An acl is referenced by its name, but must
be defined before it can be referenced.
.sp
The acl is a series of permit or deny statements applied to the source IP
address that the client used to connect to the daemon. The first <regex>
that matches ends the evaluation and the result is the permit or deny on
the left. If no entry of the acl matches a given address, the result is an
implicit deny.
.sp
.nf
acl = <name> {
<permission> = <regex>
# deny 66.1.255/24, allow all else in 66.1/16
deny = ^66\\.1\\.255\\.
permit = ^66\\.1\\.
# implicit deny (ie: anything else)
}
.fi
.sp
Briefly, if a company had all their loopback interfaces numbered from
66.1/16 (and thus all the tacacs clients are within 66.1/16), this acl
might be used to disallow a user to log in to (or enable on) any router
whose loopback interface is in 66.1.255/24.
.sp
Note: because acls match against the daemon client's source IP address,
the client should be configured to use a stable source such as a loopback
interface. For example:
.nf
ip tacacs-server source-interface loopback 0
.fi
.\"
.TP
.B default authentication
By default, authentication fails for users that do not appear in the
configuration file. This overrides that behavior, thus permitting
all authentication requests for such users.
.sp
.nf
default authentication = file <filename>
.fi
.sp
Such users will be authenticated via the <user> "DEFAULT".
.sp
Also see "user = DEFAULT", <default service>, and <default attribute>.
.\"
.TP
.B group
Analogous to a <user> and accepting the same syntax, a group provides
a template of which a <user> or another group can be a member.
.sp
.nf
group = <name> {
<user_decl>
}
.fi
.sp
A group may be recursive; that is a group may be a member of one other
group (which may be a member of yet another group, and so on).
.\"
.TP
.B host
The host clause allows the configuration values noted below to be set
for the client named by IP address. If
.B tac_plus
is started with the
.B \-L
option, the name can also be the name as resolved from the address with the
.BR gethostbyaddr(3)
system call, which may be the FQDN (Fully Qualified Domain Name) if DNS
is used. It is recommended that the IP address be used, since the
resolver can be slow to timeout when network faults exist.
.sp
.nf
host = <IP address> {
key = <string>
prompt = <string>
enable = <password_spec>
}
.fi
.sp
key specifies the packet encryption <key> for this host.
.sp
prompt specifies the username prompt that will be presented to a user.
.\"
.TP
.B key
Specifies an encryption key used to encrypt packets between the daemon
and clients. This key must match the key configured on the clients.
.sp
key = <string>
.sp
The double quotes are only necessary if your key contains white-space,
key-words, or special characters.
.sp
Note: encryption is highly recommended.
.\"
.TP
.B logging
Specifies the
.BR syslog(3)
facility used.
By default, logs are posted to the daemon facility.
.sp
.nf
logging = <syslog_fac>
.fi
.\"
.TP
.B user
Define a user whose username is <name>.
.sp
.nf
user = <name> {
[ <default service> ]
<user_attr>
<svc>
}
.fi
.sp
Note: seventeen special usernames exist: "DEFAULT", "$enable$",
and "$enabN$" (where N is a privilege level number, normally in the
range 0-15 on a Cisco). The "$enable$" user exists for backward compatibility
with previous versions of tacacs and is queried for privilege
level 15 in addition to "$enab15$".
.sp
Also see the "priv-lvl" AV pair in the "AV Pairs" section below and
the <default authentication> directive.
.\"
.TP
.B service
.nf
user = <string> {
[ default service = <permission> ]
<user_attr>*
<svc>*
}
.fi
.sp
Also see the <default service> directive.
.\"
.PP
.\"
.SH "ADDITIONAL DIRECTIVE SYNTAX"
.\"
.TP
.B attr_value_pair
Specify an AV (Attribute Value) pair. The "optional" keyword specifies that
the AV pair is optional.
.sp
.nf
[ optional ] <string> = <string>
.fi
.sp
Optional AV pairs are only sent to the client if it requests them. That is,
the client must have included the given AV pair as a mandatory or optional
pair in the request.
.sp
Some clients react incorrectly and negatively to receiving AV pairs that they
did not solicit. Optional AV pairs should be ignored if they are not
recognized or not supported in any given context.
.sp
Also see the "Configuring Authorization" and "AV Pairs" sections below.
.\"
.TP
.B cmd_auth
Specify command authorization.
.sp
For command authorization, the device should expand all abbreviated commands
to their full names and compress adjacent white-space.
For example, when the command "config t" is entered it will be expanded
to "configure terminal".
.sp
.nf
cmd = <string> {
<cmd-match>
}
.fi
.sp
.\"
.TP
.B cmd-match
Specify a command argument match.
.sp
.nf
<permission> <regex>
<permission> <regex>
...
<permission>
.fi
.sp
The <regex> matches arguments of the command <string>. For example,
to allow show diag but no other show commands:
.sp
.nf
cmd = show {
permit diag
deny
}
.fi
.sp
The end of the <cmd-match> has an implicit <permission> determined by
<default service>.
So, if the 'deny' had been omitted in the example above, the result of
the authorization would be the value of <default service>.
.sp
Note: 'cmd-arg' should never appear in a configuration file.
It is used internally by the daemon to construct a string
which is then matched against the regular expressions which appear
in a cmd clause in the configuration file.
.sp
Note: when a command has multiple arguments, they may be entered in
many different permutations. It can be cumbersome to create regular
expressions which will reliably authorize commands under these
conditions. Administrators may wish to consider other methods of
performing authorization.
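The acl and cmd-match clauses above share one evaluation rule: the entries are tried in order, the first <regex> that matches decides, and a trailing bare <permission> (or, when it is absent, the implicit default: deny for an acl, <default service> for a cmd clause) decides when nothing matches. The shell script below is an added example that models that rule; it is not tac_plus code. It assumes grep -E is an adequate stand-in for the daemon's POSIX regex matcher, and the names first_match, acl_check, show_check and show_open_check are this example's own.

```shell
#!/bin/sh
# Model of tac_plus first-match evaluation, shared by the "acl" and "cmd"
# clauses (added example, not part of tac_plus itself).
# An acl or cmd clause is an ordered list of "<permission> <regex>" lines:
# the first regex that matches decides; a trailing bare <permission> (or,
# if it is absent, the implicit default) decides when nothing matched.
# grep -E stands in for the daemon's POSIX regex matcher (assumption).

# first_match "<rules>" "<subject>" "<default>"  -> prints permit|deny
#   rules    newline-separated "permit <regex>" / "deny <regex>" lines,
#            optionally ending in a bare "permit" or "deny" terminator
#   subject  the text the regexes are tested against (client IP for an
#            acl, the command arguments for a cmd clause)
#   default  the implicit result: deny for an acl, <default service> for cmd
first_match() {
    printf '%s\n' "$1" | {
        verdict=$3
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            perm=${line%% *}
            case "$perm" in
                permit|deny) ;;
                *) continue ;;               # ignore malformed lines
            esac
            case "$line" in
                *" "*) re=${line#* } ;;
                *) verdict=$perm; break ;;   # bare permission ends the list
            esac
            # Unanchored search, like regexec(3): use ^ and $ in the
            # pattern when only a whole-string match should count.
            if printf '%s\n' "$2" | grep -Eq -- "$re"; then
                verdict=$perm
                break
            fi
        done
        printf '%s\n' "$verdict"
    }
}

# The acl from the manual page: deny 66.1.255/24, permit the rest of
# 66.1/16, implicit deny for everything else.  (The "=" of the acl syntax
# is dropped because this model uses the cmd-clause spelling for both.)
LOOPBACK_ACL='deny ^66\.1\.255\.
permit ^66\.1\.'

# The "show" cmd clause from the manual page, with its explicit final deny.
SHOW_CMD='permit diag
deny'

# The same clause with the final deny omitted, so <default service> decides.
SHOW_CMD_OPEN='permit diag'

acl_check()       { first_match "$LOOPBACK_ACL" "$1" deny; }
show_check()      { first_match "$SHOW_CMD" "$1" "$2"; }      # $2 = default service
show_open_check() { first_match "$SHOW_CMD_OPEN" "$1" "$2"; } # $2 = default service

# Stand-alone use:  ./first_match.sh 66.1.3.4   -> permit
if [ "$#" -gt 0 ]; then
    acl_check "$1"
fi
```

The last helper shows why anchoring matters: because the search is unanchored, "permit diag" also permits the arguments "ip diagnostics"; write permit ^diag$ when only the bare argument should pass.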
.\"
.TP
.B default service
Specifies the default <permission> for service authorization.
.sp
.nf
default service = <permission>
.fi
.sp
If omitted, the default is 'deny'.
.sp
Note: if used, <default service> must precede all other <svc> directives
in a <user> clause.
.\"
.TP
.B default attribute
Specifies the default attribute <permission> for service authorization.
.sp
.nf
default attribute = <permission>
.fi
.sp
Note: if used, <default attribute> must precede all other <svc_attr>
directives in a <svc> clause.
.\"
.TP
.B des_string
Represents the one-way encryption of a password <string>. For example,
a password might encrypt to the string 0AmUKnIT2gheo.
.sp
DES is the encryption historically used in Unix passwd(5) files. The
crypt() function of the system's libcrypt is used to perform the
encryption. The libcrypt of modern Unices tends to support additional
encryption algorithms and thus so does
.BR tac_plus .
See the system's crypt manual page. To utilize another format, use the
des keyword followed by the crypt in the format as described in the
manpage. Typically it will have a "$1" prefix for MD5, "$2" for blowfish,
and so on.
.sp
.BR tac_pwd (8)
is a utility supplied with
.B tac_plus
to assist in performing this encryption.
.\"
.TP
.B expires
Causes the <user>'s password to become invalid, starting on the specified
expiration date.
.sp
.nf
expires "May 23 2005"
.fi
.sp
An expiry warning message is sent to the user at login time,
starting at 14 days before the expiration date.
.sp
If the <user>'s <login> <password_spec> is "file", the "expires" field
of the configuration file is not consulted. Instead, the daemon
looks at the "shell" field of the password file entry for a valid
expiration date.
.sp
If Solaris shadow password files are used for authentication, the
"expires" field of the configuration file is not consulted. The expiry
field from the shadow password file (if it exists) is used as the
expiration date.
.sp
Case is not significant.
.\"
.TP
.B filename
A <string> specifying a file located in the filesystem.
.sp
While the daemon does change directories to / (root) when it starts, it
is best to specify files by their FQPN (Fully Qualified Path Name). That
is, a path that begins with /. For example, /var/log/file rather
than the relative path var/log/file.
.\"
.TP
.B IP address
A <string> representing an IPv4 address in dotted-quad notation. For
example:
.sp
.nf
192.168.1.1
.fi
.\"
.TP
.B name
A <string> by which to refer to a configuration element, such as an <acl>
or a <group>.
.sp
In general, a <name> must be defined before it can be referenced. For
example, before a <user> can be specified as a member of a <group>,
the <group> has to be defined.
.\"
.TP
.B password_spec
There are five authentication mechanisms available: no password, cleartext,
DES, PAM, a file in
.BR passwd(5)
format, and skey.
.sp
.nf
file <filename>
cleartext <string>
des <des_string>
PAM
skey
nopassword
.fi
.sp
skey is an OTP (One Time Password) facility. The daemon must be built
with skey (--enable-skey) support.
.sp
PAM (Pluggable Authentication Modules framework) is an authentication
mechanism (and much more) capable of various types of authentication
methods that are chosen by a configuration file.
The PAM service name is the name of the tac_plus executable, normally "tac_plus".
PAM can be used only for login authentication; it is not implemented for
enable authorization, and it does not support an OTP-like challenge system (ie:
no additional prompting).
The daemon must be built with PAM support, which is included by default
if libpam is found.
.sp
Note: some cases of <password_spec> do not accept all of these mechanisms.
.\"
.TP
.B permission
Specifies that some match (for example a <service> or <cmd-match>) is
to be allowed or denied.
.sp
.nf
(permit | deny)
.fi
.\"
.TP
.B proto
A protocol is a subset of a service. Typical NAS supported values are
atalk, bap, bridging, ccp, cdp, deccp, ip, ipx, lat, lcp, multilink, nbf,
osicp, pad, rlogin, telnet, tn3270, vines, vpdn, xns, xremote, and
unknown. Note that 'protocol' is actually an AV pair.
.\"
.TP
.B string
A series of characters, not including white-space or
.B tac_plus
key-words or special characters (ie: A-Za-z0-9_). To include any of
those exceptions, enclose the string in double quotes ("this has whitespace").
.\"
.TP
.B svc
XXX:
.sp
.nf
<svc_auth> | <cmd_auth>
.fi
.sp
.\"
.TP
.B svc_auth
XXX:
.sp
.nf
service = ( arap | connection | exec | ppp protocol = <proto> |
shell | slip | system | tty-daemon | <client defined> )
{
[ <default attribute> ]
<attr_value_pair>*
}
.fi
.sp
The service AV pair is required.
.\"
.TP
.B syslog_fac
.BR syslog(3)
normally has 16 well-known channels, called facilities.
.BR syslogd(8)
can be configured to direct each of these facilities to different files.
The facilities are named: auth, cron, daemon, local[0-7], lpr, mail,
news, syslog, user, and uucp.
.\"
.TP
.B user_attr
XXX:
.sp
.nf
user = bart {
arap = cleartext "arap password"
chap = cleartext "chap password"
enable = <password_spec>
pap = cleartext "inbound pap password"
opap = cleartext "outbound pap password"
pap = des <des_string>
pap = file <filename>
pap = PAM
login = <password_spec>
global = cleartext "outbound pap password"
}
.fi
.sp
global specifies the authentication method for all services. login
applies to normal logins (exec). arap, chap, pap, and opap (outbound
PAP) service passwords may be defined separately.
.sp
NOTE: a global user password cannot be used for outbound PAP. This is
because outbound PAP is implemented by sending the password from the
daemon to the client. This is a security issue if the <key> is ever
compromised.
.sp
enable specifies the enable password. The <password_spec> may only be
of type cleartext, des, nopassword or file. If the daemon was compiled with
per-user enable support (--enable-uenable), the host enable password will be
evaluated iff the user does not have a personal enable password.
.sp
.nf
login
name
member - can only be 1
default service = permit
expires "May 23 2005"
arap = cleartext "Fred's arap secret"
chap = cleartext "Fred's chap secret"
acl = <string>
enableacl = <string>
.fi
.sp
In the case of recursion, the first match is returned.
host enable is cleartext, des, nopassword or file only.
.sp
.nf
arap
chap
.B expires "May 23 2005"
.B login
.B member
.B password
.fi
.sp
.nf
user_attr :=
name = <string> |
login = <password_spec> |
member = <string> |
expires = <string> |
arap = cleartext <string> |
chap = cleartext <string> |
#ifdef MSCHAP
ms-chap = cleartext <string> |
#endif
pap = cleartext <string> |
pap = des <string> |
pap = file <filename> |
#ifdef PAM
pap = PAM |
#endif
opap = cleartext <string> |
global = cleartext <string> |
msg = <string> |
before authorization = <string> |
after authorization = <string>
.fi
.\"
.SH "CONFIGURING AUTHORIZATION"
.\"
Authorizing a single session can result in multiple requests being
sent to the daemon. For example, to authorize a dialin ppp
user for IP, the following authorization requests would be made
from the client:
.TP
1)
An initial authorization request to startup ppp from the exec,
using the AV pairs service=ppp protocol=ip, will be made (Note:
this initial request will be omitted if you are autoselecting ppp,
since username will not be known yet).
.sp
This request is really done to find the address for dumb PPP (or SLIP)
clients who cannot do address negotiation. Instead, they expect you to
tell them what address to use before PPP starts up, via a text message.
.TP
2)
Next, an authorization request is made from the PPP subsystem to
see if ppp's LCP layer is authorized. LCP parameters can be set at
this time (e.g. callback). This request contains the AV pairs
service=ppp protocol=lcp.
.TP
3)
Next an authorization request to startup ppp's IPCP layer is made
using the AV pairs service=ppp protocol=ipcp. Any parameters returned
by the daemon are cached.
.TP
4)
Next, during PPP's address negotiation phase, each time the remote
peer requests a specific address, if that address isn't in the cache
obtained in step 3, a new authorization request is made to see if the
peer's requested address is allowable. This step can be repeated
multiple times until both sides agree on the remote peer's address or
until the NAS (or client) decides that agreement will never be reached and
shuts down PPP instead.
.PP
As you can see from the above, a program which plans to handle
authorization must be able to handle a variety of requests and respond
appropriately.
.PP
Authorization must be configured on both the client and the daemon to
operate correctly. By default, the client will allow everything until
configured to make authorization requests to the daemon.
.PP
With the daemon, the opposite is true; by default, the daemon will deny
authorization of anything that isn't explicitly permitted.
.PP
Authorization allows the daemon to deny commands and services outright,
or to modify commands and services on a per-user basis. Authorization
on the daemon is divided into two separate parts: commands and services.
.PP
Authorizing:
.TP
.B commands
Exec commands are those commands which are typed at a Cisco exec
prompt. When authorization is requested by the NAS, the entire command
is sent to the daemon for authorization.
.sp
Command authorization is configured by specifying a list of <regex>s
to match command arguments and an action which is a <permission>.
.sp
The following permits user Fred to run these commands:
.sp
.nf
telnet 131.108.13.<any number> and
telnet 128.<any number>.12.3 and
show <anything>
.fi
.sp
All other commands are denied (by default).
.sp
.nf
user=fred {
cmd = telnet {
# permit specified telnets
permit 131\\.108\\.13\\.[0-9]+
permit 128\\.[0-9]+\\.12\\.3
}
cmd = show {
# permit show commands
permit .*
}
}
.fi
.sp
The command and arguments which the user types are matched to the
regular expressions specified in the configuration file (in order of
appearance). The first successful match performs the associated
action (<permission>). If there is no match, the command is denied
by default.
.sp
Also see the <default authentication>, <default authorization>, <default
attribute>, and <default service> directives.
.\"
.SH "AUTHORIZATION SCRIPTS"
.\"
There are some limitations to the authorization that can be done using
a configuration file. One solution is to arrange for the daemon to
call user-supplied programs to control authorization. These "callouts"
permit almost complete control over authorization, allowing you to
read all the fields in the authorization packet sent by the client,
including all its AV pairs, and to set authorization status and send a
new set of AV pairs to the client in response.
.PP
Pre and post authorization programs are invoked by handing the command
line to the Bourne shell. On most Unix systems, if the shell doesn't
find the specified program it returns a status of one, which denies
authorization. However, at least one Unix system (BSDI) returns a
status code of 2 under these circumstances, which will permit
authorization, and probably isn't what you intended.
.PP
Note: if your program hangs, the authorization will time out
and return an error on the client, and you'll tie up a process slot on
the daemon host, eventually running out of resources. There is no
special code to detect this in the daemon.
.PP
The daemon communicates with pre and post (before and after)
authorization programs over a pair of pipes. Programs using the
standard i/o library will use full buffering in these circumstances.
This should not be a problem, since AV pairs will be read until
end of file (EOF) is seen on input, and output will be flushed
when they exit.
.PP
Fields from the authorization packet can be supplied to the programs
as arguments on the command line by using the appropriate dollar-sign
variables in the configuration file. These fields are:
.PP
.nf
user -- user name
name -- client/NAS name
ip -- client/NAS IP
port -- client/NAS port
address -- user address (remote user location)
priv -- privilege level number (0-15)
method -- a digit (1-4)
type -- digit (1-4)
service -- digit (1-7)
status -- (pass, fail, error, unknown)
.fi
.PP
Unrecognized variables will appear as the string "unknown".
.PP
AV pairs from the authorization packet are fed to the program's
standard input, one per line. The program is expected to process the
AV pairs and write them to its standard output, one per line. What
happens then is determined by the exit status of the program.
.PP
Note: when AV pairs containing spaces are listed in the
configuration file, you need to enclose them in double quotes so that
they are parsed correctly. AV pairs which are returned via standard
output do not need delimiters and so should not be enclosed in double
quotes.
.PP
Note: unless special arrangements are made, the daemon will run as root
and hence the programs it invokes will also run as root, which is a
security weakness. It is strongly recommended that FQPNs are used
when specifying programs to execute, and that the daemon is compiled
with unprivileged user and group IDs (--with-userid and --with-groupid)
so that the daemon is not running as root when calling these programs.
.PP
Calling scripts
.TP
.B before authorization
Specify a per-user program to be called before any other
authorization attempt is made by using a "before" clause.
.sp
.nf
user = auth1 {
before authorization "/path/pre_authorize $user $port $address"
}
.fi
.sp
The AV pairs sent from the NAS will be supplied to the program
standard input, one pair per line.
.sp
If the program returns a status of 0, authorization is unconditionally
permitted. No further processing is done on this request and no AV
pairs are returned to the client.
.sp
If the program returns a status of 1, authorization is unconditionally
denied. No further processing is done on this request and no AV pairs
are returned to the client.
.sp
If the program returns a status of 2, authorization is permitted. The
program is expected to modify the AV pairs that it receives on its
standard input (or to create entirely new ones) and to write them, one
per line, to its standard output. The new AV pairs will be sent to the
client with a status of AUTHOR_STATUS_PASS_REPL. No further processing
takes place on this request.
.sp
If the program returns a status of 3, authorization is denied, but all
attributes returned by the program via stdout are returned to the
client. Also, whatever the program returns on stderr is placed into the
server-msg field and returned to the client.
.sp
Any other status value returned from the program will cause an error
to be returned to the client.
.sp
Note: a status of 2 is not acceptable when doing command authorization.
.\"
.TP
.B after authorization
Specify a per-user program to be called after authorization
processing has been performed by the default, but before the
authorization status and AV pairs have been transmitted to the
client, by using an "after" clause.
.sp
.nf
group = auth1 {
after authorization "/path/post_authorize $user $port $status"
}
.fi
.sp
The AV pairs resulting from the authorization algorithm that the
daemon proposes to return to the NAS, are supplied to the program on
standard input, one AV pair per line, so they can be modified if
required.
.sp
The program is expected to process the AV pairs and write them to its
standard output, one per line. What happens then is determined by the
exit status of the program:
.sp
If the program returns a status of 0, authorization continues as if
the program had never been called. Use this (for example) to just
send mail when an authorization occurs, without otherwise affecting
normal authorization.
.sp
If the program returns a status of 1, authorization is unconditionally
denied. No AV pairs are returned to the NAS. No further authorization
processing occurs on this request.
.sp
If the program returns a status of 2, authorization is permitted and
any AV pairs returned from the program on its standard output are sent
to the NAS in place of any AV pairs that the daemon may have
constructed.
.sp
Any other value will cause an error to be returned to the NAS by the
daemon.
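As an added example (not part of tac_plus), here is an "after authorization" callout written for the Bourne shell that follows the exit status contract above: it echoes the daemon's proposed AV pairs back unchanged, adds one of its own, and exits 2 so the printed list replaces the daemon's. It assumes a hypothetical site policy, an idle timeout on every permitted session, and the names post_authorize and IDLE_MINUTES are this example's own.

```shell
#!/bin/sh
# post_authorize: an "after authorization" callout for tac_plus
# (added example, not part of tac_plus).  Configure it with:
#     after authorization "/path/post_authorize $user $port $status"
# The daemon pipes the AV pairs it proposes to return to the NAS into our
# stdin, one per line, and reads our stdout for replacements.
# Exit status contract from this manual page:
#     0      leave the daemon's result untouched
#     1      deny unconditionally, return no AV pairs
#     2      permit; the pairs we printed replace the daemon's
#     other  an error is returned to the NAS
# Policy implemented here (a hypothetical site rule, not a tac_plus
# default): every session the daemon is about to permit gets an idle
# timeout unless the configuration already set one.

IDLE_MINUTES=10

post_authorize() {
    # $1 = $user and $2 = $port are unused by this policy; $3 = $status
    status=$3

    # Only results the daemon already passed are touched; a fail/error
    # verdict is left exactly as it is (exit 0 = "as if never called").
    [ "$status" = "pass" ] || return 0

    have_idletime=0
    while IFS= read -r pair; do
        # The attribute is everything before the first '=' (mandatory)
        # or '*' (optional).  The pair is echoed back verbatim and without
        # quoting, as the manual page requires for stdout.
        attr=${pair%%[=*]*}
        [ "$attr" = "idletime" ] && have_idletime=1
        printf '%s\n' "$pair"
    done
    [ "$have_idletime" -eq 1 ] || printf 'idletime=%s\n' "$IDLE_MINUTES"
    return 2
}

# The daemon always supplies the three arguments from the config line;
# invoked without them (e.g. sourced for testing) nothing runs.
if [ "$#" -ge 3 ]; then
    post_authorize "$@"
    exit $?
fi
```

Install it by its FQPN in the user or group clause, and keep the script owned by root and not writable by the unprivileged daemon user: whatever it prints becomes the authorization result the NAS applies.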
.PP
Current attributes are:
.sp
.nf
"unknown"
"service"
"start_time"
"port"
"elapsed_time"
"status"
"priv_level"
"cmd"
"protocol"
"cmd-arg"
"bytes_in"
"bytes_out"
"paks_in"
"paks_out"
"address"
"task_id"
"callback-dialstring"
"nocallback-verify"
"callback-line"
"callback-rotary"
.fi
.sp
Also see the "AV Pairs" section below.
.\"
.SH "AV PAIRS"
.\"
AV (Attribute Value) pairs are text strings exchanged between the client
and server of the form "attribute=value". The value may not appear in
authorization request packets, indicating that it is null or unspecified.
The equal sign ('=') means that this is a mandatory attribute. An asterisk
('*') may appear in place of the equal sign, indicating that it is an
optional attribute which either the client or server may not understand or
may ignore.
.PP
Optional attributes are preceded by the "optional" key-word in the
configuration. For example:
.sp
.nf
priv_lvl = 15
optional allow-shell = true
service=ppp
protocol=ip
addr*131.108.12.44
.fi
.\"
.PP
The following AV pairs specify which service is being authorized. They
are typically accompanied by protocol AV pairs and other, additional
pairs from the lists below.
.sp
.TP 20
service=arap
.TP
service=shell
for exec startup, and also for command authorizations. Requires:
.sp
.nf
aaa authorization exec tacacs+
.fi
.TP
service=ppp
.TP
service=slip
.TP
service=system
not used.
.TP
service=raccess
Used for managing reverse telnet connections e.g.
.sp
.nf
user = jim {
login = cleartext lab
service = raccess {
port#1 = clientname1/tty2
port#2 = clientname2/tty5
}
}
.fi
.sp
Requires IOS configuration
.sp
.nf
aaa authorization reverse-access tacacs+
.fi
.\"
.\"
.PP
.TP 20
protocol=lcp
The lower layer of PPP, always brought up before IP, IPX, etc.
is brought up.
.TP
protocol=ip
Used with service=ppp and service=slip to indicate which
protocol layer is being authorized.
.TP
protocol=ipx
Used with service=ppp to indicate which protocol layer is being authorized.
.TP
protocol=atalk
with service=ppp or service=arap
.TP
protocol=vines
For vines over ppp.
.TP
protocol=ccp
Authorization of CCP (Compression Control Protocol). No other
AV pairs are associated with this.
.TP
protocol=cdp
Authorization of CDP (Cisco Discovery Protocol). No other
av-pairs associated with this.
.TP
protocol=multilink
Authorization of multilink PPP.
.TP
protocol=unknown
For undefined/unsupported conditions. Should not occur under
normal circumstances.
.PP
The following is an incomplete list of Cisco AV pairs. Other vendors may
provide additional AV pairs specific to their products.
.sp
.\"
.TP
acl
For EXEC authorization this contains an access-class number (acl=2)
which is applied to the line (tty) as the output access class. The
specified access-list must be predefined.
.sp
ARAP, EXEC.
.\"
.TP
addr
The IP address the remote host should be assigned when a slip
or PPP/IP connection is made. For example: addr=1.2.3.4
.sp
SLIP, PPP/IP.
.\"
.TP
autocmd
During exec startup, this specifies an autocommand, like the
autocommand option to the username configuration command. For
example: autocmd="telnet foo.com"
.sp
EXEC.
.\"
.TP
callback-line
The number of a TTY line to use for the callback. Used with service=arap,
slip, ppp, or shell. Does not work for ISDN.
.\"
.TP
callback-rotary
The number of a rotary group (0 through 100) to use for the callback.
Used with service=arap, slip, ppp, and shell. Does not work for ISDN.
.\"
.TP
cmd
If the value of cmd is NULL (cmd=), then this is an authorization
request for starting an exec.
.sp
If cmd is non-null, this is a command authorization request. It
contains the name of the command being authorized. For example: cmd=telnet
.sp
EXEC.
.\"
.TP
cmd-arg
During command authorization, the name of the command is given
by an accompanying "cmd=" AV pair, and each command argument
is represented by a cmd-arg AV pair e.g. cmd-arg=archie.sura.net
.sp
NOTE: 'cmd-arg' should never appear in a configuration file.
It is used internally by the daemon to construct a string
which is then matched against the regular expressions which appear
in a cmd clause in the configuration file.
.sp
EXEC.
.\"
.TP
dns-servers
Identifies a primary or backup DNS server that can be requested by
Microsoft PPP clients during IPCP negotiation. Used with service=ppp and
protocol=ip.
.\"
.TP
gw-password
Specifies the password for the home gateway during L2F tunnel authentication.
Used with service=ppp and protocol=vpdn.
.\"
.TP
idletime
Sets a value, in minutes, after which an IDLE session will be
terminated. Does NOT work for PPP.
.sp
EXEC, 11.1 onward.
.\"
.TP
inacl
This AV pair contains an IP or IPX input access list number
for slip or PPP (inacl=2). The access list itself must be
pre-configured on the Cisco box. Per-user access lists do not
work with ISDN interfaces unless you also configure a virtual
interface. After 11.2(5.1)F, you can also use the name of a
predefined named access list, instead of a number, for the
value of this attribute.
.sp
Note: For IPX, inacl is only valid after 11.2(4)F.
.sp
PPP/IP/IPX.
.\"
.TP
inacl#<n>
This AV pair contains the definition of an input access list
to be installed and applied to an interface for the duration
of the current connection, e.g.
.sp
.nf