11. Authorization
TACACS+ authorization is an extensible way of providing remote
authorization services. An authorization session is defined as a single pair of messages, a REQUEST followed by a RESPONSE.
The authorization REQUEST message contains a fixed set of fields that describe the authenticity of the user or process, and a variable set of arguments that describes the services and options for which authorization is requested.
The RESPONSE contains a variable set of response arguments (attribute-value pairs) which can restrict or modify the client's actions.
The arguments in both a REQUEST and a RESPONSE can be specified as either mandatory or optional. An optional argument is one that may or may not be used, modified or even understood by the recipient.
A mandatory argument MUST be both understood and used. This allows for extending the attribute list while providing secure backwards compatibility.
11.1. The authorization REQUEST packet body
 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

+----------------+----------------+----------------+----------------+
|  authen_method |    priv_lvl    |  authen_type   | authen_service |
+----------------+----------------+----------------+----------------+
|    user len    |    port len    |  rem_addr len  |    arg_cnt     |
+----------------+----------------+----------------+----------------+
|   arg 1 len    |   arg 2 len    |      ...       |   arg N len    |
+----------------+----------------+----------------+----------------+
|   user ...
+----------------+----------------+----------------+----------------+
|   port ...
+----------------+----------------+----------------+----------------+
|   rem_addr ...
+----------------+----------------+----------------+----------------+
|   arg 1 ...
+----------------+----------------+----------------+----------------+
|   arg 2 ...
+----------------+----------------+----------------+----------------+
|   ...
+----------------+----------------+----------------+----------------+
|   arg N ...
+----------------+----------------+----------------+----------------+
authen_method
This indicates the authentication method used by the client to acquire the user information.
TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00
TAC_PLUS_AUTHEN_METH_NONE := 0x01
TAC_PLUS_AUTHEN_METH_KRB5 := 0x02
TAC_PLUS_AUTHEN_METH_LINE := 0x03
TAC_PLUS_AUTHEN_METH_ENABLE := 0x04
TAC_PLUS_AUTHEN_METH_LOCAL := 0x05
TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06
TAC_PLUS_AUTHEN_METH_GUEST := 0x08
TAC_PLUS_AUTHEN_METH_RADIUS := 0x10
TAC_PLUS_AUTHEN_METH_KRB4 := 0x11
TAC_PLUS_AUTHEN_METH_RCMD := 0x20
KRB5 and KRB4 are Kerberos version 5 and 4. LINE refers to a fixed password associated with the line used to gain access. LOCAL is a NAS local user database. ENABLE is a command that authenticates in order to grant new privileges. TACACSPLUS is, of course, TACACS+. GUEST is an unqualified guest authentication, such as an ARAP guest login. RADIUS is the Radius authentication protocol. RCMD refers to authentication provided via the R-command protocols from Berkeley Unix. (One should be aware of the security limitations to R-command authentication.)
priv_lvl
This field matches the priv_lvl field in the authentication section above. It indicates the user's current privilege level.
authen_type
This field matches the authen_type field in the authentication section above. It indicates the type of authentication that was performed.
authen_service
This field matches the service field in the authentication section above. It indicates the service through which the user authenticated.
user
This field contains the user's account name.
port
This field matches the port field in the authentication section above.
rem_addr
This field matches the rem_addr field in the authentication section above.
arg_cnt
The number of authorization arguments to follow.
arg
An attribute-value pair that describes the command to be performed. (see below)
The authorization arguments in both the REQUEST and the RESPONSE are attribute-value pairs. The attribute and the value are in a single ASCII string and are separated by either a "=" (0x3D) or a "*" (0x2A). The equals sign indicates a mandatory argument. The asterisk indicates an optional one.
Optional arguments are ones that may be disregarded by either client or daemon. Mandatory arguments require that the receiving side understands the attribute and will act on it. If the client receives a mandatory argument that it cannot oblige or does not understand, it MUST consider the authorization to have failed. It is legal to send an attribute-value pair with a NULL (zero length) value.
Attribute-value strings are not NULL terminated, rather their length value indicates their end. The maximum length of an attribute-value string is 255 characters. The following attributes are defined:
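The following is an added example, not part of the draft, that encodes and decodes the authorization REQUEST body of section 11.1 and the attribute-value strings described above. It operates on the body only (the packet header is out of scope here). The constant value is the draft's; the sample user, port, rem_addr and arguments used in the usage call are constructed for illustration. Every length field is one octet, so the encoder refuses values that would not fit, and the decoder checks that the length fields account for exactly the bytes received instead of trusting them blindly.

```python
import struct

TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06  # value from the draft

def encode_av(attr, value, mandatory=True):
    """Build one attribute-value string. "=" marks a mandatory argument,
    "*" an optional one. A zero-length value (the draft's NULL) is legal,
    so encode_av("cmd", "") yields b"cmd="."""
    s = f"{attr}{'=' if mandatory else '*'}{value}".encode("ascii")
    if len(s) > 255:
        raise ValueError("attribute-value string exceeds 255 characters")
    return s

def decode_av(raw):
    """Split an attribute-value string at its first "=" or "*".
    Strings are not NUL terminated; their length field delimits them.
    Returns (attribute, value, mandatory)."""
    s = raw.decode("ascii")
    for i, ch in enumerate(s):
        if ch in "=*":
            return s[:i], s[i + 1:], ch == "="
    raise ValueError(f"no separator in attribute-value string {s!r}")

def encode_author_request(authen_method, priv_lvl, authen_type, authen_service,
                          user, port, rem_addr, args):
    """args is a list of encoded attribute-value byte strings."""
    user_b, port_b, rem_b = (x.encode("ascii") for x in (user, port, rem_addr))
    if len(args) > 255 or any(len(x) > 255 for x in (user_b, port_b, rem_b)):
        raise ValueError("field too long for its one-octet length")
    fixed = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                        len(user_b), len(port_b), len(rem_b), len(args))
    # fixed fields, then the arg length table, then the variable fields in order
    return fixed + bytes(len(a) for a in args) + user_b + port_b + rem_b + b"".join(args)

def decode_author_request(body):
    """Parse a REQUEST body into a dict; raises ValueError on malformed input."""
    if len(body) < 8:
        raise ValueError("truncated fixed header")
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt
    # the length fields must account for exactly the bytes present
    if len(body) != off + user_len + port_len + rem_len + sum(arg_lens):
        raise ValueError("body length does not match the length fields")

    def take(n):
        nonlocal off
        chunk = body[off:off + n]
        off += n
        return chunk

    user, port, rem_addr = take(user_len), take(port_len), take(rem_len)
    args = [decode_av(take(n)) for n in arg_lens]
    return {"authen_method": authen_method, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "authen_service": authen_service,
            "user": user.decode("ascii"), "port": port.decode("ascii"),
            "rem_addr": rem_addr.decode("ascii"), "args": args}

def example_request():
    """Constructed sample: a shell command authorization for user 'alice'."""
    args = [encode_av("service", "shell"), encode_av("cmd", "show"),
            encode_av("cmd-arg", "version")]
    return encode_author_request(TAC_PLUS_AUTHEN_METH_TACACSPLUS, 1, 0x01, 0x01,
                                 "alice", "tty1", "192.0.2.10", args)

if __name__ == "__main__":
    body = example_request()
    print(len(body), decode_author_request(body))
```

The decoder deliberately rejects a body whose length fields do not sum to the bytes received; a daemon that silently accepts a short body and reads past it is the classic source of parser bugs in length-prefixed formats like this one.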
12. Table 1: Attribute-value Pairs
service
The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are "slip", "ppp", "arap", "shell", "tty-daemon", "connection", "system" and "firewall". This attribute MUST always be included.
protocol
A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are "lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270", "telnet", "rlogin", "pad", "vpdn", "ftp", "http", "deccp", "osicp" and "unknown".
cmd
A shell (exec) command. This indicates the command name for a shell command that is to be run. This attribute MUST be specified if service equals "shell". A NULL value indicates that the shell itself is being referred to.
cmd-arg
An argument to a shell (exec) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes may be specified, and they are order dependent.
acl
ASCII number representing a connection access list. Used only when service=shell and cmd=NULL.
inacl
ASCII identifier for an interface input access list.
outacl
ASCII identifier for an interface output access list.
zonelist
A numeric zonelist value. (Applicable to AppleTalk only).
addr
A network address.
addr-pool
The identifier of an address pool from which the NAS should assign an address.
routing
A boolean. Specifies whether routing information is to be propagated to, and accepted from this interface.
route
Indicates a route that is to be applied to this interface. Values MUST be of the form "<dst_address> <mask> [<routing_addr>]". If a
<routing_addr> is not specified, the resulting route should be via the requesting peer.
timeout
An absolute timer for the connection (in minutes). A value of zero indicates no timeout.
idletime
An idle-timeout for the connection (in minutes). A value of zero indicates no timeout.
autocmd
An auto-command to run. Used only when service=shell and cmd=NULL.
noescape
Boolean. Prevents the user from using an escape character. Used only when service=shell and cmd=NULL.
nohangup
Boolean. Do not disconnect after an automatic command. Used only when service=shell and cmd=NULL.
priv_lvl
Privilege level to be assigned.
remote_user
Remote userid (authen_method must have the value TAC_PLUS_AUTHEN_METH_RCMD).
remote_host
Remote host (authen_method must have the value TAC_PLUS_AUTHEN_METH_RCMD).
callback-dialstring
Indicates that callback should be done. Value is NULL, or a dialstring. A NULL value indicates that the service MAY choose to get the dialstring through other means.
callback-line
The line number to use for a callback.
callback-rotary
The rotary number to use for a callback.
nocallback-verify
Do not require authentication after callback.
For all boolean attributes, valid values are "true" or "false". A value of NULL means an attribute with a zero length string for its value, i.e. cmd=NULL is actually transmitted as the string of 4 characters "cmd=".
If a host is specified in a cmd-arg or addr, it is recommended that it be specified as a numeric address so as to avoid any ambiguities.
In the case of rcmd authorizations, the authen_method will be set to TAC_PLUS_AUTHEN_METH_RCMD and the remote_user and remote_host attributes will provide the remote user and host information to enable rhost style authorization. The response may request that a privilege level be set for the user.
The protocol attribute is intended for use with PPP. When service equals "ppp" and protocol equals "lcp", the message describes the PPP link layer service. For other values of protocol, this describes a PPP NCP (network layer service). A single PPP session can support multiple NCPs.
The attributes addr, inacl, outacl, route and routing may be used for all network protocol types that are supported. Their format and meaning is determined by the values of the service or protocol attributes. Not all are necessarily implemented for any given network protocol.
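The following is an added example, not part of the draft, that checks a decoded set of authorization attribute-value pairs against the constraints Table 1 and the paragraphs above state: service is always required, cmd is required when service is "shell", acl/autocmd/noescape/nohangup apply only when service=shell and cmd=NULL, booleans are "true" or "false", remote_user/remote_host require an RCMD authen_method, route values take the form "<dst_address> <mask> [<routing_addr>]", and a numeric addr is recommended. A daemon would run such a check before evaluating policy so that an inconsistent request is rejected rather than partially honoured. The attribute names and constants are the draft's; the function name and the sample argument lists are constructed.

```python
import ipaddress

TAC_PLUS_AUTHEN_METH_RCMD = 0x20  # value from the draft

SERVICES = {"slip", "ppp", "arap", "shell", "tty-daemon", "connection",
            "system", "firewall"}
BOOLEAN_ATTRS = {"routing", "noescape", "nohangup", "nocallback-verify"}
# attributes Table 1 marks "Used only when service=shell and cmd=NULL"
SHELL_ONLY_ATTRS = {"acl", "autocmd", "noescape", "nohangup"}
RCMD_ATTRS = {"remote_user", "remote_host"}

def check_author_args(args, authen_method):
    """args: list of (attribute, value) tuples as decoded from a REQUEST.
    Returns a list of problems; an empty list means the set is consistent
    with Table 1. Repeated attributes (cmd-arg) are kept in order."""
    problems = []
    attrs = {}
    for attr, value in args:
        attrs.setdefault(attr, []).append(value)

    service = attrs.get("service", [None])[0]
    if service is None:
        problems.append("service attribute MUST always be included")
    elif service not in SERVICES:
        problems.append(f"unknown service {service!r}")

    cmd = attrs.get("cmd", [None])[0]
    if service == "shell" and cmd is None:
        problems.append('cmd MUST be specified when service equals "shell"')
    # cmd=NULL (transmitted as "cmd=") refers to the shell itself
    shell_itself = service == "shell" and cmd == ""
    for attr in sorted(SHELL_ONLY_ATTRS & attrs.keys()):
        if not shell_itself:
            problems.append(f"{attr} is used only when service=shell and cmd=NULL")

    for attr in sorted(BOOLEAN_ATTRS & attrs.keys()):
        for value in attrs[attr]:
            if value not in ("true", "false"):
                problems.append(f"{attr}={value!r}: boolean must be \"true\" or \"false\"")

    for attr in sorted(RCMD_ATTRS & attrs.keys()):
        if authen_method != TAC_PLUS_AUTHEN_METH_RCMD:
            problems.append(f"{attr} requires authen_method TAC_PLUS_AUTHEN_METH_RCMD")

    for value in attrs.get("route", []):
        if len(value.split()) not in (2, 3):
            problems.append(f"route {value!r}: expected "
                            '"<dst_address> <mask> [<routing_addr>]"')

    for value in attrs.get("addr", []):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"addr {value!r}: a numeric address is recommended")

    return problems

if __name__ == "__main__":
    # constructed sample: acl is only valid when the shell itself is authorized
    print(check_author_args([("service", "shell"), ("cmd", "show"), ("acl", "10")], 0x06))
```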
12.1. The authorization RESPONSE packet body
 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8

+----------------+----------------+----------------+----------------+
|    status      |     arg_cnt    |         server_msg len          |
+----------------+----------------+----------------+----------------+
|            data len             |    arg 1 len   |    arg 2 len   |
+----------------+----------------+----------------+----------------+
|      ...       |   arg N len    |         server_msg ...
+----------------+----------------+----------------+----------------+
|   data ...
+----------------+----------------+----------------+----------------+
|   arg 1 ...
+----------------+----------------+----------------+----------------+
|   arg 2 ...
+----------------+----------------+----------------+----------------+
|   ...
+----------------+----------------+----------------+----------------+
|   arg N ...
+----------------+----------------+----------------+----------------+
status
This field indicates the authorization status.
TAC_PLUS_AUTHOR_STATUS_PASS_ADD := 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL := 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11
TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21
server_msg
This is an ASCII string that may be presented to the user. The decision to present this message is client specific.
data
This is an ASCII string that may be presented on an administrative display, console or log. The decision to present this message is client specific.
arg_cnt
The number of authorization arguments to follow.
arg
An attribute-value pair that describes the command to be performed. (see below)
If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the appropriate action is to deny the user action.
If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the arguments specified in the request are authorized and the arguments in the response are to be used IN ADDITION to those arguments.
If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the arguments in the request are to be completely replaced by the arguments in the response.
If the intended action is to approve the authorization with no modifications, then the status should be set to TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt should be set to 0.
A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred on the daemon.
When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the arg_cnt MUST be 0. In that case, the actions to be taken and the contents of the data field are identical to the TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication.
None of the arg values have any relevance if an ERROR is set.
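The following is an added example, not part of the draft, that encodes and decodes the RESPONSE body of section 12.1 and applies the client-side rules given above for each status value: FAIL denies the action, PASS_ADD appends the response arguments to the request's, PASS_REPL replaces them, ERROR makes the arguments irrelevant, and FOLLOW must carry arg_cnt 0 (the redirection it requests is not performed here). It also enforces the rule from section 11 that a mandatory response argument the client does not understand fails the authorization. The status constants and attribute names are the draft's; the function names, the client's set of understood attributes, and the sample request and response used in the usage call are constructed.

```python
import struct

TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR = 0x11
TAC_PLUS_AUTHOR_STATUS_FOLLOW = 0x21

# attributes this (hypothetical) client knows how to act on; Table 1 names
CLIENT_UNDERSTANDS = {"service", "protocol", "cmd", "cmd-arg", "acl", "inacl",
                      "outacl", "addr", "addr-pool", "routing", "route",
                      "timeout", "idletime", "autocmd", "noescape", "nohangup",
                      "priv_lvl"}

def split_av(raw):
    """(attribute, value, mandatory) from one attribute-value byte string."""
    s = raw.decode("ascii")
    for i, ch in enumerate(s):
        if ch in "=*":
            return s[:i], s[i + 1:], ch == "="
    raise ValueError(f"no separator in attribute-value string {s!r}")

def encode_author_response(status, server_msg, data, args):
    """args is a list of encoded attribute-value byte strings."""
    if len(args) > 255 or len(server_msg) > 0xFFFF or len(data) > 0xFFFF:
        raise ValueError("field too long for its length field")
    if status == TAC_PLUS_AUTHOR_STATUS_FOLLOW and args:
        raise ValueError("FOLLOW responses MUST have arg_cnt 0")
    fixed = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return fixed + bytes(len(a) for a in args) + server_msg + data + b"".join(args)

def decode_author_response(body):
    """Parse a RESPONSE body into a dict; raises ValueError if malformed."""
    if len(body) < 6:
        raise ValueError("truncated fixed header")
    status, arg_cnt, server_msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt
    if len(body) != off + server_msg_len + data_len + sum(arg_lens):
        raise ValueError("body length does not match the length fields")
    if status == TAC_PLUS_AUTHOR_STATUS_FOLLOW and arg_cnt != 0:
        raise ValueError("FOLLOW responses MUST have arg_cnt 0")
    server_msg = body[off:off + server_msg_len]
    off += server_msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    return {"status": status, "server_msg": server_msg, "data": data, "args": args}

def apply_authorization(request_args, response):
    """Decide the client's action. request_args is a list of
    (attribute, value, mandatory) tuples. Returns (decision, effective_args)
    where decision is "permit", "deny", "error" or "follow"."""
    status = response["status"]
    if status == TAC_PLUS_AUTHOR_STATUS_FAIL:
        return "deny", []
    if status == TAC_PLUS_AUTHOR_STATUS_ERROR:
        return "error", []          # arg values have no relevance on ERROR
    if status == TAC_PLUS_AUTHOR_STATUS_FOLLOW:
        return "follow", []         # redirection per the data field, not handled here
    resp_args = [split_av(a) for a in response["args"]]
    for attr, _, mandatory in resp_args:
        if mandatory and attr not in CLIENT_UNDERSTANDS:
            return "deny", []       # mandatory argument we cannot oblige: authorization failed
    if status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD:
        return "permit", request_args + resp_args
    if status == TAC_PLUS_AUTHOR_STATUS_PASS_REPL:
        return "permit", resp_args
    raise ValueError(f"unknown authorization status 0x{status:02x}")

if __name__ == "__main__":
    # constructed sample: daemon adds a session timeout to a shell request
    req = [("service", "shell", True), ("cmd", "", True)]
    body = encode_author_response(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, b"ok", b"",
                                  [b"timeout=30", b"idletime*5"])
    print(apply_authorization(req, decode_author_response(body)))
```

Note that an optional ("*") argument the client does not recognise is simply dropped from its own point of view, whereas an unrecognised mandatory ("=") one turns a PASS into a denial; a client that treats the two separators alike quietly weakens whatever restriction the daemon intended.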