tacacs/draft-4

Last-modified: 2010-11-04 (木) 12:49:07
  11.  Authorization
  TACACS+ authorization is an extensible way of providing remote
  authorization services.  An authorization session is defined as a
  single pair of messages, a REQUEST followed by a RESPONSE.
  The authorization REQUEST message contains a fixed set of fields that
  describe the authenticity of the user or process, and a variable set
  of arguments that describes the services and options for which
  authorization is requested.
  The RESPONSE contains a variable set of response arguments
  (attribute-value pairs) which can restrict or modify the client's
  actions.
  The arguments in both a REQUEST and a RESPONSE can be specified as
  either mandatory or optional. An optional argument is one that may or
  may not be used, modified or even understood by the recipient.
  A mandatory argument MUST be both understood and used. This allows
  for extending the attribute list while providing secure backwards
  compatibility.
  11.1.  The authorization REQUEST packet body
        1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8
       +----------------+----------------+----------------+----------------+
       |  authen_method |    priv_lvl    |  authen_type   | authen_service |
       +----------------+----------------+----------------+----------------+
       |    user len    |    port len    |  rem_addr len  |    arg_cnt     |
       +----------------+----------------+----------------+----------------+
       |   arg 1 len    |   arg 2 len    |      ...       |   arg N len    |
       +----------------+----------------+----------------+----------------+
       |   user ...
       +----------------+----------------+----------------+----------------+
       |   port ...
       +----------------+----------------+----------------+----------------+
       |   rem_addr ...
       +----------------+----------------+----------------+----------------+
       |   arg 1 ...
       +----------------+----------------+----------------+----------------+
       |   arg 2 ...
       +----------------+----------------+----------------+----------------+
       |   ...
       +----------------+----------------+----------------+----------------+
       |   arg N ...
       +----------------+----------------+----------------+----------------+

authen_method

  This indicates the authentication method used by the client to
  acquire the user information.
  TAC_PLUS_AUTHEN_METH_NOT_SET    := 0x00
  TAC_PLUS_AUTHEN_METH_NONE       := 0x01
  TAC_PLUS_AUTHEN_METH_KRB5       := 0x02
  TAC_PLUS_AUTHEN_METH_LINE       := 0x03
  TAC_PLUS_AUTHEN_METH_ENABLE     := 0x04
  TAC_PLUS_AUTHEN_METH_LOCAL      := 0x05
  TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06
  TAC_PLUS_AUTHEN_METH_GUEST      := 0x08
  TAC_PLUS_AUTHEN_METH_RADIUS     := 0x10
  TAC_PLUS_AUTHEN_METH_KRB4       := 0x11
  TAC_PLUS_AUTHEN_METH_RCMD       := 0x20
  KRB5 and KRB4 are Kerberos version 5 and 4. LINE refers to a fixed
  password associated with the line used to gain access. LOCAL is a NAS
  local user database. ENABLE is a command that authenticates in order
  to grant new privileges. TACACSPLUS is, of course, TACACS+. GUEST is
  an unqualified guest authentication, such as an ARAP guest login.
  RADIUS is the Radius authentication protocol. RCMD refers to
  authentication provided via the R-command protocols from Berkeley Unix.
  (One should be aware of the security limitations to R-command
  authentication.)

priv_lvl

  This field matches the priv_lvl field in the authentication section
  above. It indicates the user's current privilege level.

authen_type

  This field matches the authen_type field in the authentication
  section above. It indicates the type of authentication that was
  performed.

authen_service

  This field matches the service field in the authentication section
  above. It indicates the service through which the user authenticated.

user

  This field contains the user's account name.

port

  This field matches the port field in the authentication section
  above.

rem_addr

  This field matches the rem_addr field in the authentication section
  above.

arg_cnt

  The number of authorization arguments to follow.

arg

  An attribute-value pair that describes the command to be performed.
  (see below)
  The authorization arguments in both the REQUEST and the RESPONSE are
  attribute-value pairs. The attribute and the value are in a single
  ascii string and are separated by either a "=" (0X3D) or a "*"
  (0X2A). The equals sign indicates a mandatory argument. The asterisk
  indicates an optional one.
  Optional arguments are ones that may be disregarded by either client
  or daemon. Mandatory arguments require that the receiving side
  understands the attribute and will act on it. If the client receives a
  mandatory argument that it cannot oblige or does not understand, it
  MUST consider the authorization to have failed. It is legal to send
  an attribute-value pair with a NULL (zero length) value.
  Attribute-value strings are not NULL terminated, rather their length
  value indicates their end. The maximum length of an attribute-value
  string is 255 characters. The following attributes are defined:
  12.  Table 1: Attribute-value Pairs

service

  The primary service. Specifying a service attribute indicates that
  this is a request for authorization or accounting of that service.
  Current values are "slip", "ppp", "arap", "shell", "tty-daemon",
  "connection", "system" and "firewall". This attribute MUST always be
  included.

protocol

  a protocol that is a subset of a service. An example would be any PPP
  NCP. Currently known values are "lcp", "ip", "ipx", "atalk", "vines",
  "lat", "xremote", "tn3270", "telnet", "rlogin", "pad", "vpdn", "ftp",
  "http", "deccp", "osicp" and "unknown".

cmd

  a shell (exec) command. This indicates the command name for a shell
  command that is to be run. This attribute MUST be specified if
  service equals "shell". A NULL value indicates that the shell itself is
  being referred to.

cmd-arg

  an argument to a shell (exec) command. This indicates an argument for
  the shell command that is to be run. Multiple cmd-arg attributes may
  be specified, and they are order dependent.

acl

  ASCII number representing a connection access list. Used only when
  service=shell and cmd=NULL

inacl

  ASCII identifier for an interface input access list.

outacl

  ASCII identifier for an interface output access list.

zonelist

  A numeric zonelist value. (Applicable to AppleTalk only).

addr

  a network address

addr-pool

  The identifier of an address pool from which the NAS should assign an
  address.

routing

  A boolean. Specifies whether routing information is to be propagated
  to, and accepted from this interface.

route

  Indicates a route that is to be applied to this interface. Values
  MUST be of the form "<dst_address> <mask> [<routing_addr>]". If a
  <routing_addr> is not specified, the resulting route should be via
  the requesting peer.

timeout

  an absolute timer for the connection (in minutes). A value of zero
  indicates no timeout.

idletime

  an idle-timeout for the connection (in minutes). A value of zero
  indicates no timeout.

autocmd

  an auto-command to run. Used only when service=shell and cmd=NULL

noescape

  Boolean. Prevents user from using an escape character. Used only when
  service=shell and cmd=NULL

nohangup

  Boolean. Do not disconnect after an automatic command. Used only when
  service=shell and cmd=NULL

priv_lvl

  privilege level to be assigned.

remote_user

  remote userid (authen_method must have the value
  TAC_PLUS_AUTHEN_METH_RCMD)

remote_host

  remote host (authen_method must have the value
  TAC_PLUS_AUTHEN_METH_RCMD)

callback-dialstring

  Indicates that callback should be done. Value is NULL, or a
  dialstring. A NULL value indicates that the service MAY choose to get
  the dialstring through other means.

callback-line

  The line number to use for a callback.

callback-rotary

  The rotary number to use for a callback.

nocallback-verify

  Do not require authentication after callback.

For all boolean attributes, valid values are "true" or "false". A
value of NULL means an attribute with a zero length string for its value,
i.e. cmd=NULL is actually transmitted as the string of 4 characters
"cmd=".

If a host is specified in a cmd-arg or addr, it is recommended that it
be specified as a numeric address so as to avoid any ambiguities.

In the case of rcmd authorizations, the authen_method will be set to
TAC_PLUS_AUTHEN_METH_RCMD and the remote_user and remote_host attributes
will provide the remote user and host information to enable rhost style
authorization. The response may request that a privilege level be set
for the user.

The protocol attribute is intended for use with PPP. When service equals
"ppp" and protocol equals "lcp", the message describes the PPP link
layer service. For other values of protocol, this describes a PPP NCP
(network layer service). A single PPP session can support multiple NCPs.

The attributes addr, inacl, outacl, route and routing may be used for
all network protocol types that are supported. Their format and meaning
is determined by the values of the service or protocol attributes. Not
all are necessarily implemented for any given network protocol.
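The following is an added example, not code from the draft: a Python encoder and parser for the authorization REQUEST body described in 11.1, together with the attribute-value rules above ("=" mandatory, "*" optional, NULL values transmitted as e.g. "cmd=", 255-byte limit, no NUL terminator) and the MUST rules from Table 1 (service always present, cmd present when service is "shell", booleans "true"/"false"). The function names, the BOOLEAN_ATTRS set and the sample field values are this example's own assumptions; the numeric authen_type and authen_service values in the usage are placeholders for values defined in the authentication section, which is not reproduced on this page. The decoder checks every length field against the bytes actually present before slicing, which is the check a receiver needs so that a short or inconsistent body is rejected rather than misparsed.

```python
import struct

# Separators from the draft: "=" (0x3D) marks a mandatory attribute-value
# pair, "*" (0x2A) an optional one.  Strings carry no terminator; the
# per-argument length byte delimits them and limits them to 255 bytes.
MANDATORY_SEP = b"="
OPTIONAL_SEP = b"*"
MAX_ARG_LEN = 255

# Attributes Table 1 defines as booleans (assumed set for this example).
BOOLEAN_ATTRS = {"routing", "noescape", "nohangup"}


def parse_av_pair(arg: bytes):
    """Return (attribute, value, mandatory) for one attribute-value string.

    Whichever of "=" or "*" appears first is the separator, so a value may
    itself contain either character (e.g. "route=10.0.0.0 255.0.0.0").
    """
    positions = [i for i in (arg.find(MANDATORY_SEP), arg.find(OPTIONAL_SEP)) if i >= 0]
    if not positions:
        raise ValueError("attribute-value string without separator: %r" % arg)
    sep = min(positions)
    mandatory = arg[sep:sep + 1] == MANDATORY_SEP
    return arg[:sep].decode("ascii"), arg[sep + 1:].decode("ascii"), mandatory


def encode_av_pair(attr: str, value: str, mandatory: bool = True) -> bytes:
    """Encode one pair; a NULL value gives e.g. b"cmd=" (four bytes)."""
    sep = MANDATORY_SEP if mandatory else OPTIONAL_SEP
    arg = attr.encode("ascii") + sep + value.encode("ascii")
    if len(arg) > MAX_ARG_LEN:
        raise ValueError("attribute-value string longer than 255 bytes")
    return arg


def validate_request_args(args) -> None:
    """Apply the MUST rules of Table 1 to a list of (attr, value, mandatory)."""
    by_attr = {a: v for a, v, _m in args}
    if "service" not in by_attr:
        raise ValueError("service attribute MUST always be included")
    if by_attr["service"] == "shell" and "cmd" not in by_attr:
        raise ValueError('cmd MUST be specified when service equals "shell"')
    for attr, value, _m in args:
        if attr in BOOLEAN_ATTRS and value not in ("true", "false"):
            raise ValueError("boolean attribute %s has value %r" % (attr, value))


def encode_author_request(authen_method, priv_lvl, authen_type, authen_service,
                          user, port, rem_addr, args) -> bytes:
    """Build the REQUEST body: 8 fixed bytes, arg_cnt length bytes, then strings."""
    validate_request_args(args)
    user_b, port_b, rem_b = (s.encode("ascii") for s in (user, port, rem_addr))
    encoded = [encode_av_pair(*a) for a in args]
    for name, field in (("user", user_b), ("port", port_b), ("rem_addr", rem_b)):
        if len(field) > 255:
            raise ValueError("%s does not fit its one-byte length field" % name)
    if len(encoded) > 255:
        raise ValueError("arg_cnt is a single byte; too many arguments")
    fixed = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                        len(user_b), len(port_b), len(rem_b), len(encoded))
    arg_lens = bytes(len(e) for e in encoded)
    return fixed + arg_lens + user_b + port_b + rem_b + b"".join(encoded)


def decode_author_request(body: bytes) -> dict:
    """Parse a REQUEST body, checking every length field against the bytes present."""
    if len(body) < 8:
        raise ValueError("body shorter than the fixed 8-byte header")
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    pos = 8
    arg_lens = list(body[pos:pos + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("body truncated inside the arg length bytes")
    pos += arg_cnt
    if len(body) != pos + user_len + port_len + rem_len + sum(arg_lens):
        raise ValueError("length fields do not add up to the body length")
    user = body[pos:pos + user_len].decode("ascii")
    pos += user_len
    port = body[pos:pos + port_len].decode("ascii")
    pos += port_len
    rem_addr = body[pos:pos + rem_len].decode("ascii")
    pos += rem_len
    args = []
    for n in arg_lens:
        args.append(parse_av_pair(body[pos:pos + n]))
        pos += n
    return {"authen_method": authen_method, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "authen_service": authen_service,
            "user": user, "port": port, "rem_addr": rem_addr, "args": args}


if __name__ == "__main__":
    # Constructed sample: a shell command authorization (authen_type and
    # authen_service are placeholder values here).
    body = encode_author_request(0x06, 1, 0x01, 0x01, "alice", "tty0", "10.0.0.5",
                                 [("service", "shell", True), ("cmd", "show", True),
                                  ("cmd-arg", "version", True)])
    print(len(body), decode_author_request(body))
```

The round trip for the sample yields a 64-byte body: 8 fixed bytes, 3 arg length bytes, then "alice", "tty0", "10.0.0.5" and the three attribute-value strings. Note that the body as parsed here is the cleartext after the TACACS+ header-derived obfuscation has been removed; that step belongs to the packet layer, not to this section.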

  12.1.  The authorization RESPONSE packet body
        1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8
       +----------------+----------------+----------------+----------------+
       |    status      |     arg_cnt    |         server_msg len          |
       +----------------+----------------+----------------+----------------+
       |            data len             |    arg 1 len   |    arg 2 len   |
       +----------------+----------------+----------------+----------------+
       |      ...       |   arg N len    |         server_msg ...
       +----------------+----------------+----------------+----------------+
       |   data ...
       +----------------+----------------+----------------+----------------+
       |   arg 1 ...
       +----------------+----------------+----------------+----------------+
       |   arg 2 ...
       +----------------+----------------+----------------+----------------+
       |   ...
       +----------------+----------------+----------------+----------------+
       |   arg N ...
       +----------------+----------------+----------------+----------------+

status

  This field indicates the authorization status
  TAC_PLUS_AUTHOR_STATUS_PASS_ADD  := 0x01
  TAC_PLUS_AUTHOR_STATUS_PASS_REPL := 0x02
  TAC_PLUS_AUTHOR_STATUS_FAIL      := 0x10
  TAC_PLUS_AUTHOR_STATUS_ERROR     := 0x11
  TAC_PLUS_AUTHOR_STATUS_FOLLOW    := 0x21

server_msg

  This is an ASCII string that may be presented to the user. The decision
  to present this message is client specific.

data

  This is an ASCII string that may be presented on an administrative
  display, console or log. The decision to present this message is client
  specific.

arg_cnt

  The number of authorization arguments to follow.

arg

  An attribute-value pair that describes the command to be performed. (see
  below)
  If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the appropriate
  action is to deny the user action.
  If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the
  arguments specified in the request are authorized and the arguments in
  the response are to be used IN ADDITION to those arguments.
  If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the
  arguments in the request are to be completely replaced by the
  arguments in the response.
  If the intended action is to approve the authorization with no
  modifications, then the status should be set to
  TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt should be set to
  0.
  A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred
  on the daemon.
  When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the arg_cnt
  MUST be 0. In that case, the actions to be taken and the contents of
  the data field are identical to the TAC_PLUS_AUTHEN_STATUS_FOLLOW
  status for Authentication.
  None of the arg values have any relevance if an ERROR is set.
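As an added example (not code from the draft), the block below parses the authorization RESPONSE body of 12.1 and applies the status rules just listed on the client side: FAIL denies, PASS_ADD appends the response arguments to the request's, PASS_REPL replaces them, a FOLLOW response with a non-zero arg_cnt is rejected as malformed, and a mandatory argument the client does not understand turns the authorization into a failure while an optional one is dropped. The UNDERSTOOD_ATTRS set and the function names are this example's assumptions; treating ERROR as "not authorized" is this example's fail-closed policy, since the draft only says the arguments are irrelevant in that case. The small attribute-value splitter repeats the separator rule from the REQUEST example so the block runs on its own.

```python
import struct

TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR = 0x11
TAC_PLUS_AUTHOR_STATUS_FOLLOW = 0x21

# Attributes this hypothetical client implements (assumed set).  A mandatory
# ("=") argument outside this set cannot be obliged, so the authorization
# MUST be treated as failed; an optional ("*") one is simply dropped.
UNDERSTOOD_ATTRS = {"service", "cmd", "cmd-arg", "priv_lvl", "timeout",
                    "idletime", "autocmd", "noescape", "nohangup", "acl"}


def split_av(arg: bytes):
    """(attribute, value, mandatory); the first "=" or "*" is the separator."""
    positions = [i for i in (arg.find(b"="), arg.find(b"*")) if i >= 0]
    if not positions:
        raise ValueError("attribute-value string without separator: %r" % arg)
    sep = min(positions)
    return (arg[:sep].decode("ascii"), arg[sep + 1:].decode("ascii"),
            arg[sep:sep + 1] == b"=")


def encode_author_response(status, server_msg, data, args) -> bytes:
    """Build a RESPONSE body (used here to construct sample daemon replies)."""
    encoded = [a.encode("ascii") + (b"=" if m else b"*") + v.encode("ascii")
               for a, v, m in args]
    msg_b, data_b = server_msg.encode("ascii"), data.encode("ascii")
    fixed = struct.pack("!BBHH", status, len(encoded), len(msg_b), len(data_b))
    return fixed + bytes(len(e) for e in encoded) + msg_b + data_b + b"".join(encoded)


def decode_author_response(body: bytes) -> dict:
    """Parse status, arg_cnt, the two 16-bit lengths, arg lengths and strings."""
    if len(body) < 6:
        raise ValueError("body shorter than the fixed 6-byte header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("body truncated inside the arg length bytes")
    pos += arg_cnt
    if len(body) != pos + msg_len + data_len + sum(arg_lens):
        raise ValueError("length fields do not add up to the body length")
    server_msg = body[pos:pos + msg_len].decode("ascii")
    pos += msg_len
    data = body[pos:pos + data_len].decode("ascii")
    pos += data_len
    args = []
    for n in arg_lens:
        args.append(split_av(body[pos:pos + n]))
        pos += n
    return {"status": status, "server_msg": server_msg, "data": data, "args": args}


def apply_authorization(request_args, response):
    """Return (authorized, effective_args) following the status rules."""
    status, resp_args = response["status"], response["args"]
    if status == TAC_PLUS_AUTHOR_STATUS_FAIL:
        return False, []          # deny the user action
    if status == TAC_PLUS_AUTHOR_STATUS_ERROR:
        return False, []          # daemon error; args irrelevant, fail closed (example policy)
    if status == TAC_PLUS_AUTHOR_STATUS_FOLLOW:
        if resp_args:
            raise ValueError("FOLLOW response MUST carry arg_cnt 0")
        return False, []          # redirect; handled like authentication FOLLOW, not authorized here
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        raise ValueError("unknown authorization status 0x%02x" % status)
    kept = []
    for attr, value, mandatory in resp_args:
        if attr in UNDERSTOOD_ATTRS:
            kept.append((attr, value, mandatory))
        elif mandatory:
            return False, []      # mandatory and not understood: authorization failed
    if status == TAC_PLUS_AUTHOR_STATUS_PASS_REPL:
        return True, kept         # response arguments replace the request's
    return True, list(request_args) + kept   # PASS_ADD: request args plus response args


if __name__ == "__main__":
    # Constructed sample: the daemon approves and adds a privilege level.
    req_args = [("service", "shell", True), ("cmd", "show", True)]
    reply = encode_author_response(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, "", "",
                                   [("priv_lvl", "15", True), ("timeout", "30", False)])
    print(apply_authorization(req_args, decode_author_response(reply)))
```

The "approve unchanged" case is PASS_ADD with arg_cnt 0, which the function handles without a special branch: nothing is appended. For PASS_ADD the draft only says the response arguments are used in addition to the request's, so the example concatenates them; what a client does when both sides carry the same attribute is not specified here.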