tac_plus.conf(5)              File Formats Manual             tac_plus.conf(5)

NAME

       tac_plus.conf - tacacs+ daemon configuration file

DESCRIPTION

       This page is a work in progress.

       tac_plus.conf contains configuration information for the tac_plus
       (tacacs+) daemon.

       Each line contains either one of the directives documented below,
       white-space (blanks or tabs), or a comment.

       Syntax enclosed in angle brackets (<>) below refers to syntax
       documented elsewhere in this manual page.

TOP-LEVEL DIRECTIVES

       #      Comments begin with a '#' character and extend to the end of the
              line.  Comments may appear anywhere in the configuration file.
              To disable the special meaning of the '#' character, enclose the
              string containing it in double quotes ("#").

       accounting
              Only one configurable accounting parameter exists: the
              destination.  All accounting records are written to a file, to
              syslog(3) at priority info, or to both.

                  accounting syslog;
                  accounting file = <filename>

              The default filename is /var/log/tac_plus.acct.

              Since accounting requests occur (and are serviced)
              asynchronously, the accounting file must be locked so that two
              writers do not write to it simultaneously.  The daemon uses
              fcntl(2) to lock the file.  Although fcntl(2) locking over NFS
              is supported on some implementations, it is notoriously
              unreliable, and even where it is reliable it is likely to be
              extremely inefficient.  The file is best located on a local
              file system.

       acl    If compiled with acl support (--enable-acls), Access Control
              Lists can be defined to limit a user's (or group's) login and/or
              enable access by daemon client IP address or hostname.  An acl
              is referenced by its name, but must be defined before it can be
              referenced.

              The acl is a series of permit or deny statements applied to the
              source IP address that the client used to connect to the
              daemon.  The first <regex> that matches ends the evaluation and
              the result is the permit or deny on the left.  If no entry of
              the acl matches a given address, the result is an implicit deny.

                  acl = <name> {
                      <permission> = <regex>

                      # deny 66.1.255/24, allow all else in 66.1/16
                      deny = ^66\.1\.255\.
                      permit = ^66\.1\.
                      # implicit deny (i.e., anything else)
                  }

              Briefly, if a company had all their loopback interfaces numbered
              from 66.1/16 (and thus all the tacacs clients are within
              66.1/16), this acl might be used to disallow a user to login to
              (or enable on) any router whose loopback interface is in
              66.1.255/24.

              Note: because acls match against the daemon client's source IP
              address, the client should be configured to use a stable source
              such as a loopback interface.  For example:

                  ip tacacs-server source-interface loopback 0

       default authentication
              By default, authentication fails for users that do not appear in
              the configuration file.  This directive overrides that behavior,
              thus permitting all authentication requests for such users.

                  default authentication = file <filename>

              Such users will be authenticated via the <user> "DEFAULT".

              Also see "user = DEFAULT", <default service>, and <default
              attribute>.

       group  Analogous to a <user> and accepting the same syntax, a group
              provides a template of which a <user> or another group can be a
              member.

                  group = <name> {
                      <user_decl>
                  }

              A group may be recursive; that is, a group may be a member of
              one other group (which may be a member of yet another group, and
              so on).

       host   The host clause allows the configuration values noted below to
              be set for the client named by IP address.  If tac_plus is
              started with the -L option, the name can also be the name
              resolved from the address with the gethostbyaddr(3) call, which
              may be the FQDN (Fully Qualified Domain Name) if DNS is used.
              It is recommended that the IP address be used, since the
              resolver can be slow to time out when network faults exist.

                  host = <IP address> {
                      key = <string>
                      prompt = <string>
                      enable = <password_spec>
                  }

              key specifies the packet encryption <key> for this host.

              prompt specifies the username prompt that will be presented to a
              user.

       key    Specifies an encryption key used to encrypt packets between the
              daemon and clients.  This key must match the key configured on
              the clients.

                  key = <string>

              The double quotes are only necessary if your key contains white-
              space, key-words, or special characters.

              Note: encryption is highly recommended.

       logging
              Specifies the syslog(3) facility used.  By default, logs are
              posted to the daemon facility.

                  logging = <syslog_fac>

       user   Define a user whose username is <name>.

                  user = <name> {
                      [ <default service> ]
                      <user_attr>
                      <svc>
                  }

              Note: seventeen special usernames exist: "DEFAULT", "$enable$",
              and "$enabN$" (where N is a privilege level number, normally in
              the range 0-15 on a Cisco).  The "$enable$" user exists for
              backward compatibility with previous versions of tacacs and is
              queried for privilege level 15 in addition to "$enab15$".

              Also see the "priv-lvl" AV pair in the "AV Pairs" section below
              and the <default authentication> directive.

       service
                  user = <string> {
                      [ default service = <permission> ]
                      <user_attr>*
                      <svc>*
                  }

              Also see the <default service> directive.


ADDITIONAL DIRECTIVE SYNTAX

       attr_value_pair
              Specify an AV (Attribute Value) pair.  The "optional" keyword
              specifies that the AV pair is optional.

                  [ optional ] <string> = <string>

              Optional AV pairs are only sent to the client if it requests
              them.  That is, the client must have included the given AV pair
              as a mandatory or optional pair in the request.

              Some clients react incorrectly and negatively to receiving AV
              pairs that they did not solicit.  Optional AV pairs should be
              ignored if they are not recognized or not supported in any given
              context.

              Also see the "Configuring Authorization" and "AV Pairs" sections
              below.

       cmd_auth
              Specify command authorization.

              For command authorization, the device should expand all
              abbreviated commands to their full names and compress adjacent
              white-space.  For example, when the command "config t" is
              entered it will be expanded to "configure terminal".

                  cmd = <string> {
                      <cmd-match>
                  }

       cmd-match
              Specify a command argument match.

                  <permission> <regex>
                  <permission> <regex>
                   ...
                  <permission>

              The <regex> matches arguments of the command <string>.  For
              example, to allow show diag but no other show commands:

                  cmd = show {
                      permit diag
                      deny
                  }

              The end of the <cmd-match> has an implicit <permission>
              determined by <default service>.  So, if the 'deny' had been
              omitted in the example above, the result of the authorization
              would be the value of <default service>.

              Note: 'cmd-arg' should never appear in a configuration file.  It
              is used internally by the daemon to construct a string which is
              then matched against the regular expressions which appear in a
              cmd clause in the configuration file.

              Note: when a command has multiple arguments, they may be entered
              in many different permutations.  It can be cumbersome to create
              regular expressions which will reliably authorize commands under
              these conditions.  Administrators may wish to consider other
              methods of performing authorization.

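              As an added illustration (Python written for this page, not code
              from tac_plus), the evaluator below models the first-match rule
              shared by the acl clause above and the cmd-match clause here,
              using this page's own acl, 'show diag' and user fred examples as
              input.  It assumes that each <regex> is searched unanchored (so
              ^ and $ are the administrator's responsibility), that a command
              with no cmd clause at all falls back to <default service>, and
              that an acl defaults to the implicit deny described above; the
              tac_plus source, not this example, is authoritative on those
              points.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not tac_plus code: the first-match-wins evaluation that the
# acl and cmd-match clauses describe.  Assumptions (labelled, not taken from
# the manual page): regexes are searched unanchored, and a command with no
# cmd clause at all falls back to <default service>.


@dataclass(frozen=True)
class Rule:
    permission: str       # "permit" or "deny"
    regex: Optional[str]  # None models the bare trailing <permission>


def first_match(rules: List[Rule], subject: str, default: str) -> str:
    """Return the <permission> of the first rule whose <regex> matches.

    A rule without a regex matches anything; if nothing matches, the
    caller's default applies (implicit deny for an acl, <default service>
    for a cmd clause)."""
    for rule in rules:
        if rule.regex is None or re.search(rule.regex, subject):
            return rule.permission
    return default


def evaluate_acl(acl: List[Rule], client_ip: str) -> str:
    """acl clause: match the daemon client's source IP; implicit deny."""
    return first_match(acl, client_ip, "deny")


def evaluate_cmd(cmd_clauses: Dict[str, List[Rule]], command_line: str,
                 default_service: str = "deny") -> str:
    """cmd clauses: the device sends the expanded command; the regexes are
    matched against its arguments only, in order of appearance."""
    # Compress adjacent white-space, as the page says the device should.
    word, _, args = " ".join(command_line.split()).partition(" ")
    rules = cmd_clauses.get(word)
    if rules is None:
        return default_service     # assumption: no cmd clause -> default
    return first_match(rules, args, default_service)


# The acl from this page: deny 66.1.255/24, permit the rest of 66.1/16.
LOOPBACK_ACL = [
    Rule("deny", r"^66\.1\.255\."),
    Rule("permit", r"^66\.1\."),
]

# The cmd example from this page: 'show diag' and no other show command.
SHOW_DIAG_ONLY = {
    "show": [Rule("permit", r"diag"), Rule("deny", None)],
}

# Same intent with anchors (constructed variant), so that only the argument
# 'diag' itself matches and not a longer argument that contains it.
SHOW_DIAG_ANCHORED = {
    "show": [Rule("permit", r"^diag$"), Rule("deny", None)],
}

# User fred from the "Configuring Authorization" section of this page.
FRED = {
    "telnet": [Rule("permit", r"131\.108\.13\.[0-9]+"),
               Rule("permit", r"128\.[0-9]+\.12\.3")],
    "show": [Rule("permit", r".*")],
}


if __name__ == "__main__":
    for ip in ("66.1.2.3", "66.1.255.7", "10.0.0.1"):
        print(f"acl {ip}: {evaluate_acl(LOOPBACK_ACL, ip)}")
    for cmd in ("show diag", "show diagnostic", "configure terminal"):
        print(f"{cmd!r}: unanchored={evaluate_cmd(SHOW_DIAG_ONLY, cmd)}"
              f" anchored={evaluate_cmd(SHOW_DIAG_ANCHORED, cmd)}")
    for cmd in ("telnet 131.108.13.42", "telnet 10.1.1.1", "show version"):
        print(f"fred {cmd!r}: {evaluate_cmd(FRED, cmd)}")
```

              Under the unanchored assumption, 'permit diag' also permits
              'show diagnostic'; the anchored variant shows one way to
              tighten a cmd clause when that is not intended.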
       default service
              Specifies the default <permission> for service authorization.

                  default service = <permission>

              If omitted, the default is 'deny'.

              Note: if used, <default service> must precede all other <svc>
              directives in a <user> clause.

       default attribute
              Specifies the default attribute <permission> for service
              authorization.

                  default attribute = <permission>

              Note: if used, <default attribute> must precede all other
              <svc_attr> directives in a <svc> clause.

       des_string
              Represents the one-way encryption of a password <string>.  For
              example, a password might encrypt to the string 0AmUKnIT2gheo.

              DES is the encryption historically used in Unix passwd(5) files.
              The crypt() function of the system's libcrypt is used to perform
              the encryption.  The libcrypt of modern Unices tends to support
              additional encryption algorithms, and so then does tac_plus.
              See the system's crypt manual page.  To utilize another format,
              use the des keyword followed by the crypt output in the format
              described in that manual page.  Typically it will have a "$1"
              prefix for MD5, "$2" for blowfish, and so on.

              tac_pwd(8) is a utility supplied with tac_plus to assist in
              performing this encryption.

       expires
              Causes the <user>'s password to become invalid, starting on the
              specified expiration date.

                  expires "May 23 2005"

              An expiry warning message is sent to the user at login time,
              starting 14 days before the expiration date.

              If the <user>'s <login> <password_spec> is "file", the "expires"
              field of the configuration file is not consulted.  Instead, the
              daemon looks at the "shell" field of the password file entry
              for a valid expiration date.

              If Solaris shadow password files are used for authentication,
              the "expires" field of the configuration file is not consulted.
              The expiry field from the shadow password file (if it exists) is
              used as the expiration date.

              Case is not significant.

       filename
              A <string> specifying a file located in the filesystem.

              While the daemon does change directory to / (root) when it
              starts, it is best to specify files by their FQPN (Fully
              Qualified Path Name), that is, a path that begins with /.  For
              example, /var/log/file rather than the relative path
              var/log/file.

       IP address
              A <string> representing an IPv4 address in dotted-quad notation.
              For example:

                  192.168.1.1

       name   A <string> by which to refer to a configuration element, such as
              an <acl> or a <group>.

              In general, a <name> must be defined before it can be
              referenced.  For example, before a <user> can be specified as a
              member of a <group>, the <group> has to be defined.

       password_spec
              There are five authentication mechanisms available: no password,
              cleartext, DES, PAM, a file in passwd(5) format, and skey.

                  file <filename>
                  cleartext <string>
                  des <des_string>
                  PAM
                  skey
                  nopassword

              skey is an OTP (One Time Password) facility.  The daemon must be
              built with skey (--enable-skey) support.

              PAM (Pluggable Authentication Modules framework) is an
              authentication mechanism (and much more) capable of various
              types of authentication methods that are chosen by a
              configuration file.  The PAM service name is the name of the
              tac_plus executable, normally "tac_plus".  PAM can be used only
              for login authentication; it is not implemented for enable
              authorization, and does not support OTP-like challenge systems
              (i.e., no additional prompting).  The daemon must be built with
              PAM support, which is included by default if libpam is found.

              Note: some cases of <password_spec> do not accept all of these
              mechanisms.

       permission
              Specifies that some match (for example a <service> or <cmd-
              match>) is to be allowed or denied.

                  (permit | deny)

       proto  A protocol is a subset of a service.  Typical NAS supported
              values are atalk, bap, bridging, ccp, cdp, deccp, ip, ipx, lat,
              lcp, multilink, nbf, osicp, pad, rlogin, telnet, tn3270, vines,
              vpdn, xns, xremote, and unknown.  Note that 'protocol' is
              actually an AV pair.

       string A series of characters, not including white-space or tac_plus
              key-words or special characters (i.e., A-Za-z0-9_).  To include
              any of those exceptions, enclose the string in double quotes
              ("this has whitespace").

       svc    XXX:

                  <svc_auth> | <cmd_auth>

       svc_auth
              XXX:

                  service = ( arap | connection | exec | ppp protocol = <proto> |
                              shell | slip | system | tty-daemon |
                              <client defined> ) {
                      [ <default attribute> ]
                      <attr_value_pair>*
                  }

              The service AV pair is required.

       syslog_fac
              syslog(3) normally has 16 well-known channels, called
              facilities.  syslogd(8) can be configured to direct each of
              these facilities to different files.  The facilities are named:
              auth, cron, daemon, local[0-7], lpr, mail, news, syslog, user,
              and uucp.

       user_attr
              XXX:

                  user = bart {
                      arap = cleartext "arap password"
                      chap = cleartext "chap password"
                      enable = <password_spec>
                      pap  = cleartext "inbound pap password"
                      opap = cleartext "outbound pap password"
                      pap  = des <des_string>
                      pap  = file <filename>
                      pap  = PAM
                      login = <password_spec>
                      global = cleartext "outbound pap password"
                  }

              global specifies the authentication method for all services.
              login applies to normal logins (exec).  arap, chap, pap, and
              opap (outbound PAP) service passwords may be defined separately.

              NOTE: a global user password cannot be used for outbound PAP.
              This is because outbound PAP is implemented by sending the
              password from the daemon to the client.  This is a security
              issue if the <key> is ever compromised.

              enable specifies the enable password.  The <password_spec> may
              only be of type cleartext, des, nopassword or file.  If the
              daemon was compiled with per-user enable support (--enable-
              uenable), the host enable password will be evaluated iff the
              user does not have a personal enable password.

              login name member - can only be 1
              default service = permit
              expires "May 23 2005"
                  arap = cleartext "Fred's arap secret"
                  chap = cleartext "Fred's chap secret"
              acl = <string>
              enableacl = <string>

              In the case of recursion, the first match is returned.  host
              enable is cleartext, des, nopassword or file only.

              arap chap expires May 23 2005 login member password

                  user_attr := name     = <string> |
                               login    = <password_spec> |
                               member   = <string> |
                               expires  = <string> |
                               arap     = cleartext <string> |
                               chap     = cleartext <string> |
                   #ifdef MSCHAP
                               ms-chap  = cleartext <string> |
                   #endif
                               pap      = cleartext <string> |
                               pap      = des <string> |
                               pap      = file <filename> |
                   #ifdef PAM
                               pap      = PAM |
                   #endif
                               opap     = cleartext <string> |
                               global   = cleartext <string> |
                               msg      = <string> |
                               before authorization = <string> |
                               after authorization = <string>


CONFIGURING AUTHORIZATION

       Authorizing a single session can result in multiple requests being sent
       to the daemon.  For example, to authorize a dialin ppp user for IP, the
       following authorization requests would be made from the client:

       1)     An initial authorization request to start up ppp from the exec,
              using the AV pairs service=ppp protocol=ip, will be made (Note:
              this initial request will be omitted if you are autoselecting
              ppp, since the username will not be known yet).

              This request is really done to find the address for dumb PPP (or
              SLIP) clients who cannot do address negotiation.  Instead, they
              expect you to tell them what address to use before PPP starts
              up, via a text message.

       2)     Next, an authorization request is made from the PPP subsystem to
              see if ppp's LCP layer is authorized.  LCP parameters can be set
              at this time (e.g. callback).  This request contains the AV
              pairs service=ppp protocol=lcp.

       3)     Next, an authorization request to start up ppp's IPCP layer is
              made using the AV pairs service=ppp protocol=ipcp.  Any
              parameters returned by the daemon are cached.

       4)     Next, during PPP's address negotiation phase, each time the
              remote peer requests a specific address, if that address isn't
              in the cache obtained in step 3, a new authorization request is
              made to see if the peer's requested address is allowable.  This
              step can be repeated multiple times until both sides agree on
              the remote peer's address or until the NAS (or client) decides
              they're never going to agree and shuts down PPP instead.

       As you can see from the above, a program which plans to handle
       authorization must be able to handle a variety of requests and respond
       appropriately.

       Authorization must be configured on both the client and the daemon to
       operate correctly.  By default, the client will allow everything until
       configured to make authorization requests to the daemon.

       With the daemon, the opposite is true; by default, the daemon will deny
       authorization of anything that isn't explicitly permitted.

       Authorization allows the daemon to deny commands and services outright,
       or to modify commands and services on a per-user basis.  Authorization
       on the daemon is divided into two separate parts: commands and
       services.

       Authorizing:

       commands
              Exec commands are those commands which are typed at a Cisco exec
              prompt.  When authorization is requested by the NAS, the entire
              command is sent to the daemon for authorization.

              Command authorization is configured by specifying a list of
              <regex>s to match command arguments and an action which is a
              <permission>.

              The following permits user Fred to run these commands:

                  telnet 131.108.13.<any number> and
                  telnet 128.<any number>.12.3 and
                  show <anything>

              All other commands are denied (by default).

                  user=fred {
                      cmd = telnet {
                          # permit specified telnets
                          permit 131\.108\.13\.[0-9]+
                          permit 128\.[0-9]+\.12\.3
                      }
                      cmd = show {
                          # permit show commands
                          permit .*
                      }
                  }

              The command and arguments which the user types are matched to
              the regular expressions specified in the configuration file (in
              order of appearance).  The first successful match performs the
              associated action (<permission>).  If there is no match, the
              command is denied by default.

              Also see the <default authentication>, <default authorization>,
              <default attribute>, and <default service> directives.


AUTHORIZATION SCRIPTS

       There are some limitations to the authorization that can be done using
       a configuration file.  One solution is to arrange for the daemon to
       call user-supplied programs to control authorization.  These "callouts"
       permit almost complete control over authorization, allowing you to read
       all the fields in the authorization packet sent by the client,
       including all its AV pairs, and to set the authorization status and
       send a new set of AV pairs to the client in response.

       Pre and post authorization programs are invoked by handing the command
       line to the Bourne shell.  On most Unix systems, if the shell doesn't
       find the specified program it returns a status of one, which denies
       authorization.  However, at least one Unix system (BSDI) returns a
       status code of 2 under these circumstances, which will permit
       authorization, and probably isn't what you intended.

       Note: if your program hangs, the authorization will time out and return
       an error on the client, and you'll tie up a process slot on the daemon
       host, eventually running out of resources.  There is no special code to
       detect this in the daemon.

       The daemon communicates with pre and post (before and after)
       authorization programs over a pair of pipes.  Programs using the
       standard i/o library will use full buffering in these circumstances.
       This should not be a problem, since AV pairs will be read until end of
       file (EOF) is seen on input, and output will be flushed when they exit.

       Fields from the authorization packet can be supplied to the programs as
       arguments on the command line by using the appropriate dollar-sign
       variables in the configuration file.  These fields are:

           user    -- user name
           name    -- client/NAS name
           ip      -- client/NAS IP
           port    -- client/NAS port
           address -- user address (remote user location)
           priv    -- privilege level number (0-15)
           method  -- a digit (1-4)
           type    -- digit (1-4)
           service -- digit (1-7)
           status  -- (pass, fail, error, unknown)

       Unrecognized variables will appear as the string "unknown".

       AV pairs from the authorization packet are fed to the program's
       standard input, one per line.  The program is expected to process the
       AV pairs and write them to its standard output, one per line.  What
       happens then is determined by the exit status of the program.

       Note: when AV pairs containing spaces are listed in the configuration
       file, you need to enclose them in double quotes so that they are parsed
       correctly.  AV pairs which are returned via standard output do not need
       delimiters and so should not be enclosed in double quotes.

       Note: unless special arrangements are made, the daemon will run as root
       and hence the programs it invokes will also run as root, which is a
       security weakness.  It is strongly recommended that FQPNs are used when
       specifying programs to execute, and that the daemon is compiled with
       unprivileged user and group IDs (--with-userid and --with-groupid) so
       that the daemon is not running as root when calling these programs.

587       Calling scripts
588
589       before authorization
590              Specify a  per-user  program  to  be  called  before  any  other
591              authorization attempt is made by using a "before" clause.
592
593                  user = auth1 {
594                      before authorization "/path/pre_authorize $user $port $address"
595                  }
596
597              The  AV  pairs sent from the NAS will be supplied to the program
598              standard input, one pair per line.
599
600              If  the  program  returns  a  status  of  0,  authorization   is
601              unconditionally permitted. No further processing is done on this
602              request and no AV pairs are returned to the client.
603
604              If  the  program  returns  a  status  of  1,  authorization   is
605              unconditionally  denied.  No  further processing is done on this
606              request and no AV pairs are returned to the client.
607
608              If  the  program  returns  a  status  of  2,  authorization   is
609              permitted.   The program is expected to modify the AV pairs that
610              it receives on its standard input (or  to  create  entirely  new
611              ones)  and  to write them, one per line, to its standard output.
612              The new AV pairs will be sent to the client  with  a  status  of
613              AUTHOR_STATUS_PASS_REPL.   No  further processing takes place on
614              this request.
615
616              If the program returns a status of 3, authorization  is  denied,
617              but  all  attributes  returned  by  the  program  via stdout are
618              returned to the client. Also, whatever the  program  returns  on
619              stderr  is  placed into the server-msg field and returned to the
620              client.
621
622              Any other status value returned from the program will  cause  an
623              error to be returned to the client.
624
625              Note:  a  status  of  2  is  not  acceptable  when doing command
626              authorization.
627
628       after authorization
629              Specify a per-user program  to  be  called  after  authorization
630              processing  has  been  performed  by the default, but before the
631              authorization status and AV pairs have been transmitted  to  the
632              client, by using a "after" clause.
633
634                  group = auth1 {
635                      after authorization "/path/post_authorize $user $port $status"
636                  }
637
638              The AV pairs resulting from the authorization algorithm that the
639              daemon proposes to return  to  the  NAS,  are  supplied  to  the
640              program  on standard input, one AV pair per line, so they can be
641              modified if required.
642
643              The program is expected to process the AV pairs and  write  them
644              to  its  standard  output,  one  per  line. What happens then is
645              determined by the exit status of the program:
646
              If the program returns a status of 0, authorization continues as
              if the program had never been called.  Use this, for example, to
              just send mail when an authorization occurs, without otherwise
              affecting normal authorization.
651
652              If   the  program  returns  a  status  of  1,  authorization  is
653              unconditionally denied. No AV pairs are returned to the NAS.  No
654              further authorization processing occurs on this request.
655
656              If the program returns a status of 2, authorization is permitted
657              and any AV pairs returned  from  the  program  on  its  standard
658              output  are  sent  to  the NAS in place of any AV pairs that the
659              daemon may have constructed.
660
661              Any other value will cause an error to be returned to the NAS by
662              the daemon.
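       A hook that follows the contract above, added here as an example and
       not part of tac_plus itself: it reads the proposed AV pairs from stdin,
       echoes them to stdout, and selects the outcome through its exit status.
       The policy it enforces is made up for illustration: privilege level 15
       is denied unless the port is one of the assumed console port names, and
       any inacl, outacl or addr pair the daemon proposed as optional is
       promoted to mandatory, because a NAS may ignore an optional pair.  The
       argument order follows the "$user $port $status" line in the example
       above; the status argument is passed in but not interpreted.

```python
#!/usr/bin/env python3
"""post_authorize: an "after authorization" hook for tac_plus.

Added example, not part of tac_plus.  Called as

    post_authorize <user> <port> <status>

with the daemon's proposed AV pairs on stdin, one per line: "attr=value" for
a mandatory pair, "attr*value" for an optional one.  The exit status selects
the outcome: 0 leaves the daemon's decision alone, 1 denies, 2 permits and
sends the pairs written to stdout in place of the daemon's.
"""
import sys

PASS_THROUGH, DENY, REPLACE = 0, 1, 2

# Attributes that restrict the session.  A NAS may ignore an optional pair,
# so these must never leave the server marked optional.  (Assumed policy.)
RESTRICTIVE = {"inacl", "outacl", "addr"}

# Port names from which privilege level 15 is acceptable.  (Assumed names.)
CONSOLE_PORTS = {"con0", "console"}


def parse_pair(line):
    """Split "attr=value" or "attr*value" into (attr, value, mandatory).

    The separator is the first '=' or '*' in the line; values may contain
    either character themselves, so only the first occurrence counts.
    """
    text = line.rstrip("\n")
    cuts = [i for i in (text.find("="), text.find("*")) if i >= 0]
    if not cuts:
        raise ValueError("not an AV pair: %r" % text)
    i = min(cuts)
    return text[:i], text[i + 1:], text[i] == "="


def format_pair(attr, value, mandatory):
    return attr + ("=" if mandatory else "*") + value


def decide(user, port, status, lines):
    """Return (exit_status, pairs_for_stdout) for one authorization.

    `user` and `status` are available for per-user policy; this example
    keys its decisions on the port and the proposed pairs only.
    """
    out, changed = [], False
    for attr, value, mandatory in (parse_pair(l) for l in lines if l.strip()):
        if attr == "priv-lvl" and value == "15" and port not in CONSOLE_PORTS:
            # Enable-level exec only from the console: deny outright, and
            # send no pairs back (exit 1 discards them anyway).
            return DENY, []
        if attr in RESTRICTIVE and not mandatory:
            mandatory, changed = True, True   # promote to mandatory
        out.append(format_pair(attr, value, mandatory))
    return (REPLACE if changed else PASS_THROUGH), out


def main(argv=None):
    argv = sys.argv if argv is None else argv
    if len(argv) != 4:
        sys.stderr.write("usage: post_authorize <user> <port> <status>\n")
        return DENY   # mis-invoked: fail closed
    user, port, status = argv[1:4]
    code, pairs = decide(user, port, status, sys.stdin.readlines())
    # The daemon reads stdout only on exit 2, but echoing is harmless.
    sys.stdout.write("".join(p + "\n" for p in pairs))
    return code


if __name__ == "__main__":
    sys.exit(main())
```

       Because an exit status of 2 replaces the daemon's AV pairs wholesale,
       the hook echoes every pair it read, not only the ones it changed;
       dropping a pair here silently removes it from the reply.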
663
664       Current attributes are:
665
666           "unknown"
667           "service"
668           "start_time"
669           "port"
670           "elapsed_time"
671           "status"
672           "priv_level"
673           "cmd"
674           "protocol"
675           "cmd-arg"
676           "bytes_in"
677           "bytes_out"
678           "paks_in"
679           "paks_out"
680           "address"
681           "task_id"
682           "callback-dialstring"
683           "nocallback-verify"
684           "callback-line"
685           "callback-rotary"
686
687       Also see the "AV Pairs" section below.
688

AV PAIRS

       AV  (Attribute  Value)  pairs  are  text  strings exchanged between the
       client and server of the form "attribute=value".  In authorization
       request packets the value may be empty, indicating that it is null or
       unspecified.  The equal sign ('=') means that this is a mandatory
       attribute.  An asterisk ('*') may appear in place of the equal sign,
       indicating that it is an optional attribute which either the client or
       server may not understand or may ignore.

       In the configuration file, optional attributes are preceded by the
       "optional" key-word.  For example:

           priv_lvl = 15
           optional allow-shell = true

       On the wire the same distinction is carried by the separator alone.  In
       the following, service and protocol are mandatory and addr is optional,
       so the client may ignore the suggested address:

           service=ppp
           protocol=ip
           addr*131.108.12.44
707
708       The following AV pairs specify which service is being authorized.  They
709       are  typically  accompanied  by protocol AV pairs and other, additional
710       pairs from the lists below.
711
712
713       service=arap
714
       service=shell       for   exec   startup,   and   also   for    command
                           authorizations.  Requires:

                               aaa authorization exec tacacs+

                           Exec authorization alone does not authorize
                           individual commands; for that the NAS also needs
                           an "aaa authorization commands <level> ..." method
                           list naming tacacs+.
720       service=ppp
721
722       service=slip
723
724       service=system      not used.
725
726       service=raccess     Used for managing reverse telnet connections e.g.
727
728                               user = jim {
729                                   login = cleartext lab
730                                   service = raccess {
731                                       port#1 = clientname1/tty2
732                                       port#2 = clientname2/tty5
733                                   }
734                               }
735
736                           Requires IOS configuration
737
738                               aaa authorization reverse-access tacacs+
739
740       protocol=lcp        The  lower  layer  of PPP, always brought up before
741                           IP, IPX, etc.  is brought up.
742
743       protocol=ip         Used with service=ppp and service=slip to  indicate
744                           which protocol layer is being authorized.
745
746       protocol=ipx        Used  with  service=ppp  to indicate which protocol
747                           layer is being authorized.
748
749       protocol=atalk      with service=ppp or service=arap
750
751       protocol=vines      For vines over ppp.
752
       protocol=ccp        Authorization of CCP (Compression Control
                           Protocol).  No other AV pairs are associated with
                           this.
755
756       protocol=cdp        Authorization of CDP (Cisco Discovery Protocol). No
757                           other av-pairs associated with this.
758
759       protocol=multilink  Authorization of multilink PPP.
760
761       protocol=unknown    For undefined/unsupported  conditions.  Should  not
762                           occur under normal circumstances.
763
764       Incomplete   list  of  Cisco  AV  pairs.   Other  vendors  may  provide
765       additional AV pairs specific to their products.
766
767
768       acl    For EXEC authorization  this  contains  an  access-class  number
769              (acl=2)  which is applied to the line (tty) as the output access
770              class.  The specified access-list must be predefined.
771
772              ARAP, EXEC.
773
774       addr   The IP address the remote host should be assigned when a slip or
775              PPP/IP connection is made.  For example: addr=1.2.3.4
776
777              SLIP, PPP/IP.
778
779       autocmd
780              During  exec  startup,  this  specifies an autocommand, like the
781              autocommand option to the username configuration  command.   For
782              example: autocmd="telnet foo.com"
783
784              EXEC.
785
786       callback-line
787              The  number  of  a  TTY line to use for the callback.  Used with
788              service=arap, slip, ppp, or shell.  Does not work for ISDN.
789
790       callback-rotary
791              The number of a rotary group (0 through  100)  to  use  for  the
792              callback.   Used  with service=arap, slip, ppp, and shell.  Does
793              not work for ISDN.
794
795       cmd    If  the  value  of  cmd  is  NULL  (cmd=),  then  this   is   an
796              authorization request for starting an exec.
797
798              If cmd is non-null, this is a command authorization request.  It
799              contains the name of the command being authorized.  For example:
800              cmd=telnet
801
802              EXEC.
803
804       cmd-arg
805              During  command  authorization, the name of the command is given
806              by an accompanying "cmd=" AV pair, and each command argument  is
807              represented by a cmd-arg AV pair e.g. cmd-arg=archie.sura.net
808
809              NOTE: 'cmd-arg' should never appear in a configuration file.  It
810              is used internally by the daemon to construct a string which  is
811              then  matched  against the regular expressions which appear in a
812              cmd clause in the configuration file.
813
814              EXEC.
815
816       dns-servers
817              Identifies a primary or backup DNS server that can be  requested
818              by  Microsoft  PPP  clients  during IPCP negotiation.  Used with
819              service=ppp and protocol=ip.
820
821       gw-password
822              Specifies the password for the home gateway  during  L2F  tunnel
823              authentication.  Used with service=ppp and protocol=vpdn.
824
825       idletime
826              Sets  a  value,  in minutes, after which an IDLE session will be
827              terminated.  Does NOT work for PPP.
828
829              EXEC, 11.1 onward.
830
831       inacl  This AV pair contains an IP or IPX input access list number  for
832              slip  or  PPP  (inacl=2).  The  access  list itself must be pre-
833              configured on the Cisco box. Per-user access lists do  not  work
834              with  ISDN  interfaces  unless  you  also  configure  a  virtual
835              interface. After 11.2(5.1)F, you can also  use  the  name  of  a
836              predefined named access list, instead of a number, for the value
837              of this attribute.
838
839              Note: For IPX, inacl is only valid after 11.2(4)F.
840
841              PPP/IP/IPX.
842
843       inacl#<n>
844              This AV pair contains the definition of an input access list  to
845              be installed and applied to an interface for the duration of the
846              current connection, e.g.
847
848                  inacl#1="permit ip any any precedence immediate"
849                  inacl#2="deny igrp 0.0.1.2 255.255.0.0 any"
850
851              Attributes are sorted numerically before they are applied.   For
852              IP,  standard OR extended access list syntax may be used, but it
853              is an error to mix the two within a given access-list.
854
855              For IPX, only extended access list syntax may be used.
856
857              PPP/IP/PPP/IPX, 11.2(4)F.
858
859       interface-config
860              Specifies user-specific AAA interface configuration  information
861              with  Virtual  Profiles.  The information that follows the equal
862              sign (=) can be any Cisco IOS interface configuration command.
863
864       ip-address
865              List of possible IP addresses, separated by spaces, that can  be
866              used  for  the end-point of a tunnel.  Used with service=ppp and
867              protocol=vpdn.
868
869       link-compression
870              Defines whether to turn on or turn off Stac compression  over  a
871              PPP link.  Valid values are:
872
873                   0    None
874                   1    Stac
875                   2    Stac Draft-9
876                   3    MS-Stac
877
878       load-threshold
879              This  AV  pair  sets  the  load threshold at which an additional
880              multilink link is added to the bundle (if load  goes  above)  or
881              deleted (if load goes below).
882
883                  service=ppp protocol=multilink {
884                      load-threshold=<n>
885                  }
886
887              The range of <n> is [1-255].
888
889              PPP/multilink - Multilink parameter, 11.3.
890
891       max-links
892              This AV pair restricts the number of multilink bundle links that
893              a user can have.
894
895                  service=ppp protocol=multilink {
896                      max-links=<n>
897                  }
898
899              The range of <n> is [1-255].
900
901              PPP/multilink, 11.3.
902
903       nas-password
904              Specifies  the  password  for  the   NAS   during   L2F   tunnel
905              authentication.  Used with service=ppp and protocol=vpdn.
906
907       nocallback-verify
908              Indicates  that  no  callback verification is required. The only
909              valid  value  for  this  parameter  is  the  digit  one,    i.e.
910              nocallback-verify=1.   Not  valid  for  ISDN.   ARAP/EXEC,  11.1
911              onward.
912
913       noescape
914              During  exec  startup,  this  specifies  "noescape",  like   the
915              noescape option to the username configuration command.  Can have
916              as its  value  the  string  "true"  or  "false".   For  example:
917              noescape=true
918
919              EXEC.
920
921       nohangup
922              During   exec  startup,  this  specifies  "nohangup",  like  the
923              nohangup option to the username configuration command.  Can have
924              as  its  value  the  string  "true"  or  "false".   For example:
925              nohangup=true
926
927              EXEC.
928
929       old-prompts
930              Allows the prompts in TACACS+ to appear identical  to  those  of
931              earlier  systems  (TACACS and Extended TACACS).  This allows the
932              upgrade  from  TACACS  or  Extended  TACACS  to  TACACS+  to  be
933              transparent to users.
934
       outacl This AV pair contains an IP or IPX output access list number for
              SLIP, PPP/IP or PPP/IPX connections (outacl=4). The access  list
937              itself  must  be  pre-configured.   Per-user access lists do not
938              work with ISDN interfaces unless you also  configure  a  virtual
939              interface.   PPP/IPX  is  supported  in  11.1 onward only. After
940              11.2(5.1)F, you can also use the  name  of  a  predefined  named
941              access  list,  as  well  as  a  number,  for  the  value of this
942              attribute.
943
944              PPP/IP, PPP/IPX.
945
946       outacl#<n>
947              This AV pair contains an output access  list  definition  to  be
948              installed  and  applied  to an interface for the duration of the
949              current connection.
950
951                  outacl#1="permit ip any any precedence immediate"
952                  outacl#2="deny igrp 0.0.9.10 255.255.0.0 any"
953
954              Attributes are sorted numerically before they are applied.   For
955              IP,  standard OR extended access list syntax may be used, but it
956              is an error to mix the two within a given access-list.
957
958              For IPX, only extended access list syntax may be used.
959
960              PPP/IP/PPP/IPX, 11.2(4)F.
961
962       pool-def#
963              Defines IP address pools on the NAS.  Used with service=ppp  and
964              protocol=ip.
965
966       pool-timeout
967              In  conjunction  with  pool-def, defines IP address pools on the
968              NAS.  During IPCP address negotiation, if an  IP  pool  name  is
969              specified  for  a user (see the addr-pool attribute), a check is
970              made that the named pool is defined on the NAS.  If it  is,  the
971              pool is consulted for an IP address.
972
973       ppp-vj-slot-compression
974              Instructs  the  Cisco  router  not  to use slot compression when
975              sending VJ-compressed packets over a PPP link.
976
       priv-lvl
              Specifies   the   current   privilege    level    for    command
              authorizations,   a  number  from  zero  to  15.   For  example:
              priv-lvl=5.
981
982              Note: in 10.3 this attribute was priv_lvl, i.e.  it contained an
983              underscore instead of a hyphen.
984
985              EXEC.
986
       route  This AV pair specifies a temporary static route to be applied,
              which is expunged once the connection terminates.  The daemon
              side declaration is:

                  service=ppp protocol=ip {
                      route="<dst_addr> <mask> [ <gateway> ]"
                  }

              <dst_addr>, <mask> and <gateway> are IP addresses.  If the
              gateway is omitted, the peer's address is assumed.
997
998              PPP/IP/SLIP, 11.1 onward.
999
1000       route#<n>
1001              Same as the "route" attribute, except that these are  valid  for
1002              IPX  as  well  as  IP,  and they are numbered, allowing multiple
1003              routes to be applied.  For example:
1004
1005                  route#1="3.0.0.0 255.0.0.0 1.2.3.4"
1006                  route#2="4.0.0.0 255.0.0.0"
1007
1008              or, for IPX,
1009
1010                  route#1="4C000000 ff000000 30.12.3.4"
1011                  route#2="5C000000 ff000000 30.12.3.5"
1012
1013              PPP/IP/IPX, 11.2(4)F.
1014
1015       routing
1016              Equivalent to the /routing flag in slip and  ppp  commands.  Can
1017              have as its value the string "true" or "false".
1018
1019              SLIP/PPP/IP.
1020
1021       rte-ftr-in#
1022              Specifies  an  input  access list definition to be installed and
1023              applied to routing updates on  the  current  interface  for  the
1024              duration  of  the  current  connection.   Used  with service=ppp
1025              protocol=ip or protocol=ipx.
1026
1027       rte-ftr-out#
1028              Output version of rte-ftr-in#.
1029
1030       sap#<n>
1031              This  AV  pair  specifies  static  SAPs   (Service   Advertising
1032              Protocol) to be installed for the duration of a connection.  For
1033              example:
1034
1035                  sap#1="4 CE1-LAB 1234.0000.0000.0001 451 4"
1036                  sap#2="5 CE3-LAB 2345.0000.0000.0001 452 5"
1037
1038              The syntax of static saps is the same as that used  by  the  IOS
1039              "ipx sap" command.  Used with service=ppp protocol=ipx.
1040
1041              PPP/IPX, 11.2(4)F.
1042
1043       sap-fltr-in#<n>
1044              This   AV  pair  specifies  an  input  SAP  filter  access  list
1045              definition to be installed and applied to the current interface,
1046              for the duration of the current connection.
1047
1048              Only  Cisco extended access list syntax is legal (ipx input-sap-
1049              filter <number>).  For example:
1050
1051                  sap-fltr-in#1="deny 6C01.0000.0000.0001"
1052                  sap-fltr-in#2="permit -1"
1053
1054              Attributes are sorted numerically before  being  applied.   Used
1055              with service=ppp protocol=ipx.
1056
1057              PPP/IPX, 11.2(4)F.
1058
1059       sap-fltr-out#<n>
1060              This  AV  pair  specifies  an  output  sap  filter  access  list
1061              definition to be installed and applied on the current interface,
1062              for the duration of the current connection.
1063
1064              Only Cisco extended access list syntax is legal (ipx output-sap-
1065              filter <number>), e.g
1066
1067                  sap-fltr-out#1="deny 6C01.0000.0000.0001"
1068                  sap-fltr-out#2="permit -1"
1069
1070              Attributes are sorted numerically before  being  applied.   Used
1071              with service=ppp protocol=ipx.
1072
1073              PPP/IPX, 11.2(4)F.
1074
1075       source-ip
1076              This  specifies  a  single  ip  address that will be used as the
1077              source of all VPDN packets generated as part of the VPDN  tunnel
1078              (see  the  equivalent source-ip keyword in the IOS vpdn outgoing
1079              command).
1080
1081              PPP/VPDN, now deprecated, only  existed  in  releases  11.2(1.4)
1082              thru 11.2(4.0.2).
1083
1084       timeout
1085              Sets  the  time  until  an  ARAP  or  exec  session  disconnects
1086              unconditionally (in minutes).  For example: timeout=60
1087
1088              ARAP/EXEC, 11.0 onward.
1089
1090       tunnel-id
1091              This AV pair  specifies  the  username  that  will  be  used  to
1092              authenticate  the tunnel over which the individual user MID will
1093              be projected.  This is analogous to the "NAS name" in the  "vpdn
1094              outgoing" command.
1095
1096              PPP/VPDN, 11.2 onward.
1097
1098       zonelist
1099              An  Appletalk  zonelist  for  arap (ARAP) equivalent to the line
1100              configuration command "arap zonelist".  For example: zonelist=5.
1101
1102       AV pairs reserved for future use (this list may be out-dated):
1103
1104           ppp-vj-slot-compression
1105           link-compression
1106           asyncmap
1107           x25-addresses (PPP/VPDN)
1108           frame-relay (PPP/VPDN)
1109
       Note: this AV pair list is NOT complete and not all AV pairs are
       supported by all vendors.  See the vendor's documentation.  When a
       client (or server) receives a mandatory AV pair that it does not
       understand, the authorization FAILS!  The converse matters just as
       much: an optional AV pair may be ignored or overridden by the client,
       so a restriction that must hold (an access list, an assigned address,
       an autocmd) should be sent as mandatory rather than marked "optional".
1114
1115       Also  see  the  tac_plus  user guide.  Some of the callback, appletalk,
1116       IPX, VPDN, PPP routing, and address pool related AV pairs found in  the
1117       user guide have been omitted.
1118

ACCOUNTING AV PAIRS

1120       bytes_in            The  number  of input bytes transferred during this
1121                           connection.
1122
1123       bytes_out           The number of output bytes transferred during  this
1124                           connection.
1125
1126       cmd                 The command the user executed.
1127
1128       data-rate           This AV pair has been renamed. See nas-rx-speed.
1129
1130       disc-cause          Specifies  the  reason  a connection was taken off-
1131                           line.  The Disconnect-Cause attribute  is  sent  in
1132                           accounting   stop  records.   This  attribute  also
1133                           causes stop records to be generated  without  first
1134                           generating  start  records  if  disconnected before
1135                           authentication.
1136
1137                                1    User request
1138                                2    Lost carrier
1139                                3    Lost service
1140                                4    Idle timeout
1141                                5    Session timeout
1142                                6    Admin reset
1143                                7    Admin reboot
1144                                8    Port error
1145                                9    NAS error
1146                                10   NAS request
1147                                11   NAS reboot
1148                                12   Port unneeded
1149                                13   Port pre-empted
1150                                14   Port suspended
1151                                15   Service unavailable
1152                                16   Callback
1153                                17   User error
1154                                18   Host request
1155
1156       disc-cause-ext      Extends the disc-cause attribute to support vendor-
1157                           specific  reasons  that a connection was taken off-
1158                           line.
1159
1160                                1000 Session timed out. This value applies to all session types.
1161                                1002 Reason unknown.
1162                                1004 Failure to authenticate calling-party number.
1163                                1010 No carrier detected. This value applies to modem connections.
1164                                1011 Loss of carrier. This value applies to modem connections.
1165                                1012 Failure to detect modem result codes. This value applies to modem connections.
1166                                1020 User terminates a session. This value applies to EXEC sessions.
1167                                1021 Timeout waiting for user input. This value applies to all session types.
1168                                1022 Disconnect due to exiting Telnet session. This value applies to EXEC sessions.
1169                                1023 Could not switch to SLIP/PPP; the remote end has no IP address. This value applies to EXEC sessions.
1170                                1024 Disconnect due to exiting raw TCP. This value applies to EXEC sessions.
1171                                1025 Bad passwords. This value applies to EXEC sessions.
1172                                1026 Raw TCP disabled. This value applies to EXEC sessions.
1173                                1027 Control-C detected. This value applies to EXEC sessions.
1174                                1028 EXEC process destroyed. This value applies to EXEC sessions.
1175                                1040 PPP LCP negotiation timed out. This value applies to PPP sessions.
1176                                1041 PPP LCP negotiation failed.
1177                                1042 PPP PAP authentication failed.
1178                                1043 PPP CHAP authentication failed.
1179                                1044 PPP remote authentication failed.
1180                                1045 PPP received a Terminate Request from remote end.
1181                                1046 Upper layer requested that the session be closed.  This value applies to PPP sessions.
1182                                1101 Session failed for security reasons. This value applies to all session types.
1183                                1102 Session terminated due to callback. This value applies to all session types.
1184                                1120 Call refused because the detected protocol is disabled. This value applies to all session types.
1185
1186       elapsed_time        The elapsed time in seconds for the action.  Useful
1187                           when the device does not keep real time.
1188
1189       event               Information  included in the accounting packet that
1190                           describes a state change  in  the  router.   Events
1191                           described  are  accounting  starting and accounting
1192                           stopping.
1193
1194       mlp-links-max       Gives the count of links known to have  been  in  a
1195                           given  multilink session at the time the accounting
1196                           record is generated.
1197
1198       mlp-sess-id         Reports the identification number of the  multilink
1199                           bundle  when  the  session  closes.  This attribute
1200                           applies to sessions that are part  of  a  multilink
1201                           bundle.   This attribute is sent in authentication-
1202                           response packets.
1203
1204       nas-rx-speed        Specifies the average number  of  bits  per  second
1205                           over the course of the connection's lifetime.  This
1206                           attribute is sent in accounting stop records.
1207
1208       nas-tx-speed        Reports the transmit speed negotiated  by  the  two
1209                           modems.
1210
1211       paks_in             The number of input packets transferred during this
1212                           connection.
1213
1214       paks_out            The number of  output  packets  transferred  during
1215                           this connection.
1216
1217       port                The port into which the user was logged.
1218
1219       pre-bytes-in        Records   the   number   of   input   bytes  before
1220                           authentication.   This   attribute   is   sent   in
1221                           accounting stop records.
1222
1223       pre-bytes-out       Records   the   number   of   output  bytes  before
1224                           authentication.   This   attribute   is   sent   in
1225                           accounting stop records.
1226
1227       pre-paks-in         Records   the   number   of  input  packets  before
1228                           authentication.   This   attribute   is   sent   in
1229                           accounting stop records.
1230
1231       pre-paks-out        Records   the   number  of  output  packets  before
1232                           authentication.   This   attribute   is   sent   in
1233                           accounting stop records as Pre-Output-Packets.
1234
1235       pre-session-time    Specifies the length of time, in seconds, from when
1236                           a  call  first  connects  to  when   it   completes
1237                           authentication.
1238
1239       priv_level          The privilege level associated with the action.
1240
1241       protocol            The protocol associated with the action.
1242
1243       reason              Information  included in the accounting packet that
1244                           describes the event that caused  a  system  change.
1245                           Events   described   are   system   reload,  system
1246                           shutdown, or accounting reconfiguration (turned  on
1247                           or off).
1248
1249       service             The service the user used.
1250
1251       start_time          The  time,  in  seconds since 12:00 a.m. January 1,
1252                           1970, that the action started.  The clock  must  be
1253                           configured to receive this information.
1254
1255       stop_time           The  time,  in  seconds since 12:00 a.m. January 1,
1256                           1970, that the action stopped.  The clock  must  be
1257                           configured to receive this information.
1258
1259       task_id             Start and stop records for the same event must have
1260                           matching (unique) task_id numbers.
1261
1262       timezone            The  time  zone  abbreviation  for  all  timestamps
1263                           included in this packet.
1264
1265       xmit-rate           This AV pair has been renamed nas-tx-speed.
1266
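       The task_id entry above requires start and stop records of one session
       to carry the same task_id, and the disc-cause entry notes that a stop
       record can be generated with no start record when the caller
       disconnects before authentication.  The script below, added here as an
       example and not code from tac_plus, correlates records on that basis
       and reports stops without a start, starts that never stopped, and
       closed sessions whose elapsed_time disagrees with stop_time minus
       start_time.  The log line layout it parses (tab-separated header fields
       followed by the record's AV pairs) and the sample records are
       constructed for the example; this page does not define the accounting
       file format.

```python
"""Correlate tac_plus accounting start/stop records (added example).

task_id ties a stop record to its start record.  A stop without a start is
either a pre-authentication disconnect or a lost record; a start without a
stop is a session still open or a NAS that died; and elapsed_time should
agree with stop_time - start_time when the NAS clock is set.
"""
import collections

# Constructed sample.  The layout is an assumption for this example, not a
# format this manual page defines: tab-separated header fields
#   <timestamp> <NAS address> <user> <port> <remote address> <start|stop>
# followed by the record's AV pairs, one per tab-separated field.
SAMPLE_LOG = (
    "Mon Jan  1 10:00:00 2007\t192.168.1.1\tfred\ttty1\t10.1.1.1\tstart\t"
    "task_id=41\tservice=shell\tstart_time=1167645600\n"
    "Mon Jan  1 10:00:05 2007\t192.168.1.1\tfred\ttty1\t10.1.1.1\tstop\t"
    "task_id=41\tservice=shell\tstart_time=1167645600\tstop_time=1167645605\t"
    "elapsed_time=5\tdisc-cause=1\n"
    "Mon Jan  1 10:01:00 2007\t192.168.1.1\thomer\ttty2\t10.1.1.2\tstart\t"
    "task_id=42\tservice=shell\tstart_time=1167645660\n"
    # stop with an empty user and no start: disconnected before authentication
    "Mon Jan  1 10:02:00 2007\t192.168.1.2\t\ttty3\t10.1.1.3\tstop\t"
    "task_id=7\tservice=shell\tdisc-cause=17\telapsed_time=30\n"
    # elapsed_time (300) does not match stop_time - start_time (30)
    "Mon Jan  1 10:03:00 2007\t192.168.1.1\tfred\ttty4\t10.1.1.4\tstart\t"
    "task_id=43\tservice=shell\tstart_time=1167645780\n"
    "Mon Jan  1 10:03:30 2007\t192.168.1.1\tfred\ttty4\t10.1.1.4\tstop\t"
    "task_id=43\tservice=shell\tstart_time=1167645780\tstop_time=1167645810\t"
    "elapsed_time=300\tdisc-cause=4\n"
)

Record = collections.namedtuple("Record", "ts nas user port remote kind av")


def parse_line(line):
    """Parse one accounting line into a Record; AV pairs become a dict."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError("short accounting record: %r" % line)
    av = {}
    for pair in fields[6:]:
        attr, _, value = pair.partition("=")
        av[attr] = value
    return Record(*fields[:6], av)


def correlate(lines):
    """Pair starts with stops.

    Returns (closed, open_sessions, orphan_stops).  Sessions are keyed by
    (NAS address, task_id): nothing guarantees task_id is unique across
    different NASes, only within one.
    """
    open_sessions, closed, orphan_stops = {}, {}, []
    for rec in (parse_line(l) for l in lines if l.strip()):
        key = (rec.nas, rec.av.get("task_id"))
        if rec.kind == "start":
            open_sessions[key] = rec
        elif rec.kind == "stop":
            start = open_sessions.pop(key, None)
            if start is None:
                orphan_stops.append(rec)
            else:
                closed[key] = (start, rec)
    return closed, open_sessions, orphan_stops


def anomalies(lines):
    """Return human-readable findings for a batch of accounting lines."""
    closed, open_sessions, orphan_stops = correlate(lines)
    msgs = []
    for (nas, task), (start, stop) in closed.items():
        av = stop.av
        if all(k in av for k in ("start_time", "stop_time", "elapsed_time")):
            wall = int(av["stop_time"]) - int(av["start_time"])
            if wall != int(av["elapsed_time"]):
                msgs.append("nas=%s task_id=%s elapsed_time=%s disagrees with "
                            "stop_time-start_time=%d"
                            % (nas, task, av["elapsed_time"], wall))
    for rec in orphan_stops:
        msgs.append("nas=%s task_id=%s stop without start (user=%r, disc-cause=%s)"
                    % (rec.nas, rec.av.get("task_id"), rec.user,
                       rec.av.get("disc-cause", "?")))
    for (nas, task), rec in open_sessions.items():
        msgs.append("nas=%s task_id=%s started %s by %r and never stopped"
                    % (nas, task, rec.ts, rec.user))
    return msgs


if __name__ == "__main__":
    for m in anomalies(SAMPLE_LOG.splitlines(True)):
        print(m)
```

       The elapsed_time comparison is only meaningful when the NAS clock is
       set (see start_time and stop_time above); on a NAS without a clock
       elapsed_time is the only usable duration and the check should be
       skipped.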

EXAMPLE CLIENT CONFIGURATION

1268       Example Cisco configuration for tacacs+:
1269
1270           aaa new-model
1271           aaa authentication login default tacacs+ local
1272           aaa authentication enable default tacacs+ enable
1273           aaa authorization exec default tacacs+
1274           aaa accounting exec default start-stop tacacs+
1275           !
1276           username root privilege 15 password 0 <root's password>
1277           !
1278           tacacs-server key <your key here>
1279           tacacs-server host <ip_address>
1280           ip tacacs source-interface loopback0
1281           !
1282           enable secret 0 <enable password>
1283
       Note that the aaa command syntax varies slightly between Cisco IOS
       versions, and differs again on CatOS (Catalyst OS).

       In the example above, "login default tacacs+ local" consults the local
       "username root" entry only when no TACACS+ server answers, not when a
       server rejects the login, so that account is the fallback whenever the
       daemon is unreachable and its password should be treated accordingly.
       "password 0" stores that password in cleartext in the configuration;
       IOS versions that support "username <name> secret <password>" store a
       hash instead and should use that form.
1286
1287       Example Juniper configuration for tacacs+:
1288
1289           system {
1290               authentication-order [ password tacplus ];
1291               tacplus-server {
1292                   <ip_address> secret <your key here>;
1293                   <ip_address> {
1294                       secret <your key here>;
1295                       timeout 90;
1296                   }
1297               }
1298           }
1299
1300       Both of these examples are brief.  See the vendor's documentation for a
1301       description  of  what  these  configuration  commands  specify  and for
1302       additional commands and arguments.
1303
1304       WARNING:  If not properly configured, it may not be possible  to  login
1305       to the device!
1306

EXAMPLE TAC_PLUS CONFIGURATION

       key = "your key here"
       accounting file = /var/log/tac.acct
       # authenticate users not appearing elsewhere via
       # the file /etc/passwd
       default authentication = file /etc/passwd

       acl = dial_only {
           # All access routers are in 192.168/16, but, except for
           # 192.168.0.1, all backbone routers are in 192.168.0/24.
           # Deny access to the backbone routers.
           permit = ^192\.168\.0\.1$
           deny   = ^192\.168\.0\.
           permit = ^192\.168\.
       }
1322
1323       group = no_backbone {
1324           # permit an exec to start and permit all commands and
1325           # services by default
1326           default service = permit
1327
1328           service = exec {
1329               # When an exec is started, its connection access list
1330               # will be 4. "acl" is quoted because it is a keyword.
1331               # It also has an autocmd
1332               "acl" = 4
1333               autocmd = "telnet duffhost"
1334           }
1335
1336           # group will only be allowed to login on NASes
1337           acl = dial_only
1338       }
1339       group = admin {
1340           # group members who don't have their own login password will be
1341           # looked up in /etc/passwd
1342           login = file /etc/passwd
1343
1344           # group members who have no expiry date set will use this one
1345           expires = "Jan 1 1997"
1346
1347           # deny access to backbone routers
1348           acl = dial_only
1349       }
1350
1351       user = DEFAULT {
1352           service = ppp protocol = ip {
1353               addr-pool=foobar
1354           }
1355       }
1356       user = homer {
1357           default service = permit
1358
1359           member = no_backbone
1360       }
1361       user = fred {
1362           login = des mEX027bHtzTlQ
1363           name = "Fred Flintstone"
1364           member = admin
1365           expires = "May 23 2005"
1366           arap = cleartext "Fred's arap secret"
1367           chap = cleartext "Fred's chap secret"
1368
1369           service = exec {
1370               # When Fred starts an exec, his connection access
1371               # list is 5
1372               "acl" = 5
1373
1374               # We require this autocmd to be done at startup
1375               autocmd = "telnet foo"
1376           }
1377
1378           # All commands except show system are denied for Fred
1379           cmd = show {
1380               # Fred can run the following show command
1381
1382               permit system
1383               deny .*
1384           }
1385
1386           service = ppp protocol = ip {
1387               # Fred can run ip over ppp only if he uses one
1388               # of the following mandatory addresses. If he
1389               # supplies no address, the first one here will
1390               # be mandated
1391
1392               addr=131.108.12.11
1393               addr=131.108.12.12
1394               addr=131.108.12.13
1395               addr=131.108.12.14
1396
1397               # Fred's mandatory input access list number is 101
1398               inacl=101
1399
1400               # We will suggest an output access list of 102, but the NAS may
1401               # choose to ignore or override it
1402
1403               optional outacl=102
1404           }
1405
1406           service = slip {
1407               # Fred can run slip. When he does, he will have to use
1408               # these mandatory access lists
1409
1410               inacl=101
1411               outacl=102
1412           }
1413       }
1414
1415       user = wilma {
1416           # Wilma has no password of her own, but she's a group member so
1417           # she'll use the group password if there is one. Same for her
1418           # password expiry date
1419
1420           member = admin
1421       }
1422

FILES

       /etc/tac_plus.conf            Configuration file.

       /var/log/tac_plus.acct        The default accounting file.

       /var/log/tac_plus.log         The default log file.


SEE ALSO

       gethostbyaddr(3), passwd(5), regexp(3), tac_plus(8), tac_pwd(8)

       Also  see  the  tac_plus  User  Guide  (user_guide)  that came with the
       distribution.  The user guide does not cover all the  modifications  to
       the  original  Cisco version nor does this manual page cover everything
       that is in the user guide (callback configuration, for example).


AUTHOR

       The tac_plus (tacacs+) developer's kit is a product of  Cisco  Systems.
       Made  available  at  no cost and with no warranty of any kind.  See the
       file COPYING and source files  that  came  with  the  distribution  for
       specifics.


HISTORY

       This  manual page was adapted from code inspection and Cisco's tac_plus
       user guide.


BUGS

       This manual page is incomplete.



                                 1 August 2013                tac_plus.conf(5)