tac_plus.conf(5)              File Formats Manual              tac_plus.conf(5)

    tac_plus.conf - tacacs+ daemon configuration file

    This page is a work in progress.

    tac_plus.conf contains configuration information for the tac_plus
    (tacacs+) daemon.

    Each line contains either one of the directives documented below,
    white-space (blanks or tabs), or a comment.

    Syntax enclosed in angle brackets (<>) below refers to syntax
    documented elsewhere in this manual page.

#
    Comments begin with a '#' character and extend to the end of the
    line. Comments may appear anywhere in the configuration file.
    To disable the special meaning of the '#' character, enclose the
    string containing it in double quotes ("#").

accounting
    Only one configurable accounting parameter exists, the destination.
    All accounting records are written to a file, to syslog(3) at
    priority info, or to both.

        accounting syslog;
        accounting file = <filename>

    The default filename is /var/log/tac_plus.acct.

    Since accounting requests occur (and are serviced) asynchronously,
    it is necessary to lock the accounting file so that two writers do
    not write to it simultaneously. The daemon uses fcntl(2) to lock
    the file. Although fcntl(2) locking over NFS is supported on some
    implementations, it is notoriously unreliable. Even where it is
    reliable, locking is likely to be extremely inefficient over NFS.
    The file is best located on a local file system.

acl
    If compiled with acl support (--enable-acls), Access Control Lists
    can be defined to limit a user's (or group's) login and/or enable
    access by daemon client IP address or hostname. An acl is
    referenced by its name, but must be defined before it can be
    referenced.

    The acl is a series of permit or deny statements applied to the
    source IP address that the client used to connect to the daemon.
    The first <regex> that matches ends the evaluation, and the result
    is the permit or deny on the left. If no entry of the acl matches
    a given address, the result is an implicit deny.

        acl = <name> {
            <permission> = <regex>

            # deny 66.1.255/24, allow all else in 66.1/16
            deny = ^66\.1\.255\.
            permit = ^66\.1\.
            # implicit deny (i.e. anything else)
        }

    Briefly, if a company had all its loopback interfaces numbered from
    66.1/16 (and thus all the tacacs clients are within 66.1/16), this
    acl might be used to disallow a user from logging in to (or
    enabling on) any router whose loopback interface is in 66.1.255/24.

    Note: because acls match against the daemon client's source IP
    address, the client should be configured to use a stable source
    such as a loopback interface. For example:

        ip tacacs-server source-interface loopback 0

default authentication
    By default, authentication fails for users that do not appear in
    the configuration file. This directive overrides that behavior,
    thus permitting authentication requests for such users to be
    processed.

        default authentication = file <filename>

    Such users will be authenticated via the <user> "DEFAULT".

    Also see "user = DEFAULT", <default service>, and <default
    attribute>.

group
    Analogous to a <user> and accepting the same syntax, a group
    provides a template of which a <user> or another group can be a
    member.

        group = <name> {
            <user_decl>
        }

    A group may be recursive; that is, a group may be a member of one
    other group (which may be a member of yet another group, and so
    on).

host
    The host clause allows the configuration values noted below to be
    set for the client named by IP address. If tac_plus is started
    with the -L option, the name can also be the hostname as resolved
    from the address with the gethostbyaddr(3) system call, which may
    be the FQDN (Fully Qualified Domain Name) if DNS is used. It is
    recommended that the IP address be used, since the resolver can be
    slow to time out when network faults exist.

        host = <IP address> {
            key = <string>
            prompt = <string>
            enable = <password_spec>
        }

    key specifies the packet encryption <key> for this host.

    prompt specifies the username prompt that will be presented to a
    user.

key
    Specifies an encryption key used to encrypt packets between the
    daemon and clients. This key must match the key configured on the
    clients.

        key = <string>

    The double quotes are only necessary if your key contains white-
    space, key-words, or special characters.

    Note: encryption is highly recommended.

logging
    Specifies the syslog(3) facility used. By default, logs are posted
    to the daemon facility.

        logging = <syslog_fac>

user
    Define a user whose username is <name>.

        user = <name> {
            [ <default service> ]
            <user_attr>
            <svc>
        }

    Note: seventeen special usernames exist: "DEFAULT", "$enable$",
    and "$enabN$" (where N is a privilege level number, normally in
    the range 0-15 on a Cisco). The "$enable$" user is for backward
    compatibility with previous versions of tacacs and is queried for
    privilege level 15 in addition to "$enab15$".

    Also see the "priv-lvl" AV pair in the "AV Pairs" section below
    and the <default authentication> directive.

service
        user = <string> {
            [ default service = <permission> ]
            <user_attr>*
            <svc>*
        }

    Also see the <default service> directive.

attr_value_pair
    Specify an AV (Attribute Value) pair. The "optional" keyword
    specifies that the AV pair is optional.

        [ optional ] <string> = <string>

    Optional AV pairs are only sent to the client if it requests them.
    That is, the client must have included the given AV pair as a
    mandatory or optional pair in the request.

    Some clients react incorrectly and negatively to receiving AV
    pairs that they did not solicit. Optional AV pairs should be
    ignored if they are not recognized or not supported in any given
    context.

    Also see the "Configuring Authorization" and "AV Pairs" sections
    below.

cmd_auth
    Specify command authorization.

    For command authorization, the device should expand all
    abbreviated commands to their full names and compress adjacent
    white-space. For example, when the command "config t" is entered
    it will be expanded to "configure terminal".

        cmd = <string> {
            <cmd-match>
        }

cmd-match
    Specify a command argument match.

        <permission> <regex>
        <permission> <regex>
        ...
        <permission>

    The <regex> matches arguments of the command <string>. For
    example, to allow show diag but no other show commands:

        cmd = show {
            permit diag
            deny
        }

    The end of the <cmd-match> has an implicit <permission> determined
    by <default service>. So, if the 'deny' had been omitted in the
    example above, the result of the authorization would be the value
    of <default service>.

    Note: 'cmd-arg' should never appear in a configuration file. It is
    used internally by the daemon to construct a string which is then
    matched against the regular expressions which appear in a cmd
    clause in the configuration file.

    Note: when a command has multiple arguments, they may be entered
    in many different permutations. It can be cumbersome to create
    regular expressions which will reliably authorize commands under
    these conditions. Administrators may wish to consider other
    methods of performing authorization.

default service
    Specifies the default <permission> for service authorization.

        default service = <permission>

    If omitted, the default is 'deny'.

    Note: if used, <default service> must precede all other <svc>
    directives in a <user> clause.

default attribute
    Specifies the default attribute <permission> for service
    authorization.

        default attribute = <permission>

    Note: if used, <default attribute> must precede all other
    <svc_attr> directives in a <svc> clause.

des_string
    Represents the one-way encryption of a password <string>. For
    example, a password might encrypt to the string 0AmUKnIT2gheo.

    DES is the encryption historically used in Unix passwd(5) files.
    The crypt() function of the system's libcrypt is used to perform
    the encryption. The libcrypt of modern Unices tends to support
    additional encryption algorithms, and thus so does tac_plus. See
    the system's crypt manual page. To utilize another format, use the
    des keyword followed by the crypt string in the format described in
    that manual page. Typically it will have a "$1" prefix for MD5,
    "$2" for blowfish, and so on.

    tac_pwd(8) is a utility supplied with tac_plus to assist in
    performing this encryption.

expires
    Causes the <user>'s password to become invalid, starting on the
    specified expiration date.

        expires "May 23 2005"

    An expiry warning message is sent to the user at login time,
    starting at 14 days before the expiration date.

    If the <user>'s <login> <password_spec> is "file", the "expires"
    field of the configuration file is not consulted. Instead, the
    daemon looks at the "shell" field of the password file entry for a
    valid expiration date.

    If Solaris shadow password files are used for authentication, the
    "expires" field of the configuration file is not consulted. The
    expiry field from the shadow password file (if it exists) is used
    as the expiration date.

    Case is not significant.

filename
    A <string> specifying a file located in the filesystem.

    While the daemon does change directory to / (root) when it starts,
    it is best to specify files by their FQPN (Fully Qualified Path
    Name), that is, a path that begins with /. For example,
    /var/log/file rather than the relative path var/log/file.

IP address
    A <string> representing an IPv4 address in dotted-quad notation.
    For example:

        192.168.1.1

name
    A <string> by which to refer to a configuration element, such as
    an <acl> or a <group>.

    In general, a <name> must be defined before it can be referenced.
    For example, before a <user> can be specified as a member of a
    <group>, the <group> has to be defined.

password_spec
    There are five authentication mechanisms available: no password,
    cleartext, DES, PAM, a file in passwd(5) format, and skey.

        file <filename>
        cleartext <string>
        des <des_string>
        PAM
        skey
        nopassword

    skey is an OTP (One Time Password) facility. The daemon must be
    built with skey support (--enable-skey).

    PAM (Pluggable Authentication Modules framework) is an
    authentication mechanism (and much more) capable of various types
    of authentication methods that are chosen by a configuration file.
    The PAM service name is the name of the tac_plus executable,
    normally "tac_plus". PAM can be used only for login
    authentication; it is not implemented for enable authorization,
    and does not support an OTP-like challenge system (i.e. no
    additional prompting). The daemon must be built with PAM support,
    which is included by default if libpam is found.

    Note: some cases of <password_spec> do not accept all of these
    mechanisms.

permission
    Specifies that some match (for example a <service> or <cmd-match>)
    is to be allowed or denied.

        (permit | deny)

proto
    A protocol is a subset of a service. Typical NAS-supported values
    are atalk, bap, bridging, ccp, cdp, deccp, ip, ipx, lat, lcp,
    multilink, nbf, osicp, pad, rlogin, telnet, tn3270, vines, vpdn,
    xns, xremote, and unknown. Note that 'protocol' is actually an AV
    pair.

string
    A series of characters, not including white-space or tac_plus
    key-words or special characters (i.e. A-Za-z0-9_). To include any
    of those exceptions, enclose the string in double quotes ("this
    has whitespace").

svc
    XXX:

        <svc_auth> | <cmd_auth>

svc_auth
    XXX:

        service = ( arap | connection | exec | ppp protocol = <proto> |
                    shell | slip | system | tty-daemon |
                    <client defined> ) {
            [ <default attribute> ]
            <attr_value_pair>*
        }

    The service AV pair is required.

syslog_fac
    syslog(3) normally has 16 well-known channels, called facilities.
    syslogd(8) can be configured to direct each of these facilities to
    different files. The facilities are named: auth, cron, daemon,
    local[0-7], lpr, mail, news, syslog, user, and uucp.

user_attr
    XXX:

        user = bart {
            arap = cleartext "arap password"
            chap = cleartext "chap password"
            enable = <password_spec>
            pap = cleartext "inbound pap password"
            opap = cleartext "outbound pap password"
            pap = des <des_string>
            pap = file <filename>
            pap = PAM
            login = <password_spec>
            global = cleartext "outbound pap password"
        }

    global specifies the authentication method for all services.
    login applies to normal logins (exec). arap, chap, pap, and opap
    (outbound PAP) service passwords may be defined separately.

    NOTE: a global user password cannot be used for outbound PAP.
    This is because outbound PAP is implemented by sending the
    password from the daemon to the client. This is a security issue
    if the <key> is ever compromised.

    enable specifies the enable password. The <password_spec> may only
    be of type cleartext, des, nopassword or file. If the daemon was
    compiled with per-user enable support (--enable-uenable), the host
    enable password will be evaluated if and only if the user does not
    have a personal enable password.

    Draft notes on the remaining attributes: login, name, member (only
    one member may be given). Examples:

        default service = permit
        expires "May 23 2005"
        arap = cleartext "Fred's arap secret"
        chap = cleartext "Fred's chap secret"
        acl = <string>
        enableacl = <string>

    In the case of recursion, the first match is returned. A host
    enable is cleartext, des, nopassword or file only.

        user_attr :=
            name = <string> |
            login = <password_spec> |
            member = <string> |
            expires = <string> |
            arap = cleartext <string> |
            chap = cleartext <string> |
        #ifdef MSCHAP
            ms-chap = cleartext <string> |
        #endif
            pap = cleartext <string> |
            pap = des <string> |
            pap = file <filename> |
        #ifdef PAM
            pap = PAM |
        #endif
            opap = cleartext <string> |
            global = cleartext <string> |
            msg = <string> |
            before authorization = <string> |
            after authorization = <string>

Configuring Authorization

Authorizing a single session can result in multiple requests being sent
to the daemon. For example, to authorize a dialin ppp user for IP, the
following authorization requests would be made from the client:

    1) An initial authorization request to start up ppp from the exec,
       using the AV pairs service=ppp protocol=ip, will be made (Note:
       this initial request will be omitted if you are autoselecting
       ppp, since the username will not be known yet).

       This request is really done to find the address for dumb PPP (or
       SLIP) clients which cannot do address negotiation. Instead, they
       expect you to tell them what address to use before PPP starts
       up, via a text message.

    2) Next, an authorization request is made from the PPP subsystem to
       see if ppp's LCP layer is authorized. LCP parameters can be set
       at this time (e.g. callback). This request contains the AV pairs
       service=ppp protocol=lcp.

    3) Next, an authorization request to start up ppp's IPCP layer is
       made using the AV pairs service=ppp protocol=ipcp. Any
       parameters returned by the daemon are cached.

    4) Next, during PPP's address negotiation phase, each time the
       remote peer requests a specific address, if that address isn't
       in the cache obtained in step 3, a new authorization request is
       made to see if the peer's requested address is allowable. This
       step can be repeated multiple times until both sides agree on
       the remote peer's address or until the NAS (or client) decides
       they're never going to agree and shuts down PPP instead.

As you can see from the above, a program which plans to handle
authorization must be able to handle a variety of requests and respond
appropriately.

Authorization must be configured on both the client and the daemon to
operate correctly. By default, the client will allow everything until
configured to make authorization requests to the daemon.

With the daemon, the opposite is true; by default, the daemon will deny
authorization of anything that isn't explicitly permitted.

Authorization allows the daemon to deny commands and services outright,
or to modify commands and services on a per-user basis. Authorization
on the daemon is divided into two separate parts: commands and
services.

Authorizing:

commands
    Exec commands are those commands which are typed at a Cisco exec
    prompt. When authorization is requested by the NAS, the entire
    command is sent to the daemon for authorization.

    Command authorization is configured by specifying a list of
    <regex>s to match command arguments and an action which is a
    <permission>.

    The following permits user Fred to run these commands:

        telnet 131.108.13.<any number> and
        telnet 128.<any number>.12.3 and
        show <anything>

    All other commands are denied (by default).

        user=fred {
            cmd = telnet {
                # permit specified telnets
                permit 131\.108\.13\.[0-9]+
                permit 128\.[0-9]+\.12\.3
            }
            cmd = show {
                # permit show commands
                permit .*
            }
        }

    The command and arguments which the user types are matched to the
    regular expressions specified in the configuration file (in order
    of appearance). The first successful match performs the associated
    action (<permission>). If there is no match, the command is denied
    by default.
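    As an added illustration, not part of this manual or of the tac_plus
    sources, the following Python reproduces the first-match evaluation
    described here for user fred's cmd clauses, the "show diag" clause
    from the cmd-match section, and the acl clause from the acl section
    (implicit deny when nothing matches). The configuration tables and
    the request AV pairs are constructed for the example, and the daemon
    is assumed to join cmd-arg values with single spaces when it builds
    the string it matches.

```python
import re

# Constructed configuration mirroring the manual's examples: the acl from
# the "acl" section, user fred's cmd clauses from "Authorizing commands",
# and the "show diag" clause from "cmd-match". Each clause is an ordered
# list of (permission, regex); a bare permission has an empty regex.
ACL_66_1 = [
    ("deny", r"^66\.1\.255\."),   # deny 66.1.255/24 ...
    ("permit", r"^66\.1\."),      # ... allow all else in 66.1/16
]

FRED_CMDS = {
    "telnet": [
        ("permit", r"131\.108\.13\.[0-9]+"),
        ("permit", r"128\.[0-9]+\.12\.3"),
    ],
    "show": [
        ("permit", r".*"),
    ],
}

SHOW_DIAG = [
    ("permit", r"diag"),
    ("deny", r""),                # trailing bare deny: matches anything
]


def first_match(rules, subject, default):
    """First-match evaluation: the first <regex> that matches ends the
    search and its <permission> is the result; if nothing matches the
    caller's default applies."""
    for permission, regex in rules:
        if re.search(regex, subject):
            return permission
    return default


def evaluate_acl(acl, client_ip):
    """An acl is applied to the client's source IP address and has an
    implicit deny when no entry matches."""
    return first_match(acl, client_ip, "deny")


def authorize_command(cmd_clauses, av_pairs, default_service="deny"):
    """Command authorization from the request's AV pairs.

    The request carries cmd=<name> plus one cmd-arg=<arg> pair per
    argument. The daemon builds one string from the cmd-arg values
    (assumed here to be joined by single spaces) and matches it against
    the regexes of the cmd clause named by cmd. A command with no cmd
    clause, or whose arguments match no entry, gets <default service>,
    which is deny unless the user clause sets it.
    """
    cmd = None
    args = []
    for pair in av_pairs:
        attr, _, value = pair.partition("=")
        if attr == "cmd":
            cmd = value
        elif attr == "cmd-arg":
            args.append(value)
    if not cmd:
        # "cmd=" with a null value is an exec-start request, not a
        # command authorization request.
        raise ValueError("not a command authorization request")
    rules = cmd_clauses.get(cmd)
    if rules is None:
        return default_service
    return first_match(rules, " ".join(args), default_service)
```

    Because the regexes in the manual's examples are unanchored (and are
    searched for, not matched from the start, here), permit
    131\.108\.13\.[0-9]+ also accepts an argument such as 1131.108.13.5;
    anchoring patterns with ^ and $ avoids that kind of surprise.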

    Also see the <default authentication>, <default authorization>,
    <default attribute>, and <default service> directives.

There are some limitations to the authorization that can be done using
a configuration file. One solution is to arrange for the daemon to
call user-supplied programs to control authorization. These "callouts"
permit almost complete control over authorization, allowing you to read
all the fields in the authorization packet sent by the client,
including all its AV pairs, and to set the authorization status and
send a new set of AV pairs to the client in response.

Pre and post authorization programs are invoked by handing the command
line to the Bourne shell. On most Unix systems, if the shell doesn't
find the specified program it returns a status of one, which denies
authorization. However, at least one Unix system (BSDI) returns a
status code of 2 under these circumstances, which will permit
authorization, and probably isn't what you intended.

Note: if your program hangs, the authorization will time out and return
an error on the client, and you'll tie up a process slot on the daemon
host, eventually running out of resources. There is no special code to
detect this in the daemon.

The daemon communicates with pre and post (before and after)
authorization programs over a pair of pipes. Programs using the
standard i/o library will use full buffering in these circumstances.
This should not be a problem, since AV pairs will be read until end of
file (EOF) is seen on input, and output will be flushed when they exit.

Fields from the authorization packet can be supplied to the programs as
arguments on the command line by using the appropriate dollar-sign
variables in the configuration file. These fields are:

    user    -- user name
    name    -- client/NAS name
    ip      -- client/NAS IP
    port    -- client/NAS port
    address -- user address (remote user location)
    priv    -- privilege level number (0-15)
    method  -- a digit (1-4)
    type    -- a digit (1-4)
    service -- a digit (1-7)
    status  -- (pass, fail, error, unknown)

Unrecognized variables will appear as the string "unknown".

AV pairs from the authorization packet are fed to the program's
standard input, one per line. The program is expected to process the AV
pairs and write them to its standard output, one per line. What happens
then is determined by the exit status of the program.

Note: when AV pairs containing spaces are listed in the configuration
file, you need to enclose them in double quotes so that they are parsed
correctly. AV pairs which are returned via standard output do not need
delimiters and so should not be enclosed in double quotes.

Note: unless special arrangements are made, the daemon will run as root
and hence the programs it invokes will also run as root, which is a
security weakness. It is strongly recommended that FQPNs are used when
specifying programs to execute, and that the daemon is compiled with
unprivileged user and group IDs (--with-userid and --with-groupid) so
that the daemon is not running as root when calling these programs.

Calling scripts

before authorization
    Specify a per-user program to be called before any other
    authorization attempt is made by using a "before" clause.

        user = auth1 {
            before authorization "/path/pre_authorize $user $port $address"
        }

    The AV pairs sent from the NAS will be supplied to the program's
    standard input, one pair per line.

    If the program returns a status of 0, authorization is
    unconditionally permitted. No further processing is done on this
    request and no AV pairs are returned to the client.

    If the program returns a status of 1, authorization is
    unconditionally denied. No further processing is done on this
    request and no AV pairs are returned to the client.

    If the program returns a status of 2, authorization is permitted.
    The program is expected to modify the AV pairs that it receives on
    its standard input (or to create entirely new ones) and to write
    them, one per line, to its standard output. The new AV pairs will
    be sent to the client with a status of AUTHOR_STATUS_PASS_REPL. No
    further processing takes place on this request.

    If the program returns a status of 3, authorization is denied, but
    all attributes returned by the program via stdout are returned to
    the client. Also, whatever the program returns on stderr is placed
    into the server-msg field and returned to the client.

    Any other status value returned from the program will cause an
    error to be returned to the client.

    Note: a status of 2 is not acceptable when doing command
    authorization.

after authorization
    Specify a per-user program to be called after the daemon's normal
    (default) authorization processing has been performed, but before
    the authorization status and AV pairs have been transmitted to the
    client, by using an "after" clause.

        group = auth1 {
            after authorization "/path/post_authorize $user $port $status"
        }

    The AV pairs resulting from the authorization algorithm, which the
    daemon proposes to return to the NAS, are supplied to the program
    on standard input, one AV pair per line, so they can be modified
    if required.

    The program is expected to process the AV pairs and write them to
    its standard output, one per line. What happens then is determined
    by the exit status of the program:

    If the program returns a status of 0, authorization continues as
    if the program had never been called. Use this, for example, to
    just send mail when an authorization occurs, without otherwise
    affecting normal authorization.

    If the program returns a status of 1, authorization is
    unconditionally denied. No AV pairs are returned to the NAS. No
    further authorization processing occurs on this request.

    If the program returns a status of 2, authorization is permitted
    and any AV pairs returned from the program on its standard output
    are sent to the NAS in place of any AV pairs that the daemon may
    have constructed.

    Any other value will cause an error to be returned to the NAS by
    the daemon.
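    An added example of an after-authorization program, written for
    this page and not shipped with tac_plus: invoked as post_authorize
    $user $port $status, it reads the daemon's proposed AV pairs from
    standard input until EOF, applies a constructed policy (deny any
    reply that would grant priv-lvl 15 to a user outside an allow list;
    add an idle timeout to replies that lack one, assuming the users it
    is attached to are exec users), and reports the decision through
    the exit statuses documented above. The allow list, the timeout
    value and the use of status 4 for errors are assumptions made for
    the example.

```python
import io
import sys

# Constructed policy for this example (not part of tac_plus): users who
# may be handed privilege level 15, and the idle timeout (minutes) added
# to replies that lack one.
PRIV15_ALLOWED = {"netops"}
DEFAULT_IDLETIME = "10"

# Exit statuses for an "after authorization" program, as documented.
CONTINUE, DENY, REPLACE = 0, 1, 2
ERROR = 4                      # any other value: error returned to NAS


def split_pair(line):
    """Split a wire-format AV pair into (attribute, separator, value).
    The separator is '=' (mandatory) or '*' (optional); the value may be
    empty, as in "cmd=" for an exec start."""
    for i, ch in enumerate(line):
        if ch in "=*":
            return line[:i], ch, line[i + 1:]
    raise ValueError("malformed AV pair: %r" % line)


def decide(user, port, status, pairs):
    """Return (exit_status, pairs_to_emit) for one proposed reply."""
    if status != "pass":
        return CONTINUE, []        # leave fail/error/unknown untouched
    attrs = {a: v for a, _, v in (split_pair(p) for p in pairs)}
    # Guard rail: never let a reply grant priv-lvl 15 to a user outside
    # the allow list, whatever the configuration file says.
    if attrs.get("priv-lvl") == "15" and user not in PRIV15_ALLOWED:
        return DENY, []
    # Status 2 replaces the daemon's pairs wholesale, so re-emit all of
    # them plus the addition.
    if "idletime" not in attrs:
        return REPLACE, pairs + ["idletime=" + DEFAULT_IDLETIME]
    return CONTINUE, []


def main(argv, stdin, stdout, stderr):
    if len(argv) != 3:
        stderr.write("usage: post_authorize user port status\n")
        return ERROR
    user, port, status = argv
    # Read until EOF: the daemon closes its end of the pipe after the
    # last pair, and stdio is fully buffered on a pipe anyway.
    pairs = [line.rstrip("\n") for line in stdin if line.strip()]
    try:
        code, out = decide(user, port, status, pairs)
    except ValueError as err:
        stderr.write(str(err) + "\n")
        return ERROR
    for pair in out:
        stdout.write(pair + "\n")  # no quoting on standard output
    stdout.flush()
    return code


def run(argv, text):
    """Drive main() on an in-memory request; returns (status, stdout)."""
    out = io.StringIO()
    code = main(argv, io.StringIO(text), out, io.StringIO())
    return code, out.getvalue()


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:], sys.stdin, sys.stdout, sys.stderr))
```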

    Current attributes are:

        "unknown"
        "service"
        "start_time"
        "port"
        "elapsed_time"
        "status"
        "priv_level"
        "cmd"
        "protocol"
        "cmd-arg"
        "bytes_in"
        "bytes_out"
        "paks_in"
        "paks_out"
        "address"
        "task_id"
        "callback-dialstring"
        "nocallback-verify"
        "callback-line"
        "callback-rotary"

    Also see the "AV Pairs" section below.

AV Pairs

AV (Attribute Value) pairs are text strings exchanged between the
client and server of the form "attribute=value". The value may not
appear in authorization request packets, indicating that it is null or
unspecified. The equal sign ('=') means that this is a mandatory
attribute. An asterisk ('*') may appear in place of the equal sign,
indicating that it is an optional attribute which either the client or
server may not understand or may ignore.

Optional attributes are preceded by the "optional" key-word in the
configuration. For example, in the configuration file:

    priv_lvl = 15
    optional allow-shell = true

and as exchanged between client and server:

    service=ppp
    protocol=ip
    addr*131.108.12.44
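An added example (not from this manual or from tac_plus) showing the two
representations just described in Python: configuration lines carrying
the optional keyword, and wire-format pairs separated by '=' or '*'.
build_reply applies the rule from attr_value_pair that an optional
attribute is returned only when the client included that attribute
(mandatory or optional) in its request. The service clause contents and
the requests are constructed for the example.

```python
import re

# Wire-format pair: attribute, then '=' (mandatory) or '*' (optional),
# then a possibly empty value.
PAIR_RE = re.compile(r"^([^=*]+)([=*])(.*)$")

# Configuration form: [ optional ] <string> = <string>, where a value
# containing white-space or special characters is double-quoted.
CONFIG_RE = re.compile(r'^\s*(optional\s+)?([^\s=]+)\s*=\s*(.*?)\s*$')


def parse_pair(text):
    """Parse one wire-format AV pair into (attribute, value, mandatory)."""
    m = PAIR_RE.match(text)
    if m is None:
        raise ValueError("malformed AV pair: %r" % text)
    attr, sep, value = m.groups()
    return attr, value, sep == "="


def format_pair(attr, value, mandatory):
    """Render a pair for the wire: attribute=value or attribute*value."""
    return "%s%s%s" % (attr, "=" if mandatory else "*", value)


def parse_config_attr(line):
    """Parse one <attr_value_pair> configuration line into
    (attribute, value, mandatory), stripping the value's quotes."""
    m = CONFIG_RE.match(line)
    if m is None:
        raise ValueError("bad attr_value_pair: %r" % line)
    optional, attr, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, value, optional is None


def build_reply(config_lines, request_pairs):
    """Compute the wire-format pairs to return for a request.

    Mandatory configured attributes are always returned. Optional ones
    are returned only if the client asked for that attribute, i.e. the
    request carried it as a mandatory or optional pair.
    """
    requested = {parse_pair(p)[0] for p in request_pairs}
    reply = []
    for line in config_lines:
        attr, value, mandatory = parse_config_attr(line)
        if mandatory or attr in requested:
            reply.append(format_pair(attr, value, mandatory))
    return reply


# Constructed contents of a service clause, as they would appear in
# tac_plus.conf (the attribute names are Cisco AV pairs from this page).
SHELL_ATTRS = [
    "priv-lvl = 15",
    "optional allow-shell = true",
    'optional autocmd = "telnet foo.com"',
]
```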

The following AV pairs specify which service is being authorized. They
are typically accompanied by protocol AV pairs and other, additional
pairs from the lists below.

service=arap

service=shell
    For exec startup, and also for command authorizations. Requires:

        aaa authorization exec tacacs+

service=ppp

service=slip

service=system
    Not used.

service=raccess
    Used for managing reverse telnet connections, e.g.

        user = jim {
            login = cleartext lab
            service = raccess {
                port#1 = clientname1/tty2
                port#2 = clientname2/tty5
            }
        }

    Requires the IOS configuration

        aaa authorization reverse-access tacacs+

protocol=lcp
    The lower layer of PPP, always brought up before IP, IPX, etc. is
    brought up.

protocol=ip
    Used with service=ppp and service=slip to indicate which protocol
    layer is being authorized.

protocol=ipx
    Used with service=ppp to indicate which protocol layer is being
    authorized.

protocol=atalk
    With service=ppp or service=arap.

protocol=vines
    For vines over ppp.

protocol=ccp
    Authorization of CCP (Compression Control Protocol). No other
    AV-pairs associated with this.

protocol=cdp
    Authorization of CDP (Cisco Discovery Protocol). No other AV-pairs
    associated with this.

protocol=multilink
    Authorization of multilink PPP.

protocol=unknown
    For undefined/unsupported conditions. Should not occur under
    normal circumstances.

Incomplete list of Cisco AV pairs. Other vendors may provide additional
AV pairs specific to their products.

acl
    For EXEC authorization this contains an access-class number
    (acl=2) which is applied to the line (tty) as the output access
    class. The specified access-list must be predefined.

    ARAP, EXEC.

addr
    The IP address the remote host should be assigned when a slip or
    PPP/IP connection is made. For example: addr=1.2.3.4

    SLIP, PPP/IP.

autocmd
    During exec startup, this specifies an autocommand, like the
    autocommand option to the username configuration command. For
    example: autocmd="telnet foo.com"

    EXEC.

callback-line
    The number of a TTY line to use for the callback. Used with
    service=arap, slip, ppp, or shell. Does not work for ISDN.

callback-rotary
    The number of a rotary group (0 through 100) to use for the
    callback. Used with service=arap, slip, ppp, and shell. Does not
    work for ISDN.

cmd
    If the value of cmd is NULL (cmd=), then this is an authorization
    request for starting an exec.

    If cmd is non-null, this is a command authorization request. It
    contains the name of the command being authorized. For example:
    cmd=telnet

    EXEC.

cmd-arg
    During command authorization, the name of the command is given by
    an accompanying "cmd=" AV pair, and each command argument is
    represented by a cmd-arg AV pair, e.g. cmd-arg=archie.sura.net

    NOTE: 'cmd-arg' should never appear in a configuration file. It is
    used internally by the daemon to construct a string which is then
    matched against the regular expressions which appear in a cmd
    clause in the configuration file.

    EXEC.

dns-servers
    Identifies a primary or backup DNS server that can be requested by
    Microsoft PPP clients during IPCP negotiation. Used with
    service=ppp and protocol=ip.

gw-password
    Specifies the password for the home gateway during L2F tunnel
    authentication. Used with service=ppp and protocol=vpdn.

idletime
    Sets a value, in minutes, after which an IDLE session will be
    terminated. Does NOT work for PPP.

    EXEC, 11.1 onward.

inacl
    This AV pair contains an IP or IPX input access list number for
    slip or PPP (inacl=2). The access list itself must be pre-
    configured on the Cisco box. Per-user access lists do not work
    with ISDN interfaces unless you also configure a virtual
    interface. After 11.2(5.1)F, you can also use the name of a
    predefined named access list, instead of a number, for the value
    of this attribute.

    Note: For IPX, inacl is only valid after 11.2(4)F.

    PPP/IP/IPX.

inacl#<n>
    This AV pair contains the definition of an input access list to be
    installed and applied to an interface for the duration of the
    current connection, e.g.

        inacl#1="permit ip any any precedence immediate"
        inacl#2="deny igrp 0.0.1.2 255.255.0.0 any"

    Attributes are sorted numerically before they are applied. For IP,
    standard OR extended access list syntax may be used, but it is an
    error to mix the two within a given access-list.

    For IPX, only extended access list syntax may be used.

    PPP/IP/PPP/IPX, 11.2(4)F.

interface-config
    Specifies user-specific AAA interface configuration information
    with Virtual Profiles. The information that follows the equal sign
    (=) can be any Cisco IOS interface configuration command.

ip-address
    List of possible IP addresses, separated by spaces, that can be
    used for the end-point of a tunnel. Used with service=ppp and
    protocol=vpdn.

link-compression
    Defines whether to turn on or turn off Stac compression over a PPP
    link. Valid values are:

        0  None
        1  Stac
        2  Stac Draft-9
        3  MS-Stac

load-threshold
    This AV pair sets the load threshold at which an additional
    multilink link is added to the bundle (if load goes above) or
    deleted (if load goes below).

        service=ppp protocol=multilink {
            load-threshold=<n>
        }

    The range of <n> is [1-255].

    PPP/multilink - Multilink parameter, 11.3.

max-links
    This AV pair restricts the number of multilink bundle links that a
    user can have.

        service=ppp protocol=multilink {
            max-links=<n>
        }

    The range of <n> is [1-255].

    PPP/multilink, 11.3.

nas-password
    Specifies the password for the NAS during L2F tunnel
    authentication. Used with service=ppp and protocol=vpdn.

nocallback-verify
    Indicates that no callback verification is required. The only
    valid value for this parameter is the digit one, i.e.
    nocallback-verify=1. Not valid for ISDN. ARAP/EXEC, 11.1 onward.

noescape
    During exec startup, this specifies "noescape", like the noescape
    option to the username configuration command. Can have as its
    value the string "true" or "false". For example: noescape=true

    EXEC.

nohangup
    During exec startup, this specifies "nohangup", like the nohangup
    option to the username configuration command. Can have as its
    value the string "true" or "false". For example: nohangup=true

    EXEC.

old-prompts
    Allows the prompts in TACACS+ to appear identical to those of
    earlier systems (TACACS and Extended TACACS). This allows the
    upgrade from TACACS or Extended TACACS to TACACS+ to be
    transparent to users.

outacl
    This AV pair contains an IP or IPX output access list number for
    SLIP, PPP/IP or PPP/IPX connections (outacl=4). The access list
    itself must be pre-configured. Per-user access lists do not work
    with ISDN interfaces unless you also configure a virtual
    interface. PPP/IPX is supported in 11.1 onward only. After
    11.2(5.1)F, you can also use the name of a predefined named access
    list, as well as a number, for the value of this attribute.

    PPP/IP, PPP/IPX.

outacl#<n>
    This AV pair contains an output access list definition to be
    installed and applied to an interface for the duration of the
    current connection.

        outacl#1="permit ip any any precedence immediate"
        outacl#2="deny igrp 0.0.9.10 255.255.0.0 any"

    Attributes are sorted numerically before they are applied. For IP,
    standard OR extended access list syntax may be used, but it is an
    error to mix the two within a given access-list.

    For IPX, only extended access list syntax may be used.
959
960 PPP/IP/PPP/IPX, 11.2(4)F.

pool-def#
Defines IP address pools on the NAS. Used with service=ppp and
protocol=ip.

pool-timeout
In conjunction with pool-def, defines IP address pools on the
NAS. During IPCP address negotiation, if an IP pool name is
specified for a user (see the addr-pool attribute), a check is
made that the named pool is defined on the NAS. If it is, the
pool is consulted for an IP address.

ppp-vj-slot-compression
Instructs the Cisco router not to use slot compression when
sending VJ-compressed packets over a PPP link.

priv-lvl
Specifies the current privilege level for command
authorizations, a number from zero to 15. For example:
priv-lvl=5.

Note: in 10.3 this attribute was priv_lvl, i.e. it contained an
underscore instead of a hyphen.

EXEC.

route This AV pair specifies a temporary static route to be applied,
which is expunged once the connection terminates. The daemon side
declaration is:

    service=ppp protocol=ip {
        route="<dst_addr> <mask> [ <gateway> ]"
    }

<dst_addr>, <mask> and <gateway> are each an <IP address>. If the
gateway is omitted, the peer's address is assumed.

PPP/IP/SLIP, 11.1 onward.

route#<n>
Same as the "route" attribute, except that these are valid for
IPX as well as IP, and they are numbered, allowing multiple
routes to be applied. For example:

    route#1="3.0.0.0 255.0.0.0 1.2.3.4"
    route#2="4.0.0.0 255.0.0.0"

or, for IPX,

    route#1="4C000000 ff000000 30.12.3.4"
    route#2="5C000000 ff000000 30.12.3.5"

PPP/IP/IPX, 11.2(4)F.

routing
Equivalent to the /routing flag in slip and ppp commands. Can
have as its value the string "true" or "false".

SLIP/PPP/IP.

rte-ftr-in#
Specifies an input access list definition to be installed and
applied to routing updates on the current interface for the
duration of the current connection. Used with service=ppp
protocol=ip or protocol=ipx.

rte-ftr-out#
Output version of rte-ftr-in#.

sap#<n>
This AV pair specifies static SAPs (Service Advertising
Protocol) to be installed for the duration of a connection. For
example:

    sap#1="4 CE1-LAB 1234.0000.0000.0001 451 4"
    sap#2="5 CE3-LAB 2345.0000.0000.0001 452 5"

The syntax of static saps is the same as that used by the IOS
"ipx sap" command. Used with service=ppp protocol=ipx.

PPP/IPX, 11.2(4)F.

sap-fltr-in#<n>
This AV pair specifies an input SAP filter access list
definition to be installed and applied to the current interface,
for the duration of the current connection.

Only Cisco extended access list syntax is legal
(ipx input-sap-filter <number>). For example:

    sap-fltr-in#1="deny 6C01.0000.0000.0001"
    sap-fltr-in#2="permit -1"

Attributes are sorted numerically before being applied. Used
with service=ppp protocol=ipx.

PPP/IPX, 11.2(4)F.

sap-fltr-out#<n>
This AV pair specifies an output SAP filter access list
definition to be installed and applied on the current interface,
for the duration of the current connection.

Only Cisco extended access list syntax is legal
(ipx output-sap-filter <number>), e.g.

    sap-fltr-out#1="deny 6C01.0000.0000.0001"
    sap-fltr-out#2="permit -1"

Attributes are sorted numerically before being applied. Used
with service=ppp protocol=ipx.

PPP/IPX, 11.2(4)F.

source-ip
This specifies a single IP address that will be used as the
source of all VPDN packets generated as part of the VPDN tunnel
(see the equivalent source-ip keyword in the IOS vpdn outgoing
command).

PPP/VPDN, now deprecated, only existed in releases 11.2(1.4)
thru 11.2(4.0.2).

timeout
Sets the time until an ARAP or exec session disconnects
unconditionally (in minutes). For example: timeout=60

ARAP/EXEC, 11.0 onward.

tunnel-id
This AV pair specifies the username that will be used to
authenticate the tunnel over which the individual user MID will
be projected. This is analogous to the "NAS name" in the "vpdn
outgoing" command.

PPP/VPDN, 11.2 onward.

zonelist
An AppleTalk zonelist for arap (ARAP) equivalent to the line
configuration command "arap zonelist". For example: zonelist=5.

AV pairs reserved for future use (this list may be out-dated):

    ppp-vj-slot-compression
    link-compression
    asyncmap
    x25-addresses (PPP/VPDN)
    frame-relay (PPP/VPDN)

Note: this AV pair list is NOT complete and not all AV pairs are
supported by all vendors. See the vendor's documentation. When a
client (or server) receives a mandatory AV pair that it does not
understand, the authorization FAILS!
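The note above is the practical consequence of how the mandatory/optional
distinction is carried on the wire: an attribute written as "attr=value" in a
tac_plus.conf service block is sent as a mandatory pair (separator "=") and one
written as "optional attr=value" is sent as an optional pair (separator "*",
RFC 8907 section 6.1). The following Python is an added example, not code
from tac_plus or Cisco; it encodes configuration lines into wire pairs and
then applies a reply on the client side, failing the authorization on an
unsupported mandatory pair, dropping an unsupported optional pair, and sorting
numbered attributes (inacl#<n>, route#<n>, ...) numerically rather than as
strings, as the attribute descriptions above require. The set of attributes
the client "supports" and the sample replies are constructed for the example.

```python
"""Added example, not tac_plus or Cisco code: how the mandatory/optional
distinction in tac_plus.conf is carried on the wire and what a client does
with it.

On the wire (RFC 8907, section 6.1) the separator is the flag:
'attr=value' is mandatory and 'attr*value' is optional. tac_plus sends a
plain 'attr=value' configuration line as mandatory and an
'optional attr=value' line as optional.
"""
import re
from dataclasses import dataclass

AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)   # first '=' or '*' is the separator
INDEXED_RE = re.compile(r"^(.*)#(\d+)$")             # inacl#10 -> ("inacl", 10)


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool

    def encode(self) -> str:
        return f"{self.attr}{'=' if self.mandatory else '*'}{self.value}"


def parse_av(raw: str) -> AVPair:
    """Decode one wire AV pair; malformed input is rejected rather than guessed."""
    m = AV_RE.match(raw)
    if not m:
        raise ValueError(f"malformed AV pair: {raw!r}")
    attr, sep, value = m.groups()
    return AVPair(attr, value, sep == "=")


def encode_config(lines):
    """Turn attribute lines as written in a tac_plus.conf service block
    ('inacl=101', 'optional outacl=102') into wire AV pairs."""
    out = []
    for line in lines:
        line = line.strip()
        mandatory = True
        if line.startswith("optional "):
            mandatory = False
            line = line[len("optional "):].strip()
        attr, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not an attribute assignment: {line!r}")
        out.append(AVPair(attr.strip(), value.strip(), mandatory).encode())
    return out


def _sort_key(av: AVPair):
    """Numbered attributes sort by their number, so inacl#2 precedes inacl#10."""
    m = INDEXED_RE.match(av.attr)
    return (m.group(1), int(m.group(2))) if m else (av.attr, -1)


def apply_reply(reply, supported):
    """Client-side handling of the AV pairs in an authorization reply.

    'supported' is the set of attribute names this client implements
    (constructed for the example). Returns ("PASS", pairs to apply in order)
    or ("FAIL", reason): a mandatory pair the client does not understand
    fails the whole authorization; an unknown optional pair is dropped.
    """
    applied = []
    for raw in reply:
        av = parse_av(raw)
        base = av.attr.split("#", 1)[0]        # inacl#1 -> inacl
        if base not in supported:
            if av.mandatory:
                return ("FAIL", f"unsupported mandatory attribute {av.attr}")
            continue                            # optional and unknown: ignore
        applied.append(av)
    applied.sort(key=_sort_key)                 # stable, so ties keep reply order
    return ("PASS", [av.encode() for av in applied])


if __name__ == "__main__":
    print(encode_config(["inacl=101", "optional outacl=102"]))
    print(apply_reply(["inacl#10=deny ip any any", "inacl#2=permit ip any any",
                       "frame-relay*x"], {"inacl", "outacl"}))
    print(apply_reply(["x25-addresses=foo"], {"inacl"}))
```

Two things in the code are worth keeping in mind when writing a configuration:
a mandatory attribute that an older NAS image does not implement (for example a
"reserved for future use" one from the list above) locks the user out rather
than being ignored, so anything not known to be supported by every client
should be declared optional; and the numeric sort means inacl#10 is applied
after inacl#2, whatever order they appear in the file.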

Also see the tac_plus user guide. Some of the callback, AppleTalk,
IPX, VPDN, PPP routing, and address pool related AV pairs found in the
user guide have been omitted.

The following AV pairs appear in accounting records:

bytes_in The number of input bytes transferred during this
connection.

bytes_out The number of output bytes transferred during this
connection.

cmd The command the user executed.

data-rate This AV pair has been renamed. See nas-rx-speed.

disc-cause Specifies the reason a connection was taken off-
line. The Disconnect-Cause attribute is sent in
accounting stop records. This attribute also
causes stop records to be generated without first
generating start records if disconnected before
authentication.

    1 User request
    2 Lost carrier
    3 Lost service
    4 Idle timeout
    5 Session timeout
    6 Admin reset
    7 Admin reboot
    8 Port error
    9 NAS error
    10 NAS request
    11 NAS reboot
    12 Port unneeded
    13 Port pre-empted
    14 Port suspended
    15 Service unavailable
    16 Callback
    17 User error
    18 Host request

disc-cause-ext Extends the disc-cause attribute to support vendor-
specific reasons that a connection was taken off-
line.

    1000 Session timed out. This value applies to all session types.
    1002 Reason unknown.
    1004 Failure to authenticate calling-party number.
    1010 No carrier detected. This value applies to modem connections.
    1011 Loss of carrier. This value applies to modem connections.
    1012 Failure to detect modem result codes. This value applies to modem connections.
    1020 User terminates a session. This value applies to EXEC sessions.
    1021 Timeout waiting for user input. This value applies to all session types.
    1022 Disconnect due to exiting Telnet session. This value applies to EXEC sessions.
    1023 Could not switch to SLIP/PPP; the remote end has no IP address. This value applies to EXEC sessions.
    1024 Disconnect due to exiting raw TCP. This value applies to EXEC sessions.
    1025 Bad passwords. This value applies to EXEC sessions.
    1026 Raw TCP disabled. This value applies to EXEC sessions.
    1027 Control-C detected. This value applies to EXEC sessions.
    1028 EXEC process destroyed. This value applies to EXEC sessions.
    1040 PPP LCP negotiation timed out. This value applies to PPP sessions.
    1041 PPP LCP negotiation failed.
    1042 PPP PAP authentication failed.
    1043 PPP CHAP authentication failed.
    1044 PPP remote authentication failed.
    1045 PPP received a Terminate Request from remote end.
    1046 Upper layer requested that the session be closed. This value applies to PPP sessions.
    1101 Session failed for security reasons. This value applies to all session types.
    1102 Session terminated due to callback. This value applies to all session types.
    1120 Call refused because the detected protocol is disabled. This value applies to all session types.

elapsed_time The elapsed time in seconds for the action. Useful
when the device does not keep real time.

event Information included in the accounting packet that
describes a state change in the router. Events
described are accounting starting and accounting
stopping.

mlp-links-max Gives the count of links known to have been in a
given multilink session at the time the accounting
record is generated.

mlp-sess-id Reports the identification number of the multilink
bundle when the session closes. This attribute
applies to sessions that are part of a multilink
bundle. This attribute is sent in
authentication-response packets.

nas-rx-speed Specifies the average number of bits per second
over the course of the connection's lifetime. This
attribute is sent in accounting stop records.

nas-tx-speed Reports the transmit speed negotiated by the two
modems.

paks_in The number of input packets transferred during this
connection.

paks_out The number of output packets transferred during
this connection.

port The port into which the user was logged.

pre-bytes-in Records the number of input bytes before
authentication. This attribute is sent in
accounting stop records.

pre-bytes-out Records the number of output bytes before
authentication. This attribute is sent in
accounting stop records.

pre-paks-in Records the number of input packets before
authentication. This attribute is sent in
accounting stop records.

pre-paks-out Records the number of output packets before
authentication. This attribute is sent in
accounting stop records as Pre-Output-Packets.

pre-session-time Specifies the length of time, in seconds, from when
a call first connects to when it completes
authentication.

priv_level The privilege level associated with the action.

protocol The protocol associated with the action.

reason Information included in the accounting packet that
describes the event that caused a system change.
Events described are system reload, system
shutdown, or accounting reconfiguration (turned on
or off).

service The service the user used.

start_time The time, in seconds since 12:00 a.m. January 1,
1970, that the action started. The clock must be
configured to receive this information.

stop_time The time, in seconds since 12:00 a.m. January 1,
1970, that the action stopped. The clock must be
configured to receive this information.

task_id Start and stop records for the same event must have
matching (unique) task_id numbers.

timezone The time zone abbreviation for all timestamps
included in this packet.

xmit-rate This AV pair has been renamed nas-tx-speed.
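Two facts in the list above matter when the accounting file is used for
monitoring: start and stop records of one event share a task_id, and a stop
record can exist without a start when the connection was dropped before
authentication completed (the disc-cause entry). The Python below is an added
example, not tac_plus code. It assumes the record layout tac_plus writes to
its accounting file, date, NAS address, user, port, remote address, record
type and then the AV pairs, tab separated (verify this against your own
file), pairs records by task_id, decodes disc-cause from the table above and
reports the stop-only sessions. The three sample records are constructed.

```python
"""Added example, not tac_plus code: pair start/stop accounting records by
task_id, decode disc-cause and flag stop records that never had a start.

Assumed record layout (tab separated; verify against your own accounting file):
<date>  <NAS address>  <user>  <port>  <remote address>  <start|stop|update>  <AV pair>...
"""
from collections import defaultdict

# disc-cause values, from the table above
DISC_CAUSE = {
    1: "User request", 2: "Lost carrier", 3: "Lost service", 4: "Idle timeout",
    5: "Session timeout", 6: "Admin reset", 7: "Admin reboot", 8: "Port error",
    9: "NAS error", 10: "NAS request", 11: "NAS reboot", 12: "Port unneeded",
    13: "Port pre-empted", 14: "Port suspended", 15: "Service unavailable",
    16: "Callback", 17: "User error", 18: "Host request",
}

# Constructed sample: fred's exec session with start and stop, and a stop-only
# record for wilma (dropped for bad passwords before a start was ever written).
SAMPLE = (
    "Mon Aug  5 10:00:00 2013\t192.168.1.1\tfred\ttty1\t192.168.2.1\tstart"
    "\ttask_id=41\tservice=shell\tstart_time=1375696800\n"
    "Mon Aug  5 10:00:07 2013\t192.168.1.1\tfred\ttty1\t192.168.2.1\tstop"
    "\ttask_id=41\tservice=shell\tstart_time=1375696800\tstop_time=1375696807"
    "\telapsed_time=7\tdisc-cause=1\n"
    "Mon Aug  5 10:02:00 2013\t192.168.1.1\twilma\ttty2\t192.168.2.5\tstop"
    "\ttask_id=42\tservice=shell\tdisc-cause-ext=1025\tpre-session-time=3\n"
)


def parse_record(line):
    """Split one accounting line into its fixed fields and an AV pair dict."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError(f"short record: {line!r}")
    date, nas, user, port, rem_addr, rtype = fields[:6]
    avs = {}
    for item in fields[6:]:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed AV pair: {item!r}")
        avs[key] = value
    return {"date": date, "nas": nas, "user": user, "port": port,
            "rem_addr": rem_addr, "type": rtype, "avs": avs}


def disconnect_reason(avs):
    """Prefer the vendor-specific disc-cause-ext, else decode disc-cause."""
    if "disc-cause-ext" in avs:
        return f"disc-cause-ext {avs['disc-cause-ext']}"
    code = avs.get("disc-cause")
    if code is None:
        return "unknown"
    return DISC_CAUSE.get(int(code), f"unknown code {code}")


def summarise(text):
    """One summary per (NAS, task_id). Start and stop records of the same
    event share a task_id, so a stop with no start means the session ended
    before authentication completed."""
    by_task = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_task[(rec["nas"], rec["avs"].get("task_id"))].append(rec)
    sessions = []
    for (nas, task_id), recs in by_task.items():
        types = {r["type"] for r in recs}
        stop = next((r for r in recs if r["type"] == "stop"), None)
        elapsed = stop["avs"].get("elapsed_time") if stop else None
        sessions.append({
            "nas": nas, "task_id": task_id, "user": recs[0]["user"],
            "service": recs[0]["avs"].get("service"),
            "no_start": "stop" in types and "start" not in types,
            "elapsed": int(elapsed) if elapsed is not None else None,
            "reason": disconnect_reason(stop["avs"]) if stop else "still open",
        })
    return sessions


def suspicious(sessions):
    """Stop-without-start records: authentication never completed."""
    return [s for s in sessions if s["no_start"]]


if __name__ == "__main__":
    for s in summarise(SAMPLE):
        print(s)
```

A run of stop-only records for one user or one remote address with
disc-cause-ext 1025 (bad passwords) is the accounting-side view of password
guessing; pairing by task_id rather than by user and port is what keeps
overlapping sessions on the same port from being confused.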

Example Cisco configuration for tacacs+:

    aaa new-model
    aaa authentication login default tacacs+ local
    aaa authentication enable default tacacs+ enable
    aaa authorization exec default tacacs+
    aaa accounting exec default start-stop tacacs+
    !
    username root privilege 15 password 0 <root's password>
    !
    tacacs-server key <your key here>
    tacacs-server host <ip_address>
    ip tacacs source-interface loopback0
    !
    enable secret 0 <enable password>

Note that the aaa command syntax varies slightly between some versions
of Cisco IOS, and CatOS (Catalyst OS) uses different syntax again. The
trailing "local" and "enable" keywords on the aaa authentication lines
name the fallback methods IOS uses when no TACACS+ server can be
reached, so the local username and the enable secret must be in place
before the TACACS+ methods are enabled.

Example Juniper configuration for tacacs+:

    system {
        authentication-order [ password tacplus ];
        tacplus-server {
            <ip_address> secret <your key here>;
            <ip_address> {
                secret <your key here>;
                timeout 90;
            }
        }
    }

Both of these examples are brief. See the vendor's documentation for a
description of what these configuration commands specify and for
additional commands and arguments.

WARNING: If not properly configured, it may not be possible to login
to the device!

An example tac_plus.conf:

    key = "your key here"
    accounting file = /var/log/tac.acct
    # authenticate users not appearing elsewhere via
    # the file /etc/passwd
    default authentication = file /etc/passwd

    acl = dial_only {
        # All access routers are in 192.168/16, but except for
        # 192.168.0.1 all backbone routers are in 192.168.0/24.
        # deny access to the backbone routers.
        permit = ^192\.168\.0\.1$
        deny = ^192\.168\.0\.
        permit = ^192\.168\.
    }

    group = no_backbone {
        # permit an exec to start and permit all commands and
        # services by default
        default service = permit

        service = exec {
            # When an exec is started, its connection access list
            # will be 4. "acl" is quoted because it is a keyword.
            # It also has an autocmd
            "acl" = 4
            autocmd = "telnet duffhost"
        }

        # group will only be allowed to login on NASes
        acl = dial_only
    }
    group = admin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd
        login = file /etc/passwd

        # group members who have no expiry date set will use this one
        expires = "Jan 1 1997"

        # deny access to backbone routers
        acl = dial_only
    }

    user = DEFAULT {
        service = ppp protocol = ip {
            addr-pool=foobar
        }
    }
    user = homer {
        default service = permit

        member = no_backbone
    }
    user = fred {
        login = des mEX027bHtzTlQ
        name = "Fred Flintstone"
        member = admin
        expires = "May 23 2005"
        arap = cleartext "Fred's arap secret"
        chap = cleartext "Fred's chap secret"

        service = exec {
            # When Fred starts an exec, his connection access
            # list is 5
            "acl" = 5

            # We require this autocmd to be done at startup
            autocmd = "telnet foo"
        }

        # All commands except show system are denied for Fred
        cmd = show {
            # Fred can run the following show command

            permit system
            deny .*
        }

        service = ppp protocol = ip {
            # Fred can run ip over ppp only if he uses one
            # of the following mandatory addresses. If he
            # supplies no address, the first one here will
            # be mandated

            addr=131.108.12.11
            addr=131.108.12.12
            addr=131.108.12.13
            addr=131.108.12.14

            # Fred's mandatory input access list number is 101
            inacl=101

            # We will suggest an output access list of 102, but the NAS may
            # choose to ignore or override it

            optional outacl=102
        }

        service = slip {
            # Fred can run slip. When he does, he will have to use
            # these mandatory access lists

            inacl=101
            outacl=102
        }
    }

    user = wilma {
        # Wilma has no password of her own, but she's a group member so
        # she'll use the group password if there is one. Same for her
        # password expiry date

        member = admin
    }
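The acl in the example above is applied to the source address the client
connected from, entry by entry in file order, and the first regex that
matches decides. The Python below is an added example, not the daemon's own
code: it parses an "acl = name { ... }" block in tac_plus.conf syntax and
evaluates it, so the ordering and anchoring of the entries can be checked
before a file is put into service. What the daemon does when no entry matches
is an assumption here, passed in as a parameter with deny as the default;
check your tac_plus build. The loose pattern in the usage note is constructed
to show the failure mode.

```python
"""Added example, not tac_plus code: parse 'acl = name { ... }' blocks in
tac_plus.conf syntax and evaluate them as the daemon does, in order, against
the client's source address, first matching regex wins."""
import re

# The acl from the configuration example above (copied here as test input).
ACL_TEXT = r"""
acl = dial_only {
    # All access routers are in 192.168/16, but except for
    # 192.168.0.1 all backbone routers are in 192.168.0/24.
    # deny access to the backbone routers.
    permit = ^192\.168\.0\.1$
    deny = ^192\.168\.0\.
    permit = ^192\.168\.
}
"""

HEADER_RE = re.compile(r"^\s*acl\s*=\s*(\S+)\s*\{\s*$")
ENTRY_RE = re.compile(r"^\s*(permit|deny)\s*=\s*(\S+)\s*$")


def parse_acls(text):
    """Return {name: [(action, compiled regex), ...]} in file order.
    Comments start at '#' (quoting of '#' inside a regex is not handled here)."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            if current in acls:
                raise ValueError(f"acl {current} defined twice")
            acls[current] = []
            continue
        if line.strip() == "}":
            current = None
            continue
        m = ENTRY_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line in acl definition: {raw!r}")
        acls[current].append((m.group(1), re.compile(m.group(2))))
    return acls


def acl_check(acl, client_ip, default="deny"):
    """First matching entry decides. 'default' applies when nothing matches;
    that the daemon denies in that case is an assumption of this example."""
    for action, regex in acl:
        # The pattern is searched, not anchored, so '^' and '$' in the
        # configuration are what stop 192.168.0.1 from matching 192.168.0.10.
        if regex.search(client_ip):
            return action
    return default


if __name__ == "__main__":
    acl = parse_acls(ACL_TEXT)["dial_only"]
    for ip in ("192.168.0.1", "192.168.0.10", "192.168.5.7", "10.1.1.1"):
        print(ip, acl_check(acl, ip))
```

The "$" on the first entry is doing real work: without it 192.168.0.10 through
192.168.0.199 would also hit the permit and skip the deny on the next line,
and an unescaped dot matches any character. Addresses are matched as text, so
a pattern that is not anchored at both ends should be assumed to match more
than intended until proven otherwise.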

/etc/tac_plus.conf Configuration file.

/var/log/tac_plus.acct The default accounting file.

/var/log/tac_plus.log The default log file.

gethostbyaddr(3), passwd(5), regexp(3), tac_plus(8), tac_pwd(8)

Also see the tac_plus User Guide (user_guide) that came with the
distribution. The user guide does not cover all the modifications to
the original Cisco version nor does this manual page cover everything
that is in the user guide (callback configuration, for example).

The tac_plus (tacacs+) developer's kit is a product of Cisco Systems.
Made available at no cost and with no warranty of any kind. See the
file COPYING and source files that came with the distribution for
specifics.

This manual page was adapted from code inspection and Cisco's tac_plus
user guide.

This manual page is incomplete.



1 August 2013 tac_plus.conf(5)