Provided by: tacacs+_4.0.4.27a-1_amd64 bug


       do_auth - Program allowing more granular control than tac_plus.


       do_auth -u user [-i Ip Address] [-d Device address] [-f Config filename] [-l Log file] [-D
       Debug mode]


       do_auth is a python program written to work as an authorization script for tacacs to allow
       greater  flexability  in  tacacs  authentication.   It  allows  a  user to be part of many
       predefined groups that can allow different access to different devices based on ip,  user,
       and source address.

       Groups  are  assigned  to users in the [users] section.  A user must be assigned to one or
       more groups, one per line.  Groups are defined in brackets, but can  be  any  name.   Each
       group can have up to 6 options as defined below.

        host_deny          Deny any user coming from this host.  Optional.
        host_allow         Allow users from this range. Mandatory with -i.
        device_deny        Deny any device with this IP.  Optional.
        device_permit      Allow this range. Mandatory if -d is specified.
        command_deny       Deny these commands.  Optional.
        command_permit     Allow these commands.  Mandatory.

       The options are parsed in order till a match is found.  Obviously, for login, the commands
       section is not parsed.  If a match is not found, or a deny is found, we  move  on  to  the
       next  group.   At  the  end, we have an implicit deny if no groups match.  All tacacs keys
       passed on login to do_auth are returned.  (except cmd*)  It is possible  to  modify  them,
       but  I  haven't  implemented  this  yet  as  I don't need it.  Future versions may have an
       av_pair & append_av_pair option.


       -u     Username.  Mandatory.  $user

       -i     Ip address of user.  Optional.  If not specified, all host_ entries are ignored and
              can be omitted. $address

       -d     Device  address.   Optional.  If not specified, all device_ entries are ignored and
              can be omitted.  $name

       -f     Config Filename.  Default is do_auth.ini.

       -l     Logfile. Default is log.txt.

       -D     Activate debug mode.


       do_auth -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs+/do_auth.ini


       do_auth returns 0 to allow, 1 to deny authorization.


       Henry-Nicolas Tourneur from the do_auth file written by Dan Schmidt.


       tac_plus(8), tac_plus.conf(5)