Provided by: tacacs+_4.0.4.27a-3_amd64 bug

NAME

       tac_plus.conf - tacacs+ daemon configuration file

DESCRIPTION

       This page is a work in progress.

       tac_plus.conf contains configuration information for the tac_plus (tacacs+) daemon.

       Each  line  contains either one of the directives documented below, white-space (blanks or
       tabs), or a comment.

       Syntax enclosed in angle brackets (<>) below, refer to syntax documented elsewhere in this
       manual page.

TOP-LEVEL DIRECTIVES

       #      Comments  begin  with  a '#' character and extend to the end of the line.  Comments
              may appear anywhere in the configuration file.  To disable the special  meaning  of
              the '#' character, enclose the string containing it in double quotes ("#").

       accounting
              Only  one  configurable  account parameter exists, the destination.  All accounting
              records are either written to a file, syslog(3) at priority info, or both.

                  accounting syslog;
                  accounting file = <filename>

              The default filename is /var/log/tac_plus.acct.

              Since accounting requests occur (and are serviced) asynchronously, it is  necessary
              to  lock the accounting file so that two writers do not simultaneously write to it.
              The daemon uses fcntl(2) to lock the file.  Although fcntl(2) locking over  NFS  is
              supported  on  some  implementations,  it is notoriously unreliable.  Even if it is
              reliable, locking is likely to be extremely inefficient over NFS.  The file is best
              located on a local file system.

       acl    If  compiled  with acl support (--enable-acls), Access Control Lists can be defined
              to limit user's (or group's) login and/or enable access by daemon client IP address
              or  hostname.   An acl is referenced by its name, but must be defined before it can
              be referenced.

              The acl is a series of permit or deny statements applied to the source  IP  address
              that  the  client  used to connected to the daemon.  The first <regex> that matches
              ends the evaluation and the result is the permit or deny on left.  If no  entry  of
              the acl matches a given address, the result is an implicit deny.

                  acl = <name> {
                      <permission> = <regex>

                      # deny 66.1.255/24, allow all else in 66.1/16
                      deny = ^66\.1\.255\.
                      permit = ^66\.1\.
                      # implicit deny (ie: anything else)
                  }

              Briefly,  if a company had all their loopback interfaces numbered from 66.1/16 (and
              thus all the tacacs clients are within 66.1/16), this acl might  be  used  to  dis-
              allow  a  user to login to (or enable on) any router whose loopback interface is in
              66.1.255/24.

              Note: because acls match against the daemon client's source IP address, the  client
              should  be  configured  to  use  a stable source such as a loopback interface.  For
              example:
                  ip tacacs-server source-interface loopback 0

       default authentication
              By default, authentication fails for users that do not appear in the  configuration
              file.   This  overrides  that behavior, thus permitting all authentication requests
              for such users.

                  default authentication = file <filename>

              Such users will be authentication via the <user> "DEFAULT".

              Also see "user = DEFAULT", <default service>, and <default attribute>.

       group  Analogous to a <user> and accepting the same syntax, a group provides a template of
              which a <user> or another group can be a member.

                  group = <name> {
                      <user_decl>
                  }

              A group may be recursive; that is a group may be a member of one other group (which
              may be a member of yet another group, and so on).

       host   The host clause allows the configuration values noted  below  to  be  set  for  the
              client  named  by  IP address.  If tac_plus is started with the -L option, the name
              can also be name as resolved from the  address  with  the  gethostbyaddr(3)  system
              call,  which  may  be the FQDN (Fully Qualified Domain Name) if DNS is used.  It is
              recommended that the IP address be used, since the resolver can be slow to  timeout
              when network faults exist.

                  host = <IP address> {
                   key = <string>
                   prompt = <string>
                   enable = <password_spec>
                  }

              key specifics the packet encryption <key> for this host.

              prompt specifies the username prompt that will be presented to a user.

       key    Specifies an encryption key used to encrypt packets between the daemon and clients.
              This key must match the key configured on the clients.

              key = <string>

              The double quotes are only necessary if your key contains  white-space,  key-words,
              or special characters.

              Note: encryption is highly recommended.

       logging
              Specifies  the  syslog(3) facility used.  By default, logs are posted to the daemon
              facility.

                  logging = <syslog_fac>

       user   Define a user whose username is <name>.

                  user = <name> {
                      [ <default service> ]
                      <user_attr>
                      <svc>
                  }

              Note: seventeen special  usernames  exist:  "DEFAULT",  "$enable$",  and  "$enabN$"
              (where  N is a privilege level number, normally in the range 0-15 on a Cisco).  The
              "$enable$" user is for backward compatibility with previous versions of tacacs that
              is queried for privilege level 15 in addition to "$enab15$".

              Also  see  the  "priv-lvl" AV pair in the "AV Pairs" section below and the <default
              authentication> directive.

       service
                  user = <string> {
                      [ default service = <permission> ]
                      <user_attr>*
                      <svc>*
                  }

              Also see the <default service> directive.

ADDITIONAL DIRECTIVE SYNTAX

       attr_value_pair
              Specify an AV (Attribute Value) pair.  The "optional" keyword specifies that the AV
              pair is optional.

                  [ optional ] <string> = <string>

              Optional  AV  pairs  are only sent to the client if it requests them.  That is, the
              client must have included the given AV pair as a mandatory or optional pair in  the
              request.

              Some clients react incorrectly and negatively to receiving AV pairs that it did not
              solicit.  Optional AV pairs should be ignored if they are  not  recognized  or  not
              supported in any given context.

              Also see the "Configuring Authorization" and "AV Pairs" sections below.

       cmd_auth
              Specify command authorization.

              For  command  authorization,  the  device should expand all abbreviated commands to
              their full names and compress adjacent white-space.  For example, when the  command
              "config t" is entered it will be expanded to "configure terminal".

                  cmd = <string> {
                      <cmd-match>
                  }

       cmd-match
              Specify a command argument match.

                  <permission> <regex>
                  <permission> <regex>
                   ...
                  <permission>

              The  <regex> matches arguments of the command <string>.  For example, to allow show
              diag but no other show commands:

                  cmd = show {
                      permit diag
                      deny
                  }

              The end of the <cmd-match> has an  implicit  <permission>  determined  by  <default
              service>.   So,  if the 'deny' had been omitted in the example above, the result of
              the authorization would be the value of <default service>.

              Note: 'cmd-arg' should never appear in a configuration file.  It is used internally
              by  the  daemon  to  construct  a  string which is then matched against the regular
              expressions which appear in a cmd clause in the configuration file.

              Note: when a command has multiple arguments, they may be entered in many  different
              permutations.   It  can  be  cumbersome  to  create  regular expressions which will
              reliably authorize commands under these conditions.   Administrators  may  wish  to
              consider other methods of performing authorization.

       default service
              Specifies the default <permission> for service authorization.

                  default service = <permission>

              If omitted, the default is 'deny'.

              Note:  if  used,  <default  service>  must  precede all other <svc> directives in a
              <user> clause.

       default attribute
              Specifies the default attribute <permission> for service authorization.

                  default attribute = <permission>

              Note: if used, <default attribute> must precede all other <svc_attr> directives  in
              a <svc> clause.

       des_string
              Represents  the one-way encryption of a password <string>.  For example, a password
              might encrypt to the string 0AmUKnIT2gheo.

              DES is the encryption historically used  in  Unix  passwd(5)  files.   The  crypt()
              function  of the system's libcrypt is used to perform the encryption.  The libcrypt
              of modern Unicies tend to support additional  encryption  algorithms  and  thus  so
              would  tac_plus.   See  the system's crypt manual page.  To utilize another format,
              use the des keyword followed by the  crypt  in  the  format  as  described  in  the
              manpage.   Typically  it will have a "$1" prefix for MD5, "$2" for blowfish, and so
              on.

              tac_pwd(8) is a utility  supplied  with  tac_plus  to  assist  in  performing  this
              encryption.

       expires
              Causes  the  <user>'s  password  to  become  invalid,  starting  on  the  specified
              expiration date.

                  expires "May 23 2005"

              A expiry warning message is sent to the user at login time,  starting  at  14  days
              before the expiration date.

              If  the  <user>'s  <login>  <password_spec>  is  "file", the "expires" field of the
              configuration file is not consulted.  Instead, the daemon looks at the the  "shell"
              field of the password file entry for a valid expiration date.

              If  Solaris  shadow password files are used for authentication, the "expires" field
              of the configuration file is not  consulted.  The  expiry  field  from  the  shadow
              password file (if it exists) is used as the expiration date.

              Case is not significant.

       filename
              A <string> specifying a file located in the filesystem.

              While  the daemon does change directories to / (root) when it starts, it is best to
              specify files by their FQPN (Fully Qualified Path Name).   That  is,  a  path  that
              begins   with  /.   For  example,  /var/log/file  rather  than  the  relative  path
              var/log/file.

       IP address
              A <string> representing an IPv4 address in dotted-quad notation.  For example:

                  192.168.1.1

       name   A <string> by which to refer to a configuration element, such  as  an  <acl>  or  a
              <group>.

              In  general,  a  <name>  must be defined before it can be referenced.  For example,
              before a <user> can be a specified as a member of a <group>, the <group> has to  be
              defined.

       password_spec
              There  are  five  authentication mechanisms available: no password, cleartext, DES,
              PAM, a file in passwd(5) format, and skey.

                  file <filename>
                  cleartext <string>
                  des <des_string>
                  PAM
                  skey
                  nopassword

              skey is an OTP (One Time Password) facility.  The daemon must be  built  with  skey
              (--enable-skey) support.

              PAM  (Pluggable  Authentication  Modules  framework) is an authentication mechanism
              (and much more) capable of various types of authentication methods that are  chosen
              by  a configuration file.  The PAM service name is the name of tac_plus executable,
              normally "tac_plus".  PAM can be used only for  login  authentication,  it  is  not
              implemented  for  enable  authorization,  and  does  not support OTP-like challenge
              system (ie: no additional prompting).  The daemon must be built with  PAM  support,
              which is included by default if libpam is found.

              Note: some cases of <password_spec> do not accept all of these mechanisms.

       permission
              Specifies that some match (for example a <service> or <cmd-match>) is to be allowed
              or denied.

                  (permit | deny)

       proto  A protocol is a subset of a service.  Typical NAS supported values are atalk,  bap,
              bridging,  ccp,  cdp, deccp, ip, ipx, lat, lcp, multilink, nbf, osicp, pad, rlogin,
              telnet, tn3270, vines, vpdn, xns, xremote, and unknown.  Note  that  'protocol'  is
              actually an AV pair.

       string A  series of characters, not including white-space or tac_plus key-words or special
              characters (ie: A-Za-z0-9_).  To include  any  of  those  exceptions,  enclose  the
              string in double quotes ("this has whitespace").

       svc         XXX:

                  <svc_auth> | <cmd_auth>

       svc_auth
                   XXX:           service = ( arap | connection | exec | ppp protocol = <proto> |
                             shell  |  slip  |  system  |  tty-daemon  |   <client   defined>   )
                             {                [ <default attribute> ]
                                      <attr_value_pair>*
                                  }

              The service AV pair is required.

       syslog_fac
              syslog(3)  normally  has 16 well-known channels, called facilities.  syslogd(8) can
              be configured  to  direct  each  of  these  facilities  to  different  files.   The
              facilities  are  named:  auth,  cron,  daemon, local[0-7], lpr, mail, news, syslog,
              user, and uucp.

       user_attr
                   XXX:

                  user = bart {
                      arap = cleartext "arap password"
                      chap = cleartext "chap password"
                      enable = <password_spec>
                      pap  = cleartext "inbound pap password"
                      opap = cleartext "outbound pap password"
                      pap  = des <des_string>
                      pap  = file <filename>
                      pap  = PAM
                      login = <password_spec>
                      global = cleartext "outbound pap password"
                  }

              global specifies the authentication method for  all  services.   login  applies  to
              normal  logins  (exec).  arap, chap, pap, and opap (outbound PAP) service passwords
              may be defined separately.

              NOTE: a global user password cannot be used  for  outbound  PAP.  This  is  because
              outbound  PAP is implemented by sending the password from the daemon to the client.
              This is a security issue if the <key> is ever compromised.

              enable specifies the enable password.  The <password_spec>  may  only  be  of  type
              cleartext,  des,  nopassword  or  file.   If  the daemon was compiled with per-user
              enable support (--enable-uenable), the host enable password will be  evaluated  iff
              the user does not have a personal enable password.

              login name member    - can only be 1 default service = permit expires "May 23 2005"
                  arap = cleartext "Fred's arap secret"
                  chap = cleartext "Fred's chap secret" acl = <string> enableacl = <string>

              In  the  case of recursion, the first match is returned.  host enable is cleartext,
              des, nopassword or file only.  arap chap expires May 23 2005 login member  password
                   user_attr :=           name     = <string> |
                                       login    = <password_spec> |
                                       member   = <string> |
                                       expires  = <string> |
                                       arap     = cleartext <string> |
                                       chap     = cleartext <string> |      #ifdef MSCHAP
                                       ms-chap  = cleartext <string> |      #endif
                                       pap      = cleartext <string> |
                                       pap      = des <string> |
                                       pap      = file <filename> |      #ifdef PAM
                                       pap      = PAM |      #endif
                                       opap     = cleartext <string> |
                                       global   = cleartext <string> |
                                       msg      = <string>
                                       before authorization = <string> |
                                       after authorization = <string>

CONFIGURING AUTHORIZATION

       Authorizing  a  single  session  can result in multiple requests being sent to the daemon.
       For example, to authorize a dialin ppp user for IP, the following  authorization  requests
       would be made from the client:

       1)     An  initial  authorization request to startup ppp from the exec, using the AV pairs
              service=ppp protocol=ip, will be made (Note: this initial request will  be  omitted
              if you are autoselecting ppp, since username will not be known yet).

              This  request is really done to find the address for dumb PPP (or SLIP) clients who
              cannot do address negotiation. Instead, they expect you to tell them  what  address
              to use before PPP starts up, via a text message.

       2)     Next,  an  authorization request is made from the PPP subsystem to see if ppp's LCP
              layer is authorized. LCP parameters can be set at this time (e.g.  callback).  This
              request contains the AV pairs service=ppp protocol=lcp.

       3)     Next  an  authorization  request  to  startup ppp's IPCP layer is made using the AV
              pairs service=ppp protocol=ipcp. Any parameters returned by the daemon are cached.

       4)     Next, during PPP's address negotiation phase, each time the remote peer requests  a
              specific  address,  if  that  address  isn't in the cache obtained in step 3, a new
              authorization request is made to see if the peers requested address  is  allowable.
              This  step  can  be  repeated  multiple  times until both sides agree on the remote
              peer's address or until the NAS (or client) decide they're never going to agree and
              they shut down PPP instead.

       As  you can see from the above, a program which plans to handle authorization must be able
       to handle a variety of requests and respond appropriately.

       Authorization must be configured on both the client and the daemon to  operate  correctly.
       By  default,  the  client  will  allow  everything  until configured to make authorization
       requests to the daemon.

       With the daemon, the opposite is true; by default, the daemon will deny  authorization  of
       anything that isn't explicitly permitted.

       Authorization  allows  the  daemon  to  deny  commands and services outright, or to modify
       commands and services on a per-user basis.  Authorization on the daemon  is  divided  into
       two separate parts: commands and services.

       Authorizing:

       commands
              Exec  commands  are  those  commands  which  are typed at a Cisco exec prompt. When
              authorization is requested by the NAS, the entire command is sent to the daemon for
              authorization.

              Command  authorization  is  configured  by  specifying  a list of <regex>s to match
              command arguments and an action which is a <permission>.

              The following permits user Fred to run these commands:

                  telnet 131.108.13.<any number> and
                  telnet 128.<any number>.12.3 and
                  show <anything>

              All other commands are denied (by default).

                  user=fred {
                      cmd = telnet {
                          # permit specified telnets
                          permit 131\.108\.13\.[0-9]+
                          permit 128\.[0-9]+\.12\.3
                      }
                      cmd = show {
                          # permit show commands
                          permit .*
                      }
                  }

              The command and  arguments  which  the  user  types  are  matched  to  the  regular
              expressions  specified  in  the  configuration  file (in order of appearance).  The
              first successful match performs the associated action (<permission>). If  there  is
              no match, the command is denied by default.

              Also   see   the   <default   authentication>,  <default  authorization>,  <default
              attribute>, and <default service> directives.

AUTHORIZATION SCRIPTS

       There are some limitations to the authorization that can be  done  using  a  configuration
       file.  One solution is to arrange for the daemon to call user-supplied programs to control
       authorization.  These  "callouts"  permit  almost  complete  control  over  authorization,
       allowing  you  to  read  all  the  fields  in the authorization packet sent by the client,
       including all its AV pairs, and to set authorization status and send a new set of AV pairs
       to the client in response.

       Pre  and post authorization programs are invoked by handing the command line to the Bourne
       shell. On most Unix systems, if the shell doesn't find the specified program it returns  a
       status  of  one,  which  denies  authorization.  However,  at least one Unix system (BSDI)
       returns a status code of 2 under these circumstances, which will permit authorization, and
       probably isn't what you intended.

       Note:  if  your  program hangs, the authorization will time out and return an error on the
       client, and you'll tie up a process slot on the daemon host,  eventually  running  out  of
       resources. There is no special code to detect this in the daemon.

       The daemon communicates with pre and post (before and after) authorization programs over a
       pair of pipes. Programs using the standard i/o library will use full  buffering  in  these
       circumstances.   This  should  not  be a problem, since AV pairs will be read until end of
       file (EOF) is seen on input, and output will be flushed when they exit.

       Fields from the authorization packet can be supplied to the programs as arguments  on  the
       command  line  by  using  the appropriate dollar-sign variables in the configuration file.
       These fields are:

           user    -- user name
           name    -- client/NAS name
           ip      -- client/NAS IP
           port    -- client/NAS port
           address -- user address (remote user location)
           priv    -- privilege level number (0-15)
           method  -- a digit (1-4)
           type    -- digit (1-4)
           service -- digit (1-7)
           status  -- (pass, fail, error, unknown)

       Unrecognized variables will appear as the string "unknown".

       AV pairs from the authorization packet are fed to the program's standard  input,  one  per
       line.  The  program  is  expected  to  process the AV pairs and write them to its standard
       output, one per line. What happens then is determined by the exit status of the program.

       Note: when AV pairs containing spaces are listed in the configuration file,  you  need  to
       enclose  them  in  double  quotes  so  that  they are parsed correctly. AV pairs which are
       returned via standard output do not need delimiters and  so  should  not  be  enclosed  in
       double quotes.

       Note:  unless  special  arrangements  are  made, the daemon will run as root and hence the
       programs it invokes will also run as root, which is a security weakness.  It  is  strongly
       recommended  that  FQPNs are used when specifying programs to execute, and that the daemon
       is compiled with unprivileged user and group IDs  (--with-userid  and  --with-groupid)  so
       that the daemon is not running as root when calling these programs,

       Calling scripts

       before authorization
              Specify  a  per-user program to be called before any other authorization attempt is
              made by using a "before" clause.

                  user = auth1 {
                      before authorization "/path/pre_authorize $user $port $address"
                  }

              The AV pairs sent from the NAS will be supplied to the program standard input,  one
              pair per line.

              If  the  program returns a status of 0, authorization is unconditionally permitted.
              No further processing is done on this request and no AV pairs are returned  to  the
              client.

              If  the  program returns a status of 1, authorization is unconditionally denied. No
              further processing is done on this request and no AV  pairs  are  returned  to  the
              client.

              If  the  program returns a status of 2, authorization is permitted.  The program is
              expected to modify the AV pairs that it receives  on  its  standard  input  (or  to
              create  entirely new ones) and to write them, one per line, to its standard output.
              The  new  AV  pairs   will   be   sent   to   the   client   with   a   status   of
              AUTHOR_STATUS_PASS_REPL.  No further processing takes place on this request.

              If  the  program returns a status of 3, authorization is denied, but all attributes
              returned by the program via stdout are returned to the client. Also,  whatever  the
              program  returns  on stderr is placed into the server-msg field and returned to the
              client.

              Any other status value returned from the program will cause an error to be returned
              to the client.

              Note: a status of 2 is not acceptable when doing command authorization.

       after authorization
              Specify  a  per-user  program  to be called after authorization processing has been
              performed by the default, but before the authorization status  and  AV  pairs  have
              been transmitted to the client, by using a "after" clause.

                  group = auth1 {
                      after authorization "/path/post_authorize $user $port $status"
                  }

              The AV pairs resulting from the authorization algorithm that the daemon proposes to
              return to the NAS, are supplied to the program on standard input, one AV  pair  per
              line, so they can be modified if required.

              The  program  is  expected  to  process the AV pairs and write them to its standard
              output, one per line. What happens then is determined by the  exit  status  of  the
              program:

              If the program returns a status of 0, authorization continues as if the program had
              never been  called.   Use  this  if  (for  example)  to  just  send  mail  when  an
              authorization occurs, without otherwise affecting normal authorization.

              If  the  program returns a status of 1, authorization is unconditionally denied. No
              AV pairs are returned to the NAS. No further  authorization  processing  occurs  on
              this request.

              If  the  program returns a status of 2, authorization is permitted and any AV pairs
              returned from the program on its standard output are sent to the NAS  in  place  of
              any AV pairs that the daemon may have constructed.

              Any other value will cause an error to be returned to the NAS by the daemon.

       Current attributes are:

           "unknown"
           "service"
           "start_time"
           "port"
           "elapsed_time"
           "status"
           "priv_level"
           "cmd"
           "protocol"
           "cmd-arg"
           "bytes_in"
           "bytes_out"
           "paks_in"
           "paks_out"
           "address"
           "task_id"
           "callback-dialstring"
           "nocallback-verify"
           "callback-line"
           "callback-rotary"

       Also see the "AV Pairs" section below.

AV PAIRS

       AV (Attribute Value) pairs are text strings exchanged between the client and server of the
       form "attribute=value".  The value  may  not  appear  in  authorization  request  packets,
       indicating  that  it  is  null  or unspecified.  The equal sign ('=') means that this is a
       mandatory attribute.  An asterisk ('*') may appear in place of the equal sign,  indicating
       that  it  is an optional attribute which either the client or server may not understand or
       may ignore.

       Optional attributes are preceded by the "optional" key-word  in  the  configuration.   For
       example:

           priv_lvl = 15
           optional allow-shell = true

           service=ppp
           protocol=ip
           addr*131.108.12.44

       The  following  AV  pairs  specify  which  service is being authorized. They are typically
       accompanied by protocol AV pairs and other, additional pairs from the lists below.

       service=arap

       service=shell       for exec startup, and also for command authorizations.  Requires:

                               aaa authorization exec tacacs+

       service=ppp

       service=slip

       service=system      not used.

       service=raccess     Used for managing reverse telnet connections e.g.

                               user = jim {
                                   login = cleartext lab
                                   service = raccess {
                                       port#1 = clientname1/tty2
                                       port#2 = clientname2/tty5
                                   }
                               }

                           Requires IOS configuration

                               aaa authorization reverse-access tacacs+

       protocol=lcp        The lower layer of PPP, always brought up before  IP,  IPX,  etc.   is
                           brought up.

       protocol=ip         Used  with  service=ppp  and  service=slip  to indicate which protocol
                           layer is being authorized.

       protocol=ipx        Used with service=ppp  to  indicate  which  protocol  layer  is  being
                           authorized.

       protocol=atalk      with service=ppp or service=arap

       protocol=vines      For vines over ppp.

       protocol=ccp        Authorization  of  CCP.   Compression  Control Protocol). No other AV-
                           pairs associated with this.

       protocol=cdp        Authorization of CDP (Cisco Discovery  Protocol).  No  other  av-pairs
                           associated with this.

       protocol=multilink  Authorization of multilink PPP.

       protocol=unknown    For  undefined/unsupported  conditions.  Should not occur under normal
                           circumstances.

       Incomplete list of Cisco AV pairs.  Other vendors may provide additional AV pairs specific
       to their products.

       acl    For  EXEC  authorization  this  contains  an  access-class  number (acl=2) which is
              applied to the line (tty) as the output access class.   The  specified  access-list
              must be predefined.

              ARAP, EXEC.

       addr   The  IP address the remote host should be assigned when a slip or PPP/IP connection
              is made.  For example: addr=1.2.3.4

              SLIP, PPP/IP.

       autocmd
              During exec startup, this specifies an autocommand, like the autocommand option  to
              the username configuration command.  For example: autocmd="telnet foo.com"

              EXEC.

       callback-line
              The  number  of  a TTY line to use for the callback.  Used with service=arap, slip,
              ppp, or shell.  Does not work for ISDN.

       callback-rotary
              The number of a rotary group (0 through 100) to use for the  callback.   Used  with
              service=arap, slip, ppp, and shell.  Does not work for ISDN.

       cmd    If  the  value  of  cmd  is  NULL (cmd=), then this is an authorization request for
              starting an exec.

              If cmd is non-null, this is a command authorization request.  It contains the  name
              of the command being authorized.  For example: cmd=telnet

              EXEC.

       cmd-arg
              During  command  authorization, the name of the command is given by an accompanying
              "cmd=" AV pair, and each command argument is represented by a cmd-arg AV pair  e.g.
              cmd-arg=archie.sura.net

              NOTE: 'cmd-arg' should never appear in a configuration file.  It is used internally
              by the daemon to construct a string which  is  then  matched  against  the  regular
              expressions which appear in a cmd clause in the configuration file.

              EXEC.

       dns-servers
              Identifies  a  primary  or backup DNS server that can be requested by Microsoft PPP
              clients during IPCP negotiation.  Used with service=ppp and protocol=ip.

       gw-password
              Specifies the password for the home gateway during L2F tunnel authentication.  Used
              with service=ppp and protocol=vpdn.

       idletime
              Sets a value, in minutes, after which an IDLE session will be terminated.  Does NOT
              work for PPP.

              EXEC, 11.1 onward.

       inacl  This AV pair contains an IP or IPX  input  access  list  number  for  slip  or  PPP
              (inacl=2). The access list itself must be pre-configured on the Cisco box. Per-user
              access lists do not work with ISDN interfaces unless you also configure  a  virtual
              interface. After 11.2(5.1)F, you can also use the name of a predefined named access
              list, instead of a number, for the value of this attribute.

              Note: For IPX, inacl is only valid after 11.2(4)F.

              PPP/IP/IPX.

       inacl#<n>
              This AV pair contains the definition of an input access list to  be  installed  and
              applied to an interface for the duration of the current connection, e.g.

                  inacl#1="permit ip any any precedence immediate"
                  inacl#2="deny igrp 0.0.1.2 255.255.0.0 any"

              Attributes  are  sorted  numerically  before they are applied.  For IP, standard OR
              extended access list syntax may be used, but it is an error to mix the two within a
              given access-list.

              For IPX, only extended access list syntax may be used.

              PPP/IP/PPP/IPX, 11.2(4)F.

       interface-config
              Specifies  user-specific  AAA  interface  configuration  information  with  Virtual
              Profiles.  The information that follows the equal sign (=) can  be  any  Cisco  IOS
              interface configuration command.

       ip-address
              List  of  possible IP addresses, separated by spaces, that can be used for the end-
              point of a tunnel.  Used with service=ppp and protocol=vpdn.

       link-compression
              Defines whether to turn on or turn off Stac compression over  a  PPP  link.   Valid
              values are:

                   0    None
                   1    Stac
                   2    Stac Draft-9
                   3    MS-Stac

       load-threshold
              This AV pair sets the load threshold at which an additional multilink link is added
              to the bundle (if load goes above) or deleted (if load goes below).

                  service=ppp protocol=multilink {
                      load-threshold=<n>
                  }

              The range of <n> is [1-255].

              PPP/multilink - Multilink parameter, 11.3.

       max-links
              This AV pair restricts the number of multilink bundle links that a user can have.

                  service=ppp protocol=multilink {
                      max-links=<n>
                  }

              The range of <n> is [1-255].

              PPP/multilink, 11.3.

       nas-password
              Specifies the password for the NAS during L2F  tunnel  authentication.   Used  with
              service=ppp and protocol=vpdn.

       nocallback-verify
              Indicates  that no callback verification is required. The only valid value for this
              parameter is the digit  one,   i.e.   nocallback-verify=1.   Not  valid  for  ISDN.
              ARAP/EXEC, 11.1 onward.

       noescape
              During  exec  startup,  this  specifies "noescape", like the noescape option to the
              username configuration command.  Can  have  as  its  value  the  string  "true"  or
              "false".  For example: noescape=true

              EXEC.

       nohangup
              During  exec  startup,  this  specifies "nohangup", like the nohangup option to the
              username configuration command.  Can  have  as  its  value  the  string  "true"  or
              "false".  For example: nohangup=true

              EXEC.

       old-prompts
              Allows  the  prompts  in  TACACS+  to  appear identical to those of earlier systems
              (TACACS and Extended TACACS).  This allows the  upgrade  from  TACACS  or  Extended
              TACACS to TACACS+ to be transparent to users.

       outacl This  AV  pair  contains an IP or IPX output access list number for SLIP. PPP/IP or
              PPP/IPX connections (outacl=4). The access  list  itself  must  be  pre-configured.
              Per-user  access lists do not work with ISDN interfaces unless you also configure a
              virtual interface.  PPP/IPX is supported in 11.1 onward only. After 11.2(5.1)F, you
              can  also  use the name of a predefined named access list, as well as a number, for
              the value of this attribute.

              PPP/IP, PPP/IPX.

       outacl#<n>
              This AV pair contains an output access list definition to be installed and  applied
              to an interface for the duration of the current connection.

                  outacl#1="permit ip any any precedence immediate"
                  outacl#2="deny igrp 0.0.9.10 255.255.0.0 any"

              Attributes  are  sorted  numerically  before they are applied.  For IP, standard OR
              extended access list syntax may be used, but it is an error to mix the two within a
              given access-list.

              For IPX, only extended access list syntax may be used.

              PPP/IP/PPP/IPX, 11.2(4)F.

       pool-def#
              Defines IP address pools on the NAS.  Used with service=ppp and protocol=ip.

       pool-timeout
              In  conjunction  with  pool-def,  defines IP address pools on the NAS.  During IPCP
              address negotiation, if an IP pool name is specified for a user (see the  addr-pool
              attribute),  a  check is made that the named pool is defined on the NAS.  If it is,
              the pool is consulted for an IP address.

       ppp-vj-slot-compression
              Instructs the Cisco router not to use slot compression when  sending  VJ-compressed
              packets over a PPP link.

       priv-lvl
              Specifies  the  current  privilege  level for command authorizations, a number from
              zero to 15.  For example: priv_lvl=5.

              Note: in 10.3 this attribute was priv_lvl, i.e.  it contained an underscore instead
              of a hyphen.

              EXEC.

       route  This  AV pair specifies a temporary static route to be applied, which expunged once
              the connection terminates.  The daemon side declaration is:

                  service=ppp protocol=ip {
                      route="<dst_addr> <mask> [ <gateway> ]"
                  }

              <dst_address>, <mask>, and  <gateway>  are  <IP  address>'s.   If  the  gateway  is
              omitted, the peer's address is assumed.

              PPP/IP/SLIP, 11.1 onward.

       route#<n>
              Same  as  the "route" attribute, except that these are valid for IPX as well as IP,
              and they are numbered, allowing multiple routes to be applied.  For example:

                  route#1="3.0.0.0 255.0.0.0 1.2.3.4"
                  route#2="4.0.0.0 255.0.0.0"

              or, for IPX,

                  route#1="4C000000 ff000000 30.12.3.4"
                  route#2="5C000000 ff000000 30.12.3.5"

              PPP/IP/IPX, 11.2(4)F.

       routing
              Equivalent to the /routing flag in slip and ppp commands. Can have as its value the
              string "true" or "false".

              SLIP/PPP/IP.

       rte-ftr-in#
              Specifies  an  input  access list definition to be installed and applied to routing
              updates on the current interface for the duration of the current connection.   Used
              with service=ppp protocol=ip or protocol=ipx.

       rte-ftr-out#
              Output version of rte-ftr-in#.

       sap#<n>
              This  AV  pair specifies static SAPs (Service Advertising Protocol) to be installed
              for the duration of a connection.  For example:

                  sap#1="4 CE1-LAB 1234.0000.0000.0001 451 4"
                  sap#2="5 CE3-LAB 2345.0000.0000.0001 452 5"

              The syntax of static saps is the same as that used by the IOS  "ipx  sap"  command.
              Used with service=ppp protocol=ipx.

              PPP/IPX, 11.2(4)F.

       sap-fltr-in#<n>
              This  AV  pair specifies an input SAP filter access list definition to be installed
              and applied to the current interface, for the duration of the current connection.

              Only Cisco extended access list syntax is legal  (ipx  input-sap-filter  <number>).
              For example:

                  sap-fltr-in#1="deny 6C01.0000.0000.0001"
                  sap-fltr-in#2="permit -1"

              Attributes  are  sorted  numerically  before  being applied.  Used with service=ppp
              protocol=ipx.

              PPP/IPX, 11.2(4)F.

       sap-fltr-out#<n>
              This AV pair specifies an output sap filter access list definition to be  installed
              and applied on the current interface, for the duration of the current connection.

              Only  Cisco  extended access list syntax is legal (ipx output-sap-filter <number>),
              e.g

                  sap-fltr-out#1="deny 6C01.0000.0000.0001"
                  sap-fltr-out#2="permit -1"

              Attributes are sorted numerically before  being  applied.   Used  with  service=ppp
              protocol=ipx.

              PPP/IPX, 11.2(4)F.

       source-ip
              This  specifies  a  single  ip  address that will be used as the source of all VPDN
              packets generated as part of the VPDN tunnel (see the equivalent source-ip  keyword
              in the IOS vpdn outgoing command).

              PPP/VPDN, now deprecated, only existed in releases 11.2(1.4) thru 11.2(4.0.2).

       timeout
              Sets  the  time  until  an  ARAP  or  exec  session disconnects unconditionally (in
              minutes).  For example: timeout=60

              ARAP/EXEC, 11.0 onward.

       tunnel-id
              This AV pair specifies the username that will be used to  authenticate  the  tunnel
              over  which  the  individual  user MID will be projected.  This is analogous to the
              "NAS name" in the "vpdn outgoing" command.

              PPP/VPDN, 11.2 onward.

       zonelist
              An Appletalk zonelist for arap (ARAP) equivalent to the line configuration  command
              "arap zonelist".  For example: zonelist=5.

       AV pairs reserved for future use (this list may be out-dated):

           ppp-vj-slot-compression
           link-compression
           asyncmap
           x25-addresses (PPP/VPDN)
           frame-relay (PPP/VPDN)

       Note: this AV pair list is NOT complete and not all AV pairs are supported by all vendors.
       See the vendor's documentation.  When a client (or server) receives a  mandatory  AV  pair
       that it does not understand, the authorization FAILS!

       Also  see  the  tac_plus  user  guide.   Some  of  the callback, appletalk, IPX, VPDN, PPP
       routing, and address pool related AV pairs found in the user guide have been omitted.

ACCOUNTING AV PAIRS

       bytes_in            The number of input bytes transferred during this connection.

       bytes_out           The number of output bytes transferred during this connection.

       cmd                 The command the user executed.

       data-rate           This AV pair has been renamed. See nas-rx-speed.

       disc-cause          Specifies the reason a connection was taken off-line.  The Disconnect-
                           Cause  attribute  is  sent in accounting stop records.  This attribute
                           also causes stop records to  be  generated  without  first  generating
                           start records if disconnected before authentication.

                                1    User request
                                2    Lost carrier
                                3    Lost service
                                4    Idle timeout
                                5    Session timeout
                                6    Admin reset
                                7    Admin reboot
                                8    Port error
                                9    NAS error
                                10   NAS request
                                11   NAS reboot
                                12   Port unneeded
                                13   Port pre-empted
                                14   Port suspended
                                15   Service unavailable
                                16   Callback
                                17   User error
                                18   Host request

       disc-cause-ext      Extends  the  disc-cause  attribute to support vendor-specific reasons
                           that a connection was taken off-line.

                                1000 Session timed out. This value applies to all session types.
                                1002 Reason unknown.
                                1004 Failure to authenticate calling-party number.
                                1010 No carrier detected. This value applies to modem connections.
                                1011 Loss of carrier. This value applies to modem connections.
                                1012 Failure to detect modem result codes. This value applies to modem connections.
                                1020 User terminates a session. This value applies to EXEC sessions.
                                1021 Timeout waiting for user input. This value applies to all session types.
                                1022 Disconnect due to exiting Telnet session. This value applies to EXEC sessions.
                                1023 Could not switch to SLIP/PPP; the remote end has no IP address. This value applies to EXEC sessions.
                                1024 Disconnect due to exiting raw TCP. This value applies to EXEC sessions.
                                1025 Bad passwords. This value applies to EXEC sessions.
                                1026 Raw TCP disabled. This value applies to EXEC sessions.
                                1027 Control-C detected. This value applies to EXEC sessions.
                                1028 EXEC process destroyed. This value applies to EXEC sessions.
                                1040 PPP LCP negotiation timed out. This value applies to PPP sessions.
                                1041 PPP LCP negotiation failed.
                                1042 PPP PAP authentication failed.
                                1043 PPP CHAP authentication failed.
                                1044 PPP remote authentication failed.
                                1045 PPP received a Terminate Request from remote end.
                                1046 Upper layer requested that the session be closed.  This value applies to PPP sessions.
                                1101 Session failed for security reasons. This value applies to all session types.
                                1102 Session terminated due to callback. This value applies to all session types.
                                1120 Call refused because the detected protocol is disabled. This value applies to all session types.

       elapsed_time        The elapsed time in seconds for the action.  Useful  when  the  device
                           does not keep real time.

       event               Information  included  in the accounting packet that describes a state
                           change in the router.  Events described are  accounting  starting  and
                           accounting stopping.

       mlp-links-max       Gives  the  count  of  links  known  to have been in a given multilink
                           session at the time the accounting record is generated.

       mlp-sess-id         Reports the identification number of the  multilink  bundle  when  the
                           session closes.  This attribute applies to sessions that are part of a
                           multilink bundle.  This attribute is sent  in  authentication-response
                           packets.

       nas-rx-speed        Specifies the average number of bits per second over the course of the
                           connection's lifetime.  This attribute  is  sent  in  accounting  stop
                           records.

       nas-tx-speed        Reports the transmit speed negotiated by the two modems.

       paks_in             The number of input packets transferred during this connection.

       paks_out            The number of output packets transferred during this connection.

       port                The port into which the user was logged.

       pre-bytes-in        Records  the  number  of  input  bytes  before  authentication.   This
                           attribute is sent in accounting stop records.

       pre-bytes-out       Records the  number  of  output  bytes  before  authentication.   This
                           attribute is sent in accounting stop records.

       pre-paks-in         Records  the  number  of  input  packets  before  authentication. This
                           attribute is sent in accounting stop records.

       pre-paks-out        Records the number of  output  packets  before  authentication.   This
                           attribute is sent in accounting stop records as Pre-Output-Packets.

       pre-session-time    Specifies  the  length  of  time,  in  seconds, from when a call first
                           connects to when it completes authentication.

       priv_level          The privilege level associated with the action.

       protocol            The protocol associated with the action.

       reason              Information included in the accounting packet that describes the event
                           that  caused  a  system  change.   Events described are system reload,
                           system shutdown, or accounting reconfiguration (turned on or off).

       service             The service the user used.

       start_time          The time, in seconds since 12:00 a.m. January 1, 1970, that the action
                           started.  The clock must be configured to receive this information.

       stop_time           The time, in seconds since 12:00 a.m. January 1, 1970, that the action
                           stopped.  The clock must be configured to receive this information.

       task_id             Start and stop records for the same event must have matching  (unique)
                           task_id numbers.

       timezone            The time zone abbreviation for all timestamps included in this packet.

       xmit-rate           This AV pair has been renamed nas-tx-speed.

EXAMPLE CLIENT CONFIGURATION

       Example Cisco configuration for tacacs+:

           aaa new-model
           aaa authentication login default tacacs+ local
           aaa authentication enable default tacacs+ enable
           aaa authorization exec default tacacs+
           aaa accounting exec default start-stop tacacs+
           !
           username root privilege 15 password 0 <root's password>
           !
           tacacs-server key <your key here>
           tacacs-server host <ip_address>
           ip tacacs source-interface loopback0
           !
           enable secret 0 <enable password>

       Note  that  the  aaa command syntax varies slightly between some versions of Cisco IOS and
       CatOS (Catalyst OS) also varies.

       Example Juniper configuration for tacacs+:

           system {
               authentication-order [ password tacplus ];
               tacplus-server {
                   <ip_address> secret <your key here>;
                   <ip_address> {
                       secret <your key here>;
                       timeout 90;
                   }
               }
           }

       Both of these examples are brief.  See the vendor's documentation  for  a  description  of
       what these configuration commands specify and for additional commands and arguments.

       WARNING:  If not properly configured, it may not be possible to login to the device!

EXAMPLE TAC_PLUS CONFIGURATION

       key = "your key here"
       accounting file = /var/log/tac.acct
       # authentication users not appearing elsewhere via
       # the file /etc/passwd
       default authentication = file /etc/passwd

       acl = dial_only {
           # All access routers are in 192.168/16, but except for
           # 192.168.0.1 all backbone router are in 198.168.0/24.
           # deny access to the backbone routers.
           permit = ^192\.168\.0\.1$
           deny   = ^192\.168\.0\.
           permit = ^192\.168\.
       }

       group = no_backbone {
           # permit an exec to start and permit all commands and
           # services by default
           default service = permit

           service = exec {
               # When an exec is started, its connection access list
               # will be 4. "acl" is quoted because it is a keyword.
               # It also has an autocmd
               "acl" = 4
               autocmd = "telnet duffhost"
           }

           # group will only be allowed to login on NASes
           acl = dial_only
       }
       group = admin {
           # group members who don't have their own login password will be
           # looked up in /etc/passwd
           login = file /etc/passwd

           # group members who have no expiry date set will use this one
           expires = "Jan 1 1997"

           # deny access to backbone routers
           acl = dial_only
       }

       user = DEFAULT {
           service = ppp protocol = ip {
               addr-pool=foobar
           }
       }
       user = homer {
           default service = permit

           member = no_backbone
       }
       user = fred {
           login = des mEX027bHtzTlQ
           name = "Fred Flintstone"
           member = admin
           expires = "May 23 2005"
           arap = cleartext "Fred's arap secret"
           chap = cleartext "Fred's chap secret"

           service = exec {
               # When Fred starts an exec, his connection access
               # list is 5
               "acl" = 5

               # We require this autocmd to be done at startup
               autocmd = "telnet foo"
           }

           # All commands except show system are denied for Fred
           cmd = show {
               # Fred can run the following show command

               permit system
               deny .*
           }

           service = ppp protocol = ip {
               # Fred can run ip over ppp only if he uses one
               # of the following mandatory addresses. If he
               # supplies no address, the first one here will
               # be mandated

               addr=131.108.12.11
               addr=131.108.12.12
               addr=131.108.12.13
               addr=131.108.12.14

               # Fred's mandatory input access list number is 101
               inacl=101

               # We will suggest an output access list of 102, but the NAS may
               # choose to ignore or override it

               optional outacl=102
           }

           service = slip {
               # Fred can run slip. When he does, he will have to use
               # these mandatory access lists

               inacl=101
               outacl=102
           }
       }

       user = wilma {
           # Wilma has no password of her own, but she's a group member so
           # she'll use the group password if there is one. Same for her
           # password expiry date

           member = admin
       }

FILES

       /etc/tac_plus.conf            Configuration file.

       /var/log/tac_plus.acct        The default accounting file.

       /var/log/tac_plus.log         The default log file.

SEE ALSO

       gethostbyaddr(3), passwd(5), regexp(3), tac_plus(8), tac_pwd(8)

       Also  see  the tac_plus User Guide (user_guide) that came with the distribution.  The user
       guide does not cover all the modifications to the original Cisco  version  nor  does  this
       manual  page  cover  everything  that  is  in  the user guide (callback configuration, for
       example).

AUTHOR

       The tac_plus (tacacs+) developer's kit is a product of Cisco Systems.  Made  available  at
       no cost and with no warranty of any kind.  See the file COPYING and source files that came
       with the distribution for specifics.

HISTORY

       This manual page was adapted from code inspection and Cisco's tac_plus user guide.

BUGS

       This manual page is incomplete.

                                          1 August 2013                          tac_plus.conf(5)