Provided by: tacacs+_4.0.4.27a-3_amd64

NAME

       do_auth - Program allowing more granular control than tac_plus.

SYNOPSIS

       do_auth -u user [-i Ip Address] [-d Device address] [-f Config filename] [-l Log file] [-D Debug mode]

DESCRIPTION

       do_auth is a Python program written to work as an authorization script for tacacs to allow greater
       flexibility in tacacs authentication.  It allows a user to be part of many predefined groups that can
       allow different access to different devices based on IP, user, and source address.

       Groups  are assigned to users in the [users] section.  A user must be assigned to one or more groups, one
       per line.  Groups are defined in brackets, but can be any name.  Each group can have up to 6  options  as
       defined below.

        host_deny          Deny any user coming from this host.  Optional.
        host_allow         Allow users from this range. Mandatory with -i.
        device_deny        Deny any device with this IP.  Optional.
        device_permit      Allow this range. Mandatory if -d is specified.
        command_deny       Deny these commands.  Optional.
        command_permit     Allow these commands.  Mandatory.

       The options are parsed in order until a match is found.  Obviously, for login, the commands section is not
       parsed.  If a match is not found, or a deny is found, we move on to the next group.  At the end, we have
       an implicit deny if no groups match.  All tacacs keys passed on login to do_auth are returned (except
       cmd*).  It is possible to modify them, but I haven't implemented this yet as I don't need it.  Future
       versions may have an av_pair & append_av_pair option.
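
       The group evaluation described above, as an added Python example that is not do_auth's own code.
       Assumptions: the layout of the sample file follows the description (a [users] section listing
       groups one per line, then one bracketed section per group), the user, group names and addresses
       are constructed, and each option line is treated as a regular expression that must match the
       whole value.

```python
import configparser
import re

# Constructed sample policy: user, group names and addresses are invented.
SAMPLE_INI = r"""
[users]
alice =
    noc_readonly
    core_admins
[noc_readonly]
host_allow =
    10\.0\.0\..*
device_permit =
    192\.168\.1\..*
command_deny =
    show running-config.*
command_permit =
    show .*
[core_admins]
host_deny =
    10\.0\.0\.66
host_allow =
    10\.0\.0\..*
device_permit =
    192\.168\..*
command_permit =
    .*
"""

def load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def _hit(cfg, group, option, value):
    # Assumption: each line is a regex that must match the whole value.
    lines = cfg.get(group, option, fallback="").splitlines()
    return any(re.fullmatch(p.strip(), value) for p in lines if p.strip())

def authorize(cfg, user, src_ip=None, device=None, command=None):
    """Return the first group that allows the request, or None (implicit deny)."""
    checks = [(src_ip, "host_deny", "host_allow"),
              (device, "device_deny", "device_permit"),
              (command, "command_deny", "command_permit")]
    for g in cfg.get("users", user, fallback="").split():
        # None means the value was not supplied, so that deny/allow pair is skipped.
        if all(v is None or (not _hit(cfg, g, deny, v) and _hit(cfg, g, allow, v))
               for v, deny, allow in checks):
            return g   # corresponds to exit status 0
    return None        # no group matched: exit status 1
```

       With this sample policy, "show running-config" is denied by noc_readonly but still allowed through
       core_admins, because a deny only ends evaluation of the current group.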

OPTIONS

       -u     Username.  Mandatory.  $user

       -i     IP address of user.  Optional.  If not specified, all host_ entries are ignored and can be
              omitted. $address

       -d     Device address.  Optional.  If not specified, all device_ entries are ignored and can be  omitted.
              $name

       -f     Config Filename.  Default is do_auth.ini.

       -l     Logfile. Default is log.txt.

       -D     Activate debug mode.

EXAMPLES

       do_auth -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs+/do_auth.ini

EXIT STATUS

       do_auth returns 0 to allow, 1 to deny authorization.

AUTHOR

       Henry-Nicolas Tourneur from the do_auth file written by Dan Schmidt.

SEE ALSO

       tac_plus(8), tac_plus.conf(5)