1.\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD$ 26.\" 27.Dd December 11, 2009 28.Dt LIBTACPLUS 3 29.Os 30.Sh NAME 31.Nm libtacplus 32.Nd TACACS+ client library 33.Sh SYNOPSIS 34.In taclib.h 35.Ft int 36.Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags" 37.Ft void 38.Fn tac_clear_avs "struct tac_handle *h" 39.Ft void 40.Fn tac_close "struct tac_handle *h" 41.Ft int 42.Fn tac_config "struct tac_handle *h" "const char *path" 43.Ft int 44.Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service" 45.Ft int 46.Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service" 47.Ft int 48.Fn tac_create_acct "struct tac_handle *h" "int acct" "int action" "int type" "int service" 49.Ft char * 50.Fn tac_get_av "struct tac_handle *h" "u_int index" 51.Ft char * 52.Fn tac_get_av_value "struct tac_handle *h" "const char *attribute" 53.Ft void * 54.Fn tac_get_data "struct tac_handle *h" "size_t *len" 55.Ft char * 56.Fn tac_get_msg "struct tac_handle *h" 57.Ft struct tac_handle * 58.Fn tac_open "void" 59.Ft int 60.Fn tac_send_authen "struct tac_handle *h" 61.Ft int 62.Fn tac_send_author "struct tac_handle *h" 63.Ft int 64.Fn tac_send_acct "struct tac_handle *h" 65.Ft int 66.Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair" 67.Ft int 68.Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len" 69.Ft int 70.Fn tac_set_msg "struct tac_handle *h" "const char *msg" 71.Ft int 72.Fn tac_set_port "struct tac_handle *h" "const char *port" 73.Ft int 74.Fn tac_set_priv "struct tac_handle *h" "int priv" 75.Ft int 76.Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr" 77.Ft int 78.Fn tac_set_user "struct tac_handle *h" "const char *user" 79.Ft const char * 80.Fn tac_strerror "struct tac_handle *h" 81.Sh DESCRIPTION 82The 83.Nm 84library implements the client side of the TACACS+ network access 85control protocol. 86TACACS+ allows clients to perform authentication, 87authorization, and accounting by means of network requests to remote 88servers. 89This library currently supports only the authentication 90and authorization portion of the protocol. 91.Sh INITIALIZATION 92To use the library, an application must first call 93.Fn tac_open 94to obtain a 95.Va struct tac_handle * , 96which provides context for subsequent operations. 97Calls to 98.Fn tac_open 99always succeed unless insufficient virtual memory is available. 100If 101the necessary memory cannot be allocated, 102.Fn tac_open 103returns 104.Dv NULL . 105.Pp 106Before issuing any TACACS+ requests, the library must be made aware 107of the servers it can contact. 108The easiest way to configure the 109library is to call 110.Fn tac_config . 111.Fn tac_config 112causes the library to read a configuration file whose format is 113described in 114.Xr tacplus.conf 5 . 115The pathname of the configuration file is passed as the 116.Va file 117argument to 118.Fn tac_config . 119This argument may also be given as 120.Dv NULL , 121in which case the standard configuration file 122.Pa /etc/tacplus.conf 123is used. 124.Fn tac_config 125returns 0 on success, or \-1 if an error occurs. 126.Pp 127The library can also be configured programmatically by calls to 128.Fn tac_add_server . 129The 130.Va host 131parameter specifies the server host, either as a fully qualified 132domain name or as a dotted-quad IP address in text form. 133The 134.Va port 135parameter specifies the TCP port to contact on the server. 136If 137.Va port 138is given as 0, the library uses port 49, the standard TACACS+ port. 139The shared secret for the server host is passed to the 140.Va secret 141parameter. 142It may be any null-terminated string of bytes. 143The timeout for receiving replies from the server is passed to the 144.Va timeout 145parameter, in units of seconds. 146The 147.Va flags 148parameter is a bit mask of flags to specify various characteristics of 149the server. 150It may contain: 151.Pp 152.Bl -tag -width Fl 153.It Dv TAC_SRVR_SINGLE_CONNECT 154Causes the library to attempt to negotiate single connection mode 155when communicating with the server. 156In single connection mode, the 157original TCP connection is held open for multiple TACACS+ sessions. 158Older servers do not support this mode, and some of them become 159confused if the client attempts to negotiate it. 160.El 161.Pp 162.Fn tac_add_server 163returns 0 on success, or \-1 if an error occurs. 164.Pp 165.Fn tac_add_server 166may be called multiple times, and it may be used together with 167.Fn tac_config . 168At most 10 servers may be specified. 169When multiple servers are given, they are tried in round-robin 170fashion until a working, accessible server is found. 171Once the 172library finds such a server, it continues to use it as long as it 173works. 174.Sh CREATING A TACACS+ AUTHENTICATION REQUEST 175To begin constructing a new authentication request, call 176.Fn tac_create_authen . 177The 178.Va action , 179.Va type , 180and 181.Va service 182arguments must be set to appropriate values as defined in the 183TACACS+ protocol specification. 184The 185.In taclib.h 186header file contains symbolic constants for these values. 187.Sh CREATING A TACACS+ AUTHORIZATION REQUEST 188To begin constructing a new authorization request, call 189.Fn tac_create_author . 190The 191.Va method , 192.Va type , 193and 194.Va service 195arguments must be set to appropriate values as defined in the 196TACACS+ protocol specification. 197The 198.In taclib.h 199header file contains symbolic constants for these values. 200.Sh CREATING A TACACS+ ACCOUNTING REQUEST 201To begin constructing a new accounting request, call 202.Fn tac_create_acct . 203The 204.Va acct , 205.Va action , 206.Va type , 207and 208.Va service 209arguments must be set to appropriate values as defined in the 210TACACS+ protocol specification. 211The 212.In taclib.h 213header file contains symbolic constants for these values. 214.Sh SETTING OPTIONAL PARAMETERS ON A REQUEST 215After creating a request, 216various optional parameters may be attached to it through calls to 217.Fn tac_set_av , 218.Fn tac_set_data , 219.Fn tac_set_port , 220.Fn tac_set_priv , 221.Fn tac_set_rem_addr , 222and 223.Fn tac_set_user . 224The library creates its own copies of any strings provided to these 225functions, so that it is not necessary for the caller to preserve 226them. 227By default, each of these parameters is empty except for the 228privilege level, which defaults to 229.Ql USER 230privilege. 231.Pp 232.Fn tac_set_av 233only applies to the context of an authorization request. 234The format 235for an attribute value pair is defined in the TACACS+ protocol 236specification. 237The index specified can be any value between 0 and 238255 inclusive and indicates the position in the list to place the 239attribute value pair. 240Calling 241.Fn tac_set_av 242with same index twice effectively replaces the value at that position. 243Use 244.Fn tac_clear_avs 245to clear all attribute value pairs that may have been set. 246.Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE 247After the TACACS+ authentication request has been constructed, it is 248sent by means of 249.Fn tac_send_authen . 250This function connects to a server if not already connected, sends 251the request, and waits for a reply. 252On failure, 253.Fn tac_send_authen 254returns \-1. 255Otherwise, it returns the TACACS+ status code and flags, 256packed into an integer value. 257The status can be extracted using the 258macro 259.Fn TAC_AUTHEN_STATUS . 260Possible status codes, defined in 261.In taclib.h , 262include: 263.Pp 264.Bl -item -compact -offset indent 265.It 266.Dv TAC_AUTHEN_STATUS_PASS 267.It 268.Dv TAC_AUTHEN_STATUS_FAIL 269.It 270.Dv TAC_AUTHEN_STATUS_GETDATA 271.It 272.Dv TAC_AUTHEN_STATUS_GETUSER 273.It 274.Dv TAC_AUTHEN_STATUS_GETPASS 275.It 276.Dv TAC_AUTHEN_STATUS_RESTART 277.It 278.Dv TAC_AUTHEN_STATUS_ERROR 279.It 280.Dv TAC_AUTHEN_STATUS_FOLLOW 281.El 282.Pp 283The only flag is the no-echo flag, which can be tested using the 284macro 285.Fn TAC_AUTHEN_NOECHO . 286.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE 287An authentication response packet from the server may contain a 288server message, a data string, or both. 289After a successful call to 290.Fn tac_send_authen , 291this information may be retrieved from the response by calling 292.Fn tac_get_msg 293and 294.Fn tac_get_data . 295These functions return dynamically-allocated copies of the 296information from the packet. 297The caller is responsible for freeing 298the copies when it no longer needs them. 299The data returned from 300these functions is guaranteed to be terminated by a null byte. 301.Pp 302In the case of 303.Fn tac_get_data , 304the 305.Va len 306argument points to a location into which the library will store the 307actual length of the received data, not including the null 308terminator. 309This argument may be given as 310.Dv NULL 311if the caller is not interested in the length. 312.Sh SENDING AUTHENTICATION CONTINUE PACKETS 313If 314.Fn tac_send_authen 315returns a value containing one of the status codes 316.Dv TAC_AUTHEN_STATUS_GETDATA , 317.Dv TAC_AUTHEN_STATUS_GETUSER , 318or 319.Dv TAC_AUTHEN_STATUS_GETPASS , 320then the client must provide additional information to the server by 321means of a TACACS+ CONTINUE packet. 322To do so, the application must 323first set the packet's user message and/or data fields using 324.Fn tac_set_msg 325and 326.Fn tac_set_data . 327The client then sends the CONTINUE packet with 328.Fn tac_send_authen . 329N.B., 330.Fn tac_create_authen 331should 332.Em not 333be called to construct a CONTINUE packet; it is used only for the 334initial authentication request. 335.Pp 336When it receives the CONTINUE packet, the server may again request 337more information by returning 338.Dv TAC_AUTHEN_STATUS_GETDATA , 339.Dv TAC_AUTHEN_STATUS_GETUSER , 340or 341.Dv TAC_AUTHEN_STATUS_GETPASS . 342The application should send further CONTINUEs until some other 343status is received from the server. 344.Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE 345After the TACACS+ authorization request has been constructed, it 346is sent by means of 347.Fn tac_send_author . 348This function connects to a server if not already connected, sends 349the request, and waits for a reply. 350On failure, 351.Fn tac_send_author 352returns \-1. 353Otherwise, it returns the TACACS+ status code and 354number of attribute value (AV) pairs received packed into an 355integer value. 356The status can be extracted using the macro 357.Fn TAC_AUTHOR_STATUS . 358Possible status codes, defined in 359.In taclib.h , 360include: 361.Pp 362.Bl -item -compact -offset indent 363.It 364.Dv TAC_AUTHOR_STATUS_PASS_ADD 365.It 366.Dv TAC_AUTHOR_STATUS_PASS_REPL 367.It 368.Dv TAC_AUTHOR_STATUS_FAIL 369.It 370.Dv TAC_AUTHOR_STATUS_ERROR 371.El 372.Pp 373The number of AV pairs received is obtained using 374.Fn TAC_AUTHEN_AV_COUNT . 375.Sh SENDING THE ACCOUNTING REQUEST AND RECEIVING THE RESPONSE 376After the TACACS+ authorization request has been constructed, it 377is sent by means of 378.Fn tac_send_acct . 379This function connects to a server if not already connected, sends 380the request, and waits for a reply. 381On failure, 382.Fn tac_send_acct 383returns \-1. 384Otherwise, it returns the TACACS+ status code 385Possible status codes, defined in 386.In taclib.h , 387include: 388.Pp 389.Bl -item -compact -offset indent 390.It 391.Dv TAC_ACCT_STATUS_SUCCESS 392.It 393.Dv TAC_ACCT_STATUS_ERROR 394.It 395.Dv TAC_ACCT_STATUS_FOLLOW 396.El 397.Pp 398.Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE 399Like an authentication response packet, an authorization 400response packet from the 401server may contain a server message, a data string, or both. 402Refer 403to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE 404for instruction on extraction of those values. 405.Pp 406An authorization response packet from the server may also contain 407attribute value (AV) pairs. 408To extract these, use 409.Fn tac_get_av 410or 411.Fn tac_get_av_value . 412.Fn tac_get_av 413takes the index of the AV pair as it is positioned in the list. 414The indexes start at 0 (use 415.Fn TAC_AUTHEN_AV_COUNT 416on the return value of 417.Fn tac_send_author 418to get the total number of items in this list). 419Alternatively, 420.Fn tac_get_av_value 421can be used. 422.Fn tac_get_av_value 423takes the attribute name and returns the 424corresponding value only, not the AV pair. 425These functions return 426dynamically-allocated copies of the information from the packet. 427The caller is responsible for freeing the copies when it no longer 428needs them. 429The data returned from these functions is guaranteed 430to be terminated by a null byte. 431.Sh OBTAINING ERROR MESSAGES 432Those functions which accept a 433.Va struct tac_handle * 434argument record an error message if they fail. 435The error message 436can be retrieved by calling 437.Fn tac_strerror . 438The message text is overwritten on each new error for the given 439.Va struct tac_handle * . 440Thus the message must be copied if it is to be preserved through 441subsequent library calls using the same handle. 442.Sh CLEANUP 443To free the resources used by the TACACS+ library, call 444.Fn tac_close . 445.Sh RETURN VALUES 446The following functions return a non-negative value on success. 447If 448they detect an error, they return \-1 and record an error message 449which can be retrieved using 450.Fn tac_strerror . 451.Pp 452.Bl -item -offset indent -compact 453.It 454.Fn tac_add_server 455.It 456.Fn tac_config 457.It 458.Fn tac_create_authen 459.It 460.Fn tac_create_author 461.It 462.Fn tac_create_acct 463.It 464.Fn tac_send_authen 465.It 466.Fn tac_send_author 467.It 468.Fn tac_send_acct 469.It 470.Fn tac_set_av 471.It 472.Fn tac_set_data 473.It 474.Fn tac_set_msg 475.It 476.Fn tac_set_port 477.It 478.Fn tac_set_priv 479.It 480.Fn tac_set_rem_addr 481.It 482.Fn tac_set_user 483.El 484.Pp 485The following functions return a 486.No non- Ns Dv NULL 487pointer on success. 488If they are unable to allocate sufficient 489virtual memory, they return 490.Dv NULL 491and record an error message which can be retrieved using 492.Fn tac_strerror . 493.Pp 494.Bl -item -offset indent -compact 495.It 496.Fn tac_get_av 497.It 498.Fn tac_get_av_value 499.It 500.Fn tac_get_data 501.It 502.Fn tac_get_msg 503.El 504.Pp 505The following functions return a 506.No non- Ns Dv NULL 507pointer on success. 508If they are unable to allocate sufficient 509virtual memory, they return 510.Dv NULL , 511without recording an error message. 512.Pp 513.Bl -item -offset indent -compact 514.It 515.Fn tac_open 516.El 517.Sh FILES 518.Pa /etc/tacplus.conf 519.Sh SEE ALSO 520.Xr tacplus.conf 5 521.Rs 522.%A D. Carrel 523.%A Lol Grant 524.%T The TACACS+ Protocol, Version 1.78 525.%O draft-grant-tacacs-02.txt (Internet Draft) 526.Re 527.Sh AUTHORS 528.An -nosplit 529This software was written by 530.An John Polstra 531and 532.An Paul Fraley , 533and donated to the 534.Fx 535project by Juniper Networks, Inc. 536