1 .\" Copyright (c) 1998, 2001, 2002, Juniper Networks, Inc.
2 .\" All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
13 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 .Nd TACACS+ client library
34 .Fn tac_add_server "struct tac_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int flags"
36 .Fn tac_clear_avs "struct tac_handle *h"
38 .Fn tac_close "struct tac_handle *h"
40 .Fn tac_config "struct tac_handle *h" "const char *path"
42 .Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service"
44 .Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service"
46 .Fn tac_create_acct "struct tac_handle *h" "int acct" "int action" "int type" "int service"
48 .Fn tac_get_av "struct tac_handle *h" "u_int index"
50 .Fn tac_get_av_value "struct tac_handle *h" "const char *attribute"
52 .Fn tac_get_data "struct tac_handle *h" "size_t *len"
54 .Fn tac_get_msg "struct tac_handle *h"
55 .Ft struct tac_handle *
58 .Fn tac_send_authen "struct tac_handle *h"
60 .Fn tac_send_author "struct tac_handle *h"
62 .Fn tac_send_acct "struct tac_handle *h"
64 .Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair"
66 .Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len"
68 .Fn tac_set_msg "struct tac_handle *h" "const char *msg"
70 .Fn tac_set_port "struct tac_handle *h" "const char *port"
72 .Fn tac_set_priv "struct tac_handle *h" "int priv"
74 .Fn tac_set_rem_addr "struct tac_handle *h" "const char *addr"
76 .Fn tac_set_user "struct tac_handle *h" "const char *user"
78 .Fn tac_strerror "struct tac_handle *h"
82 library implements the client side of the TACACS+ network access
84 TACACS+ allows clients to perform authentication,
85 authorization, and accounting by means of network requests to remote
87 This library currently supports only the authentication
88 and authorization portion of the protocol.
90 To use the library, an application must first call
93 .Va struct tac_handle * ,
94 which provides context for subsequent operations.
97 always succeed unless insufficient virtual memory is available.
99 the necessary memory cannot be allocated,
104 Before issuing any TACACS+ requests, the library must be made aware
105 of the servers it can contact.
106 The easiest way to configure the
110 causes the library to read a configuration file whose format is
113 The pathname of the configuration file is passed as the
117 This argument may also be given as
119 in which case the standard configuration file
120 .Pa /etc/tacplus.conf
123 returns 0 on success, or \-1 if an error occurs.
125 The library can also be configured programmatically by calls to
129 parameter specifies the server host, either as a fully qualified
130 domain name or as a dotted-quad IP address in text form.
133 parameter specifies the TCP port to contact on the server.
136 is given as 0, the library uses port 49, the standard TACACS+ port.
137 The shared secret for the server host is passed to the
140 It may be any null-terminated string of bytes.
141 The timeout for receiving replies from the server is passed to the
143 parameter, in units of seconds.
146 parameter is a bit mask of flags to specify various characteristics of
150 .It Dv TAC_SRVR_SINGLE_CONNECT
151 Causes the library to attempt to negotiate single connection mode
152 when communicating with the server.
153 In single connection mode, the
154 original TCP connection is held open for multiple TACACS+ sessions.
155 Older servers do not support this mode, and some of them become
156 confused if the client attempts to negotiate it.
160 returns 0 on success, or \-1 if an error occurs.
163 may be called multiple times, and it may be used together with
165 At most 10 servers may be specified.
166 When multiple servers are given, they are tried in round-robin
167 fashion until a working, accessible server is found.
169 library finds such a server, it continues to use it as long as it
171 .Sh CREATING A TACACS+ AUTHENTICATION REQUEST
172 To begin constructing a new authentication request, call
173 .Fn tac_create_authen .
179 arguments must be set to appropriate values as defined in the
180 TACACS+ protocol specification.
183 header file contains symbolic constants for these values.
184 .Sh CREATING A TACACS+ AUTHORIZATION REQUEST
185 To begin constructing a new authorization request, call
186 .Fn tac_create_author .
192 arguments must be set to appropriate values as defined in the
193 TACACS+ protocol specification.
196 header file contains symbolic constants for these values.
197 .Sh CREATING A TACACS+ ACCOUNTING REQUEST
198 To begin constructing a new accounting request, call
199 .Fn tac_create_acct .
206 arguments must be set to appropriate values as defined in the
207 TACACS+ protocol specification.
210 header file contains symbolic constants for these values.
211 .Sh SETTING OPTIONAL PARAMETERS ON A REQUEST
212 After creating a request,
213 various optional parameters may be attached to it through calls to
218 .Fn tac_set_rem_addr ,
221 The library creates its own copies of any strings provided to these
222 functions, so that it is not necessary for the caller to preserve
224 By default, each of these parameters is empty except for the
225 privilege level, which defaults to
230 only applies to the context of an authorization request.
232 for an attribute value pair is defined in the TACACS+ protocol
234 The index specified can be any value between 0 and
235 255 inclusive and indicates the position in the list to place the
236 attribute value pair.
239 with same index twice effectively replaces the value at that position.
242 to clear all attribute value pairs that may have been set.
243 .Sh SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
244 After the TACACS+ authentication request has been constructed, it is
246 .Fn tac_send_authen .
247 This function connects to a server if not already connected, sends
248 the request, and waits for a reply.
252 Otherwise, it returns the TACACS+ status code and flags,
253 packed into an integer value.
254 The status can be extracted using the
256 .Fn TAC_AUTHEN_STATUS .
257 Possible status codes, defined in
261 .Bl -item -compact -offset indent
263 .Dv TAC_AUTHEN_STATUS_PASS
265 .Dv TAC_AUTHEN_STATUS_FAIL
267 .Dv TAC_AUTHEN_STATUS_GETDATA
269 .Dv TAC_AUTHEN_STATUS_GETUSER
271 .Dv TAC_AUTHEN_STATUS_GETPASS
273 .Dv TAC_AUTHEN_STATUS_RESTART
275 .Dv TAC_AUTHEN_STATUS_ERROR
277 .Dv TAC_AUTHEN_STATUS_FOLLOW
280 The only flag is the no-echo flag, which can be tested using the
282 .Fn TAC_AUTHEN_NOECHO .
283 .Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
284 An authentication response packet from the server may contain a
285 server message, a data string, or both.
286 After a successful call to
287 .Fn tac_send_authen ,
288 this information may be retrieved from the response by calling
292 These functions return dynamically-allocated copies of the
293 information from the packet.
294 The caller is responsible for freeing
295 the copies when it no longer needs them.
296 The data returned from
297 these functions is guaranteed to be terminated by a null byte.
303 argument points to a location into which the library will store the
304 actual length of the received data, not including the null
306 This argument may be given as
308 if the caller is not interested in the length.
309 .Sh SENDING AUTHENTICATION CONTINUE PACKETS
312 returns a value containing one of the status codes
313 .Dv TAC_AUTHEN_STATUS_GETDATA ,
314 .Dv TAC_AUTHEN_STATUS_GETUSER ,
316 .Dv TAC_AUTHEN_STATUS_GETPASS ,
317 then the client must provide additional information to the server by
318 means of a TACACS+ CONTINUE packet.
319 To do so, the application must
320 first set the packet's user message and/or data fields using
324 The client then sends the CONTINUE packet with
325 .Fn tac_send_authen .
327 .Fn tac_create_authen
330 be called to construct a CONTINUE packet; it is used only for the
331 initial authentication request.
333 When it receives the CONTINUE packet, the server may again request
334 more information by returning
335 .Dv TAC_AUTHEN_STATUS_GETDATA ,
336 .Dv TAC_AUTHEN_STATUS_GETUSER ,
338 .Dv TAC_AUTHEN_STATUS_GETPASS .
339 The application should send further CONTINUEs until some other
340 status is received from the server.
341 .Sh SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE
342 After the TACACS+ authorization request has been constructed, it
344 .Fn tac_send_author .
345 This function connects to a server if not already connected, sends
346 the request, and waits for a reply.
350 Otherwise, it returns the TACACS+ status code and
351 number of attribute value (AV) pairs received packed into an
353 The status can be extracted using the macro
354 .Fn TAC_AUTHOR_STATUS .
355 Possible status codes, defined in
359 .Bl -item -compact -offset indent
361 .Dv TAC_AUTHOR_STATUS_PASS_ADD
363 .Dv TAC_AUTHOR_STATUS_PASS_REPL
365 .Dv TAC_AUTHOR_STATUS_FAIL
367 .Dv TAC_AUTHOR_STATUS_ERROR
370 The number of AV pairs received is obtained using
371 .Fn TAC_AUTHEN_AV_COUNT .
372 .Sh SENDING THE ACCOUNTING REQUEST AND RECEIVING THE RESPONSE
373 After the TACACS+ authorization request has been constructed, it
376 This function connects to a server if not already connected, sends
377 the request, and waits for a reply.
381 Otherwise, it returns the TACACS+ status code.
382 Possible status codes, defined in
386 .Bl -item -compact -offset indent
388 .Dv TAC_ACCT_STATUS_SUCCESS
390 .Dv TAC_ACCT_STATUS_ERROR
392 .Dv TAC_ACCT_STATUS_FOLLOW
394 .Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE
395 Like an authentication response packet, an authorization
396 response packet from the
397 server may contain a server message, a data string, or both.
399 to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
400 for instruction on extraction of those values.
402 An authorization response packet from the server may also contain
403 attribute value (AV) pairs.
404 To extract these, use
407 .Fn tac_get_av_value .
409 takes the index of the AV pair as it is positioned in the list.
410 The indexes start at 0 (use
411 .Fn TAC_AUTHEN_AV_COUNT
412 on the return value of
414 to get the total number of items in this list).
419 takes the attribute name and returns the
420 corresponding value only, not the AV pair.
421 These functions return
422 dynamically-allocated copies of the information from the packet.
423 The caller is responsible for freeing the copies when it no longer
425 The data returned from these functions is guaranteed
426 to be terminated by a null byte.
427 .Sh OBTAINING ERROR MESSAGES
428 Those functions which accept a
429 .Va struct tac_handle *
430 argument record an error message if they fail.
432 can be retrieved by calling
434 The message text is overwritten on each new error for the given
435 .Va struct tac_handle * .
436 Thus the message must be copied if it is to be preserved through
437 subsequent library calls using the same handle.
439 To free the resources used by the TACACS+ library, call
442 The following functions return a non-negative value on success.
444 they detect an error, they return \-1 and record an error message
445 which can be retrieved using
448 .Bl -item -offset indent -compact
454 .Fn tac_create_authen
456 .Fn tac_create_author
481 The following functions return a
484 If they are unable to allocate sufficient
485 virtual memory, they return
487 and record an error message which can be retrieved using
490 .Bl -item -offset indent -compact
501 The following functions return a
504 If they are unable to allocate sufficient
505 virtual memory, they return
507 without recording an error message.
509 .Bl -item -offset indent -compact
515 .It Pa /etc/tacplus.conf
522 .%T The TACACS+ Protocol, Version 1.78
523 .%O draft-grant-tacacs-02.txt (Internet Draft)
527 This software was written by
533 project by Juniper Networks, Inc.