TACACS+ Specific Authentication
This article explains how ClearBox Server processes TACACS+
authentication request packets. Read more about authentication
concepts and TACACS+ concepts.
Before the packet is processed, realm stripping and
forwarding are performed.
First, the server determines the type of the packet: START (the first request
in a series of requests) or CONTINUE.
START packet processing
The authentication method is selected first, according to the authentication
type field of the packet.
The authentication action is selected next:
- If the action is TAC_PLUS_AUTHEN_CHPASS (a "password change" request) and
the authentication method is not AT_ASCII, an ERROR packet is returned to
the TACACS+ client.
If the authentication method is AT_ASCII:
a) If there is no user name in the packet, a TAC_PLUS_AUTHEN_STATUS_GETUSER
packet is sent back with a string prompting the user to enter his name.
b) If there is a user name in the packet, a TAC_PLUS_AUTHEN_STATUS_GETDATA
packet is sent back with a prompt requesting the user's old password.
- If the action is TAC_PLUS_AUTHEN_SENDPASS (a "send clear text
password to NAS" request) and TACACS+ minor version 0 support is
turned off (as defined by the server configuration), an ERROR packet is sent back.
If no user name is present in the packet, an ERROR packet is sent back.
ICommonAuthentication::GetUserPassword
is called next. If it indicates that no user with that name is known to the
server extension, a TAC_PLUS_AUTHEN_STATUS_FAIL packet is sent
and the user is rejected.
If the user is found but his password is not available in clear text, or the
ignorePassword parameter is set to VARIANT_TRUE, a TAC_PLUS_AUTHEN_STATUS_FAIL
packet is sent and the user is rejected. Otherwise, a TAC_PLUS_AUTHEN_STATUS_PASS
packet is sent back with the user's password.
- If the action is TAC_PLUS_AUTHEN_SENDAUTH and the authentication type is
AT_ASCII, an ERROR packet is sent back.
Otherwise the server calls ICommonAuthentication::GetUserPassword
to get the user's password. If it is not available in clear text, or no user
exists with that name, a TAC_PLUS_AUTHEN_STATUS_FAIL response is sent
back; otherwise a TAC_PLUS_AUTHEN_STATUS_PASS response is sent with
authentication data dependent on the authentication method.
- If the action is TAC_PLUS_AUTHEN_LOGIN, the common
authentication process is initiated.
CONTINUE packet processing
If the authentication method is not AT_ASCII, an ERROR packet is sent back.
If the TAC_PLUS_CONTINUE_FLAG_ABORT flag is set, the authentication process terminates.
- If the action is TAC_PLUS_AUTHEN_CHPASS:
a) If the server extension does not yet know the user name, the old password or
the new password, it issues the appropriate response with a prompt to the user.
b) Once all authentication information has been collected, the server calls
ICommonAuthentication::SetUserPassword.
- If the action is TAC_PLUS_AUTHEN_LOGIN:
a) If there is no user name in the packet, a TAC_PLUS_AUTHEN_STATUS_GETUSER
packet is sent back prompting the user to enter his name.
b) If there is a user name in the packet, a TAC_PLUS_AUTHEN_STATUS_GETPASS
response is sent back with a prompt requesting the user's password.
c) If the server has both the user name and the password, the common
authentication process is initiated.
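As an added illustration of the START and CONTINUE decision lists above (example code written for this page, not ClearBox Server's implementation), the following Python reduces both sections to functions that return the reply status. The user store, the treatment of the "common authentication process" as a clear-text password comparison, and the omission of CHPASS continuation are assumptions.

```python
# Numeric values are those of the TACACS+ specification (RFC 8907 / original draft).
LOGIN, CHPASS, SENDPASS, SENDAUTH = 0x01, 0x02, 0x03, 0x04      # authen action
AT_ASCII = 0x01                                                  # authen type "AT_ASCII"
PASS, FAIL, GETDATA, GETUSER, GETPASS, ERROR = 1, 2, 3, 4, 5, 7  # reply status
FLAG_ABORT = 0x01                                                # CONTINUE packet flag

# Constructed stand-in for ICommonAuthentication::GetUserPassword: the value is the
# clear-text password, or None when the extension cannot supply it in clear text.
USERS = {"alice": "s3cret", "bob": None}

def common_authentication(user, password):
    """The article does not detail the 'common authentication process';
    assumed here to be a clear-text password comparison."""
    pw = USERS.get(user)
    return PASS if pw is not None and pw == password else FAIL

def handle_start(action, authen_type, user, password=None,
                 minor_v0=False, ignore_password=False):
    """Reply status for a START packet, following the article's decision list."""
    if action == CHPASS:
        if authen_type != AT_ASCII:
            return ERROR
        return GETUSER if not user else GETDATA   # prompt for name / old password
    if action == SENDPASS:
        if not minor_v0 or not user:              # minor version 0 disabled, or no name
            return ERROR
        return FAIL if USERS.get(user) is None or ignore_password else PASS
    if action == SENDAUTH:
        if authen_type == AT_ASCII:
            return ERROR
        return FAIL if USERS.get(user) is None else PASS   # unknown or no clear text
    if action == LOGIN:
        return common_authentication(user, password)
    return ERROR

def handle_continue(action, authen_type, flags, session):
    """Reply status for a CONTINUE packet; `session` holds what the server has collected.
    Returns None when the client aborted. CHPASS continuation is not modelled here."""
    if authen_type != AT_ASCII:
        return ERROR
    if flags & FLAG_ABORT:
        return None
    if action == LOGIN:
        if not session.get("user"):
            return GETUSER
        if session.get("password") is None:
            return GETPASS
        return common_authentication(session["user"], session["password"])
    return ERROR
```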
© 2001-2003 XPerience Technologies. www.xperiencetech.com