ClearBox Server™ v1.2 Developer's Guide

TACACS+ Specific Authentication

This article explains how ClearBox Server processes TACACS+ authentication request packets. Read more about authentication concepts and TACACS+ concepts.

Before the packet is processed, realm stripping and forwarding are performed.

First, the server determines the type of the packet: START (the first request in a series of requests) or CONTINUE.

START packet processing

The authentication method is selected first, based on the authentication type field of the packet.

The authentication action is then selected.

  • If the action is TAC_PLUS_AUTHEN_CHPASS (a "password change" request) and the authentication method is not AT_ASCII, an ERROR packet is returned to the TACACS+ client.
    If the authentication method is AT_ASCII:
    a) If there is no user name in the packet, a TAC_PLUS_AUTHEN_STATUS_GETUSER packet is sent back with a string prompting the user to enter his name.
    b) If there is a user name in the packet, a TAC_PLUS_AUTHEN_STATUS_GETDATA packet is sent back with a prompt requesting the user's old password.
  • If the action is TAC_PLUS_AUTHEN_SENDPASS (a "send clear text password to NAS" request) and TACACS+ minor version 0 support is turned off (as defined by the server configuration), an ERROR packet is sent back.
    If no user name is present in the packet, an ERROR packet is sent back.
    ICommonAuthentication::GetUserPassword is called next. If it indicates that the server extension knows no user with that name, a TAC_PLUS_AUTHEN_STATUS_FAIL packet is sent and the user is rejected.
    If the user is found but his password is not available in clear text, or the ignorePassword parameter is set to VARIANT_TRUE, a TAC_PLUS_AUTHEN_STATUS_FAIL packet is sent and the user is rejected. Otherwise, a TAC_PLUS_AUTHEN_STATUS_PASS packet is sent back containing the user's password.
  • If the action is TAC_PLUS_AUTHEN_SENDAUTH and the authentication type is AT_ASCII, an ERROR packet is sent back.
    Otherwise the server calls ICommonAuthentication::GetUserPassword to get the user's password. If it is not available in clear text, or no user exists with that name, a TAC_PLUS_AUTHEN_STATUS_FAIL response is sent back; otherwise a TAC_PLUS_AUTHEN_STATUS_PASS response is sent with authentication data that depends on the authentication method.
  • If the action is TAC_PLUS_AUTHEN_LOGIN, the common authentication process is initiated.
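The START decision table above, as an added illustration that is not ClearBox code: actions, methods and response statuses are modelled as plain strings, and the ICommonAuthentication::GetUserPassword extension call is replaced by a lookup in a constructed user table. It makes visible which two settings (minor version 0 support and ignorePassword) stand between a SENDPASS request and a clear-text password leaving the server.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class StartPacket:
    action: str           # CHPASS, SENDPASS, SENDAUTH or LOGIN (page's TAC_PLUS_AUTHEN_* actions)
    authen_type: str      # AT_ASCII or another method such as AT_PAP / AT_CHAP
    user: Optional[str]   # None when the packet carries no user name

@dataclass
class ServerConfig:
    minor_version_0: bool   # TACACS+ minor version 0 (SENDPASS) support, per server configuration
    ignore_password: bool   # the ignorePassword parameter (VARIANT_TRUE -> True)

# Constructed stand-in for the server extension's user store:
# user -> clear-text password, or None when only a hashed form is available.
USERS = {"alice": "s3cret", "bob": None}

def get_user_password(user):
    """Stand-in for ICommonAuthentication::GetUserPassword.
    Returns (user_known, cleartext_password_or_None)."""
    return (user in USERS, USERS.get(user))

def process_start(pkt, cfg):
    """Return (status, payload) the server sends in reply to a START packet."""
    if pkt.action == "CHPASS":
        if pkt.authen_type != "AT_ASCII":
            return ("ERROR", None)
        if pkt.user is None:
            return ("GETUSER", "Username: ")      # TAC_PLUS_AUTHEN_STATUS_GETUSER
        return ("GETDATA", "Old password: ")      # TAC_PLUS_AUTHEN_STATUS_GETDATA
    if pkt.action == "SENDPASS":
        if not cfg.minor_version_0 or pkt.user is None:
            return ("ERROR", None)
        known, pw = get_user_password(pkt.user)
        if not known or pw is None or cfg.ignore_password:
            return ("FAIL", None)                 # TAC_PLUS_AUTHEN_STATUS_FAIL
        return ("PASS", pw)                       # clear-text password returned to the NAS
    if pkt.action == "SENDAUTH":
        if pkt.authen_type == "AT_ASCII":
            return ("ERROR", None)
        known, pw = get_user_password(pkt.user)
        if not known or pw is None:
            return ("FAIL", None)
        return ("PASS", "<authentication data for " + pkt.authen_type + ">")
    if pkt.action == "LOGIN":
        return ("COMMON_AUTH", None)              # hand off to the common authentication process
    return ("ERROR", None)                        # unknown action
```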

CONTINUE packet processing

If the authentication method is not AT_ASCII, an ERROR packet is sent back.

If the TAC_PLUS_CONTINUE_FLAG_ABORT flag is set, the authentication process terminates.

  • If the action is TAC_PLUS_AUTHEN_CHPASS:
    a) If the server extension does not yet know the user name, the old password or the new password, it issues the appropriate response with a prompt to the user.
    b) If all authentication information has been collected, the server calls ICommonAuthentication::SetUserPassword.
  • If the action is TAC_PLUS_AUTHEN_LOGIN:
    a) If there is no user name in the packet, a TAC_PLUS_AUTHEN_STATUS_GETUSER packet is sent back prompting the user to enter his name.
    b) If there is a user name in the packet, a TAC_PLUS_AUTHEN_STATUS_GETPASS response is sent back with a prompt requesting the user's password.
    c) If the server has both the user name and the password, the common authentication process is initiated.


© 2001-2003 XPerience Technologies. www.xperiencetech.com
