ClearBox Server™ v1.2 Developer's Guide

TACACS+ Authorization Packet Processing

This article explains how ClearBox Server processes TACACS+ authorization request packets. Read more about authorization concepts and TACACS+ concepts. See also the full List of TACACS+ Attribute-Value Pairs.

Before the packet is processed, realm stripping and forwarding are performed.

First, the server obtains Attribute-Value (AV) pairs from the server extension by calling ITACACSAuthorization::GetAVPairs. These pairs are put into two lists: the MAND list, containing pairs whose mandType is set to M_MANDATORY, and the OPT list, containing pairs whose mandType is set to M_OPTIONAL. If the server extension returns an error, an ERROR response is sent back. If the extension returns the TAC_PLUS_AUTHOR_STATUS_FAIL result, this response is sent back to the client immediately.

Second, the server gets the authorization POLICY from the extension by calling ITACACSAuthorization::DefaultBehavior; the POLICY is used later in the authorization algorithm.

OUTPUT is the list of AV pairs (both optional and mandatory) that the server returns to the client in the authorization response packet.

For each AV pair sent from the NAS, ClearBox Server uses the following standard algorithm:

If the AV pair from the NAS is mandatory:

a) Look for an exact attribute-value match in the MAND list. If found,

- add the NAS AV pair to the OUTPUT if the MAND pair's access type is A_PERMIT;
- deny the user's authorization if the pair's access type is A_DENY.

b) If an exact match does not exist, look in the OPT list for the first attribute match. If found,

- add the NAS AV pair to the OUTPUT if the OPT pair's access type is A_PERMIT;
- deny the user's authorization if the pair's access type is A_DENY.

c) If no attribute match exists, deny the command if the POLICY prescribes to deny, or

d) add the NAS AV pair to the OUTPUT if the POLICY prescribes to permit.

If the AV pair from the NAS is optional:

e) Look for an exact attribute-value match in the MAND list. If found,

- add the MAND AV pair to the OUTPUT if the MAND pair's access type is A_PERMIT;
- deny the user's authorization if the pair's access type is A_DENY.

f) If not found, look for the first attribute match in the MAND list. If found,

- add the MAND AV pair to the OUTPUT if the MAND pair's access type is A_PERMIT;
- deny the user's authorization if the pair's access type is A_DENY.

g) If no mandatory match exists, look for an exact attribute-value match among the OPT pairs. If found,

- add the matching OPT AV pair to the OUTPUT if the OPT pair's access type is A_PERMIT;
- deny the user's authorization if the pair's access type is A_DENY.

h) If no exact match exists, locate the first attribute match among the OPT AV pairs. If found,

- add the matching OPT AV pair to the OUTPUT if the OPT pair's access type is A_PERMIT;
- deny the user's authorization if the pair's access type is A_DENY.

i) If no match is found, delete the AV pair if the POLICY prescribes to deny, or

j) add the NAS AV pair to the OUTPUT if the POLICY prescribes to permit.

k) After all AV pairs have been processed, for each MAND AV pair that has the A_PERMIT access type and has no attribute match already in the OUTPUT list, add the MAND AV pair (but add only ONE AV pair for each mandatory attribute).

When this process ends and the user's authorization has not been denied, a TAC_PLUS_AUTHOR_STATUS_PASS_REPL or TAC_PLUS_AUTHOR_STATUS_PASS_ADD response is returned to the client, depending on whether the original request AV pairs were changed.
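Steps a) to k) above and the final status choice, as an added Python model that is not ClearBox Server's own code: AVPair, authorize() and the boolean fields standing in for M_MANDATORY/M_OPTIONAL and A_PERMIT/A_DENY are assumptions, as is the exact PASS_ADD/PASS_REPL criterion (the page says only that it depends on changes to the request pairs).

```python
from dataclasses import dataclass

# Constructed model of the steps on this page; AVPair, authorize() and the booleans
# standing in for M_MANDATORY/M_OPTIONAL and A_PERMIT/A_DENY are assumptions, not
# ClearBox Server's own API.
@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool = True  # wire form: "attr=value" mandatory, "attr*value" optional
    permit: bool = True     # extension pairs only: True = A_PERMIT, False = A_DENY

def parse_nas_pair(text: str) -> AVPair:
    """Split a TACACS+ AV string at the first '=' (mandatory) or '*' (optional)."""
    sep = min((i for i in (text.find("="), text.find("*")) if i >= 0), default=-1)
    if sep < 0:
        raise ValueError(f"not an AV pair: {text!r}")
    return AVPair(text[:sep], text[sep + 1:], mandatory=(text[sep] == "="))

def _exact(lst, p):  # first pair with the same attribute AND value, else None
    return next((e for e in lst if e.attr == p.attr and e.value == p.value), None)

def _attr(lst, p):   # first pair with the same attribute, else None
    return next((e for e in lst if e.attr == p.attr), None)

_S = "TAC_PLUS_AUTHOR_STATUS_"
FAIL, PASS_ADD, PASS_REPL = _S + "FAIL", _S + "PASS_ADD", _S + "PASS_REPL"
def authorize(nas, mand, opt, policy_permit):
    """Apply steps a)-k) to the NAS pairs; return (status, OUTPUT), OUTPUT empty on FAIL."""
    output = []
    for p in nas:
        if p.mandatory:
            hit = _exact(mand, p) or _attr(opt, p)   # a) then b)
            if (hit is None and not policy_permit) or (hit is not None and not hit.permit):
                return FAIL, []                      # c), or the match is A_DENY
            output.append(p)                         # a)/b) permit, or d) POLICY permits
        else:
            hit = _exact(mand, p) or _attr(mand, p) or _exact(opt, p) or _attr(opt, p)  # e)-h)
            if hit is not None:
                if not hit.permit:
                    return FAIL, []
                output.append(hit)                   # the matching extension pair is returned
            elif policy_permit:
                output.append(p)                     # j); under i) the pair is simply dropped
    for m in mand:                                   # k) one pair per permitted MAND attribute
        if m.permit and _attr(output, m) is None:
            output.append(m)
    # Assumption: PASS_ADD when every NAS pair survives unchanged, otherwise PASS_REPL
    return (PASS_REPL if any(p not in output for p in nas) else PASS_ADD), output
```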


© 2001-2003 XPerience Technologies. www.xperiencetech.com
