ClearBox Server™ v1.2 Developer's Guide

TACACS+ Realm Stripping and Forwarding Process

ClearBox Server performs realm stripping and forwarding on TACACS+ authentication, authorization and accounting packets before processing them, provided the server extension supports the ITACACSRealmStripping interface. If this interface is not supported and the user name is empty, the authentication or authorization packet is rejected (an exception is made for ASCII login authentication requests, where the user name may be empty and can be collected by the server during subsequent negotiation with the user).

See also Realms and Packet Forwarding concepts.

Authentication Realm Stripping

If the user name is not empty and the "Enable TACACS+ proxy" option in the server configuration is not checked, realms are not used.

The server calls ITACACSRealmStripping::TACACSRealmStripAuthen. If this method sets the nameOK parameter to VARIANT_FALSE, indicating that the user name has an invalid form, the user is rejected. If the server extension instructs the server to forward the packet, the proxy policy is applied: if the server extension supports ITACACSProxyPolicy, ITACACSProxyPolicy::CheckAuthentication is called to check whether the packet can be forwarded or should be rejected. If the packet can and should be forwarded, a TAC_PLUS_AUTHEN_STATUS_FOLLOW response is sent back with the TACACS+ host address obtained from the call to ITACACSRealmStripping::TACACSRealmStripAuthen.

Authorization and Accounting Realm Stripping

For authorization and accounting packets, the server calls ITACACSRealmStripping::TACACSRealmStripAuthorAcct. If this method sets the nameOK parameter to VARIANT_FALSE, indicating that the user name has an invalid form, authorization is denied for an authorization packet, and an ERROR response is sent for an accounting packet.

If the server extension instructs the server to forward the packet and the packet is an authorization packet, the proxy policy is applied, provided the server extension supports ITACACSProxyPolicy: ITACACSProxyPolicy::GetAutorejectAttributes is called to request the list of AutoReject Attribute-Value (AV) pairs. These pairs are compared with the AV pairs in the packet; if any of them match, the packet is not forwarded and authorization is denied. This check decides whether the packet can be forwarded or should be rejected. If the packet can and should be forwarded, a TAC_PLUS_AUTHEN_STATUS_FOLLOW response is sent back with the TACACS+ host address obtained from the call to ITACACSRealmStripping::TACACSRealmStripAuthorAcct.
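The authorization path described above, modelled as an added C++ example (not ClearBox code, and not the real COM interface signatures, which this page does not give): stripRealm stands in for TACACSRealmStripAuthorAcct with a constructed realm table and this example's own rule that an empty user part or an unknown realm sets nameOK to false, and decideAuthorization applies the AutoReject AV-pair check before choosing between local processing, denial and a FOLLOW response.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Outcome of the authorization decision: process locally, deny, or answer FOLLOW.
enum class AuthorDecision { Local, Deny, Follow };

// Constructed realm table for this example: realm -> TACACS+ host to forward to.
using RealmTable = std::map<std::string, std::string>;
using AVPairs = std::vector<std::pair<std::string, std::string>>;

struct StripResult {
    bool nameOK;       // plays the role of the nameOK out-parameter
    std::string user;  // user name with the realm removed
    std::string host;  // non-empty means "forward to this host"
};

// Stand-in for TACACSRealmStripAuthorAcct: strip a trailing "@realm".
// Example policy (an assumption of this example): an empty user part or an
// unknown realm is an invalid name, so nameOK is false and the caller denies.
StripResult stripRealm(const std::string &name, const RealmTable &realms) {
    std::string::size_type at = name.rfind('@');
    if (at == std::string::npos) return {true, name, ""};  // no realm: local user
    std::string user = name.substr(0, at);
    std::string realm = name.substr(at + 1);
    if (user.empty()) return {false, "", ""};
    RealmTable::const_iterator it = realms.find(realm);
    if (it == realms.end()) return {false, "", ""};
    return {true, user, it->second};
}

// Authorization path from the text: invalid name -> deny; no forwarding ->
// local processing; forwarding -> compare packet AV pairs with the AutoReject
// list (GetAutorejectAttributes) and deny on any exact match, else FOLLOW.
AuthorDecision decideAuthorization(const std::string &name, const AVPairs &packetAV,
                                   const AVPairs &autoReject, const RealmTable &realms) {
    StripResult r = stripRealm(name, realms);
    if (!r.nameOK) return AuthorDecision::Deny;
    if (r.host.empty()) return AuthorDecision::Local;
    for (const auto &p : packetAV)
        for (const auto &a : autoReject)
            if (p == a) return AuthorDecision::Deny;  // AutoReject pair matched
    return AuthorDecision::Follow;  // the FOLLOW response would carry r.host
}
```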


© 2001-2003 XPerience Technologies. www.xperiencetech.com