Add TACACS+

Author: alandekok

configure

@@ -755,6 +755,7 @@ with_ascend_binary
 with_tcp
 with_vmps
 with_dhcp
+with_tacacs
 with_udpfromto
 with_static_modules
 with_shared_libs
@@ -1444,6 +1445,7 @@ Optional Packages:
   --with-tcp              compile in support for tcp (default=yes)
   --with-vmps             compile in support for vmps (default=yes)
   --with-dhcp             compile in support for dhcp (default=yes)
+  --with-tacacs           compile in support for tacacs (default=yes)
   --with-udpfromto        compile in support for udpfromto (default=yes)
   --with-static-modules=QUOTED-MODULE-LIST
   --with-shared-libs      build dynamic libraries and link against them.
@@ -5555,6 +5557,34 @@ $as_echo "#define WITH_DHCP /**/" >>confdefs.h
     fi
 
 
+    WITH_TACACS=yes
+
+
+# Check whether --with-tacacs was given.
+if test "${with_tacacs+set}" = set; then :
+  withval=$with_tacacs; case "$withval" in
+            yes|no|'')
+                ;;
+            no|'')
+                ;;
+            *)
+                as_fn_error $? "--with[out]-tacacs expects yes|no" "$LINENO" 5
+                ;;
+        esac
+fi
+
+
+    if test x"$withval" == x"yes"; then
+
+$as_echo "#define WITH_TACACS 1" >>confdefs.h
+
+    else
+
+$as_echo "#define WITH_TACACS /**/" >>confdefs.h
+
+    fi
+
+
     WITH_UDPFROMTO=yes
 
 

configure.ac

@@ -483,6 +483,7 @@ fi
 AX_WITH_FEATURE_ARGS([tcp],[yes])
 AX_WITH_FEATURE_ARGS([vmps],[yes])
 AX_WITH_FEATURE_ARGS([dhcp],[yes])
+AX_WITH_FEATURE_ARGS([tacacs],[yes])
 AX_WITH_FEATURE_ARGS([udpfromto],[yes])
 
 dnl #

raddb/sites-available/tacacs

@@ -0,0 +1,263 @@
+# -*- text -*-
+######################################################################
+#
+#	As of version 4.0.0, the server also supports the TACACS+
+#	protocol.
+#
+#	$Id$
+#
+######################################################################
+
+server tacacs {
+#	namespace = tacacs
+
+	listen {
+		ipaddr = *
+
+		# TACACS+ runs over TCP only
+		proto = tcp
+
+		#  Port on which to listen.
+		#  Allowed values are:
+		#	integer port number
+		#	49 is the default TACACS+ port.
+		port = 49
+
+		#  Type of packets to listen for.  Here, it is TACACS+.
+		type = tacacs
+
+		#  Some systems support binding to an interface, in addition
+		#  to the IP address.  This feature isn't strictly necessary,
+		#  but for sites with many IP addresses on one interface,
+		#  it's useful to say "listen on all addresses for
+		#  eth0".
+		#
+		#  If your system does not support this feature, you will
+		#  get an error if you try to use it.
+		#
+		#	interface = eth0
+	}
+
+	#
+	#  This section is called when it receives an Authentication.
+	#
+	recv Authentication {
+		if (&TACACS-Sequence-Number > 1) {
+			update request {
+				TACACS-Authentication-Type = &session-state:TACACS-Authentication-Type
+			}
+		}
+
+		# draft-ietf-opsawg-tacacs section 4.4.2
+		switch &TACACS-Authentication-Type {
+			# ASCII is very generic and driven via unlang so go wild!
+			case "ASCII" {
+				if (&TACACS-Sequence-Number == 1) {
+					update request {
+						&User-Name = &TACACS-User-Name
+					}
+				} else {
+					update request {
+						User-Name = &session-state:User-Name
+						User-Password = &session-state:User-Password
+					}
+				}
+
+				if (!&User-Name) {
+					if (&TACACS-User-Message) {
+						update request {
+							&User-Name = &TACACS-User-Message
+							&TACACS-User-Message !* "*"
+						}
+					} else {
+						update reply {
+							TACACS-Authentication-Status = Get-User
+							TACACS-Server-Message = "username: "
+						}
+						handled
+					}
+				}
+				if (!&User-Password) {
+					if (&TACACS-User-Message) {
+						update request {
+							&User-Password = &TACACS-User-Message
+							&TACACS-User-Message !* "*"
+						}
+					} else {
+						update reply {
+							TACACS-Authentication-Status = Get-Pass
+							TACACS-Server-Message = "password: "
+						}
+						handled
+					}
+				}
+				#if (&User-Name && &User-Password) {
+				#	if (!&TACACS-User-Message) {
+				#		update reply {
+				#			TACACS-Authentication-Status = Get-Data
+				#			TACACS-Authentication-Flags = No-Echo
+				#			TACACS-Server-Message = "pin: "
+				#		}
+				#		handled
+				#	}
+				#	if (&TACACS-User-Message != "1234") {
+				#		reject
+				#	}
+				#}
+			}
+			case "PAP" {
+				if (&TACACS-Sequence-Number == 1) {
+					if (!&TACACS-User-Name) {
+						update reply {
+							&TACACS-Server-Message = "missing User-Name field"
+						}
+						invalid
+					}
+
+					update request {
+						&User-Name = &TACACS-User-Name
+						&User-Password = &TACACS-Data
+					}
+				} else {
+					update request {
+						User-Name = &session-state:User-Name
+					}
+				}
+
+				if (!&User-Password) {
+					if (&TACACS-User-Message) {
+						update request {
+							&User-Password = &TACACS-User-Message
+						}
+					} else {
+						update reply {
+							TACACS-Authentication-Status = Get-Pass
+							TACACS-Server-Message = "password: "
+						}
+						handled
+					}
+				}
+			}
+			case "CHAP" {
+				if (&TACACS-Sequence-Number > 1) {
+					invalid
+				}
+
+				if (&TACACS-User-Name && &TACACS-Data =~ /^(.)(.{16})(.{16})$/) {
+					update request {
+						&User-Name = &TACACS-User-Name
+						&CHAP-Challenge = "%{2}"
+						&CHAP-Password = "%{1}%{3}"
+					}
+				} else {
+					update reply {
+						&TACACS-Server-Message = "missing User-Name and/or Data fields"
+					}
+					invalid
+				}
+			}
+			case "MSCHAP" {		# UNTESTED
+				if (&TACACS-Sequence-Number > 1) {
+					invalid
+				}
+
+				if (&TACACS-User-Name && &TACACS-Data =~ /^(.)(.{8})(.{50})$/) {
+					update request {
+						&User-Name = &TACACS-User-Name
+						&MS-CHAP-Challenge = "%{2}"
+						&MS-CHAP-Response = "%{1}%{3}"
+					}
+				} else {
+					update reply {
+						&TACACS-Server-Message = "missing User-Name and/or Data fields"
+					}
+					invalid
+				}
+			}
+			case "MSCHAPv2" {	# UNTESTED
+				if (&TACACS-Sequence-Number > 1) {
+					invalid
+				}
+
+				if (&TACACS-User-Name && &TACACS-Data =~ /^(.)(.{16})(.{50})$/) {
+					update request {
+						&User-Name = &TACACS-User-Name
+						&MS-CHAP-Challenge = "%{2}"
+						&MS-CHAP2-Response = "%{1}%{3}"
+					}
+				} else {
+					update reply {
+						&TACACS-Server-Message = "missing User-Name and/or Data fields"
+					}
+					invalid
+				}
+			}
+			case {
+				update reply {
+					&TACACS-Server-Message = "unsupported authentication type"
+				}
+				invalid
+			}
+		}
+
+		files
+
+		mschap
+
+		chap
+
+		pap
+	}
+
+	#
+	#  This section is called when it sends an Authentication.
+	#
+	send Authentication {
+		switch &TACACS-Authentication-Type {
+			case "ASCII" {
+				update session-state {
+					&TACACS-Authentication-Type := &TACACS-Authentication-Type
+					&User-Name := &User-Name
+					&User-Password := &User-Password
+				}
+			}
+			case {
+				update reply {
+					&reply:TACACS-Server-Message = &reply:Reply-Message
+				}
+			}
+		}
+	}
+
+	recv Authorization {
+		update config {
+			&Auth-Type = Accept
+		}
+	}
+
+	send Authorization {
+	}
+
+	recv Accounting {
+		update config {
+			&Auth-Type = Accept
+		}
+	}
+
+	send Accounting {
+	}
+
+	# Proxying of TACACS+ requests is NOT supported.
+
+	process MSCHAP {
+		mschap
+	}
+
+	process CHAP {
+		chap
+	}
+
+	process PAP {
+		pap
+	}
+}

share/dictionary.freeradius.internal

@@ -378,6 +378,14 @@ ATTRIBUTE	Sigtran-MAP-Version			1230	integer
 ATTRIBUTE	Sigtran-Mobile-Network-Code		1231	integer
 ATTRIBUTE	Sigtran-Mobile-Country-Code		1232	integer
 
+#
+#	For TACACS+, some attribute definitions for database interface
+#
+ATTRIBUTE	TACACS-Root				1240	tlv
+BEGIN-TLV	TACACS-Root
+$INCLUDE dictionary.tacacs
+END-TLV		TACACS-Root
+
 #
 #  Server-side "listen type = foo"
 #