Open ketkulka opened 6 years ago
Ketan Kulkarni notifications@github.com wrote:
Not a bug; but a support request.
Is there any support for including vendor-specific attributes in authorization requests? E.g., some tacacs server might need extra or special attributes in the authorization request; does this library support such a thing?
Is there any plan around this?
I don't see any current support, and I don't remember any discussions or requests to add it.
What kind of VSAs did you have in mind? There is some support for attributes in the code, and I added more to get the privilege level in my fork, so it shouldn't be hard to look for other attributes.
The bigger question is what do you do with the attributes; are they strictly part of login, or do they need to be preserved in some way for the login process, and if so, how will you do that?
Dave Olson olson@cumulusnetworks.com
Yes, indeed it is easy to add new attributes. I looked into the code; it seems fairly straightforward.
The attribute 'service-argument' that we need is part of the authorization request. The server needs it in order to do some identification based on it. A few similar examples are listed here -
HTH
Thanks Ketan
Ketan Kulkarni notifications@github.com wrote:
Yes, indeed it is easy to add new attributes. I looked into the code; it seems fairly straightforward.
The attribute 'service-argument' that we need is part of the authorization request. The server needs it in order to do some identification based on it. A few similar examples are listed here -
I misread your earlier mail as the server needing to send it to the client.
You are correct, adding attributes to send to the server is very easy. Just use tac_add_attrib() as is done for service, protocol, etc.
Dave Olson olson@cumulusnetworks.com
I was inclined towards giving any such attributes as configuration parameters, just like service and protocol are today; add another parameter, 'service-argument' in this case, which if passed as an argument will be added to the authorization request.
If it's OK, I can create a PR for this.
Thanks Ketan
Ketan Kulkarni notifications@github.com wrote:
I was inclined towards giving any such attributes as configuration parameters, just like service and protocol are today; add another parameter, 'service-argument' in this case, which if passed as an argument will be added to the authorization request.
If it's OK, I can create a PR for this.
Sure. May as well make it generic, so something like extra_attribute=your_attribute_name=yourvalue so people can add whatever extra attributes they want with no further code changes.
Dave Olson olson@cumulusnetworks.com
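An added example, not part of the thread or of the library's own code: one way to parse the generic extra_attribute=name=value option suggested above and reject input that cannot form a well-formed TACACS+ attribute-value pair before it is handed to tac_add_attrib(). The function name, buffer sizes, the printable-ASCII restriction and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define EXTRA_PREFIX "extra_attribute="  /* option name proposed in the thread */
#define TAC_ARG_MAX  255                 /* each argument's length is one octet on the wire */

/* Hypothetical helper: split "extra_attribute=name=value" into name and value.
 * Returns 0 on success, -1 if the option is malformed or the resulting
 * "name=value" pair would not fit in a single TACACS+ argument. */
int parse_extra_attribute(const char *arg, char *name, size_t name_sz,
                          char *value, size_t value_sz)
{
    size_t plen = strlen(EXTRA_PREFIX);
    if (strncmp(arg, EXTRA_PREFIX, plen) != 0)
        return -1;                          /* not this option */
    const char *pair = arg + plen;
    const char *sep = strchr(pair, '=');    /* first '=' ends the attribute name */
    if (sep == NULL || sep == pair)
        return -1;                          /* no separator, or empty name */
    size_t nlen = (size_t)(sep - pair);
    size_t vlen = strlen(sep + 1);
    if (nlen + 1 + vlen > TAC_ARG_MAX)
        return -1;                          /* name + '=' + value too long */
    if (nlen >= name_sz || vlen >= value_sz)
        return -1;                          /* caller's buffers too small */
    if (memchr(pair, '*', nlen) != NULL)
        return -1;                          /* '*' is the optional-attribute separator */
    for (const char *p = pair; *p; p++)
        if (*p < 0x20 || *p > 0x7e)
            return -1;                      /* conservative: printable ASCII only */
    memcpy(name, pair, nlen);
    name[nlen] = '\0';
    memcpy(value, sep + 1, vlen + 1);       /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample options; the values are illustrative only. */
    const char *samples[] = { "extra_attribute=service-argument=shell",
                              "extra_attribute=novalue", "extra_attribute=a*b=c" };
    char name[64], value[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_extra_attribute(samples[i], name, sizeof name, value, sizeof value) == 0)
            printf("accept: %s=%s\n", name, value);
        else
            printf("reject: %s\n", samples[i]);
    }
    return 0;
}
```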