TacacsPlus Variable Group Additions

The following entries get added to the variable group (packet/response) as part of a successful TacacsPlus packet decode.

Name: TACACSPLUS-Major-Version
Group Name: request
The first half (the high-order four bits) of the first byte of the TacacsPlus request packet, converted to an unsigned decimal value.

Example

TACACSPLUS-Major-Version = 0xc

Name: TACACSPLUS-Minor-Version
Group Name: request
The second half (the low-order four bits) of the first byte of the TacacsPlus request packet, converted to an unsigned decimal value.

Example

TACACSPLUS-Minor-Version = 0x0

Name: TACACSPLUS-Type
Group Name: request
The second byte of the TacacsPlus request packet, which gives the type of request: Authentication, Authorization or Accounting. Valid values are AUTHEN, AUTHOR and ACCT.

Example

TACACSPLUS-Type = AUTHEN

Name: TACACSPLUS-Sequence-Num
Group Name: request
The third byte of the TacacsPlus request packet. The first TacacsPlus packet (START) should have sequence number 1, and CONTINUE packets have 3 or more (3, 5, 7, etc.; always odd numbers).

Name: TACACSPLUS-Flags
Group Name: request
This holds various bitmapped flags. The unencrypted flag bit says whether encryption is being used on the body of the TACACS+ packet: if this flag is set, the packet is not encrypted; if it is cleared, the packet is encrypted. Valid values are NONE, UNENCRYPTED, SINGLE-CONNECT, etc.

Name: TACACSPLUS-Session-Id
Group Name: request
The fifth through eighth bytes of the TacacsPlus request packet contain the session ID for the particular transaction.
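The header variables above (version nibbles, type, sequence number, flags, session ID) can be decoded with a short parser. The following is an added example, not the plug-in's own code; the field layout follows RFC 8907, which also carries a 4-byte body length after the session ID that this page does not list (the `Body-Length` key below is a hypothetical name), and the sample headers are constructed.

```python
import struct

TYPE_NAMES = {0x01: "AUTHEN", 0x02: "AUTHOR", 0x03: "ACCT"}
FLAG_NAMES = {0x01: "UNENCRYPTED", 0x04: "SINGLE-CONNECT"}
TAC_PLUS_MAJOR_VER = 0xC  # the only major version defined for TACACS+


def decode_header(raw: bytes) -> dict:
    """Decode the 12-byte TACACS+ header into the request-group variable names."""
    if len(raw) < 12:
        raise ValueError("TACACS+ header is 12 bytes, got %d" % len(raw))
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", raw[:12])
    flag_names = [name for bit, name in FLAG_NAMES.items() if flags & bit] or ["NONE"]
    return {
        "TACACSPLUS-Major-Version": version >> 4,    # high nibble of byte 1
        "TACACSPLUS-Minor-Version": version & 0x0F,  # low nibble of byte 1
        "TACACSPLUS-Type": TYPE_NAMES.get(ptype, "UNKNOWN(0x%02x)" % ptype),
        "TACACSPLUS-Sequence-Num": seq_no,
        "TACACSPLUS-Flags": flag_names,
        "TACACSPLUS-Session-Id": session_id,
        "Body-Length": length,  # hypothetical name; no length variable is listed on this page
    }


def header_warnings(fields: dict) -> list:
    """Sanity checks a decoder or detection rule would apply to a client request header."""
    warnings = []
    if fields["TACACSPLUS-Major-Version"] != TAC_PLUS_MAJOR_VER:
        warnings.append("unexpected major version")
    if fields["TACACSPLUS-Type"].startswith("UNKNOWN"):
        warnings.append("unknown packet type")
    if fields["TACACSPLUS-Sequence-Num"] % 2 == 0:
        warnings.append("client request with even sequence number")
    if "UNENCRYPTED" in fields["TACACSPLUS-Flags"]:
        warnings.append("body sent in cleartext (UNENCRYPTED flag set)")
    return warnings


# Constructed sample: version 0xc0, AUTHEN, seq 1, flags 0x00 (encrypted body),
# session id 0x11223344, body length 20.
SAMPLE_START = bytes.fromhex("c0 01 01 00 11223344 00000014")
# Constructed sample with the UNENCRYPTED flag set and an even sequence number.
SAMPLE_BAD = bytes.fromhex("c0 01 02 01 11223344 00000014")

if __name__ == "__main__":
    for name, value in decode_header(SAMPLE_START).items():
        print(name, "=", value)
    print(header_warnings(decode_header(SAMPLE_BAD)))
```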
Name: TACACSPLUS-Action
Group Name: request
This describes the authentication action to be performed. Valid values are LOGIN, CHPASS, SENDAUTH.

Example

TACACSPLUS-Action = LOGIN

Name: TACACSPLUS-Priv-Level
Group Name: request
This indicates the privilege level that the user is authenticating as. Privilege levels are ordered values from 0 to 15, each level being a superset of the next lower value. The same variable is used for Authorization and Accounting requests. Pre-defined values: MIN, USER, ROOT, MAX.

Example

TACACSPLUS-Priv-Level = USER

Name: TACACSPLUS-Authen-Type
Group Name: request
The type of authentication that is being performed. Valid values are ASCII, PAP, CHAP, MSCHAP, ARAP. The same variable is used for Authorization and Accounting requests.

Example

TACACSPLUS-Authen-Type = MSCHAP

Name: TACACSPLUS-Service
Group Name: request
This is the service that is requesting the authentication. The same variable is used for Authorization and Accounting requests. Valid values are NONE, LOGIN, ENABLE, PPP, ARAP, PT, RCMD, X25, NASI, FWPROXY.

Example

TACACSPLUS-Service = LOGIN

Name: TACACSPLUS-Authen-Method
Group Name: request
This indicates the authentication method used by the client to acquire the user information. It is used in Authorization and Accounting requests. Valid values are NOT-SET, NONE, KRB5, LINE, ENABLE, LOCAL, TACACSPLUS, GUEST, RADIUS, KRB4, RCMD.

Example

TACACSPLUS-Authen-Method = TACACSPLUS

Name: TACACSPLUS-Acct-Flags
Group Name: request
This is the type of Accounting request. Valid values are MORE, START, STOP, WATCHDOG.

Example

TACACSPLUS-Acct-Flags = START

Name: TACACSPLUS-User-Message
Group Name: request
It holds the challenge user message.

Name: TACACSPLUS-Continue-Flags
Group Name: request
It holds the challenge flag that is set along with the Challenge reply. Valid values are NONE, ABORT. If this is set to ABORT, the session is terminated and no REPLY message is sent to the client.

Example

TACACSPLUS-Continue-Flags = NONE

Name: TACACSPLUS-Data
Group Name: request
This holds the data passed in the request. For a CONTINUE packet it holds the challenge data.

Name: User-Password
Group Name: request
This holds the user password sent in a client request; its value is hidden.

Name: TACACSPLUS-Remote-Addr
Group Name: request
It holds an ASCII string that describes the user's remote location. This field is optional. It is intended to hold a network address if the user is connected via a network, a caller ID if the user is connected via ISDN or POTS, or any other remote location information that is available.

Name: TACACSPLUS-Port
Group Name: request
This holds the ASCII name of the client port on which the authentication is taking place. The value of this field is client specific. (For example, Cisco uses "tty10" to denote the tenth tty line and "Async10" to denote the tenth async interface.)

Example

TACACSPLUS-Port = "tty10"

Name: Receipt-Time
Group Name: packet
This holds the time at which the packet was received.

Name: Protocol
Group Name: packet
This holds the protocol name.

Example

Protocol = "tacacsPlus"

Name: Client-Name
Group Name: packet
This holds the name of the connected client.

Name: Source-Address
Group Name: packet
This holds the client's source address.
Name: TACACSPLUS-Authen-Status
Group Name: reply
This holds the Authentication Status. Valid values are PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR, FOLLOW.

Example

TACACSPLUS-Authen-Status = PASS

Name: TACACSPLUS-Author-Status
Group Name: reply
This holds the Authorization Status. Valid values are PASS-ADD, PASS-REPL, FAIL, ERROR, FOLLOW.

Example

TACACSPLUS-Author-Status = PASS-ADD

Name: TACACSPLUS-Acct-Status
Group Name: reply
This holds the Accounting Status. Valid values are SUCCESS, ERROR, FOLLOW.

Example

TACACSPLUS-Acct-Status = SUCCESS

Name: TACACSPLUS-Data
Group Name: reply
This holds the data which needs to be delivered to the client. It is mainly used in scenarios like FOLLOW, RESTART and SENDAUTH. In the case of FOLLOW it holds alternate server host details and is used during the Authentication/Authorization/Accounting FOLLOW scenarios: whenever a FOLLOW is needed, the server can specify the alternate host details as shown in the example. The first parameter specifies the protocol to be used, the second is a destination address, and the third is a secret key; the delimiter used is '@'. In the case of RESTART it holds the supported authentication types: whenever a RESTART is needed, the server can specify the list of supported authentication types separated by semicolons.

Example

In case of FOLLOW, TACACSPLUS-Data = "@KRB5@123.125.110.23@Key". In case of RESTART, TACACSPLUS-Data = "ASCII;CHAP;MSCHAP;PAP".

Name: TACACSPLUS-Authen-Flags
Group Name: reply
This holds bitmapped flags that modify the action to be taken. Valid values are NONE, NO-ECHO.

Example

TACACSPLUS-Authen-Flags = "NO-ECHO"

Name: TACACSPLUS-Server-Message
Group Name: reply
This holds the server message which needs to be delivered to the client.

Example

TACACSPLUS-Server-Message = "Confirm your location"

Name: Session-Timeout
Group Name: reply
This holds the session timeout value.

Example

Session-Timeout = 180

Name: TACACSPLUS-AVPair
Group Name: request or reply
This variable represents an Argument/Value pair from a request or response. A '=' or a '*' character separates the argument name from its value. '=' indicates a required value, '*' optional.

Examples

TACACSPLUS-AVPair = "addr-pool=123"

TACACSPLUS-AVPair = "addr-pool*123"

Name: TACACSPLUS-Arg-name
Group Name: request or reply
This variable represents an Argument/Value pair from a request or response. The argument name is appended to TACACSPLUS-Arg-. This representation is added as a convenience to the policy flow writer, but is ignored when encoding a response to a TACACS+ request, or forwarding a request through the TacacsPlus plug-in.

Example

TACACSPLUS-Arg-addr-pool = 123
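The TACACSPLUS-AVPair and TACACSPLUS-Arg-name entries above describe how an argument/value pair is split and how the convenience variable name is derived. The following is an added example, not the plug-in's own code: the first '=' or '*' in the string is the separator, so any later '=' or '*' belongs to the value (a plain `split("=")` would mangle such values). The `AVPair` dataclass and its field names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class AVPair:
    name: str          # argument name, e.g. "addr-pool"
    value: str         # argument value, may be empty for an optional argument
    mandatory: bool    # True for '=' (required), False for '*' (optional)
    variable: str      # convenience variable name: TACACSPLUS-Arg-<name>


def parse_avpair(avpair: str) -> AVPair:
    """Split one argument/value pair at its first '=' or '*' separator."""
    positions = [i for i in (avpair.find("="), avpair.find("*")) if i >= 0]
    if not positions:
        raise ValueError("no '=' or '*' separator in %r" % avpair)
    idx = min(positions)
    if idx == 0:
        raise ValueError("empty argument name in %r" % avpair)
    name, sep, value = avpair[:idx], avpair[idx], avpair[idx + 1:]
    return AVPair(name=name, value=value, mandatory=(sep == "="),
                  variable="TACACSPLUS-Arg-" + name)


def arg_variables(avpairs: list) -> dict:
    """Build the TACACSPLUS-Arg-<name> view of a whole argument list."""
    return {p.variable: p.value for p in map(parse_avpair, avpairs)}


if __name__ == "__main__":
    # Constructed sample arguments, including a value that itself contains '='.
    for raw in ("addr-pool=123", "addr-pool*123", "cmd-arg=ip=10.0.0.1", "priv-lvl*"):
        print(raw, "->", parse_avpair(raw))
```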