# etacacs_plus

A simple TACACS+ server.

TACACS+ is described in RFC 8907 and is a general Authentication,
Authorization, and Accounting (AAA) protocol (similar to RADIUS).

`etacacs_plus` is a simple implementation of a TACACS+ server and
is primarily intended for testing TACACS+-enabled applications.

## Build

    $ rebar3 compile

## Run

    $ rebar3 shell

Or by first building a release:

    # Build release
    $ rebar3 release
    # Run start script
    $ ./_build/default/rel/etacacs_plus/bin/etacacs_plus
    # Run start script with interactive shell
    $ ./_build/default/rel/etacacs_plus/bin/etacacs_plus console

## Configuration

Configuration of IP/Port, the secret TACACS+ key and the user DB config file
is done in the `config/etacacs_plus.config` file. The key is shared with every
client and is only used for the RFC 8907 body obfuscation (an XOR with an MD5
keystream), not for encrypting or authenticating the connection, so a value
like `tacacs123` belongs in a test setup only.

    # Example of etacacs_plus.config content:
    [{key, "tacacs123"},
     {listen_ip, {0,0,0,0}},
     {port, 5049},
     {db_conf_file, "config/db.conf"}].

User data is configured in the `db.conf` file. The User/Password is
used for Authentication and the User/Service is used for Authorization.

    # Example of db.conf content:
    {user, tacadmin,                           % the User
     [{login, {cleartext, "tacadmin"}},        % the user Password
      {service, nso,                           % for Authorization
       [{groups, [admin, netadmin, private]},  % returned data at success
        {uid, 1000},
        {gid, 100},
        {home, "/tmp"}]},
      {member, [netadmin]}                     % not used
     ]}.

## Example usage

Using the `tacacs_client` command line tool of the TACACS+ Python client:

    # Authenticate
    $ tacacs_client -v -H -p 5049 -k tacacs123 \
                    -u tacadmin authenticate 
    password for tacadmin: 
    status: PASS

    # Authorize the use of service: nso
    $ tacacs_client -v -H -p 5049 -k tacacs123 \
                    -u tacadmin authorize  -c service=nso 
    status: PASS
      groups=admin netadmin private

    # Authorize the use of (the unknown) service: hello
    $ tacacs_client -v -H -p 5049 -k tacacs123 \
                    -u tacadmin authorize  -c service=hello
    status: FAIL
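As an added illustration of what the client and server above exchange on the wire (example code written for this page, not part of `etacacs_plus` or of the Python client), the following builds the authentication START packet for `tacadmin`, obfuscates its body with the key `tacacs123` as RFC 8907 section 4.5 prescribes, decodes it the way the server would, and then decodes a constructed GETPASS reply. The session id, port name and remote address are assumed values; the numeric constants are the RFC's.

```python
import hashlib
import struct

# Wire constants from RFC 8907.
TAC_PLUS_VERSION = 0xC0               # major 0xC, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01          # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                 0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}

HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 keystream: MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(session_id||key||version||seq_no||MD5_{n-1}), concatenated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    """Header plus body; an empty key sends the body in clear and sets the flag."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    wire = body if not key else obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + wire


def parse_packet(packet, key):
    """Split header and body, de-obfuscating unless TAC_PLUS_UNENCRYPTED_FLAG is set."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    wire = packet[HEADER.size:HEADER.size + length]
    if len(wire) != length:
        raise ValueError("truncated packet")
    body = wire if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(wire, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def authen_start_body(user, port="tty0", rem_addr="127.0.0.1", priv_lvl=1):
    """Authentication START body (RFC 8907 s5.1) for an ASCII login; port/rem_addr are assumed."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def parse_authen_start(body):
    """Server-side view of a START body; rejects length fields that disagree with the body."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not match body size")
    off, fields = 8, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def authen_reply_body(status, server_msg=b"", data=b""):
    """Authentication REPLY body (RFC 8907 s5.2)."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body):
    status, flags, sl, dl = struct.unpack("!BBHH", body[:6])
    return {"status": AUTHEN_STATUS.get(status, status), "flags": flags,
            "server_msg": body[6:6 + sl], "data": body[6 + sl:6 + sl + dl]}


def exchange(key=b"tacacs123", user="tacadmin", session_id=0x1A2B3C4D):
    """Client START (seq 1) as decoded by the server, then a server GETPASS REPLY (seq 2)
    as decoded by the client. session_id is an assumed value (a real client picks it randomly)."""
    start = build_packet(TAC_PLUS_AUTHEN, 1, session_id, authen_start_body(user), key)
    server_view = parse_authen_start(parse_packet(start, key)["body"])
    reply = build_packet(TAC_PLUS_AUTHEN, 2, session_id, authen_reply_body(0x05, b"Password: "), key)
    client_view = parse_authen_reply(parse_packet(reply, key)["body"])
    return start, server_view, client_view


if __name__ == "__main__":
    packet, srv, cli = exchange()
    print(packet.hex(), srv["user"], cli["status"])
```

Two things this makes visible: the "encryption" is an XOR with an MD5 keystream derived from the shared key, so anyone holding the key can read and forge traffic, and a wrong key yields garbage rather than an error (the server only notices when the decoded length fields stop making sense). That is why RFC 8907 recommends a secure transport underneath TACACS+ and why a key like `tacacs123` is fine for a test server but nothing else.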

## Logging

If you run the `etacacs_plus` release script then logging
works out of the box. To get logging to work with the
`rebar3 shell` command you need to start it as:

    ERL_FLAGS="-kernel logger_level info" rebar3 shell

Under the `log` directory you will find disk_log
files named: `etacacs_plus.log`. The logged content
will look like this (some date info abbreviated here,
and with some new line formatting):

    2023-09-29T08:53:27.979046+02:00 info: msg: etacacs_plus starting
    2023-... info: authentication: PASS, user: tacadmin
    2023-... info: authentication: FAIL, user: tacadmin
    2023-... info: authorization: PASS, in_data: service=nso, \
                                        out_data: groups=admin netadmin private \
                                                  uid=1000 gid=100 home=/tmp, \
                                        user: tacadmin
    2023-... info: authorization: FAIL, in_data: service=hello, user: tacadmin
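A small detection pass over the log format shown above, as an added example written for this page (not part of `etacacs_plus`): it parses the `authentication`/`authorization` result lines, flags a burst of FAILs for one user inside a sliding window and a PASS that follows such a burst, and counts authorization failures per requested service. The sample entries are constructed here, written as single lines the way the real disk_log emits them, and the threshold and window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the etacacs_plus.log format (one entry per line).
SAMPLE_LOG = [
    "2023-09-29T08:53:27.979046+02:00 info: msg: etacacs_plus starting",
    "2023-09-29T08:54:01.000000+02:00 info: authentication: FAIL, user: tacadmin",
    "2023-09-29T08:54:02.000000+02:00 info: authentication: FAIL, user: tacadmin",
    "2023-09-29T08:54:03.000000+02:00 info: authentication: FAIL, user: tacadmin",
    "2023-09-29T08:54:04.000000+02:00 info: authentication: FAIL, user: tacadmin",
    "2023-09-29T08:54:05.000000+02:00 info: authentication: FAIL, user: tacadmin",
    "2023-09-29T08:54:06.000000+02:00 info: authentication: PASS, user: tacadmin",
    "2023-09-29T08:55:00.000000+02:00 info: authorization: PASS, in_data: service=nso, "
    "out_data: groups=admin netadmin private uid=1000 gid=100 home=/tmp, user: tacadmin",
    "2023-09-29T09:10:00.000000+02:00 info: authentication: FAIL, user: operator",
    "2023-09-29T09:30:00.000000+02:00 info: authorization: FAIL, in_data: service=hello, user: tacadmin",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+): (?P<phase>authentication|authorization): "
    r"(?P<status>PASS|FAIL), (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for an AAA result line, or None for other entries (e.g. 'msg: ...')."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "level": m["level"],
             "phase": m["phase"], "status": m["status"]}
    # The rest is "key: value" pairs separated by ", "; a value (out_data) may
    # contain spaces and '=' but never ", ".
    for part in m["rest"].split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            event[key] = value
    return event


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert when a user reaches `threshold` authentication FAILs inside a sliding window,
    and again if a PASS arrives while the window is still full (a guess that worked)."""
    fails = defaultdict(list)          # user -> FAIL timestamps still inside the window
    alerts = []
    for ev in map(parse_line, lines):
        if not ev or ev["phase"] != "authentication":
            continue
        user, now = ev.get("user", "?"), ev["ts"]
        recent = fails[user]
        while recent and now - recent[0] > timedelta(seconds=window_s):
            recent.pop(0)
        if ev["status"] == "FAIL":
            recent.append(now)
            if len(recent) == threshold:
                alerts.append({"kind": "fail_burst", "user": user, "count": len(recent), "at": now})
        elif len(recent) >= threshold:
            alerts.append({"kind": "pass_after_burst", "user": user, "count": len(recent), "at": now})
    return alerts


def authorization_failures(lines):
    """Count authorization FAILs per (user, requested in_data) to spot probing for services."""
    counts = Counter()
    for ev in map(parse_line, lines):
        if ev and ev["phase"] == "authorization" and ev["status"] == "FAIL":
            counts[(ev.get("user"), ev.get("in_data"))] += 1
    return counts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
    print(dict(authorization_failures(SAMPLE_LOG)))
```

On the sample above this raises a `fail_burst` for `tacadmin` at the fifth FAIL and a `pass_after_burst` at the PASS one second later, while the single FAIL for `operator` stays below the threshold. The log carries no client address, so the window is keyed on user only; if you need per-source detection you have to take it from the connection, not from these lines.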

## Resources