# etacacs_plus
A simple TACACS+ server.
TACACS+ is described in RFC 8907 and is a general Authentication,
Authorization, and Accounting (AAA) protocol (similar to RADIUS).
`etacacs_plus` is a simple implementation of a TACACS+ server and
is primarily intended for testing of TACACS+ enabled applications.
## Build
```shell
$ rebar3 compile
```
## Run
```shell
$ rebar3 shell
```
Or by first building a release:
```shell
# Build release
$ rebar3 release
# Run start script
$ ./_build/default/rel/etacacs_plus/bin/etacacs_plus
# Run start script with interactive shell
$ ./_build/default/rel/etacacs_plus/bin/etacacs_plus console
```
## Configuration
Configuration of IP/Port, the secret TACACS+ key and the user DB config file
is done in the `config/etacacs_plus.config` file.
Example of `etacacs_plus.config` content:
```erlang
[{etacacs_plus,
  [{key, "tacacs123"},
   {listen_ip, {0,0,0,0}},
   {port, 5049},
   {db_conf_file, "config/db.conf"}
  ]
 }
].
```
User data is configured in the `db.conf` file. The User/Password is
used for Authentication and the User/Service is used for Authorization.
Example of `db.conf` content:
```erlang
{user, tacadmin,                                  % the User
 [{login, {cleartext, "tacadmin"}},               % the user Password
  {service, nso,                                  % for Authorization
   [{groups, [admin, netadmin, private]},         % returned data at success
    {uid, 1000},
    {gid, 100},
    {home, "/tmp"}
   ]
  },
  {member, [netadmin]}                            % not used
 ]
}.
```
## Example usage
Using the TACACS+ Python client in: https://github.com/ansible/tacacs_plus
```console
# Authenticate
$ tacacs_client -v -H 127.0.0.1 -p 5049 -k tacacs123 \
    -u tacadmin authenticate
password for tacadmin:
status: PASS

# Authorize the use of service: nso
$ tacacs_client -v -H 127.0.0.1 -p 5049 -k tacacs123 \
    -u tacadmin authorize -c service=nso
status: PASS
av-pairs:
  groups=admin netadmin private
  uid=1000
  gid=100
  home=/tmp

# Authorize the use of (the unknown) service: hello
$ tacacs_client -v -H 127.0.0.1 -p 5049 -k tacacs123 \
    -u tacadmin authorize -c service=hello
status: FAIL
```
## Logging
Under the `log` directory you will find disk_log
files named `etacacs_plus.log`. The logged content
will look like this (some date info abbreviated here,
and with some line breaks added for readability):
```text
2023-09-29T08:53:27.979046+02:00 info: msg: etacacs_plus starting
2023-... info: authentication: PASS, user: tacadmin
2023-... info: authentication: FAIL, user: tacadmin
2023-... info: authorization: PASS, in_data: service=nso, \
          out_data: groups=admin netadmin private \
                    uid=1000 gid=100 home=/tmp, \
          user: tacadmin
2023-... info: authorization: FAIL, in_data: service=hello, user: tacadmin
```
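The log format above, parsed into records and checked for repeated authentication failures per user, as an added Python example (not part of etacacs_plus; the sample lines are constructed to match the format shown, with full timestamps and one record per line):

```python
import re
from collections import Counter

# One etacacs_plus.log record per line: "<ts> <level>: <event>: <status>,
# [in_data: ...,] [out_data: ...,] user: <name>".  The "starting" message
# and any other non-AAA record does not match and is skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+): "
    r"(?P<event>authentication|authorization): (?P<status>PASS|FAIL)"
    r"(?:, in_data: (?P<in_data>.*?))?"
    r"(?:, out_data: (?P<out_data>.*?))?"
    r", user: (?P<user>\S+)$"
)

def parse_av_pairs(text):
    """Turn 'groups=admin netadmin private uid=1000' into a dict.  Tokens
    without '=' continue the previous value (multi-valued attributes)."""
    pairs, key = {}, None
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            pairs[key] = val
        elif key is not None:
            pairs[key] += " " + tok
    return pairs

def parse_line(line):
    """Return a dict for an authentication/authorization record, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for field in ("in_data", "out_data"):
        if rec[field]:
            rec[field] = parse_av_pairs(rec[field])
    return rec

def failed_auth_counts(lines):
    """Count authentication FAIL records per user: the signal to watch for
    password guessing against the server (threshold is the caller's choice)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "authentication" and rec["status"] == "FAIL":
            counts[rec["user"]] += 1
    return counts

# Constructed sample log, shaped like the records shown above.
SAMPLE_LOG = """\
2023-09-29T08:53:27.979046+02:00 info: msg: etacacs_plus starting
2023-09-29T08:54:01.000001+02:00 info: authentication: PASS, user: tacadmin
2023-09-29T08:54:05.000002+02:00 info: authentication: FAIL, user: tacadmin
2023-09-29T08:54:06.000003+02:00 info: authentication: FAIL, user: tacadmin
2023-09-29T08:54:07.000004+02:00 info: authentication: FAIL, user: tacadmin
2023-09-29T08:54:10.000005+02:00 info: authorization: PASS, in_data: service=nso, out_data: groups=admin netadmin private uid=1000 gid=100 home=/tmp, user: tacadmin
2023-09-29T08:54:12.000006+02:00 info: authorization: FAIL, in_data: service=hello, user: tacadmin
""".splitlines()
```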
## Resources
* https://datatracker.ietf.org/doc/html/rfc8907
* https://github.com/ansible/tacacs_plus
* https://ferd.ca/erlang-otp-21-s-new-logger.html
* https://rebar3.org/docs/