Security Settings
Security configuration from the GUI consists of creating the building blocks you can use to establish TLS-secured paths for your signaling traffic. The overall process includes generating certificate requests and certificate import.
The TLS configuration procedures that you can perform from the GUI includes:
- Configure Certificate Records.
- Generate Certificate Request for your CA.
- Import Certificates.
- Upload certificate files.
- Download certificate files.
- Configure TLS Profiles, which utilize your certificate records.
- Apply TLS Profiles to SIP Interfaces, agents and the web-server-config.
The dialogs available from the Security icon allow you to perform all procedures with the exception of applying a TLS profile to a configuration element. You apply TLS profiles to configuration elements using controls within their respective dialogs.
SHA 2 Support
The Oracle Enterprise Communications Broker (OECB) supports Secure Hash Algorithm (SHA) 2 for improved security.
The OECB supports SHA 2 for:
- Generating certificate requests, signing certificates, and verifying certificates.
- Configuring SHA-2 digital certificates on all interfaces through the dashboard, for example, the LDAP, SIP, and web/HTTPS: interfaces.
- Using the 2048 key size as the default for the signing algorithm.
- TLS 1.2 using the SHA-2 algorithm for certificates.
Add a Certificate Record
Use the certificate-record element to add certificate records to the Oracle Enterprise Communications Broker (OECB).
- Confirm that the system displays the Expert mode.
- If this certificate record is used to present an end-entity certificate, associate a private key with this certificate record by using a certificate request.
- If this certificate record is created to hold a CA certificate or certificate in pkcs12 format, a private key is not required.
- Create TLS profiles, using the certificate records to further define the encryption behavior and to provide an entity that you can apply to a SIP interface.
TLS Profile Configuration
Generate a Certificate Request
Use the certificate-record element to select a certificate record and generate a certificate request.
- Confirm that the certificate record exists.
To get a certificate authorized by a Certificate Authority (CA), you must generate a certificate request from the certificate record on the device and send it to the CA.
- When the CA replies with the certificate, import the certificate to the device with the corresponding certificate record.
Import a Certificate
Use the certificate-record element to import a certificate into the Oracle Enterprise Communications Broker (OECB).
Use this procedure to import either a device certificate or an end-station CA certificate for a mutual authentication deployment. You must import the certificate to the corresponding certificate record for the OECB. End-station CA certificates may or may not need to be imported against a pre-configured certificate record.
- Apply the corresponding certificate record to the intended SIP interface.
RADIUS Authentication
The User Authentication and Access control feature supports authentication using one or more RADIUS servers. In addition, you can set two levels of privilege, one for all privileges and more limited set that is read-only.
User authentication configuration also allows you to use local authentication, localizing security to the Oracle Enterprise Communications Broker (OECB) log-in modes. These modes are User and Superuser, each requiring a separate password.
The components involved in the RADIUS-based user authentication architecture are the OECB and your RADIUS servers. In these roles:
- The OECB restricts access and requires authentication through the RADIUS server. The OECB communicates with the RADIUS server using either port 1812 or 1645, but does not know whether or not the RADIUS server listens on these ports
- Your RADIUS server provides
an alternative method for defining
OECB users and
authenticating them through RADIUS. The RADIUS server supports the VSA called
ACME_USER_CLASS, which specifies what kind of user is requesting authentication
and what privileges to grant.
The OECB also supports the use of the Cisco Systems Inc.™ Cisco-AVPair vendor specific attribute (VSA). This attribute allows for successful administrator login to servers that do not support the Oracle authorization VSA. While using RADIUS-based authentication, the OECB authorizes you to enter Superuser mode locally even when your RADIUS server does not return the ACME_USER_CLASS VSA or the Cisco-AVPair VSA. For this VSA, the Vendor-ID is 1 and the Vendor-Type is 9. The following below shows the values this attribute can return, and the result of each:
- shell:priv-lvl=15—User automatically logged in as an administrator
- shell:priv-lvl=1—User logged in at the user level, and not allowed to become an administrator
- Any other value—User rejected
When RADIUS user authentication is enabled, the OECB communicates with one or more configured RADIUS servers that validates the user and specifies privileges. On the OECB, you configure:
- What type of authentication you want to use on the OECB
- If you are using RADIUS authentication, you set the port from which you want the OECB to send messages
- If you are using RADIUS authentication, you also set the protocol type you want the OECB and RADIUS server to use for secure communication
Although most common deployments use two RADIUS servers to support this feature, you may configure up to six. Among other settings for the server, there is a class parameter that specifies whether the OECB should consider a specific server as primary or secondary. As implied by these designations, the primary servers are used first for authentication, and the secondary servers are used as backups. If you configure more than one primary and one secondary server, the OECB chooses servers to which it sends traffic in a round-robin strategy. For example, if you specify three servers are primary, the OECB will round-robin to select a server until it finds an appropriate one. The system does the same for secondary servers.
The VSA attribute assists with enforcement of access levels by containing one of the following classes:
- None—All access denied
- User—Monitoring privileges are granted; your user prompt will resemble ORACLE>
- Admin—All privileges are granted (monitoring, configuration, etc.); your user prompt will resemble ORACLE#
After the system selects a RADIUS server, the OECB initiates communication and proceeds with the authentication process. The authentication process between the OECB and the RADIUS server takes place uses one the following methods, all of which are defined by RFCs:
| Protocol | RFC |
|---|---|
| PAP (Password Authentication Protocol) | B. Lloyd and W. Simpson, PPP Authentication Protocols, RFC 1334, October 1992 |
| CHAP (Challenge Handshake Authentication Protocol) | B. Lloyd and W. Simpson, PPP Authentication
Protocols, RFC 1334, October 1992
W. Simpson, PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994, August 1996 |
| MS-CHAP-V2 | G. Zorn, Microsoft PPP CHAP Extensions, Version 2, RFC 2759, January 2000 |
Note:
MS-CHAP-V2 support includes authentication, only. The OECB does not support or allow password exchange.Management Protocol Behavior
When you use local authentication, management protocols behave the same way that they do when you are not using RADIUS servers. When you use RADIUS servers for authentication, management protocols behave as follows:
- SSH in pass-through mode—The User and Admin accounts are authenticated locally, not through the RADIUS server. For all other accounts, the configured RADIUS servers are used for authentication. When authentication is successful, the user is granted privileges depending on the ACME_USER_CLASS VSA attribute.
- SSH in non-pass-through mode—When you create an SSH account on the Oracle Enterprise Communications Broker (OECB), you are asked to supply a user name and password. When local authentication succeeds, you are prompted for the ACLI user name and password. If your user ACLI name is user, then you are authenticated locally. Otherwise, you are authenticated using the RADIUS server. If RADIUS authentication is successful, the privileges you are granted depend on the ACME_USER_CLASS VSA attribute.
- SFTP in pass-through mode—When you do not configure an SSH account on the Oracle Enterprise Communications Broker, the RADIUS server is contacted for authentication for any user that does not have the user name user. The Oracle Enterprise Communications Broker uses local authentication if the user name is user.
- SFTP in non-pass-through mode—The User and Admin accounts are authenticated locally, not through the RADIUS server. For all other accounts, the configured RADIUS servers are used for authentication.
RADIUS Authentication Configuration
To enable RADIUS authentication and user access on your Oracle Enterprise Communications Broker, you need to configure global parameters for the feature and then configure the RADIUS servers that you want to use.
RADIUS Server Settings
The parameters you set for individual RADIUS servers identify the RADIUS server, establish a password common to the Oracle Enterprise Communications Broker and the server, and establish trying times.
Setting the class and the authentication methods for the RADIUS servers can determine how and when they are used in the authentication process.
To configure a RADIUS server to use for authentication:
TACACS+ Overview
Like DIAMETER and RADIUS, TACACS+ uses a client/server model in which a Network Access Server (NAS) acts in the client role and a TACACS+ equipped device (a daemon in TACACS+ nomenclature) assumes the server role. For purposes of the current implementation, the Oracle Enterprise Communications Broker functions as the TACACS+ client. Unlike RADIUS, which combines authentication and authorization, TACACS+ provides three distinct applications to provide finer grade access control.
Authentication is the process that confirms a user’s purported identity. Authentication is most often based on a simple username/password association, but other, and more secure methods, are becoming more common. The following authentication methods are support by the current implementation: simple password, PAP (Protocol Authentication Protocol), and CHAP (Challenge Handshake Authentication Protocol).
Authorization is the process that confirms user privileges. TACACS+ can provide extremely precise control over access to system resources. In the current implementation, TACACS+ controls access to system administrative functions.
TACACS+ provides secure communication between the client and daemon by encrypting all packets. Encryption is based on a shared-secret, a string value known only to the client and daemon. Packets are encrypted in their entirety, save for a common TACACS+ header.
The cleartext header contains, among other fields, a version number, a sequence number. and a session ID. Using a methodology described in Section 5 of the TACACS+ draft RFC, the sender encrypts outbound cleartext messages by repetitively running the MD5 hash algorithm over the concatenation of the session ID, shared-secret, version number, and sequence number values, eventually deriving a virtual one-time-pad of the same length as the message body. The sender encrypts the cleartext message with an XOR (Exclusive OR) operation, using the cleartext message and virtual one-time-pad as inputs.
The message recipient, who possesses the shared-secret, can readily obtain the version number, sequence number, session ID, and message length from the cleartext header. Consequently, the recipient employs the same methodology to derive a virtual one-time-pad identical to that derived by the sender. The recipient decrypts the encrypted message with an XOR operation, using the encrypted message and virtual one-time-pad as inputs.
Details on the TACACS+ functions and configuration can be found in the Oracle Communications Session Border Controller ACLI Configuration Guide.
The TACACS+ implementation is based upon the following internet draft.
draft-grant-tacacs-02.txt, The TACACS+ Protocol Version 1.78
Other relevant documents include
RFC 1321, The MD-5 Message Digest Algorithm
RFC 1334, PPP Authentication Protocols .
RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP)
Note:
TACACs documentation in this guide excludes per-message definitions that duplicate IETF standards documentation.TACACS+ Authentication
The Oracle Enterprise Communications Broker uses TACACS+ authentication services solely for the authentication of user accounts. Administrative users must be authenticated locally by the Oracle Enterprise Communications Broker.
The current TACACS+ implementation supports three types of user authentication: simple password (referred to as ascii by TACACS+), PAP, and CHAP.
ascii Login
ascii login is analogous to logging into a standard PC. The initiating peer is prompted for a username, and, after responding, is then prompted for a password.
PAP Login
PAP is defined in RFC 1334, PPP Authentication Protocols. This protocol offers minimal security in that passwords are transmitted as unprotected cleartext. PAP login differs from ascii login in that the username and password are transmitted to the authenticating peer in a single authentication packet, as opposed to the two-step prompting process used in ascii login.
CHAP Login
CHAP is defined in RFC 1994, PPP Challenge Handshake Authentication Protocol. CHAP is a more secure than PAP in that it is based on a shared-secret (known only to the communicating peers), and therefore avoids the transmission of cleartext authentication credentials. CHAP operations can be summarized as follows.
After a login attempt, the initiator is tested by the authenticator who responds with a packet containing a challenge value — an octet stream with a recommended length of 16 octets or more. Receiving the challenge, the initiator concatenates an 8-bit identifier (carried within the challenge packet header), the shared-secret, and the challenge value, and uses the shared-secret to compute an MD-5 hash over the concatenated string. The initiator returns the hash value to the authenticator, who performs the same hash calculation, and compares results. If the hash values match, authentication succeeds; if hash values differ, authentication fails.
Authentication Message Exchange
All TACACS+ authentication packets consist of a common header and a message body. Authentication packets are of three types: START, CONTINUE, and REPLY.
START and CONTINUE packets are always sent by the Oracle Enterprise Communications Broker, the TACACS+ client. START packets initiate an authentication session, while CONTINUE packets provide authentication data requested by the TACACS+ daemon. In response to every client-originated START or CONTINUE, the daemon must respond with a REPLY packet. The REPLY packet contains either a decision (pass or fail), which terminates the authentication session, or a request for additional information needed by the authenticator.
TACACS+ Header
The TACACS+ header format is as follows.
+----+----+--------+--------+--------+ |maj |min | type | seq_no | flags | |ver |ver | | | | +----+----+--------+--------+--------+ | session_id | +------------------------------------+ | length | +------------------------------------+
maj ver
This 4-bit field identifies the TACACS+ major protocol version, and must contain a value of 0xC .
min ver
This 4-bit field identifies the TACACS+ minor protocol version, and must contain either a value of 0x0 (identifying TACACS+ minor version 0) or a value of 0x1 . (identifying TACACS+ minor version 1). Minor versions 0 and 1 differ only in the processing of PAP and CHAP logins.
type
This 8-bit field identifies the TACACS+ AAA service as follows:
0x1 — TACACS+ Authentication
0x2 — TACACS+ Authorization
0x3 — TACACS+ Accounting
sequence-no
This 8-bit field contains the packet sequence for the current session.
The first packet of a TACACS+ session must contain the value 1; each following packet increments the sequence count by 1. As TACACS+ sessions are always initiated by the client, all client-originated packets carry an odd sequence number, and all daemon-originated packets carry an even sequence number. TACACS+ protocol strictures do not allow the sequence_no field to wrap. If the sequence count reaches 255, the session must be stopped and restarted with a new sequence number of 1.
flags
This 8-bit field contains flags as described in Section 3 of the draft RFC; flags are not under user control.
session_id
This 32-bit field contains a random number that identifies the current TACACS+ session — it is used by clients and daemons to correlate TACACS+ requests and responses.
length
This 32-bit field contains the total length of the TACACS+ message, excluding the 12-octet header — in other words, the length of the message body.
Authentication START Packet
The Oracle Enterprise Communications Broker, acting as a TACACS+ client, sends an authentication START packet to the TACACS+ daemon to initiate an authentication session. The daemon must respond with a REPLY packet.
The authentication START packet format is as follows.
+-----------------------------------+ | Common Header | | | | type contains 0x1 | +--------+--------+--------+--------+ |action |priv_lvl|authen_ |service | | | |type | | |--------+--------+--------+--------+ |user_len|port_len|rem_addr|data_len| | | |_len | | +--------+--------+--------+--------+ | user ... | +-----------------------------------+ | port ... | +-----------------------------------+ | rem-addr ... | +-----------------------------------+ | data ... | +-----------------------------------+
action
This 8-bit field contains an enumerated value that identifies the requested authentication action. For the current TACACS+ implementation, this field always contains a value of 0x01 , indicating user login authentication.
priv_lvl
This 8-bit field contains an enumerated value that identifies the privilege level requested by an authenticating user. For the current TACACS+ authentication implementation, this field always contains a value of 0x01 , indicating the user level.
authen-type
This 8-bit field contains an enumerated value that identifies the authentication methodology. Supported values are as follows:
0x01 ASCII — simple login, Oracle Enterprise Communications Broker prompts for username and password
0x02 PAP — as specified in RFC 1334
0x03 CHAP — as specified in RFC 1994
service
This 8-bit field contains an enumerated value that identifies the service requesting the authentication. For the current TACACS+ implementation, this field always contains a value of 0x01 , indicating user login authentication.
user_len
This 8-bit field contains the length of the user field in octets.
port_len
This 8-bit field contains the length of the port field in octets. As the port field is not used in the current TACACS+ authentication implementation, the port_len field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.
rem_addr_len
This 8-bit field contains the length of the rem_addr field in octets. As the rem_addr field is not used in the current TACACS+ authentication implementation, the rem_addr_len field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.
data_len
This 8-bit field contains the length of the data field in octets.
user
This variable length field contains the login name of the user to be authenticated.
port
This variable length field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10 .
rem_addr
This variable length field contains the location of the user to be authenticated. This field contains the localhost address.
data
This optional variable length field contains miscellaneous data.
Authentication REPLY Packet
The TACACS+ daemon sends an authentication REPLY packet to the Oracle Enterprise Communications Broker in response to a authentication START or authentication CONTINUE packet. Depending on the contents of the status field, the authentication REPLY packet either ends the authentication transaction, or continues the transaction by requesting addition information needed by the authenticator.
The authentication REPLY packet format is as follows.
+-----------------------------------+ | Common Header | | | | type contains 0x1 | +--------+--------+--------+--------+ | (type field contains 0x1) | +--------+--------+-----------------+ | status | flags | server_msg_len | |--------+--------+--------+--------+ | data_len | server_msg ... | +-----------------+-----------------+ | data ... | +-----------------------------------+
status
This 16-bit field contains an enumerated value that specifies the current state of the authentication process. Supported values are as follows:
0x01 PASS — the user is authenticated, thus ending the session
0x02 FAIL — the user is rejected, thus ending the session
0x04 GETUSER — daemon request for the user name
0x05 GETPASS — daemon request for the user password
0x06 RESTART — restarts the transaction, possibly because the sequence number has wrapped, or possibly because the requested authentication type is not supported by the daemon
0x07 ERROR — reports an unrecoverable error
flags
This 8-bit field contains various flags that are not under user control.
server_msg_len
This 16-bit field contains the length of the server_msg field in octets. As the server_msg field is not used in REPLY packets sent by the current TACACS+ authentication implementation, the server_msg_len field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.
data_len
This 16-bit field contains the length of the data field in octets. As the data field is not used in REPLY packets sent by the current TACACS+ authentication implementation, the data_len field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.
server_msg
This optional variable length field contains a server message intended for display to the user. The current TACACS+ authentication implementation does not use this field.
data
This optional variable length field contains data pertinent to the authentication process. The current TACACS+ authentication implementation does not use this field.
Authentication CONTINUE Packet
The Oracle Enterprise Communications Broker, acting as a TACACS+ client, sends an authentication CONTINUE packet to the TACACS+ daemon in response to a REPLY message which requested additional data required by the authenticator.
The authentication CONTINUE packet format is as follows.
+-----------------------------------+ | Common Header | | | | type contains 0x1 | +--------+--------+-----------------+ | user_msg_len | data_len | |--------+--------+-----------------+ | flags | user_msg ... | +--------+--------------------------+ | data ... | +-----------------------------------+
user_msg_len
This 16-bit field contains the length of the user_msg field in octets.
data_len
This 16-bit field contains the length of the data field in octets. As the data field is not used in the current TACACS+ authentication implementation, the data field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.
flags
This 8-bit field contains various flags that are not under user control.
user_msg
This variable length field contains a string that responds to an information request contained in a REPLY message.
data
This optional variable length field contains miscellaneous data, often in response to a daemon request. The current TACACS+ authentication implementation does not use the data field in Authentication CONTINUE packets.
Authentication Scenarios
Each of the supported user authentication scenarios is described in terms of packet flow in the following sections.
ASCII Authentication
The Oracle Enterprise Communications Broker initiates the authentication with an authentication START packet.
+-----------------------------------+ | Common Header | | minor_version contains 0x0 | | type contains 0x1 | +--------+--------+--------+--------+ |action |priv_lvl|authen_ |service | | | |type | | | 0x01 | 0x01 | 0x01 | 0x01 | |--------+--------+--------+--------+ |user_len|port_len|rem_addr|data_len| | | |_len | | | 0 | N | N | 0 | +--------+--------+--------+--------+ | port | | tty10 | +-----------------------------------+ | rem_addr | | localhost address | +-----------------------------------+
- The action field specifies the requested authentication action — 0x01 for TAC_PLUSAUTHEN_LOGIN (authentication of a user login).
- The priv_lvl field specifies the privilege level requested by the user — 0x01 for TAC_PLUS_PRIV_LVL_USER.
- The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
- The service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
- The user_len and data_len fields contain a value of 0 , as required by the TACACS+ protocol.
- The port_len and rem_addr_len fields contain the length, in octets, of the port and rem_addr fields.
- The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10 .
- The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
The TACACS+ daemon returns an authentication REPLY requesting the username.
+-----------------------------------+ | Common Header | | minor_version contains 0x0 | | type contains 0x1 | +--------+--------+-----------------+ | status | flags | server_msg_len | | 0x04 | | 0 | |--------+--------+-----------------+ | data_len | | 0 | +-----------------+
- The status field specifies a daemon request — 0x04 for TAC_PLUS_AUTH_STATUS_GETUSER (get username).
- The server_msg_len data_len fields both contain a value of 0 , as required by the TACACS+ protocol.
The Oracle Enterprise Communications Brokerresponds with an authentication CONTINUE packet.
+-----------------------------------+ | Common Header | | minor_version contains 0x0 | | type contains 0x1 | +-----------------+-----------------+ | user_msg_len | data_len | | | 0 | |--------+--------+-----------------+ | flags | user_msg ... | +--------+--------------------------+
- The user_msg_len field contains the length, in octets, of the user_msg field.
- The data_len field contains a value of 0 , as required by the TACACS+ protocol.
- The user_msg field contains the username to be authenticated.
The TCACS+ daemon returns a second authentication REPLY requesting the user password.
+-----------------------------------+ | Common Header | | minor_version contains 0x0 | | type contains 0x1 | +--------+--------+--------+--------+ | status | flags | server_msg_len | | 0x05 | | 0 | |--------+--------+--------+--------+ | data_len | | 0 | +-----------------+
- The status field specifies a daemon request — 0x05 for TAC_PLUS_AUTH_STATUS_GETPASS (get user password).
- The server_msg_len and data_len fields both contain a value of 0 , as required by the TACACS+ protocol.
The Oracle Enterprise Communications Broker responds with a second authentication CONTINUE packet.
+-----------------------------------+ | Common Header | | minor_version contains 0x0 | | type contains 0x1 | +-----------------+-----------------+ | user_msg_len | data_len | | | 0 | |--------+--------+--------+--------+ | flags | user_msg ... | +--------+--------------------------+
- The user_msg_len field contains the length, in octets, of the user_msg field.
- The data_len field contains a value of 0 , as required by the TACACS+ protocol.
- The user_msg field contains the user password to be authenticated.
- Other, optional fields are not used.
The TACACS+ daemon returns a third authentication REPLY reporting the authentication result, and terminating the authentication session.
+-----------------------------------+ | Common Header | | minor_version contains 0x0 | | type contains 0x1 | +--------+--------+-----------------+ | status | flags | server_msg_len | | 0x01 | | 0 | |--------+--------+-----------------+ | data_len | | 0 | +-----------------+
- The status field specifies the authentication result — 0x01 for TAC_PLUS_AUTH_STATUS_PASS (authorization succeeds), or 0x02 for TAC_PLUS_AUTH_STATUS_FAIL (authorization fails).
- The server_msg_len , and data_len fields both contain a value of 0 , as required by the TACACS+ protocol.
PAP Authentication
The Oracle Enterprise Communications Broker initiates the authentication with an authentication START packet.
+-----------------------------------+ | Common Header | | minor_version contains 0x1 | | type contains 0x1 | +--------+--------+--------+--------+ |action |priv_lvl|authen_ |service | | | |type | | | 0x01 | 0x01 | 0x02 | 0x01 | |--------+--------+--------+--------+ |user_len|port_len|rem_addr|data_len| | | |_len | | | N | N | N | N | +--------+--------+--------+--------+ | user | +-----------------------------------+ | port | | tty10 | +-----------------------------------+ | rem_addr | | localhost address | +-----------------------------------+ | data ... | +-----------------------------------+
- The action field specifies the requested authentication action — 0x01 for TAC_PLUSAUTHEN_LOGIN (authentication of a user login).
- The priv_lvl field specifies the privilege level requested by the user — 0x01 for TAC_PLUS_PRIV_LVL_USER.
- The authen_type field specifies the authentication methodology — 0x02 for TAC_PLUS_AUTHEN_TYPE_PAP (PAP login).
- The service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
- The user_len field contains the length, in octets, of the user field.
- The port_len field contains the length, in octets, of the port field.
- The rem_addr_len field contains the length, in octets, of the rem_addr field.
- The data_len field contains the length, in octets, of the date field.
- The user field contains the username to be authenticated.
- The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10 .
- The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
- The data field contains the password to be authenticated.
The TCACS+ daemon returns an authentication REPLY reporting the authentication result.
+-----------------------------------+ | Common Header | | minor_version contains 0x1 | | type contains 0x1 | +--------+--------+-----------------+ | status | flags | server_msg_len | | 0x01 | | 0 | |--------+--------+-----------------+ | data_len | | 0 | +-----------------+
- The status field specifies the authentication result — 0x01 for TAC_PLUS_AUTH_STATUS_PASS (authorization succeeds), or 0x02 for TAC_PLUS_AUTH_STATUS_FAIL (authorization fails).
- The server_msg_len and data_len fields both contain a value of 0 , as required by the TACACS+ protocol.
- Other, optional fields are not used.
CHAP Authentication
The Oracle Enterprise Communications Broker initiates the authentication with an authentication START packet.
+-----------------------------------+ | Common Header | | minor_version contains 0x1 | | type contains 0x1 | +--------+--------+--------+--------+ |action |priv_lvl|authen_ |service | | | |type | | | 0x01 | 0x01 | 0x03 | 0x01 | |--------+--------+--------+--------+ |user_len|port_len|rem_addr|data_len| | | |_len | | | N | N | N | N | +--------+--------+--------+--------+ | user | +-----------------------------------+ | port | | tty10 | +-----------------------------------+ | rem_addr | | localhost address | +-----------------------------------+ | data ... | +-----------------------------------+
- The action field specifies the requested authentication action — 0x01 for TAC_PLUSAUTHEN_LOGIN (authentication of a user login).
- The priv_lvl field specifies the privilege level requested by the user — 0x01 for TAC_PLUS_PRIV_LVL_USER.
- The authen_type field specifies the authentication methodology — 0x03 for TAC_PLUS_AUTHEN_TYPE_CHAP (CHAP login).
- The service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
- The user_len field contains the length, in octets, of the user field.
- The port_len field contains the length, in octets, of the port field.
- The rem_addr_len field contains the length, in octets, of the rem_addr field.
- The data_len field contains the length, in octets, of the date field.
- The user field contains the username to be authenticated.
- The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10 .
- The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
- The data field contains the password to be authenticated.
The TCACS+ daemon returns an authentication REPLY reporting the authentication result.
+-----------------------------------+ | Common Header | | minor_version contains 0x1 | | type contains 0x1 | +--------+--------+-----------------+ | status | flags | server_msg_len | | 0x01 | | 0 | |--------+--------+-----------------+ | data_len | | 0 | +-----------------+
- The status field specifies the authentication result — 0x01 for TAC_PLUS_AUTH_STATUS_PASS (authorization succeeds), or 0x02 for TAC_PLUS_AUTH_STATUS_FAIL (authorization fails).
- The server_msg_len and data_len fields both contain a value of 0 , as required by the TACACS+ protocol.
- Other, optional fields are not used.
TACACS+ Authorization
The Oracle Enterprise Communications Broker uses TACACS+ services to provide administrative authorization. With TACACS+ authorization enabled, each individual ACLI command issued by an admin user is authorized by the TACACS+ authorization service. The Oracle Enterprise Communications Broker replicates each ACLI command in its entirety, sends the command string to the authorization service, and suspends command execution until it receives an authorization response. If TACACS+ grants authorization, the pending command is executed; if authorization is not granted, the Oracle Enterprise Communications Broker does not execute the ACLI command, and displays an appropriate error message.
The daemon’s authorization decisions are based on a database lookup. Data base records use regular expressions to associate specific command string with specific users. The construction of such records is beyond the scope of this document.
Authorization Message Exchange
All TACACS+ authorization packets consist of a common header and a message body. Authorization packets are of two types: REQUEST and RESPONSE.
The REQUEST packet, which initiates an authorization session, is always sent by the Oracle Enterprise Communications Broker. Upon receipt of every REQUEST, the daemon must answer with a RESPONSE packet. In the current TACACS+ implementation, the RESPONSE packet must contain an authorization decision (pass or fail). The exchange of a single REQUEST and the corresponding RESPONSE completes the authorization session.
Authorization REQUEST Packet
The Oracle Enterprise Communications Broker, acting as a TACACS+ client, sends an authorization REQUEST packet to the TACACS+ daemon to initiate an authorization session.
The authorization REQUEST packet format is as follows.
+-----------------------------------+ | Common Header | | | | type contains 0x2 | +--------+--------+--------+--------+ |authen_ |priv_lvl|authen_ |authen- | |method | |type |service | |--------+--------+--------+--------+ |user_len|port_len|rem_addr|arg_cnt | | | |_len | | +----+---+--------+--------+--------+ |arg1_len|arg2_len| ... |argN_len| | | | | | +--------+--------+--------+--------+ | user ... | +-----------------------------------+ | port ... | +-----------------------------------+ | rem-addr ... | +-----------------------------------+ | arg1 ... | +-----------------------------------+ | arg2 ... | +-----------------------------------+ | argN ... | +-----------------------------------+
authen_method
This 8-bit field contains an enumerated value that identifies the method used to authenticate the authorization subject — that is, an admin user. Because the admin user was authenticated locally by the Oracle Enterprise Communications Broker, this field always contains a value of 0x05 , indicating authentication by the requesting client.
priv_lvl
This 8-bit field contains an enumerated value that identifies the privilege level associated with the authorization subject. For the current TACACS+ authorization implementation, this field always contains a value of 0x00 .
authen-type
This 8-bit field contains an enumerated value that identifies the methodology. used to authenticate the authorization subject. Because the admin user was authenticated with a simple username/password exchange, this field always contains a value of 0x01 , indicating ascii login.
authen_service
This 8-bit field contains an enumerated value that identifies the service that requested authentication. Because an admin user is authenticated with a simple username/password exchange, this field always contains a value of 0x01 , the login service.
user_len
This 8-bit field contains an integer that specifies the length, in octets, of the user field.
port_len
This 8-bit field contains an integer that specifies the length, in octets, of the port field.
rem_addr_len
This 8-bit field contains an integer that specifies the length, in octets, of the rem_addr field.
arg_cnt
This 8-bit field contains an integer that specifies the number or arguments contained with the REQUEST. Given the design of the current TACACS+ implementation, this field always contains a value of 0x02 .
arg1_len
This 8-bit field contains an integer that specifies the length, in octets, of the first argument.
Subsequent fields contain the length of each sequential argument.
user
This variable length field contains the login name of the user to be authorized.
port
This variable length field contains the name of the Oracle Enterprise Communications Broker port on which authorization is taking place. Following Cisco Systems convention, this field contains the string tty10 .
rem_addr
This variable length contains the location of the user to be authorized. This field contains the localhost address.
arg...
This variable length field contains a TACACS+ attribute value pair (AVP); each arg field holds a single AVP.
A TACACS+ AVP is an ASCII string with a maximum length of 255 octets. The string consists of the attribute name and its assigned value separated by either an equal sign (=) or by an asterisk (*). The equal sign (=) identifies a mandatory argument, one that must be understood and processed by the TACACS+ daemon; the asterisk (*) identifies an optional argument that may be disregarded by either the client or daemon.
Administrative authorization requires the use of only two TACACS+ AVPs: service and cmd .
The service AVP identifies the function to be authorized. In the case of the current implementation, the attribute value is always shell . Consequently the attribute takes the follow format:
service=shell
The cmd AVP identifies the specific ACLI command to be authorized. The command is passed in its entirety, from the administrative configuration root, configure terminal, through the final command argument. For example,
cmd=configure terminal security authentication type tacacsplus
Note the equal sign (=) used in the attribute examples, indicating that both are mandatory arguments.
Authorization RESPONSE Packet
The TACACS+ daemon sends an authorization RESPONSE packet to the Oracle Enterprise Communications Broker to report authorization results.
The authorization RESPONSE packet format is as follows.
+-----------------------------------+ | Common Header | | | | type contains 0x2 | +--------+--------+-----------------+ |status |arg_cnt | server_msg len | | | | | |--------+--------+--------+--------+ | data_len |arg1_len|arg2_len| | | | | +--------+--------+--------+--------+ | ... |argN_len| server_msg | | | | | +--------+--------+-----------------+ | data ... | +-----------------------------------+ | arg1 ... | +-----------------------------------+ | arg2 ... | +-----------------------------------+ | argN ... | +-----------------------------------+
status
This 8-bit field contains an enumerated value that specifies the results of the authorization process. Supported values are 0x01 (Pass), 0x10 (Fail), and 0x11 (Error). Fail indicates that the authorization service rejected the proposed operation, while Error indicates the authorization service failed
If authorization succeeds (status=0x01), the ACLI command is executed; if authorization fails, for whatever the reason (status=0x10 or 0x11), the ACLI command is not executed, and an appropriate error message is generated.
arg_cnt
This 8-bit field contains an integer that specifies the number or arguments contained with the RESPONSE. Given the design of the current TACACS+ implementation, this field always contains a value of 0x02 .
server_msg_len
This 16-bit field contains an integer that specifies the length, in octets, of the server_msg field.
data_len
This 16-bit field contains an integer that specifies the length, in octets, of the data field.
arg1_len
This 8-bit field contains an integer that specifies the length, in octets, of the first argument.
Subsequent fields contain the length of each sequential argument.
server-msg
This optional variable length field contains a string that can be presented to the user.
data
This optional variable length field contains a string that can be presented to an administrative display, console, or log.
arg...
This optional variable length field contains a TACACS+ attribute value pair (AVP); each arg field holds a single AVP.
No arguments are generated in RESPONSE packets within the current TACACS+ implementation.
Authorization Pass
The Oracle Enterprise Communications Broker initiates the authorization with an authorization REQUEST packet.
+-----------------------------------+ | Common Header | | | | type contains 0x2 | +--------+--------+--------+--------+ |authen_ |priv_lvl|authen_ |authen_ | |method | |type |service | | 0x05 | 0x00 | 0x01 | 0x01 | |--------+--------+--------+--------+ |user_len|port_len|rem_addr|arg_cnt | | | |_len | | | N | N | N | 2 | +--------+--------+--------+--------+ |arg1_len|arg2_len| user ... | | | | | | N | N | login name | +--------+--------+-----------------+ | port | | tty10 | +-----------------------------------+ | rem_addr | | localhost address | +-----------------------------------+ | arg1 | | AVP | | service=shell | +-----------------------------------+ | arg2 | | AVP | | cmd=configure terminal security | +-----------------------------------+
- The authen_method field specifies the method used to authenticate the subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
- The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
- The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
- The authen_ service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
- The user_len field contains the length, in octets, of the user field.
- The port_len field contains the length, in octets, of the port field.
- The rem_addr_len field contains the length, in octets, of the rem_addr field.
- The arg_cnt field contains the number of arguments in the message body.
- The arg1_len field contains the length, in octets, of the service AVP.
- The arg2_len field contains the length, in octets, of the service AVP.
- The user field contains the login name of an admin user.
- The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10 .
- The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
- The arg1 field contains the mandatory service AVP.
- The arg2 field contains the mandatory cmd AVP.
The TACACS+ daemon returns a authorization RESPONSE reporting the status, and terminating the authorization session.
+-----------------------------------+ | Common Header | | | | type contains 0x2 | +--------+--------+-----------------+ | status |arg_cnt | server_msg_len | | 0x01 | 0 | 0 | |--------+--------+-----------------+ | data_len | | 0 | +-----------------+
- The status field specifies the authorization status — 0x01 for TAC_PLUS_AUTHOR_STATUS_PASS_ADD (authorization approved).
- The arg_cnt field contains a value of 0 — the authorization RESPONSE returns no arguments.
- The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.
Authorization Fail
The Oracle Enterprise Communications Broker initiates the authorization with an authorization REQUEST packet.
+-----------------------------------+ | Common Header | | | | type contains 0x2 | +--------+--------+--------+--------+ |authen_ |priv_lvl|authen_ |authen_ | |method | |type |service | | 0x05 | 0x00 | 0x01 | 0x01 | |--------+--------+--------+--------+ |user_len|port_len|rem_addr|arg_cnt | | | |_len | | | N | N | N | 2 | +--------+--------+--------+--------+ |arg1_len|arg2_len| user ... | | | | | | N | N | login name | +--------+--------+-----------------+ | port | | tty10 | +-----------------------------------+ | rem_addr | | localhost address | +-----------------------------------+ | arg1 | | AVP | | service=shell | +-----------------------------------+ | arg2 | | AVP | | cmd=configure terminal scurity | +-----------------------------------+
- The authen_method field specifies the method used to authenticate the administrative subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
- The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
- The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
- The authen_ service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
- The user_len field contains the length, in octets, of the user field.
- The port_len field contains the length, in octets, of the port field.
- The rem_addr_len field contains the length, in octets, of the rem-addr field.
- The arg_cnt field contains the number of arguments in the message body.
- The arg1_len field contains the length, in octets, of the service AVP.
- The arg2_len field contains the length, in octets, of the service AVP.
- The user field contains the login name of an admin user.
- The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10 .
- The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
- The arg1 field contains the mandatory service AVP.
- The arg2 field contains the mandatory cmd AVP.
The TACACS+ daemon returns an authorization RESPONSE reporting the status, and terminating the authorization session.
+-----------------------------------+ | Common Header | | | | type contains 0x2 | +--------+--------+--------+--------+ | status |arg_cnt | server_msg_len | | 0x10 | 0 | 0 | |--------+--------+--------+--------+ | data_len | | 0 | +-----------------+
- The status field specifies the authorization status — 0x10 for TAC_PLUS_AUTHOR_STATUS_FAIL (authorization rejected).
- The arg_cnt field contains a value of 0 — the authorization RESPONSE returns no arguments.
- The server_msg_len and data_len fields both contain a value of 0 , as required by the TACACS+ protocol.
TACACS+ Accounting
The Oracle Enterprise Communications Broker uses TACACS+ accounting to log administrative actions. With accounting enabled, each individual ACLI command executed by an admin user is logged by the accounting service.
Accounting Message Exchange
All TACACS+ accounting packets consist of a common header and a message body. Accounting packets are of two types: REQUEST and REPLY.
The REQUEST packet has three variant forms. The START variant initiates an accounting session; the STOP variant terminates an accounting session; the WATCHDOG variant updates the current accounting session. REQUEST packets are always sent by the Oracle Enterprise Communications Broker. Upon receipt of every REQUEST, the daemon must answer with a REPLY packet.
A TACACS+ accounting session proceeds as follows.
- Immediately following successful authorization of an admin user, the Oracle Enterprise Communications Broker sends an accounting REQUEST START packet.
- The daemon responds with an accounting REPLY packet, indicating that accounting has started.
- For each ACLI command executed by an admin user, the Oracle Enterprise Communications Broker sends an accounting REQUEST WATCHDOG packet requesting accounting of the ACLI command. As the Oracle Enterprise Communications Broker sends the WATCHDOG only after an admin user’s access to the ACLI command is authorized, the accounting function records only those commands executed by the user, not those commands for which authorization was not granted.
- The daemon responds with an accounting REPLY packet, indicating that the ACLI operation has been recorded by the accounting function.
- Steps 3 and 4 are repeated for each authorized ACLI operation.
- Immediately following logout (or timeout) of an admin user, the Oracle Enterprise Communications Broker sends an accounting REQUEST STOP packet.
- The daemon responds with an accounting REPLY packet, indicating that accounting has stopped.
Accounting REQUEST Packet
The Oracle Enterprise Communications Broker, acting as a TACACS+ client, sends an accounting REQUEST START variant to the TACACS+ daemon following the successful authorization of an admin user. It sends an accounting REQUEST WATCHDOG variant to the daemon following the authorization of an admin user’s access to an ACLI command. It sends an accounting REQUEST STOP variant to the daemon at the conclusion of the ACLI session.
The accounting REQUEST packet format is as follows.
+-----------------------------------+ | Common Header | | | | type contains 0x3 | +--------+--------+--------+--------+ | flags |authen_ |priv_lvl|authen- | | |method | |type | |--------+--------+--------+--------+ |authen_ |user_len|port_len|rem_addr| |service | | |_len | +----+---+--------+--------+--------+ |arg_cnt |arg1_len|arg2_len|argN_len| | | | | | +--------+--------+--------+--------+ |argN_len| user ... | +--------+--------------------------+ | port ... | +-----------------------------------+ | rem-addr ... | +-----------------------------------+ | arg1 ... | +-----------------------------------+ | arg2 ... | +-----------------------------------+ | argN ... | +-----------------------------------+
flags
This 8-bit field contains an enumerated value that identifies the accounting REQUEST variant.
0x2 — START
0x4 — STOP
0x8 — WATCHDOG
authen_method
This 8-bit field contains an enumerated value that identifies the method used to authenticate the accounting subject — that is, an admin user. Because an admin user is authenticated locally by the Oracle Enterprise Communications Broker, this field always contains a value of 0x05 , indicating authentication by the requesting client.
priv_lvl
This 8-bit field contains an enumerated value that identifies the privilege level associated with the accounting subject. For the current TACACS+ accounting implementation, this field always contains a value of 0x00 .
authen-type
This 8-bit field contains an enumerated value that identifies the methodology. used to authenticate the accounting subject. Because an admin user is authenticated with a simple username/password exchange, this field always contains a value of 0x01 , indicating ascii login.
authen_service
This 8-bit field contains an enumerated value that identifies the service that requested authentication. Because an admin user is authenticated with a simple username/password exchange, this field always contains a value of 0x01 , the login service.
user_len
This 8-bit field contains an integer that specifies the length, in octets, of the user field.
port_len
This 8-bit field contains an integer that specifies the length, in octets, of the port field.
rem_addr_len
This 8-bit field contains an integer that specifies the length, in octets, of the rem_addr field.
arg_cnt
This 8-bit field contains an integer that specifies the number or arguments contained with the accounting REQUEST.
arg1_len
This 8-bit field contains an integer that specifies the length, in octets, of the first argument.
Subsequent fields contain the length of each sequential argument.
user
This variable length field contains the login name of the accounting subject.
port
This variable length field contains the name of the Oracle Enterprise Communications Broker port on accounting is taking place. Following Cisco System convention, this field always contains the string tty10 .
rem_addr
This variable length contains the location of the authorization subject. This field always contains the localhost address.
arg...
This variable length field contains a TACACS+ attribute value pair (AVP); each arg field holds a single AVP.
A TACACS+ AVP is an ASCII string with a maximum length of 255 octets. The string consists of the attribute name and its assigned value separated by either an equal sign (=) or by an asterisk (*). The equal sign (=) identifies a mandatory argument, one that must be understood and processed by the TACACS+ daemon; the asterisk (*) identifies an optional argument that may be disregarded by either the client or daemon.
Administrative accounting requires the use of five TACACS+ AVPs: service, task-id, start_time, and stop_time.
The task_id AVP, included in accounting REQUEST START, STOP, and WATCHDOG variants, correlates session initiation, watchdog updates, and termination packets; each associated START, STOP, and WATCHDOG packet must contain matching task-id AVPs.
task_id=13578642
The start_time AVP, included in accounting REQUEST START and WATCHDOG variants, specifies the time at which a specific accounting request was initiated. The start time is expressed as the number of seconds elapsed since January 1, 1970 00:00:00 UTC.
start_time=1286790650
The stop_time AVP, included in accounting REQUEST STOP variants, specifies the time at which a specific accounting session was terminated. The stop time is expressed as the number of seconds elapsed since January 1, 1970 00:00:00 UTC.
stop_time=1286794250
The service AVP, included in accounting REQUEST START, STOP, and WATCHDOG variants, identifies the function subject to accounting. In the case of the current implementation, the attribute value is always shell . Consequently the attribute takes the follow format:
service=shell
The cmd AVP, included in accounting REQUEST WATCHDOG variants, identifies the specific ACLI command to be processed by the accounting service. The command is passed in its entirety, from the administrative configuration root, configure terminal, through the final command argument. For example,
cmd=configure terminal security authentication type tacacsplus
Note the equal sign (=) used in the attribute examples, indicating that all are mandatory arguments.
Accounting REPLY Packet
The TACACS+ daemon sends an accounting REPLY packet to the Oracle Enterprise Communications Broker to report accounting results.
The accounting REPLY packet format is as follows.
+-----------------------------------+ | Common Header | | | | type contains 0x3 | +-----------------+--------+--------+ | server_msg_len | data_len | |--------+--------+-----------------+ | status | server_msg ... | +--------+--------------------------+ | data ... | +-----------------------------------+
server_msg_len
This 16-bit field contains the length, in octets, of the server_msg field.
data_len
This 16-bit field contains the length, in octets, of the data field.
status
This 8-bit field contains the status of the previous accounting request. Supported values are:
0x1 — Success
0x2 — Error/Failure
server_msg
This optional variable length field can contain a message intended for display to the user. This field is unused in the current TACACS+ implementation.
data
This optional variable length field can contain miscellaneous data. This field is unused in the current TACACS+ implementation.
Accounting Scenario
The Oracle Enterprise Communications Broker initiates the accounting session with an accounting REQUEST START.
+-----------------------------------+ | Common Header | | | | type contains 0x3 | +--------+--------+--------+--------+ | flags |authen_ |priv_lvl|authen- | | |method | |type | | 0x02 | 0x05 | 0x00 | 0x01 | |--------+--------+--------+--------+ |authen_ |user_len|port_len|rem_addr| |service | | |_len | | 0X01 | N | N | N | +----+---+--------+--------+--------+ |arg_cnt |arg1_len|arg2_len|arg3_len| | 3 | N | N | N | +--------+--------+--------+--------+ | user | | login name of an admin user | +-----------------------------------+ | port | | tty10 | +-----------------------------------+ | rem_addr | | localhost address | +-----------------------------------+ | AVP | | task-id=13578642 | +-----------------------------------+ | AVP | | start_time=1286790650 | +-----------------------------------+ | AVP | | service=shell | +-----------------------------------+
- The flags field contains an enumerated value ( 0x02 ) that identifies an accounting REQUEST START.
- The authen_method field specifies the method used to authenticate the ACCOUNTING subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
- The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
- The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
- The authen_ service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
- The user_len field contains the length, in octets, of the user field.
- The port_len field contains the length, in octets, of the port field.
- The rem_addr_len field contains the length, in octets, of the rem_addr field.
- The arg_cnt field contains the number of arguments in the message body.
- The arg1_len field contains the length, in octets, of the task_id AVP.
- The arg2_len field contains the length, in octets, of the start_time AVP.
- The arg3_len field contains the length, in octets, of the service AVP.
- The user field contains the login name of an admin user.
- The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10 .
- The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
- The arg1 field contains the mandatory task_id AVP.
- The arg2 field contains the mandatory start_time AVP.
- The arg3 field contains the mandatory service AVP.
The TACACS+ daemon returns an accounting REPLY reporting the status, indicating that accounting has started.
+-----------------------------------+ | Common Header | | | | type contains 0x3 | +-----------------+-----------------+ | server_msg_len | data_len | | 0 | 0 | |--------+--------+-----------------+ | status | | 0x01 | +--------+
- The server_msg_len and data_len fields both contain a value of 0 , as required by the TACACS+ protocol.
- The status field specifies the authorization status — 0x01 for TAC_PLUS_ACCT_STATUS_SUCCESS (accounting processed).
The Oracle Enterprise Communications Broker reports ACLI command execution with an accounting REQUEST WATCHDOG.
+-----------------------------------+ | Common Header | | | | type contains 0x3 | +--------+--------+--------+--------+ | flags |authen_ |priv_lvl|authen- | | |method | |type | | 0x08 | 0x05 | 0x00 | 0x01 | |--------+--------+--------+--------+ |authen_ |user_len|port_len|rem_addr| |service | | |_len | | 0X01 | N | N | N | +----+---+--------+--------+--------+ |arg_cnt |arg1_len|arg2_len|arg3_len| | 4 | N | N | N | +--------+--------+--------+--------+ |arg4_len| user | | | login name of admin user | +--------+--------------------------+ | port | | tty10 | +-----------------------------------+ | rem_addr | | localhost address | +-----------------------------------+ | AVP | | task-id=13578642 | +-----------------------------------+ | AVP | | start_time=1286790650 | +-----------------------------------+ | AVP | | service=shell | +-----------------------------------+ | AVP | | cmd=configure terminal security | +-----------------------------------+
- The flags field contains an enumerated value ( 0x08 ) that identifies an accounting REQUEST WATCHDOG.
- The authen_method field specifies the method used to authenticate the ACCOUNTING subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
- The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
- The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
- The authen_ service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
- The user_len field contains the length, in octets, of the user field.
- The port_len field contains the length, in octets, of the port field.
- The rem_addr_len field contains the length, in octets, of the rem_addr field.
- The arg_cnt field contains the number of arguments in the message body.
- The arg1_len field contains the length, in octets, of the task_id AVP.
- The arg2_len field contains the length, in octets, of the start_time AVP.
- The arg3_len field contains the length, in octets, of the service AVP.
- The arg4_len field contains the length, in octets, of the cmd AVP.
- The user field contains the login name of an admin user.
- The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10 .
- The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
- The arg1 field contains the mandatory task_id AVP.
- The arg2 field contains the mandatory start_time AVP.
- The arg3 field contains the mandatory service AVP.
- The arg4 field contains the mandatory cmd AVP.
The TACACS+ daemon returns an accounting REPLY reporting the status, indicating that the ACLI operation has been processed.
+-----------------------------------+ | Common Header | | | | type contains 0x3 | +-----------------+-----------------+ | server_msg_len | data_len | | 0 | 0 | |--------+--------+-----------------+ | status | | 0x01 | +--------+
- The server_msg_len and data_len fields both contain a value of 0 , as required by the TACACS+ protocol.
- The status field specifies the authorization status — 0x01 for TAC_PLUS_ACCT_STATUS_SUCCESS (accounting processed).
The Oracle Enterprise Communications Broker reports an admin user logout or timeout with an accounting REQUEST STOP.
+-----------------------------------+ | Common Header | | | | type contains 0x3 | +--------+--------+--------+--------+ | flags |authen_ |priv_lvl|authen- | | |method | |type | | 0x04 | 0x05 | 0x00 | 0x01 | |--------+--------+--------+--------+ |authen_ |user_len|port_len|rem_addr| |service | | |_len | | 0X01 | N | N | N | +----+---+--------+--------+--------+ |arg_cnt |arg1_len|arg2_len|arg3_len| | 3 | N | N | N | +--------+--------+--------+--------+ | user | | login name of an admin user | +-----------------------------------+ | port | | tty10 | +-----------------------------------+ | rem_addr | | localhost address | +-----------------------------------+ | AVP | | task-id=13578642 | +-----------------------------------+ | AVP | | stop_time=1286790650 | +-----------------------------------+ | AVP | | service=shell | +-----------------------------------+
- The flags field contains an enumerated value ( 0x04 ) that identifies an accounting REQUEST STOP.
- The authen_method field specifies the method used to authenticate the ACCOUNTING subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
- The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
- The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
- The authen_ service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
- The user_len field contains the length, in octets, of the user field.
- The port_len field contains the length, in octets, of the port field.
- The rem_addr_len field contains the length, in octets, of the rem_addr field.
- The arg_cnt field contains the number of arguments in the message body.
- The arg1_len field contains the length, in octets, of the task_id AVP.
- The arg2_len field contains the length, in octets, of the start_time AVP.
- The arg3_len field contains the length, in octets, of the service AVP.
- The user field contains the login name of an admin user.
- The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10 .
- The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
- The arg1 field contains the mandatory task_id AVP.
- The arg2 field contains the mandatory start_time AVP.
- The arg3 field contains the mandatory service AVP.
The TACACS+ daemon returns an accounting REPLY reporting the status, indicating that accounting has terminated.
+-----------------------------------+ | Common Header | | | | type contains 0x3 | +-----------------+-----------------+ | server_msg_len | data_len | | 0 | 0 | |--------+--------+-----------------+ | status | | 0x01 | +--------+
- The server_msg_len and data_len fields both contain a value of 0 , as required by the TACACS+ protocol.
- The status field specifies the authorization status — 0x01 for TAC_PLUS_ACCT_STATUS_SUCCESS (accounting processed).
Managing TACACS+ Operations
TACACS+ management is supported by the following utilities.
TACACS+ MIB
An Oracle proprietary MIB provides external access to TACACS+ statistics.
MIB counters are contained in the apSecurityTacacsPlusStatsTable that is defined as follows.
SEQUENCE {
apSecurityTacacsPlusCliCommands Counter32
apSecurityTacacsPlusSuccess Authentications Counter32
apSecurityTacacsPlusFailureAuthentications Counter32
apSecurityTacacsPlusSuccess Authorizations Counter32
apSecurityTacacsPlusFailureAuthorizations Counter32
}
apSecuritysTacacsPlusStats Table (1.3.6.1.4.1.9148.3.9.9.4)
| Object Name | Object OID | Description |
|---|---|---|
| apSecurityTacacsCliCommands | 1.3.6.1.4.1.9148.3.9.1.4.3 | Global counter for ACLI commands sent to TACACS+ Accounting |
| apSecurityTacacsSuccess Authentications | 1.3.6.1.4.1.9148.3.9.1.4.4 | Global counter for the number of successful TACACS+ authentications |
| apSecurityTacacsFailureAuthentications | 1.3.6.1.4.1.9148.3.9.1.4.5 | Global counter for the number of unsuccessful TACACS+ authentications |
| apSecurityTacacsSuccess Authorizations | 1.3.6.1.4.1.9148.3.9.1.4.6 | Global counter for the number of successful TACACS+ authorizations |
| apSecurityTacacsFailure Authorizations | 1.3.6.1.4.1.9148.3.9.1.4.7 | Global counter for the number of unsuccessful TACACS+ authorizations |
SNMP Trap
SNMP traps are issued when
- a TACACS+ daemon becomes unreachable
- an unreachable TACACS+ daemon becomes reachable
- an authentication error occurs
- an authorization error occurs
TACACS+ Faults
The Oracle Enterprise Communications Broker supports two TACACS+ traps, apSysMgmtTacacsDownTrap and apSysMgmtTacacsDownClearTrap.
The apSysMgmtTacacsDownTrap is generated when a TACACS+ server becomes unreachable.
The apSysMgmtTacacsDownClearTrap is generated when a TACACS+ server that was unreachable becomes reachable.
The OECB searches for a TACACS+ server until it finds an available one and then stops searching. However, in the TACACS+ SNMP implementation, SNMP expects the OECB to make connection attempts to all servers. When there is only one TACACS+ server and that server goes down, the OECB behaves normally, sending a apSysMgmtTacacsDownTrap trap when the server goes down, and a apSysMgmtTacacsDownClearTrap trap when the server comes back up. When there is more than one TACACS+ server and the active server goes down, an apSysMgmtTacacsDownTrap trap is sent, indicating that some servers are down and the next server is tried. If all servers fail, an apSysMgmtTacacsDownTrap is sent indicating that all servers are down. If one of the servers comes back up while the rest are still down, an apSysMgmtTacacsDownTrap is sent indicating that some servers are still down.
