Security Settings

Security configuration from the GUI consists of creating the building blocks you can use to establish TLS-secured paths for your signaling traffic. The overall process includes generating certificate requests and certificate import.

The TLS configuration procedures that you can perform from the GUI include:

  • Configure Certificate Records.
  • Generate Certificate Request for your CA.
  • Import Certificates.
  • Upload certificate files.
  • Download certificate files.
  • Configure TLS Profiles, which utilize your certificate records.
  • Apply TLS Profiles to SIP Interfaces, agents and the web-server-config.

The dialogs available from the Security icon allow you to perform all procedures with the exception of applying a TLS profile to a configuration element. You apply TLS profiles to configuration elements using controls within their respective dialogs.

SHA 2 Support

The Oracle Enterprise Communications Broker (OECB) supports Secure Hash Algorithm (SHA) 2 for improved security.

The OECB supports SHA 2 for:

  • Generating certificate requests, signing certificates, and verifying certificates.
  • Configuring SHA-2 digital certificates on all interfaces through the dashboard, for example, the LDAP, SIP, and web/HTTPS interfaces.
  • Using the 2048 key size as the default for the signing algorithm.
  • TLS 1.2 using the SHA-2 algorithm for certificates.

Add a Certificate Record

Use the certificate-record element to add certificate records to the Oracle Enterprise Communications Broker (OECB).

A certificate record represents either the end-entity or the Certificate Authority (CA) certificate on the OECB. When you configure a certificate for the OECB, the name that you enter must be the same as the name that you use to generate a certificate request. If configuring for an end station's CA certificate for mutual authentication, the certificate name must be the same name used during the import procedure.

  • Confirm that the system displays the Expert mode.
  • If this certificate record is used to present an end-entity certificate, associate a private key with this certificate record by using a certificate request.
  • If this certificate record is created to hold a CA certificate or a certificate in pkcs12 format, a private key is not required.
  1. From the Web GUI, click Configuration, Security, Certificate record.
  2. On the Certificate record page, click Add.
  3. On the Add certificate record page, click Show advanced, and do the following:
  4. Click OK.
  5. Save the configuration.
  • Create TLS profiles, using the certificate records to further define the encryption behavior and to provide an entity that you can apply to a SIP interface.

TLS Profile Configuration

Certificate records must exist prior to this configuration.
Configure a TLS profile to further define the encryption behavior you want between these systems and to establish an entity that you can apply to SIP Interfaces. Steps required follow.
  1. Click the TLS Profile link. The system displays the TLS profile list.
  2. Click the Add link. The system displays the dialog below, which is truncated for the purpose of presentation here.
  3. Name—Enter the name of the TLS profile. This parameter is required.
  4. end-entity-certificate—Enter the name of the Certificate Record for the applicable entity.
  5. trusted-ca-certificates—Enter the names of the trusted CA certificate records.
  6. cipher-list—The following cipher-lists are supported for the GUI only:
    • AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA) - Firefox (version 12) and Chrome (version 19.0.1084.46m)
    • AES128-SHA (TLS_RSA_WITH_AES_128_CBC_SHA) - Firefox (version 12) and Chrome (version 19.0.1084.46m)
    • DES-CBC-SHA (SSL_RSA_WITH_DES_CBC_SHA or TLS_RSA_WITH_DES_CBC_SHA) - Internet Explorer (Version 9)
  7. verify-depth—Specify the maximum depth of the certificate chain that will be verified. The default value is 10. The valid range is:
    • Minimum—0
    • Maximum—10
  8. mutual-authenticate—Define whether or not you want the Oracle Enterprise Communications Broker to mutually authenticate the client. The default value is disabled. The valid values are:
    • enabled | disabled (default)
  9. tls-version—Enter the TLS version you want to use with this TLS profile. Default is compatibility. Valid values are:
    • TLSv1
    • SSLv3
    • compatibility (default)
  10. cert-status-check—Enables OCSP in conjunction with an existing TLS profile.
  11. cert-status-profile-list—Assigns one or more cert-status-profiles to the current TLS profile. Each assigned cert-status-profile provides the information needed to access a single OCSP responder.
  12. ignore-dead-responder—Enables your device to establish a client connection even if the OCSP responder is unavailable, assuming the associated certificate was signed by a trusted certificate authority.
    • enabled | disabled (default)
  13. allow-self-signed-cert—Enables your device to establish client connections to clients that present self-signed certificates.
    • enabled | disabled (default)
Apply your TLS profile to a SIP Interface by selecting it from the SIP Interface's TLS Profile drop-down.

Generate a Certificate Request

Use the certificate-record element to select a certificate record and generate a certificate request.

  • Confirm that the certificate record exists.

To get a certificate authorized by a Certificate Authority (CA), you must generate a certificate request from the certificate record on the device and send it to the CA.

  1. From the Web GUI, click Configuration, security, certificate-record.
    The system displays a list of certificate records.
  2. Select the certificate record for the device.
  3. Click Generate.
    The system creates the request and displays it in a dialog.
  4. Copy the information from the dialog and send it to your CA as a text file.
  • When the CA replies with the certificate, import the certificate to the device with the corresponding certificate record.

Import a Certificate

Use the certificate-record element to import a certificate into the Oracle Enterprise Communications Broker (OECB).

Use this procedure to import either a device certificate or an end-station CA certificate for a mutual authentication deployment. You must import the certificate to the corresponding certificate record for the OECB. End-station CA certificates may or may not need to be imported against a pre-configured certificate record.

  1. From the Web GUI, click Configuration, security, certificate record.
  2. Select the certificate record for the device.
  3. Click Import.
    The system displays a dialog from which you can import the certificate.
  4. Select one of the following format types from the Format drop down list:
    • pkcs7
    • x509
    • Try-all. The system tries all possible formats until it can import the certificate.
  5. Browse to the certificate file, and select the certificate to import.
  6. Click Import.
    The OECB imports the certificate.
  7. Reboot the system.
  • Apply the corresponding certificate record to the intended SIP interface.

RADIUS Authentication

The User Authentication and Access control feature supports authentication using one or more RADIUS servers. In addition, you can set two levels of privilege: one with all privileges and a more limited set that is read-only.

User authentication configuration also allows you to use local authentication, localizing security to the Oracle Enterprise Communications Broker (OECB) log-in modes. These modes are User and Superuser, each requiring a separate password.

The components involved in the RADIUS-based user authentication architecture are the OECB and your RADIUS servers. In these roles:

  • The OECB restricts access and requires authentication through the RADIUS server. The OECB communicates with the RADIUS server using either port 1812 or 1645, but does not know whether or not the RADIUS server listens on these ports.
  • Your RADIUS server provides an alternative method for defining OECB users and authenticating them through RADIUS. The RADIUS server supports the VSA called ACME_USER_CLASS, which specifies what kind of user is requesting authentication and what privileges to grant.

    The OECB also supports the use of the Cisco Systems Inc.™ Cisco-AVPair vendor specific attribute (VSA). This attribute allows for successful administrator login to servers that do not support the Oracle authorization VSA. While using RADIUS-based authentication, the OECB authorizes you to enter Superuser mode locally even when your RADIUS server does not return the ACME_USER_CLASS VSA or the Cisco-AVPair VSA. For this VSA, the Vendor-ID is 1 and the Vendor-Type is 9. The following shows the values this attribute can return, and the result of each:

    • shell:priv-lvl=15—User automatically logged in as an administrator
    • shell:priv-lvl=1—User logged in at the user level, and not allowed to become an administrator
    • Any other value—User rejected

When RADIUS user authentication is enabled, the OECB communicates with one or more configured RADIUS servers that validate the user and specify privileges. On the OECB, you configure:

  • What type of authentication you want to use on the OECB
  • If you are using RADIUS authentication, you set the port from which you want the OECB to send messages
  • If you are using RADIUS authentication, you also set the protocol type you want the OECB and RADIUS server to use for secure communication

Although most common deployments use two RADIUS servers to support this feature, you may configure up to six. Among other settings for the server, there is a class parameter that specifies whether the OECB should consider a specific server as primary or secondary. As implied by these designations, the primary servers are used first for authentication, and the secondary servers are used as backups. If you configure more than one primary and one secondary server, the OECB chooses servers to which it sends traffic in a round-robin strategy. For example, if you specify three servers are primary, the OECB will round-robin to select a server until it finds an appropriate one. The system does the same for secondary servers.

The VSA attribute assists with enforcement of access levels by containing one of the following classes:

  • None—All access denied
  • User—Monitoring privileges are granted; your user prompt will resemble ORACLE>
  • Admin—All privileges are granted (monitoring, configuration, etc.); your user prompt will resemble ORACLE#

After the system selects a RADIUS server, the OECB initiates communication and proceeds with the authentication process. The authentication process between the OECB and the RADIUS server uses one of the following methods, all of which are defined by RFCs:

Protocol                                             RFC
PAP (Password Authentication Protocol)               B. Lloyd and W. Simpson, PPP Authentication Protocols, RFC 1334, October 1992
CHAP (Challenge Handshake Authentication Protocol)   B. Lloyd and W. Simpson, PPP Authentication Protocols, RFC 1334, October 1992
                                                     W. Simpson, PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994, August 1996
MS-CHAP-V2                                           G. Zorn, Microsoft PPP CHAP Extensions, Version 2, RFC 2759, January 2000

Note:

MS-CHAP-V2 support includes authentication only. The OECB does not support or allow password exchange.

Management Protocol Behavior

When you use local authentication, management protocols behave the same way that they do when you are not using RADIUS servers. When you use RADIUS servers for authentication, management protocols behave as follows:

  • SSH in pass-through mode—The User and Admin accounts are authenticated locally, not through the RADIUS server. For all other accounts, the configured RADIUS servers are used for authentication. When authentication is successful, the user is granted privileges depending on the ACME_USER_CLASS VSA attribute.
  • SSH in non-pass-through mode—When you create an SSH account on the Oracle Enterprise Communications Broker (OECB), you are asked to supply a user name and password. When local authentication succeeds, you are prompted for the ACLI user name and password. If your user ACLI name is user, then you are authenticated locally. Otherwise, you are authenticated using the RADIUS server. If RADIUS authentication is successful, the privileges you are granted depend on the ACME_USER_CLASS VSA attribute.
  • SFTP in pass-through mode—When you do not configure an SSH account on the Oracle Enterprise Communications Broker, the RADIUS server is contacted for authentication for any user that does not have the user name user. The Oracle Enterprise Communications Broker uses local authentication if the user name is user.
  • SFTP in non-pass-through mode—The User and Admin accounts are authenticated locally, not through the RADIUS server. For all other accounts, the configured RADIUS servers are used for authentication.

RADIUS Authentication Configuration

To enable RADIUS authentication and user access on your Oracle Enterprise Communications Broker, you need to configure global parameters for the feature and then configure the RADIUS servers that you want to use.

Global Authentication Settings

To configure the global authentication settings:

  1. Click the Configuration tab.
    The Oracle Enterprise Communications Broker displays the configuration panel.
  2. Click the Security configuration icon.
    The Oracle Enterprise Communications Broker displays the security configuration panel.
  3. Click the Login authentication link from the navigation panel on the left-hand side of the security configuration panel.
    The Oracle Enterprise Communications Broker displays the Modify Authentication dialog.
  4. Set the source port for messages sent from the Oracle Enterprise Communications Broker to the RADIUS server in the Source port field. The default value is 1812. The valid values are:
    • 1645 | 1812

  5. Set the type of user authentication you want to use on this Oracle Enterprise Communications Broker using the Type drop-down list. The default value is local. The valid values are:
    • local | radius

  6. If you are using RADIUS user authentication, set the protocol to use with your RADIUS server(s) from the Protocol drop-down list. The default is pap. The valid values are:
    • pap | chap | mschapv2

  7. Set the allow-local-authorization parameter to enabled if you want the Oracle Enterprise Communications Broker to authorize users to enter Superuser (administrative) mode locally even when your RADIUS server does not return the ACME_USER_CLASS VSA or the Cisco-AVPair VSA. The default for this parameter is disabled.
  8. Check the Login as admin checkbox if you want users to be logged automatically in Superuser (administrative) mode. The default for this parameter is disabled.

RADIUS Server Settings

The parameters you set for individual RADIUS servers identify the RADIUS server, establish a password common to the Oracle Enterprise Communications Broker and the server, and establish retry timing.

Setting the class and the authentication methods for the RADIUS servers can determine how and when they are used in the authentication process.

To configure a RADIUS server to use for authentication:

  1. Navigate to the Radius servers list box directly below the main authentication configuration controls. The list box displays all previously configured Radius servers, if any. You can Add, Edit, Copy and Delete existing servers using the control across the top of this list box.
  2. Click the Add link.
    The Oracle Enterprise Communications Broker displays the Add Radius server dialog.
  3. Set the remote IP address for the RADIUS server in the Add field. There is no default value, and you are required to configure this address.
  4. Set the port at the remote IP address for the RADIUS server in the Port field. The default port is set to 1812. The valid values are:
    • 1645 | 1812

  5. Set the state of the RADIUS server in the State field. Enable this parameter to use this RADIUS server to authenticate users. The default value is enabled. The valid values are:
    • enabled | disabled

  6. Set the password that the RADIUS server and the Oracle Enterprise Communications Broker share in the secret dialog, available when you click the set button. This dialog requires you to enter the secret twice and click OK. This password is transmitted between the two when the request for authentication is initiated; this ensures that the RADIUS server is communicating with the correct client.
  7. Set the NAS ID for the RADIUS server in the Nas id field. There is no default for this parameter.
  8. Set the number of times that you want the Oracle Enterprise Communications Broker to retry for authentication information from this RADIUS server in the retry-limit field. The default value is 3. The valid range is:
    • Minimum—1

    • Maximum—5

      If the RADIUS server does not respond within this number of tries, the Oracle Enterprise Communications Broker marks it as dead.

  9. Set the amount of time (in seconds) that you want the Oracle Enterprise Communications Broker to wait before retrying for authentication from this RADIUS server in the retry-time field. The default value is 5. The valid range is:
    • Minimum—5

    • Maximum—10

  10. Set the amount of time in seconds before the Oracle Enterprise Communications Broker retries a RADIUS server that it has designated as dead because that server did not respond within the maximum number of retries in the dead-time field. The default is 10. The valid range is:
    • Minimum—10

    • Maximum—10000

  11. Set the maximum number of outstanding sessions for this RADIUS server in the maximum-sessions field. The default value is 255. The valid range is:
    • Minimum—1

    • Maximum—255

  12. Set the class of this RADIUS server as either primary or secondary in the class field. A connection to the primary server is tried before a connection to the secondary server is tried. The default value is primary. Valid values are:
    • primary | secondary

      The Oracle Enterprise Communications Broker tries to initiate contact with primary RADIUS servers first, and then tries the secondary servers if it cannot reach any of the primary ones.

      If you configure more than one RADIUS server as primary, the Oracle Enterprise Communications Broker chooses the one with which it communicates using a round-robin strategy. The same strategy applies to the selection of secondary servers if there is more than one.

  13. Set the authentication method you want the Oracle Enterprise Communications Broker to use with this RADIUS server in the authentication-method drop-down. The default value is pap. Valid values are:
    • all | pap | chap | mschapv2

      This parameter has a specific relationship to the global protocol parameter for the authentication configuration, and you should exercise care when setting it. If the authentication method that you set for the RADIUS server does not match the global authentication protocol, then the RADIUS server is not used. The Oracle Enterprise Communications Broker simply overlooks it and does not send authentication requests to it. You can enable use of the server by changing the global authentication protocol so that it matches.

  14. Save your work and activate your configuration.
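The server-selection rules spread across the steps above (primary before secondary, round-robin within a class, a server skipped when its authentication-method does not match the global protocol, and a server marked dead after retry-limit unanswered tries until dead-time expires) are easier to reason about as one small model. The following Python is an added example written for this page; it is not OECB code, and the class names, the injectable clock and the scripted sequence are constructed for illustration. It also maps the Cisco-AVPair values listed earlier to the resulting access level.

```python
class RadiusServer:
    """One entry from the RADIUS server settings above (constructed model)."""

    def __init__(self, address, server_class="primary", auth_method="pap",
                 state="enabled", retry_limit=3, dead_time=10):
        self.address = address
        self.server_class = server_class   # primary | secondary
        self.auth_method = auth_method     # all | pap | chap | mschapv2
        self.state = state                 # enabled | disabled
        self.retry_limit = retry_limit     # 1..5 unanswered tries
        self.dead_time = dead_time         # 10..10000 seconds
        self.failures = 0
        self.dead_until = 0.0


class RadiusPool:
    """Selection order: usable primaries round-robin, then usable secondaries."""

    def __init__(self, servers, global_protocol="pap", now=None):
        if len(servers) > 6:
            raise ValueError("at most six RADIUS servers may be configured")
        self.servers = servers
        self.global_protocol = global_protocol   # pap | chap | mschapv2
        self.now = now or (lambda: 0.0)          # clock is injectable for tests
        self._rr = {"primary": 0, "secondary": 0}

    def usable(self, s):
        """Skip disabled servers, servers whose authentication-method does not
        match the global protocol, and servers still inside their dead-time."""
        return (s.state == "enabled"
                and s.auth_method in ("all", self.global_protocol)
                and s.dead_until <= self.now())

    def next_server(self):
        for cls in ("primary", "secondary"):
            pool = [s for s in self.servers if s.server_class == cls]
            for i in range(len(pool)):
                s = pool[(self._rr[cls] + i) % len(pool)]
                if self.usable(s):
                    self._rr[cls] = (self._rr[cls] + i + 1) % len(pool)
                    return s
        return None   # every configured server is disabled, mismatched or dead

    def record_timeout(self, s):
        """After retry-limit unanswered tries the server is dead for dead-time."""
        s.failures += 1
        if s.failures >= s.retry_limit:
            s.failures = 0
            s.dead_until = self.now() + s.dead_time
            return True
        return False

    def record_response(self, s):
        s.failures = 0


def privilege_from_cisco_avpair(value):
    """Map the Cisco-AVPair values listed above to the resulting access level."""
    if value == "shell:priv-lvl=15":
        return "admin"
    if value == "shell:priv-lvl=1":
        return "user"
    return None   # any other value: user rejected


def scripted_selection():
    """Drive a constructed pool through timeouts and dead-time expiry and
    return the address chosen at each step (None when nothing is usable)."""
    clock = [0.0]
    a = RadiusServer("10.0.0.1")
    b = RadiusServer("10.0.0.2")
    c = RadiusServer("10.0.0.3", server_class="secondary")
    d = RadiusServer("10.0.0.4", auth_method="chap")   # ignored under global pap
    pool = RadiusPool([a, b, c, d], global_protocol="pap", now=lambda: clock[0])
    pick = lambda: (lambda s: s.address if s else None)(pool.next_server())
    chosen = [pick(), pick()]                 # a, then b by round-robin
    for _ in range(a.retry_limit):
        pool.record_timeout(a)                # a is dead until t=10
    chosen += [pick(), pick()]                # b, b (a dead, d mismatched)
    for _ in range(b.retry_limit):
        pool.record_timeout(b)
    chosen.append(pick())                     # c: first usable secondary
    for _ in range(c.retry_limit):
        pool.record_timeout(c)
    chosen.append(pick())                     # None: everything is dead
    clock[0] = 11.0                           # dead-time has elapsed
    chosen.append(pick())                     # a is tried again
    return chosen
```

The mismatch rule is the one most often missed in practice: a server whose authentication-method is chap under a global protocol of pap is never contacted and never marked dead, so it silently contributes nothing to failover.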

TACACS+ Overview

Like DIAMETER and RADIUS, TACACS+ uses a client/server model in which a Network Access Server (NAS) acts in the client role and a TACACS+ equipped device (a daemon in TACACS+ nomenclature) assumes the server role. For purposes of the current implementation, the Oracle Enterprise Communications Broker functions as the TACACS+ client. Unlike RADIUS, which combines authentication and authorization, TACACS+ provides three distinct applications to provide finer-grained access control.

Authentication is the process that confirms a user's purported identity. Authentication is most often based on a simple username/password association, but other, more secure methods are becoming more common. The following authentication methods are supported by the current implementation: simple password, PAP (Password Authentication Protocol), and CHAP (Challenge Handshake Authentication Protocol).

Authorization is the process that confirms user privileges. TACACS+ can provide extremely precise control over access to system resources. In the current implementation, TACACS+ controls access to system administrative functions.

TACACS+ provides secure communication between the client and daemon by encrypting all packets. Encryption is based on a shared-secret, a string value known only to the client and daemon. Packets are encrypted in their entirety, save for a common TACACS+ header.

The cleartext header contains, among other fields, a version number, a sequence number, and a session ID. Using a methodology described in Section 5 of the TACACS+ draft RFC, the sender encrypts outbound cleartext messages by repetitively running the MD5 hash algorithm over the concatenation of the session ID, shared-secret, version number, and sequence number values, eventually deriving a virtual one-time-pad of the same length as the message body. The sender encrypts the cleartext message with an XOR (Exclusive OR) operation, using the cleartext message and virtual one-time-pad as inputs.

The message recipient, who possesses the shared-secret, can readily obtain the version number, sequence number, session ID, and message length from the cleartext header. Consequently, the recipient employs the same methodology to derive a virtual one-time-pad identical to that derived by the sender. The recipient decrypts the encrypted message with an XOR operation, using the encrypted message and virtual one-time-pad as inputs.

Details on the TACACS+ functions and configuration can be found in the Oracle Communications Session Border Controller ACLI Configuration Guide.

The TACACS+ implementation is based upon the following internet draft.

draft-grant-tacacs-02.txt, The TACACS+ Protocol Version 1.78

Other relevant documents include

RFC 1321, The MD-5 Message Digest Algorithm

RFC 1334, PPP Authentication Protocols

RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP)

Note:

TACACS+ documentation in this guide excludes per-message definitions that duplicate IETF standards documentation.

TACACS+ Authentication

The Oracle Enterprise Communications Broker uses TACACS+ authentication services solely for the authentication of user accounts. Administrative users must be authenticated locally by the Oracle Enterprise Communications Broker.

The current TACACS+ implementation supports three types of user authentication: simple password (referred to as ascii by TACACS+), PAP, and CHAP.

ascii Login

ascii login is analogous to logging into a standard PC. The initiating peer is prompted for a username, and, after responding, is then prompted for a password.

PAP Login

PAP is defined in RFC 1334, PPP Authentication Protocols. This protocol offers minimal security in that passwords are transmitted as unprotected cleartext. PAP login differs from ascii login in that the username and password are transmitted to the authenticating peer in a single authentication packet, as opposed to the two-step prompting process used in ascii login.

CHAP Login

CHAP is defined in RFC 1994, PPP Challenge Handshake Authentication Protocol. CHAP is more secure than PAP in that it is based on a shared-secret (known only to the communicating peers), and therefore avoids the transmission of cleartext authentication credentials. CHAP operations can be summarized as follows.

After a login attempt, the initiator is tested by the authenticator who responds with a packet containing a challenge value — an octet stream with a recommended length of 16 octets or more. Receiving the challenge, the initiator concatenates an 8-bit identifier (carried within the challenge packet header), the shared-secret, and the challenge value, and uses the shared-secret to compute an MD-5 hash over the concatenated string. The initiator returns the hash value to the authenticator, who performs the same hash calculation, and compares results. If the hash values match, authentication succeeds; if hash values differ, authentication fails.
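The challenge/response computation just described, carried through in Python as an added example for this page (not OECB code). Both peers are shown: the authenticator issues a fresh challenge of at least 16 octets and verifies the returned hash in constant time; the initiator computes MD5 over identifier || shared-secret || challenge. The secret, identifier and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Initiator side: MD5 over identifier || shared-secret || challenge
    (RFC 1994). The identifier is the 8-bit value from the challenge header."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier is an 8-bit field")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge(length=16):
    """Authenticator side: an unpredictable challenge of 16 octets or more,
    never reused, so a captured response is useless against a later login."""
    if length < 16:
        raise ValueError("RFC 1994 recommends a challenge of at least 16 octets")
    return os.urandom(length)


def chap_verify(identifier, secret, challenge, response):
    """Authenticator side: recompute the hash and compare in constant time so
    the comparison itself leaks nothing about where the digests differ."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def exchange(secret=b"constructed-shared-secret", identifier=0x2A):
    """One complete login, then the same response replayed against a fresh
    challenge. Returns (first login succeeded, replay succeeded)."""
    challenge = new_challenge()
    response = chap_response(identifier, secret, challenge)
    accepted = chap_verify(identifier, secret, challenge, response)
    replayed = chap_verify(identifier, secret, new_challenge(), response)
    return accepted, replayed
```

The replay check is the property that makes CHAP an improvement over PAP: the secret never crosses the wire, and because the authenticator binds every response to a one-off challenge, an observer who records one exchange cannot reuse it.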

Authentication Message Exchange

All TACACS+ authentication packets consist of a common header and a message body. Authentication packets are of three types: START, CONTINUE, and REPLY.

START and CONTINUE packets are always sent by the Oracle Enterprise Communications Broker, the TACACS+ client. START packets initiate an authentication session, while CONTINUE packets provide authentication data requested by the TACACS+ daemon. In response to every client-originated START or CONTINUE, the daemon must respond with a REPLY packet. The REPLY packet contains either a decision (pass or fail), which terminates the authentication session, or a request for additional information needed by the authenticator.

TACACS+ Header

The TACACS+ header format is as follows.

+----+----+--------+--------+--------+
|maj |min | type   | seq_no | flags  |
|ver |ver |        |        |        |
+----+----+--------+--------+--------+
| session_id                         |
+------------------------------------+
| length                             |
+------------------------------------+

maj ver

This 4-bit field identifies the TACACS+ major protocol version, and must contain a value of 0xC.

min ver

This 4-bit field identifies the TACACS+ minor protocol version, and must contain either a value of 0x0 (identifying TACACS+ minor version 0) or a value of 0x1 (identifying TACACS+ minor version 1). Minor versions 0 and 1 differ only in the processing of PAP and CHAP logins.

type

This 8-bit field identifies the TACACS+ AAA service as follows:

0x1 — TACACS+ Authentication

0x2 — TACACS+ Authorization

0x3 — TACACS+ Accounting

seq_no

This 8-bit field contains the packet sequence for the current session.

The first packet of a TACACS+ session must contain the value 1; each following packet increments the sequence count by 1. As TACACS+ sessions are always initiated by the client, all client-originated packets carry an odd sequence number, and all daemon-originated packets carry an even sequence number. TACACS+ protocol strictures do not allow the sequence_no field to wrap. If the sequence count reaches 255, the session must be stopped and restarted with a new sequence number of 1.

flags

This 8-bit field contains flags as described in Section 3 of the draft RFC; flags are not under user control.

session_id

This 32-bit field contains a random number that identifies the current TACACS+ session — it is used by clients and daemons to correlate TACACS+ requests and responses.

length

This 32-bit field contains the total length of the TACACS+ message, excluding the 12-octet header — in other words, the length of the message body.
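The header layout above and the MD5-based body encryption described in the TACACS+ Overview fit together in one short program. What follows is an added example written for this page, not OECB code: it packs and validates the 12-octet header, checks the odd/even sequence-number rule, derives the pad by chaining MD5 over session_id || shared-secret || version octet || seq_no (feeding each digest back in for the next 16 octets), and applies the XOR in both directions. Constant names, the sample body and the secret are constructed.

```python
import hashlib
import os
import struct

# Constants taken from the header description above (constructed module).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x1
HEADER_LEN = 12
HEADER_FMT = "!BBBBII"   # version, type, seq_no, flags, session_id, length


def pack_header(seq_no, session_id, body_len, pkt_type=TAC_PLUS_AUTHEN,
                minor_ver=TAC_PLUS_MINOR_VER_DEFAULT, flags=0):
    """Build the 12-octet common header. The version octet carries maj ver in
    its high nibble and min ver in its low nibble."""
    if not 1 <= seq_no <= 255:
        raise ValueError("seq_no must be 1..255; the field must not wrap")
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_ver
    return struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags,
                       session_id, body_len)


def unpack_header(raw):
    """Parse a header and reject values the field descriptions rule out."""
    if len(raw) < HEADER_LEN:
        raise ValueError("header is 12 octets")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, raw[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("major version must be 0xC")
    if version & 0xF not in (0x0, 0x1):
        raise ValueError("minor version must be 0x0 or 0x1")
    if seq_no == 0:
        raise ValueError("sequence numbers start at 1")
    return {"version": version, "type": pkt_type, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def client_originated(seq_no):
    """Client packets carry odd sequence numbers, daemon packets even ones."""
    return seq_no % 2 == 1


def pseudo_pad(session_id, secret, version, seq_no, length):
    """Chain MD5 over session_id || secret || version || seq_no, appending
    the previous digest each round, until the stream covers the body."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(header, body, secret):
    """XOR the body with the pad. XOR is its own inverse, so the same call
    recovers a received body given the same header and secret."""
    h = unpack_header(header)
    pad = pseudo_pad(h["session_id"], secret, h["version"], h["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def roundtrip_ok(secret=b"constructed-shared-secret"):
    """Encrypt a constructed body under seq_no 1 and recover it as the peer."""
    session_id = int.from_bytes(os.urandom(4), "big")
    body = b"constructed START body"
    header = pack_header(1, session_id, len(body))
    wire = header + obfuscate(header, body, secret)
    recovered = obfuscate(wire[:HEADER_LEN], wire[HEADER_LEN:], secret)
    return recovered == body
```

Two points worth keeping in mind when you operate this: the pad is determined entirely by header fields an observer can read plus the shared secret, so the secret's strength is the whole of the protection; and the XOR carries no integrity check, so a body decrypted under the wrong secret comes out as garbage rather than an error, which is why a mis-keyed daemon shows up as malformed packets instead of a clean rejection.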

Authentication START Packet

The Oracle Enterprise Communications Broker, acting as a TACACS+ client, sends an authentication START packet to the TACACS+ daemon to initiate an authentication session. The daemon must respond with a REPLY packet.

The authentication START packet format is as follows.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x1         |
+--------+--------+--------+--------+
|action  |priv_lvl|authen_ |service |
|        |        |type    |        |
+--------+--------+--------+--------+
|user_len|port_len|rem_addr|data_len|
|        |        |_len    |        |
+--------+--------+--------+--------+
|              user ...             |
+-----------------------------------+
|              port ...             |
+-----------------------------------+
|            rem_addr ...           |
+-----------------------------------+
|              data ...             |
+-----------------------------------+

action

This 8-bit field contains an enumerated value that identifies the requested authentication action. For the current TACACS+ implementation, this field always contains a value of 0x01, indicating user login authentication.

priv_lvl

This 8-bit field contains an enumerated value that identifies the privilege level requested by an authenticating user. For the current TACACS+ authentication implementation, this field always contains a value of 0x01, indicating the user level.

authen_type

This 8-bit field contains an enumerated value that identifies the authentication methodology. Supported values are as follows:

0x01 ASCII — simple login, Oracle Enterprise Communications Broker prompts for username and password

0x02 PAP — as specified in RFC 1334

0x03 CHAP — as specified in RFC 1994

service

This 8-bit field contains an enumerated value that identifies the service requesting the authentication. For the current TACACS+ implementation, this field always contains a value of 0x01, indicating user login authentication.

user_len

This 8-bit field contains the length of the user field in octets.

port_len

This 8-bit field contains the length of the port field in octets. As the port field is not used in the current TACACS+ authentication implementation, the port_len field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.

rem_addr_len

This 8-bit field contains the length of the rem_addr field in octets. As the rem_addr field is not used in the current TACACS+ authentication implementation, the rem_addr_len field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.

data_len

This 8-bit field contains the length of the data field in octets.

user

This variable length field contains the login name of the user to be authenticated.

port

This variable length field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10.

rem_addr

This variable length field contains the location of the user to be authenticated. This field contains the localhost address.

data

This optional variable length field contains miscellaneous data.

Authentication REPLY Packet

The TACACS+ daemon sends an authentication REPLY packet to the Oracle Enterprise Communications Broker in response to an authentication START or authentication CONTINUE packet. Depending on the contents of the status field, the authentication REPLY packet either ends the authentication transaction, or continues the transaction by requesting additional information needed by the authenticator.

The authentication REPLY packet format is as follows.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x1         |
+--------+--------+-----------------+
| status |  flags |  server_msg_len |
+--------+--------+--------+--------+
|     data_len    |  server_msg ... |
+-----------------+-----------------+
|              data ...             |
+-----------------------------------+

status

This 16-bit field contains an enumerated value that specifies the current state of the authentication process. Supported values are as follows:

0x01 PASS — the user is authenticated, thus ending the session

0x02 FAIL — the user is rejected, thus ending the session

0x04 GETUSER — daemon request for the user name

0x05 GETPASS — daemon request for the user password

0x06 RESTART — restarts the transaction, possibly because the sequence number has wrapped, or possibly because the requested authentication type is not supported by the daemon

0x07 ERROR — reports an unrecoverable error

flags

This 8-bit field contains various flags that are not under user control.

server_msg_len

This 16-bit field contains the length of the server_msg field in octets. As the server_msg field is not used in REPLY packets sent by the current TACACS+ authentication implementation, the server_msg_len field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.

data_len

This 16-bit field contains the length of the data field in octets. As the data field is not used in REPLY packets sent by the current TACACS+ authentication implementation, the data_len field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.

server_msg

This optional variable length field contains a server message intended for display to the user. The current TACACS+ authentication implementation does not use this field.

data

This optional variable length field contains data pertinent to the authentication process. The current TACACS+ authentication implementation does not use this field.

Authentication CONTINUE Packet

The Oracle Enterprise Communications Broker, acting as a TACACS+ client, sends an authentication CONTINUE packet to the TACACS+ daemon in response to a REPLY message which requested additional data required by the authenticator.

The authentication CONTINUE packet format is as follows.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x1         |
+-----------------+-----------------+
|   user_msg_len  |     data_len    |
|--------+--------------------------+
|  flags |       user_msg ...       |
+--------+--------------------------+
|              data ...             |
+-----------------------------------+

user_msg_len

This 16-bit field contains the length of the user_msg field in octets.

data_len

This 16-bit field contains the length of the data field in octets. As the data field is not used in the current TACACS+ authentication implementation, the data_len field always contains a value of 0 as specified in Section 4 of the TACACS+ draft RFC.

flags

This 8-bit field contains various flags that are not under user control.

user_msg

This variable length field contains a string that responds to an information request contained in a REPLY message.

data

This optional variable length field contains miscellaneous data, often in response to a daemon request. The current TACACS+ authentication implementation does not use the data field in Authentication CONTINUE packets.

Authentication Scenarios

Each of the supported user authentication scenarios is described in terms of packet flow in the following sections.

ASCII Authentication

The Oracle Enterprise Communications Broker initiates the authentication with an authentication START packet.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x0    |
|         type contains 0x1         |
+--------+--------+--------+--------+
|action  |priv_lvl|authen_ |service |
|        |        |type    |        |
|  0x01  |  0x01  |  0x01  |  0x01  |
|--------+--------+--------+--------+
|user_len|port_len|rem_addr|data_len|
|        |        |_len    |        |
|    0   |    N   |    N   |    0   |
+--------+--------+--------+--------+
|                port               |
|               tty10               |
+-----------------------------------+
|              rem_addr             |
|         localhost address         |
+-----------------------------------+
  • The action field specifies the requested authentication action — 0x01 for TAC_PLUS_AUTHEN_LOGIN (authentication of a user login).
  • The priv_lvl field specifies the privilege level requested by the user — 0x01 for TAC_PLUS_PRIV_LVL_USER.
  • The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
  • The service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
  • The user_len and data_len fields contain a value of 0, as required by the TACACS+ protocol.
  • The port_len and rem_addr_len fields contain the length, in octets, of the port and rem_addr fields.
  • The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10.
  • The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.

The TACACS+ daemon returns an authentication REPLY requesting the username.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x0    |
|         type contains 0x1         |
+--------+--------+-----------------+
| status |  flags |  server_msg_len |
|  0x04  |        |        0        |
|--------+--------+-----------------+
|     data_len    |
|        0        |
+-----------------+
  • The status field specifies a daemon request — 0x04 for TAC_PLUS_AUTH_STATUS_GETUSER (get username).
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.

The Oracle Enterprise Communications Broker responds with an authentication CONTINUE packet.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x0    |
|         type contains 0x1         |
+-----------------+-----------------+
|   user_msg_len  |     data_len    |
|                 |        0        |
|--------+--------------------------+
|  flags |       user_msg ...       |
+--------+--------------------------+
  • The user_msg_len field contains the length, in octets, of the user_msg field.
  • The data_len field contains a value of 0, as required by the TACACS+ protocol.
  • The user_msg field contains the username to be authenticated.

The TACACS+ daemon returns a second authentication REPLY requesting the user password.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x0    |
|         type contains 0x1         |
+--------+--------+-----------------+
| status |  flags |  server_msg_len |
|  0x05  |        |        0        |
|--------+--------+-----------------+
|     data_len    |
|        0        |
+-----------------+
  • The status field specifies a daemon request — 0x05 for TAC_PLUS_AUTH_STATUS_GETPASS (get user password).
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.

The Oracle Enterprise Communications Broker responds with a second authentication CONTINUE packet.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x0    |
|         type contains 0x1         |
+-----------------+-----------------+
|   user_msg_len  |     data_len    |
|                 |        0        |
|--------+--------------------------+
|  flags |       user_msg ...       |
+--------+--------------------------+
  • The user_msg_len field contains the length, in octets, of the user_msg field.
  • The data_len field contains a value of 0, as required by the TACACS+ protocol.
  • The user_msg field contains the user password to be authenticated.
  • Other, optional fields are not used.

The TACACS+ daemon returns a third authentication REPLY reporting the authentication result, and terminating the authentication session.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x0    |
|         type contains 0x1         |
+--------+--------+-----------------+
| status |  flags |  server_msg_len |
|  0x01  |        |        0        |
|--------+--------+-----------------+
|     data_len    |
|        0        |
+-----------------+
  • The status field specifies the authentication result — 0x01 for TAC_PLUS_AUTH_STATUS_PASS (authentication succeeds), or 0x02 for TAC_PLUS_AUTH_STATUS_FAIL (authentication fails).
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.

PAP Authentication

The Oracle Enterprise Communications Broker initiates the authentication with an authentication START packet.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x1    |
|         type contains 0x1         |
+--------+--------+--------+--------+
|action  |priv_lvl|authen_ |service |
|        |        |type    |        |
|  0x01  |  0x01  |  0x02  |  0x01  |
|--------+--------+--------+--------+
|user_len|port_len|rem_addr|data_len|
|        |        |_len    |        |
|    N   |    N   |    N   |    N   |
+--------+--------+--------+--------+
|                user               |
+-----------------------------------+
|                port               |
|               tty10               |
+-----------------------------------+
|              rem_addr             |
|         localhost address         |
+-----------------------------------+
|              data ...             |
+-----------------------------------+
  • The action field specifies the requested authentication action — 0x01 for TAC_PLUS_AUTHEN_LOGIN (authentication of a user login).
  • The priv_lvl field specifies the privilege level requested by the user — 0x01 for TAC_PLUS_PRIV_LVL_USER.
  • The authen_type field specifies the authentication methodology — 0x02 for TAC_PLUS_AUTHEN_TYPE_PAP (PAP login).
  • The service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
  • The user_len field contains the length, in octets, of the user field.
  • The port_len field contains the length, in octets, of the port field.
  • The rem_addr_len field contains the length, in octets, of the rem_addr field.
  • The data_len field contains the length, in octets, of the data field.
  • The user field contains the username to be authenticated.
  • The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10.
  • The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
  • The data field contains the password to be authenticated.

The TACACS+ daemon returns an authentication REPLY reporting the authentication result.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x1    |
|         type contains 0x1         |
+--------+--------+-----------------+
| status |  flags |  server_msg_len |
|  0x01  |        |        0        |
|--------+--------+-----------------+
|     data_len    |
|        0        |
+-----------------+
  • The status field specifies the authentication result — 0x01 for TAC_PLUS_AUTH_STATUS_PASS (authentication succeeds), or 0x02 for TAC_PLUS_AUTH_STATUS_FAIL (authentication fails).
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.
  • Other, optional fields are not used.

CHAP Authentication

The Oracle Enterprise Communications Broker initiates the authentication with an authentication START packet.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x1    |
|         type contains 0x1         |
+--------+--------+--------+--------+
|action  |priv_lvl|authen_ |service |
|        |        |type    |        |
|  0x01  |  0x01  |  0x03  |  0x01  |
|--------+--------+--------+--------+
|user_len|port_len|rem_addr|data_len|
|        |        |_len    |        |
|    N   |    N   |    N   |    N   |
+--------+--------+--------+--------+
|                user               |
+-----------------------------------+
|                port               |
|               tty10               |
+-----------------------------------+
|              rem_addr             |
|         localhost address         |
+-----------------------------------+
|              data ...             |
+-----------------------------------+
  • The action field specifies the requested authentication action — 0x01 for TAC_PLUS_AUTHEN_LOGIN (authentication of a user login).
  • The priv_lvl field specifies the privilege level requested by the user — 0x01 for TAC_PLUS_PRIV_LVL_USER.
  • The authen_type field specifies the authentication methodology — 0x03 for TAC_PLUS_AUTHEN_TYPE_CHAP (CHAP login).
  • The service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
  • The user_len field contains the length, in octets, of the user field.
  • The port_len field contains the length, in octets, of the port field.
  • The rem_addr_len field contains the length, in octets, of the rem_addr field.
  • The data_len field contains the length, in octets, of the data field.
  • The user field contains the username to be authenticated.
  • The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10.
  • The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
  • The data field contains the password to be authenticated.

The TACACS+ daemon returns an authentication REPLY reporting the authentication result.

+-----------------------------------+
|           Common Header           |
|     minor_version contains 0x1    |
|         type contains 0x1         |
+--------+--------+-----------------+
| status |  flags |  server_msg_len |
|  0x01  |        |        0        |
|--------+--------+-----------------+
|     data_len    |
|        0        |
+-----------------+
  • The status field specifies the authentication result — 0x01 for TAC_PLUS_AUTH_STATUS_PASS (authentication succeeds), or 0x02 for TAC_PLUS_AUTH_STATUS_FAIL (authentication fails).
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.
  • Other, optional fields are not used.
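The three exchanges above as an added example in Python (not OECB code): body encoders and parsers for the START, REPLY and CONTINUE packets, plus a toy daemon that drives the ASCII dialogue, decides PAP from the START alone and answers CHAP with RESTART. The common header is omitted; the status octet follows the diagrams, the rem_addr value and credential table are constructed, and the length checks on every body are this example's own hardening.

```python
import hmac
import struct

# Values used by the START packets in the scenarios above.
AUTHEN_LOGIN, PRIV_LVL_USER, SVC_LOGIN = 0x01, 0x01, 0x01
TYPE_ASCII, TYPE_PAP, TYPE_CHAP = 0x01, 0x02, 0x03
# REPLY status values listed under Authentication REPLY Packet.
PASS, FAIL, GETUSER, GETPASS, RESTART, ERROR = 0x01, 0x02, 0x04, 0x05, 0x06, 0x07
PORT, REM_ADDR = b"tty10", b"127.0.0.1"  # constructed stand-in for "localhost address"


def start_body(authen_type, user=b"", data=b""):
    """START body: action, priv_lvl, authen_type, service, four 8-bit lengths, then
    user, port, rem_addr, data.  ASCII login sends user_len = data_len = 0 and lets
    the daemon ask; PAP and CHAP carry the user and the password/response."""
    if authen_type == TYPE_ASCII:
        user, data = b"", b""
    if any(len(f) > 255 for f in (user, PORT, REM_ADDR, data)):
        raise ValueError("length fields are 8 bits")
    fixed = struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, authen_type, SVC_LOGIN,
                        len(user), len(PORT), len(REM_ADDR), len(data))
    return fixed + user + PORT + REM_ADDR + data

def parse_start(body):
    if len(body) < 8:
        raise ValueError("short START body")
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:  # reject truncated or padded bodies
        raise ValueError("START body length mismatch")
    off, fields = 8, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    return dict(action=action, priv_lvl=priv, authen_type=atype, service=svc,
                user=fields[0], port=fields[1], rem_addr=fields[2], data=fields[3])

def reply_body(status, flags=0, server_msg=b"", data=b""):
    """REPLY body: status and flags (one octet each, as drawn), then the 16-bit
    server_msg_len and data_len; the OECB implementation sees both as 0."""
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data

def parse_reply(body):
    status, flags, sl, dl = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + sl + dl:
        raise ValueError("REPLY body length mismatch")
    return dict(status=status, flags=flags, server_msg=body[6:6 + sl], data=body[6 + sl:])

def continue_body(user_msg, flags=0, data=b""):
    """CONTINUE body: user_msg_len(16) data_len(16) flags(8), then user_msg, data."""
    return struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data

def parse_continue(body):
    ul, dl, flags = struct.unpack("!HHB", body[:5])
    if len(body) != 5 + ul + dl:
        raise ValueError("CONTINUE body length mismatch")
    return dict(user_msg=body[5:5 + ul], data=body[5 + ul:], flags=flags)


class ToyDaemon:
    """Daemon side with a constructed credential table: drives the ASCII dialogue
    GETUSER -> GETPASS -> PASS/FAIL, decides PAP from the START alone, and answers
    CHAP with RESTART (type not supported here), as the REPLY status list allows."""

    def __init__(self, creds):
        self.creds, self.user = creds, None

    def on_start(self, body):
        s = parse_start(body)
        if s["authen_type"] == TYPE_ASCII:
            return reply_body(GETUSER)
        if s["authen_type"] == TYPE_PAP:
            return self._decide(s["user"], s["data"])
        return reply_body(RESTART)

    def on_continue(self, body):
        c = parse_continue(body)
        if self.user is None:  # the first CONTINUE answers GETUSER
            self.user = c["user_msg"]
            return reply_body(GETPASS)
        return self._decide(self.user, c["user_msg"])  # the second answers GETPASS

    def _decide(self, user, secret):
        # constant-time comparison so a wrong password costs the same as a right one
        ok = user in self.creds and hmac.compare_digest(self.creds[user], secret)
        return reply_body(PASS if ok else FAIL)


def ascii_login(daemon, user, password):
    """Client side of the ASCII scenario; returns the final REPLY status."""
    if parse_reply(daemon.on_start(start_body(TYPE_ASCII)))["status"] != GETUSER:
        raise RuntimeError("expected GETUSER")
    if parse_reply(daemon.on_continue(continue_body(user)))["status"] != GETPASS:
        raise RuntimeError("expected GETPASS")
    return parse_reply(daemon.on_continue(continue_body(password)))["status"]

def pap_login(daemon, user, password):
    """Client side of the PAP scenario: user and password travel in the START."""
    return parse_reply(daemon.on_start(start_body(TYPE_PAP, user, password)))["status"]
```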

TACACS+ Authorization

The Oracle Enterprise Communications Broker uses TACACS+ services to provide administrative authorization. With TACACS+ authorization enabled, each individual ACLI command issued by an admin user is authorized by the TACACS+ authorization service. The Oracle Enterprise Communications Broker replicates each ACLI command in its entirety, sends the command string to the authorization service, and suspends command execution until it receives an authorization response. If TACACS+ grants authorization, the pending command is executed; if authorization is not granted, the Oracle Enterprise Communications Broker does not execute the ACLI command, and displays an appropriate error message.

The daemon’s authorization decisions are based on a database lookup. Database records use regular expressions to associate specific command strings with specific users. The construction of such records is beyond the scope of this document.

Authorization Message Exchange

All TACACS+ authorization packets consist of a common header and a message body. Authorization packets are of two types: REQUEST and RESPONSE.

The REQUEST packet, which initiates an authorization session, is always sent by the Oracle Enterprise Communications Broker. Upon receipt of every REQUEST, the daemon must answer with a RESPONSE packet. In the current TACACS+ implementation, the RESPONSE packet must contain an authorization decision (pass or fail). The exchange of a single REQUEST and the corresponding RESPONSE completes the authorization session.

Authorization REQUEST Packet

The Oracle Enterprise Communications Broker, acting as a TACACS+ client, sends an authorization REQUEST packet to the TACACS+ daemon to initiate an authorization session.

The authorization REQUEST packet format is as follows.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x2         |
+--------+--------+--------+--------+
|authen_ |priv_lvl|authen_ |authen_ |
|method  |        |type    |service |
|--------+--------+--------+--------+
|user_len|port_len|rem_addr|arg_cnt |
|        |        |_len    |        |
+--------+--------+--------+--------+
|arg1_len|arg2_len|  ...   |argN_len|
|        |        |        |        |
+--------+--------+--------+--------+
|              user ...             |
+-----------------------------------+
|              port ...             |
+-----------------------------------+
|            rem-addr ...           |
+-----------------------------------+
|              arg1 ...             |
+-----------------------------------+
|              arg2 ...             |
+-----------------------------------+
|              argN ...             |
+-----------------------------------+

authen_method

This 8-bit field contains an enumerated value that identifies the method used to authenticate the authorization subject — that is, an admin user. Because the admin user was authenticated locally by the Oracle Enterprise Communications Broker, this field always contains a value of 0x05, indicating authentication by the requesting client.

priv_lvl

This 8-bit field contains an enumerated value that identifies the privilege level associated with the authorization subject. For the current TACACS+ authorization implementation, this field always contains a value of 0x00.

authen_type

This 8-bit field contains an enumerated value that identifies the methodology used to authenticate the authorization subject. Because the admin user was authenticated with a simple username/password exchange, this field always contains a value of 0x01, indicating ASCII login.

authen_service

This 8-bit field contains an enumerated value that identifies the service that requested authentication. Because an admin user is authenticated with a simple username/password exchange, this field always contains a value of 0x01, the login service.

user_len

This 8-bit field contains an integer that specifies the length, in octets, of the user field.

port_len

This 8-bit field contains an integer that specifies the length, in octets, of the port field.

rem_addr_len

This 8-bit field contains an integer that specifies the length, in octets, of the rem_addr field.

arg_cnt

This 8-bit field contains an integer that specifies the number of arguments contained in the REQUEST. Given the design of the current TACACS+ implementation, this field always contains a value of 0x02.

arg1_len

This 8-bit field contains an integer that specifies the length, in octets, of the first argument.

Subsequent fields contain the length of each sequential argument.

user

This variable length field contains the login name of the user to be authorized.

port

This variable length field contains the name of the Oracle Enterprise Communications Broker port on which authorization is taking place. Following Cisco Systems convention, this field contains the string tty10.

rem_addr

This variable length field contains the location of the user to be authorized. This field contains the localhost address.

arg...

This variable length field contains a TACACS+ attribute value pair (AVP); each arg field holds a single AVP.

A TACACS+ AVP is an ASCII string with a maximum length of 255 octets. The string consists of the attribute name and its assigned value separated by either an equal sign (=) or by an asterisk (*). The equal sign (=) identifies a mandatory argument, one that must be understood and processed by the TACACS+ daemon; the asterisk (*) identifies an optional argument that may be disregarded by either the client or daemon.

Administrative authorization requires the use of only two TACACS+ AVPs: service and cmd.

The service AVP identifies the function to be authorized. In the current implementation, the attribute value is always shell. Consequently, the attribute takes the following format:

service=shell

The cmd AVP identifies the specific ACLI command to be authorized. The command is passed in its entirety, from the administrative configuration root, configure terminal, through the final command argument. For example,

cmd=configure terminal security authentication type tacacsplus

Note the equal sign (=) used in the attribute examples, indicating that both are mandatory arguments.

Authorization RESPONSE Packet

The TACACS+ daemon sends an authorization RESPONSE packet to the Oracle Enterprise Communications Broker to report authorization results.

The authorization RESPONSE packet format is as follows.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x2         |
+--------+--------+-----------------+
|status  |arg_cnt | server_msg_len  |
|        |        |                 |
|--------+--------+--------+--------+
|     data_len    |arg1_len|arg2_len|
|                 |        |        |
+--------+--------+--------+--------+
|   ...  |argN_len|    server_msg   |
|        |        |                 |
+--------+--------+-----------------+
|              data ...             |
+-----------------------------------+
|              arg1 ...             |
+-----------------------------------+
|              arg2 ...             |
+-----------------------------------+
|              argN ...             |
+-----------------------------------+

status

This 8-bit field contains an enumerated value that specifies the result of the authorization process. Supported values are 0x01 (Pass), 0x10 (Fail), and 0x11 (Error). Fail indicates that the authorization service rejected the proposed operation, while Error indicates that the authorization service itself failed.

If authorization succeeds (status=0x01), the ACLI command is executed; if authorization fails, for whatever the reason (status=0x10 or 0x11), the ACLI command is not executed, and an appropriate error message is generated.

arg_cnt

This 8-bit field contains an integer that specifies the number of arguments contained in the RESPONSE. Given the design of the current TACACS+ implementation, this field always contains a value of 0x02.

server_msg_len

This 16-bit field contains an integer that specifies the length, in octets, of the server_msg field.

data_len

This 16-bit field contains an integer that specifies the length, in octets, of the data field.

arg1_len

This 8-bit field contains an integer that specifies the length, in octets, of the first argument.

Subsequent fields contain the length of each sequential argument.

server_msg

This optional variable length field contains a string that can be presented to the user.

data

This optional variable length field contains a string that can be presented to an administrative display, console, or log.

arg...

This optional variable length field contains a TACACS+ attribute value pair (AVP); each arg field holds a single AVP.

No arguments are generated in RESPONSE packets within the current TACACS+ implementation.

Authorization Pass

The Oracle Enterprise Communications Broker initiates the authorization with an authorization REQUEST packet.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x2         |
+--------+--------+--------+--------+
|authen_ |priv_lvl|authen_ |authen_ |
|method  |        |type    |service |
|  0x05  |  0x00  |  0x01  |  0x01  |
|--------+--------+--------+--------+
|user_len|port_len|rem_addr|arg_cnt |
|        |        |_len    |        |
|    N   |    N   |    N   |    2   |
+--------+--------+--------+--------+
|arg1_len|arg2_len|      user ...   |
|        |        |                 |
|    N   |    N   |    login name   |
+--------+--------+-----------------+
|                port               |
|               tty10               |
+-----------------------------------+
|              rem_addr             |
|         localhost address         |
+-----------------------------------+
|                arg1               |
|                AVP                |
|           service=shell           |
+-----------------------------------+
|                arg2               |
|                AVP                |
|  cmd=configure terminal security  |
+-----------------------------------+
  • The authen_method field specifies the method used to authenticate the subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
  • The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
  • The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
  • The authen_service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
  • The user_len field contains the length, in octets, of the user field.
  • The port_len field contains the length, in octets, of the port field.
  • The rem_addr_len field contains the length, in octets, of the rem_addr field.
  • The arg_cnt field contains the number of arguments in the message body.
  • The arg1_len field contains the length, in octets, of the service AVP.
  • The arg2_len field contains the length, in octets, of the cmd AVP.
  • The user field contains the login name of an admin user.
  • The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10.
  • The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
  • The arg1 field contains the mandatory service AVP.
  • The arg2 field contains the mandatory cmd AVP.

The TACACS+ daemon returns an authorization RESPONSE reporting the status, and terminating the authorization session.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x2         |
+--------+--------+-----------------+
| status |arg_cnt |  server_msg_len |
|  0x01  |   0    |        0        |
|--------+--------+-----------------+
|     data_len    |
|        0        |
+-----------------+
  • The status field specifies the authorization status — 0x01 for TAC_PLUS_AUTHOR_STATUS_PASS_ADD (authorization approved).
  • The arg_cnt field contains a value of 0 — the authorization RESPONSE returns no arguments.
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.

Authorization Fail

The Oracle Enterprise Communications Broker initiates the authorization with an authorization REQUEST packet.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x2         |
+--------+--------+--------+--------+
|authen_ |priv_lvl|authen_ |authen_ |
|method  |        |type    |service |
|  0x05  |  0x00  |  0x01  |  0x01  |
|--------+--------+--------+--------+
|user_len|port_len|rem_addr|arg_cnt |
|        |        |_len    |        |
|    N   |    N   |    N   |    2   |
+--------+--------+--------+--------+
|arg1_len|arg2_len|      user ...   |
|        |        |                 |
|    N   |    N   |    login name   |
+--------+--------+-----------------+
|                port               |
|               tty10               |
+-----------------------------------+
|              rem_addr             |
|         localhost address         |
+-----------------------------------+
|                arg1               |
|                AVP                |
|           service=shell           |
+-----------------------------------+
|                arg2               |
|                AVP                |
|   cmd=configure terminal scurity  |
+-----------------------------------+
  • The authen_method field specifies the method used to authenticate the administrative subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
  • The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
  • The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
  • The authen_service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
  • The user_len field contains the length, in octets, of the user field.
  • The port_len field contains the length, in octets, of the port field.
  • The rem_addr_len field contains the length, in octets, of the rem_addr field.
  • The arg_cnt field contains the number of arguments in the message body.
  • The arg1_len field contains the length, in octets, of the service AVP.
  • The arg2_len field contains the length, in octets, of the cmd AVP.
  • The user field contains the login name of an admin user.
  • The port field contains the name of the Oracle Enterprise Communications Broker port on which authentication is taking place. Following Cisco Systems convention, this field contains the string tty10.
  • The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
  • The arg1 field contains the mandatory service AVP.
  • The arg2 field contains the mandatory cmd AVP.

The TACACS+ daemon returns an authorization RESPONSE reporting the status, and terminating the authorization session.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x2         |
+--------+--------+-----------------+
| status |arg_cnt |  server_msg_len |
|  0x10  |   0    |        0        |
|--------+--------+-----------------+
|     data_len    |
|        0        |
+-----------------+
  • The status field specifies the authorization status — 0x10 for TAC_PLUS_AUTHOR_STATUS_FAIL (authorization rejected).
  • The arg_cnt field contains a value of 0 — the authorization RESPONSE returns no arguments.
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.
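Added example, not OECB code: the authorization REQUEST and RESPONSE bodies and the service/cmd AVPs described above, with a toy daemon that mirrors the regular-expression rule lookup the text mentions and returns Pass, Fail or Error (a malformed REQUEST or a mandatory argument it does not understand never passes). The common header is omitted; the rem_addr value, rule table and user names are constructed.

```python
import re
import struct

# Fixed-field values from the authorization REQUEST description above.
AUTHEN_METHOD_LOCAL, PRIV_LVL_MIN, TYPE_ASCII, SVC_LOGIN = 0x05, 0x00, 0x01, 0x01
AUTHOR_PASS_ADD, AUTHOR_FAIL, AUTHOR_ERROR = 0x01, 0x10, 0x11  # RESPONSE status values
PORT, REM_ADDR = b"tty10", b"127.0.0.1"  # constructed stand-in for "localhost address"


def encode_avp(name, value, mandatory=True):
    """AVP as an ASCII string of at most 255 octets; '=' marks a mandatory
    argument, '*' an optional one."""
    if "=" in name or "*" in name:
        raise ValueError("attribute name must not contain a separator")
    avp = f"{name}{'=' if mandatory else '*'}{value}".encode("ascii")
    if len(avp) > 255:
        raise ValueError("AVP exceeds 255 octets")
    return avp

def decode_avp(raw):
    """Split at the first '=' or '*'; returns (name, value, mandatory)."""
    m = re.match(rb"([^=*]+)([=*])(.*)", raw, re.S)
    if not m:
        raise ValueError("malformed AVP")
    return m.group(1).decode("ascii"), m.group(3).decode("ascii"), m.group(2) == b"="

def author_request(user, avps):
    """REQUEST body: eight 8-bit fields, one length octet per argument, then
    user, port, rem_addr and the arguments (arg_cnt is 2 for the OECB)."""
    if len(avps) > 255 or any(len(x) > 255 for x in (user, PORT, REM_ADDR)):
        raise ValueError("8-bit count or length overflow")
    fixed = struct.pack("!8B", AUTHEN_METHOD_LOCAL, PRIV_LVL_MIN, TYPE_ASCII, SVC_LOGIN,
                        len(user), len(PORT), len(REM_ADDR), len(avps))
    return fixed + bytes(len(a) for a in avps) + user + PORT + REM_ADDR + b"".join(avps)

def parse_author_request(body):
    if len(body) < 8:
        raise ValueError("short REQUEST body")
    meth, priv, atype, svc, ul, pl, rl, argc = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + argc])
    off += argc
    if len(arg_lens) != argc or len(body) != off + ul + pl + rl + sum(arg_lens):
        raise ValueError("REQUEST body length mismatch")  # truncated or padded body
    user = body[off:off + ul]
    port = body[off + ul:off + ul + pl]
    rem = body[off + ul + pl:off + ul + pl + rl]
    off += ul + pl + rl
    avps = []
    for n in arg_lens:
        avps.append(decode_avp(body[off:off + n]))
        off += n
    return dict(authen_method=meth, priv_lvl=priv, authen_type=atype,
                authen_service=svc, user=user, port=port, rem_addr=rem, avps=avps)

def author_response(status, server_msg=b"", data=b"", avps=()):
    """RESPONSE body: status, arg_cnt, 16-bit server_msg_len and data_len,
    argument lengths, server_msg, data, arguments (the OECB sees arg_cnt 0)."""
    fixed = struct.pack("!BBHH", status, len(avps), len(server_msg), len(data))
    return fixed + bytes(len(a) for a in avps) + server_msg + data + b"".join(avps)

def parse_author_response(body):
    status, argc, sl, dl = struct.unpack("!BBHH", body[:6])
    off = 6 + argc
    arg_lens = list(body[6:off])
    if len(body) != off + sl + dl + sum(arg_lens):
        raise ValueError("RESPONSE body length mismatch")
    return dict(status=status, server_msg=body[off:off + sl], data=body[off + sl:off + sl + dl])


class ToyAuthorizer:
    """Daemon side: per-user regular expressions matched against the whole cmd
    string, standing in for the database records the text mentions."""

    def __init__(self, rules):
        self.rules = {u: [re.compile(p) for p in pats] for u, pats in rules.items()}

    def handle(self, body):
        try:
            req = parse_author_request(body)
            if any(m and n not in ("service", "cmd") for n, _, m in req["avps"]):
                raise ValueError("mandatory AVP not understood")
            avps = {n: v for n, v, _ in req["avps"]}
            if avps.get("service") != "shell" or "cmd" not in avps:
                raise ValueError("service=shell and cmd are required")
            user = req["user"].decode("ascii")
        except (ValueError, struct.error) as exc:  # anything malformed is Error, never Pass
            return author_response(AUTHOR_ERROR, data=str(exc).encode())
        ok = any(r.fullmatch(avps["cmd"]) for r in self.rules.get(user, []))
        return author_response(AUTHOR_PASS_ADD if ok else AUTHOR_FAIL)


def authorize(daemon, user, cmd):
    """Client side: send the two-AVP REQUEST and return the RESPONSE status."""
    body = author_request(user, [encode_avp("service", "shell"), encode_avp("cmd", cmd)])
    return parse_author_response(daemon.handle(body))["status"]
```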

TACACS+ Accounting

The Oracle Enterprise Communications Broker uses TACACS+ accounting to log administrative actions. With accounting enabled, each individual ACLI command executed by an admin user is logged by the accounting service.

Accounting Message Exchange

All TACACS+ accounting packets consist of a common header and a message body. Accounting packets are of two types: REQUEST and REPLY.

The REQUEST packet has three variant forms. The START variant initiates an accounting session; the STOP variant terminates an accounting session; the WATCHDOG variant updates the current accounting session. REQUEST packets are always sent by the Oracle Enterprise Communications Broker. Upon receipt of every REQUEST, the daemon must answer with a REPLY packet.

A TACACS+ accounting session proceeds as follows.

  1. Immediately following successful authorization of an admin user, the Oracle Enterprise Communications Broker sends an accounting REQUEST START packet.
  2. The daemon responds with an accounting REPLY packet, indicating that accounting has started.
  3. For each ACLI command executed by an admin user, the Oracle Enterprise Communications Broker sends an accounting REQUEST WATCHDOG packet requesting accounting of the ACLI command. As the Oracle Enterprise Communications Broker sends the WATCHDOG only after an admin user’s access to the ACLI command is authorized, the accounting function records only those commands executed by the user, not those commands for which authorization was not granted.
  4. The daemon responds with an accounting REPLY packet, indicating that the ACLI operation has been recorded by the accounting function.
  5. Steps 3 and 4 are repeated for each authorized ACLI operation.
  6. Immediately following logout (or timeout) of an admin user, the Oracle Enterprise Communications Broker sends an accounting REQUEST STOP packet.
  7. The daemon responds with an accounting REPLY packet, indicating that accounting has stopped.

Accounting REQUEST Packet

The Oracle Enterprise Communications Broker, acting as a TACACS+ client, sends an accounting REQUEST START variant to the TACACS+ daemon following the successful authorization of an admin user. It sends an accounting REQUEST WATCHDOG variant to the daemon following the authorization of an admin user’s access to an ACLI command. It sends an accounting REQUEST STOP variant to the daemon at the conclusion of the ACLI session.

The accounting REQUEST packet format is as follows.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x3         |
+--------+--------+--------+--------+
| flags  |authen_ |priv_lvl|authen- |
|        |method  |        |type    |
|--------+--------+--------+--------+
|authen_ |user_len|port_len|rem_addr|
|service |        |        |_len    |
+----+---+--------+--------+--------+
|arg_cnt |arg1_len|arg2_len|argN_len|
|        |        |        |        |
+--------+--------+--------+--------+
|argN_len|         user ...         |
+--------+--------------------------+
|              port ...             |
+-----------------------------------+
|            rem-addr ...           |
+-----------------------------------+
|              arg1 ...             |
+-----------------------------------+
|              arg2 ...             |
+-----------------------------------+
|              argN ...             |
+-----------------------------------+

flags

This 8-bit field contains an enumerated value that identifies the accounting REQUEST variant.

0x2 — START

0x4 — STOP

0x8 — WATCHDOG

authen_method

This 8-bit field contains an enumerated value that identifies the method used to authenticate the accounting subject — that is, an admin user. Because an admin user is authenticated locally by the Oracle Enterprise Communications Broker, this field always contains a value of 0x05, indicating authentication by the requesting client.

priv_lvl

This 8-bit field contains an enumerated value that identifies the privilege level associated with the accounting subject. For the current TACACS+ accounting implementation, this field always contains a value of 0x00.

authen-type

This 8-bit field contains an enumerated value that identifies the methodology used to authenticate the accounting subject. Because an admin user is authenticated with a simple username/password exchange, this field always contains a value of 0x01, indicating ASCII login.

authen_service

This 8-bit field contains an enumerated value that identifies the service that requested authentication. Because an admin user is authenticated with a simple username/password exchange, this field always contains a value of 0x01, the login service.

user_len

This 8-bit field contains an integer that specifies the length, in octets, of the user field.

port_len

This 8-bit field contains an integer that specifies the length, in octets, of the port field.

rem_addr_len

This 8-bit field contains an integer that specifies the length, in octets, of the rem_addr field.

arg_cnt

This 8-bit field contains an integer that specifies the number of arguments contained within the accounting REQUEST.

arg1_len

This 8-bit field contains an integer that specifies the length, in octets, of the first argument.

Subsequent fields contain the length of each sequential argument.

user

This variable length field contains the login name of the accounting subject.

port

This variable length field contains the name of the Oracle Enterprise Communications Broker port on which accounting is taking place. Following Cisco Systems convention, this field always contains the string tty10.

rem_addr

This variable length field contains the location of the accounting subject. This field always contains the localhost address.

arg...

This variable length field contains a TACACS+ attribute value pair (AVP); each arg field holds a single AVP.

A TACACS+ AVP is an ASCII string with a maximum length of 255 octets. The string consists of the attribute name and its assigned value separated by either an equal sign (=) or by an asterisk (*). The equal sign (=) identifies a mandatory argument, one that must be understood and processed by the TACACS+ daemon; the asterisk (*) identifies an optional argument that may be disregarded by either the client or daemon.

Administrative accounting requires the use of five TACACS+ AVPs: service, task_id, start_time, stop_time, and cmd.

The task_id AVP, included in accounting REQUEST START, STOP, and WATCHDOG variants, correlates session initiation, watchdog updates, and termination packets; each associated START, STOP, and WATCHDOG packet must contain matching task_id AVPs.

task_id=13578642

The start_time AVP, included in accounting REQUEST START and WATCHDOG variants, specifies the time at which a specific accounting request was initiated. The start time is expressed as the number of seconds elapsed since January 1, 1970 00:00:00 UTC.

start_time=1286790650

The stop_time AVP, included in accounting REQUEST STOP variants, specifies the time at which a specific accounting session was terminated. The stop time is expressed as the number of seconds elapsed since January 1, 1970 00:00:00 UTC.

stop_time=1286794250

The service AVP, included in accounting REQUEST START, STOP, and WATCHDOG variants, identifies the function subject to accounting. In the case of the current implementation, the attribute value is always shell. Consequently the attribute takes the following format:

service=shell

The cmd AVP, included in accounting REQUEST WATCHDOG variants, identifies the specific ACLI command to be processed by the accounting service. The command is passed in its entirety, from the administrative configuration root, configure terminal, through the final command argument. For example,

cmd=configure terminal security authentication type tacacsplus

Note the equal sign (=) used in the attribute examples, indicating that all are mandatory arguments.

Accounting REPLY Packet

The TACACS+ daemon sends an accounting REPLY packet to the Oracle Enterprise Communications Broker to report accounting results.

The accounting REPLY packet format is as follows.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x3         |
+-----------------+-----------------+
|  server_msg_len |     data_len    |
|--------+--------+-----------------+
| status |      server_msg ...      |
+--------+--------------------------+
|              data ...             |
+-----------------------------------+

server_msg_len

This 16-bit field contains the length, in octets, of the server_msg field.

data_len

This 16-bit field contains the length, in octets, of the data field.

status

This 8-bit field contains the status of the previous accounting request. Supported values are:

0x1 — Success

0x2 — Error/Failure

server_msg

This optional variable length field can contain a message intended for display to the user. This field is unused in the current TACACS+ implementation.

data

This optional variable length field can contain miscellaneous data. This field is unused in the current TACACS+ implementation.
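As an added example, not code from the OECB or from Oracle's documentation, the following Python encodes and decodes the accounting REQUEST body laid out in the diagram above and the accounting REPLY body, and checks each AVP against the separator and 255-octet rules given in the arg field description. The login name admin and the rem_addr value 127.0.0.1 are assumptions standing in for the admin user's login name and the localhost address; the common header that precedes each body is outside the scope of this example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Enumerated values from the field descriptions above.
ACCT_FLAG_START, ACCT_FLAG_STOP, ACCT_FLAG_WATCHDOG = 0x02, 0x04, 0x08
AUTHEN_METHOD_LOCAL, PRIV_LVL_MIN = 0x05, 0x00
AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01
ACCT_STATUS_SUCCESS, ACCT_STATUS_ERROR = 0x01, 0x02
MAX_AVP_LEN = 255  # an AVP is an ASCII string of at most 255 octets


@dataclass
class AcctRequest:
    """Body of an accounting REQUEST (common header not included)."""
    flags: int
    user: str
    port: str = "tty10"            # Cisco convention followed by the OECB
    rem_addr: str = "127.0.0.1"    # assumed textual form of the localhost address
    args: List[str] = field(default_factory=list)
    authen_method: int = AUTHEN_METHOD_LOCAL
    priv_lvl: int = PRIV_LVL_MIN
    authen_type: int = AUTHEN_TYPE_ASCII
    authen_service: int = AUTHEN_SVC_LOGIN


def parse_avp(avp: str) -> Tuple[str, str, bool]:
    """Return (name, value, mandatory) for one AVP.

    The first '=' or '*' is the separator: '=' marks a mandatory argument, '*'
    an optional one, so a value such as a cmd string may itself contain '='.
    """
    if len(avp.encode("ascii")) > MAX_AVP_LEN:  # non-ASCII raises UnicodeEncodeError, a ValueError
        raise ValueError("AVP exceeds 255 octets")
    seps = [i for i, c in enumerate(avp) if c in "=*"]
    if not seps or seps[0] == 0:
        raise ValueError(f"AVP lacks an attribute name or separator: {avp!r}")
    i = seps[0]
    return avp[:i], avp[i + 1:], avp[i] == "="


def encode_acct_request_body(req: AcctRequest) -> bytes:
    """Serialise the REQUEST body exactly as laid out in the diagram above."""
    for a in req.args:
        parse_avp(a)  # reject malformed or oversized AVPs before they reach the wire
    user, port, rem_addr = (s.encode("ascii") for s in (req.user, req.port, req.rem_addr))
    args = [a.encode("ascii") for a in req.args]
    if len(args) > 255 or any(len(x) > 255 for x in (user, port, rem_addr)):
        raise ValueError("value does not fit an 8-bit length field")
    fixed = struct.pack("!9B", req.flags, req.authen_method, req.priv_lvl, req.authen_type,
                        req.authen_service, len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def decode_acct_request_body(body: bytes) -> AcctRequest:
    """Parse a REQUEST body, checking every declared length against the bytes present."""
    if len(body) < 9:
        raise ValueError("truncated fixed fields")
    (flags, method, priv, atype, svc,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!9B", body[:9])
    arg_lens = body[9:9 + arg_cnt]
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    pos, fields = 9 + arg_cnt, []
    for n in (user_len, port_len, rem_len, *arg_lens):
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("variable-length field runs past the end of the body")
        fields.append(chunk.decode("ascii"))
        pos += n
    if pos != len(body):
        raise ValueError("trailing octets after the last argument")
    user, port, rem_addr, *args = fields
    return AcctRequest(flags, user, port, rem_addr, args, method, priv, atype, svc)


def encode_acct_reply_body(status: int, server_msg: str = "", data: bytes = b"") -> bytes:
    """Serialise the REPLY body: server_msg_len, data_len, status, server_msg, data."""
    msg = server_msg.encode("ascii")
    return struct.pack("!HHB", len(msg), len(data), status) + msg + data


def decode_acct_reply_body(body: bytes) -> Tuple[int, str, bytes]:
    """Return (status, server_msg, data) from a REPLY body, verifying the length fields."""
    if len(body) < 5:
        raise ValueError("truncated REPLY body")
    msg_len, data_len, status = struct.unpack("!HHB", body[:5])
    if len(body) != 5 + msg_len + data_len:
        raise ValueError("REPLY length fields do not match the body length")
    return status, body[5:5 + msg_len].decode("ascii"), body[5 + msg_len:]


if __name__ == "__main__":
    # The START of the accounting scenario; the login name "admin" is a constructed sample.
    start = AcctRequest(ACCT_FLAG_START, "admin",
                        args=["task_id=13578642", "start_time=1286790650", "service=shell"])
    wire = encode_acct_request_body(start)
    assert decode_acct_request_body(wire) == start
    print(wire.hex())
    status, _, _ = decode_acct_reply_body(encode_acct_reply_body(ACCT_STATUS_SUCCESS))
    print("accounting started" if status == ACCT_STATUS_SUCCESS else "accounting error")
```

The decoder refuses any body whose declared lengths do not add up to the octets actually present; a daemon or log parser that trusts user_len, port_len or the arg length table without that check reads past the end of the packet.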

Accounting Scenario

The Oracle Enterprise Communications Broker initiates the accounting session with an accounting REQUEST START.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x3         |
+--------+--------+--------+--------+
| flags  |authen_ |priv_lvl|authen- |
|        |method  |        |type    |
|  0x02  |  0x05  |  0x00  |  0x01  |
|--------+--------+--------+--------+
|authen_ |user_len|port_len|rem_addr|
|service |        |        |_len    |
|  0x01  |    N   |    N   |    N   |
+----+---+--------+--------+--------+
|arg_cnt |arg1_len|arg2_len|arg3_len|
|    3   |    N   |    N   |    N   |
+--------+--------+--------+--------+
|                user               |
|    login name of an admin user    |
+-----------------------------------+
|                port               |
|               tty10               |
+-----------------------------------+
|              rem_addr             |
|         localhost address         |
+-----------------------------------+
|                AVP                |
|          task_id=13578642         |
+-----------------------------------+
|                AVP                |
|       start_time=1286790650       |
+-----------------------------------+
|                AVP                |
|           service=shell           |
+-----------------------------------+
  • The flags field contains an enumerated value (0x02) that identifies an accounting REQUEST START.
  • The authen_method field specifies the method used to authenticate the accounting subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
  • The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
  • The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
  • The authen_service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
  • The user_len field contains the length, in octets, of the user field.
  • The port_len field contains the length, in octets, of the port field.
  • The rem_addr_len field contains the length, in octets, of the rem_addr field.
  • The arg_cnt field contains the number of arguments in the message body.
  • The arg1_len field contains the length, in octets, of the task_id AVP.
  • The arg2_len field contains the length, in octets, of the start_time AVP.
  • The arg3_len field contains the length, in octets, of the service AVP.
  • The user field contains the login name of an admin user.
  • The port field contains the name of the Oracle Enterprise Communications Broker port on which accounting is taking place. Following Cisco Systems convention, this field contains the string tty10.
  • The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
  • The arg1 field contains the mandatory task_id AVP.
  • The arg2 field contains the mandatory start_time AVP.
  • The arg3 field contains the mandatory service AVP.

The TACACS+ daemon returns an accounting REPLY reporting the status, indicating that accounting has started.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x3         |
+-----------------+-----------------+
|  server_msg_len |     data_len    |
|        0        |        0        |
|--------+--------+-----------------+
| status |
|  0x01  |
+--------+
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.
  • The status field specifies the accounting status — 0x01 for TAC_PLUS_ACCT_STATUS_SUCCESS (accounting processed).

The Oracle Enterprise Communications Broker reports ACLI command execution with an accounting REQUEST WATCHDOG.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x3         |
+--------+--------+--------+--------+
| flags  |authen_ |priv_lvl|authen- |
|        |method  |        |type    |
|  0x08  |  0x05  |  0x00  |  0x01  |
|--------+--------+--------+--------+
|authen_ |user_len|port_len|rem_addr|
|service |        |        |_len    |
|  0x01  |    N   |    N   |    N   |
+----+---+--------+--------+--------+
|arg_cnt |arg1_len|arg2_len|arg3_len|
|    4   |    N   |    N   |    N   |
+--------+--------+--------+--------+
|arg4_len|           user           |
|        | login name of admin user |
+--------+--------------------------+
|                port               |
|               tty10               |
+-----------------------------------+
|              rem_addr             |
|         localhost address         |
+-----------------------------------+
|                AVP                |
|          task_id=13578642         |
+-----------------------------------+
|                AVP                |
|       start_time=1286790650       |
+-----------------------------------+
|                AVP                |
|           service=shell           |
+-----------------------------------+
|                AVP                |
|  cmd=configure terminal security  |
+-----------------------------------+
  • The flags field contains an enumerated value (0x08) that identifies an accounting REQUEST WATCHDOG.
  • The authen_method field specifies the method used to authenticate the accounting subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
  • The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
  • The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
  • The authen_service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
  • The user_len field contains the length, in octets, of the user field.
  • The port_len field contains the length, in octets, of the port field.
  • The rem_addr_len field contains the length, in octets, of the rem_addr field.
  • The arg_cnt field contains the number of arguments in the message body.
  • The arg1_len field contains the length, in octets, of the task_id AVP.
  • The arg2_len field contains the length, in octets, of the start_time AVP.
  • The arg3_len field contains the length, in octets, of the service AVP.
  • The arg4_len field contains the length, in octets, of the cmd AVP.
  • The user field contains the login name of an admin user.
  • The port field contains the name of the Oracle Enterprise Communications Broker port on which accounting is taking place. Following Cisco Systems convention, this field contains the string tty10.
  • The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
  • The arg1 field contains the mandatory task_id AVP.
  • The arg2 field contains the mandatory start_time AVP.
  • The arg3 field contains the mandatory service AVP.
  • The arg4 field contains the mandatory cmd AVP.

The TACACS+ daemon returns an accounting REPLY reporting the status, indicating that the ACLI operation has been processed.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x3         |
+-----------------+-----------------+
|  server_msg_len |     data_len    |
|        0        |        0        |
|--------+--------+-----------------+
| status |
|  0x01  |
+--------+
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.
  • The status field specifies the accounting status — 0x01 for TAC_PLUS_ACCT_STATUS_SUCCESS (accounting processed).

The Oracle Enterprise Communications Broker reports an admin user logout or timeout with an accounting REQUEST STOP.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x3         |
+--------+--------+--------+--------+
| flags  |authen_ |priv_lvl|authen- |
|        |method  |        |type    |
|  0x04  |  0x05  |  0x00  |  0x01  |
|--------+--------+--------+--------+
|authen_ |user_len|port_len|rem_addr|
|service |        |        |_len    |
|  0x01  |    N   |    N   |    N   |
+----+---+--------+--------+--------+
|arg_cnt |arg1_len|arg2_len|arg3_len|
|    3   |    N   |    N   |    N   |
+--------+--------+--------+--------+
|                user               |
|    login name of an admin user    |
+-----------------------------------+
|                port               |
|               tty10               |
+-----------------------------------+
|              rem_addr             |
|         localhost address         |
+-----------------------------------+
|                AVP                |
|          task_id=13578642         |
+-----------------------------------+
|                AVP                |
|        stop_time=1286790650       |
+-----------------------------------+
|                AVP                |
|           service=shell           |
+-----------------------------------+
  • The flags field contains an enumerated value (0x04) that identifies an accounting REQUEST STOP.
  • The authen_method field specifies the method used to authenticate the accounting subject — 0x05 for TAC_PLUS_AUTHEN_METHOD_LOCAL (authentication by the client).
  • The priv_lvl field specifies the privilege level requested by the user — 0x00 for TAC_PLUS_PRIV_LVL_MIN.
  • The authen_type field specifies the authentication methodology — 0x01 for TAC_PLUS_AUTHEN_TYPE_ASCII (simple login).
  • The authen_service field specifies the requesting service — 0x01 for TAC_PLUS_AUTHEN_SVC_LOGIN (login service).
  • The user_len field contains the length, in octets, of the user field.
  • The port_len field contains the length, in octets, of the port field.
  • The rem_addr_len field contains the length, in octets, of the rem_addr field.
  • The arg_cnt field contains the number of arguments in the message body.
  • The arg1_len field contains the length, in octets, of the task_id AVP.
  • The arg2_len field contains the length, in octets, of the stop_time AVP.
  • The arg3_len field contains the length, in octets, of the service AVP.
  • The user field contains the login name of an admin user.
  • The port field contains the name of the Oracle Enterprise Communications Broker port on which accounting is taking place. Following Cisco Systems convention, this field contains the string tty10.
  • The rem_addr field specifies the location of the user to be authenticated. This field contains the localhost address.
  • The arg1 field contains the mandatory task_id AVP.
  • The arg2 field contains the mandatory stop_time AVP.
  • The arg3 field contains the mandatory service AVP.

The TACACS+ daemon returns an accounting REPLY reporting the status, indicating that accounting has terminated.

+-----------------------------------+
|           Common Header           |
|                                   |
|         type contains 0x3         |
+-----------------+-----------------+
|  server_msg_len |     data_len    |
|        0        |        0        |
|--------+--------+-----------------+
| status |
|  0x01  |
+--------+
  • The server_msg_len and data_len fields both contain a value of 0, as required by the TACACS+ protocol.
  • The status field specifies the accounting status — 0x01 for TAC_PLUS_ACCT_STATUS_SUCCESS (accounting processed).
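The exchange in this scenario, seen from the side that has to audit it: the Python below is an added example, not code from the OECB or from Oracle, that takes the decoded accounting REQUEST records of admin sessions, correlates START, WATCHDOG and STOP by task_id as the task_id AVP description requires, builds a per-session record of the ACLI commands executed, and flags records that break that correlation. The records are constructed from the scenario and AVP examples on this page (the stop_time 1286794250 is the value given in the stop_time example); the second session with task_id 13578643 and the command show configuration is a constructed sample used to show a session whose STOP never arrives.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Accounting REQUEST variants (flags field values from the field descriptions above).
ACCT_FLAG_START, ACCT_FLAG_STOP, ACCT_FLAG_WATCHDOG = 0x02, 0x04, 0x08

# One record per accounting REQUEST the OECB sent: (flags, user, list of AVP strings).
# Constructed from the scenario above; the 13578643 session is an extra constructed
# sample whose STOP is never received.
SAMPLE_RECORDS: List[Tuple[int, str, List[str]]] = [
    (ACCT_FLAG_START, "admin", ["task_id=13578642", "start_time=1286790650", "service=shell"]),
    (ACCT_FLAG_WATCHDOG, "admin", ["task_id=13578642", "start_time=1286790650", "service=shell",
                                   "cmd=configure terminal security authentication type tacacsplus"]),
    (ACCT_FLAG_STOP, "admin", ["task_id=13578642", "stop_time=1286794250", "service=shell"]),
    (ACCT_FLAG_START, "admin", ["task_id=13578643", "start_time=1286794300", "service=shell"]),
    (ACCT_FLAG_WATCHDOG, "admin", ["task_id=13578643", "start_time=1286794310", "service=shell",
                                   "cmd=show configuration"]),
]


@dataclass
class AdminSession:
    task_id: str
    user: str
    start_time: Optional[int] = None
    stop_time: Optional[int] = None
    commands: List[Tuple[int, str]] = field(default_factory=list)  # (request time, ACLI command)
    anomalies: List[str] = field(default_factory=list)


def avp_dict(avps: Iterable[str]) -> Dict[str, str]:
    """Map attribute names to values. Every AVP on this page is mandatory ('=' separator)."""
    return dict(a.partition("=")[::2] for a in avps)


def reconstruct_sessions(records: Iterable[Tuple[int, str, List[str]]]) -> Dict[str, AdminSession]:
    """Correlate accounting REQUESTs by task_id into per-session audit records."""
    sessions: Dict[str, AdminSession] = {}
    for flags, user, avps in records:
        a = avp_dict(avps)
        tid = a.get("task_id")
        if tid is None or a.get("service") != "shell":
            raise ValueError(f"record lacks the mandatory task_id/service AVPs: {avps}")
        sess = sessions.get(tid)
        if flags == ACCT_FLAG_START:
            if sess is not None:
                sess.anomalies.append("duplicate START for task_id")
                continue
            sessions[tid] = AdminSession(tid, user, int(a["start_time"]))
            continue
        if sess is None:  # a WATCHDOG or STOP whose START was never seen
            sess = sessions[tid] = AdminSession(tid, user)
            sess.anomalies.append("record received before START")
        if flags == ACCT_FLAG_WATCHDOG:
            # start_time in a WATCHDOG is the time that command's accounting request began
            sess.commands.append((int(a["start_time"]), a["cmd"]))
        elif flags == ACCT_FLAG_STOP:
            sess.stop_time = int(a["stop_time"])
            if sess.start_time is not None and sess.stop_time < sess.start_time:
                sess.anomalies.append("stop_time precedes start_time")
        else:
            sess.anomalies.append(f"unknown accounting flags value 0x{flags:02x}")
    for sess in sessions.values():
        if sess.stop_time is None:
            sess.anomalies.append("no STOP received; session still open or accounting lost")
    return sessions


def audit_lines(sessions: Dict[str, AdminSession]) -> List[str]:
    """Render one line per session, in the order the sessions were first seen."""
    out = []
    for s in sessions.values():
        cmds = "; ".join(f"{t} {c}" for t, c in s.commands) or "no commands"
        end = f"stop={s.stop_time}" if s.stop_time is not None else "open"
        flagged = f" ANOMALIES: {', '.join(s.anomalies)}" if s.anomalies else ""
        out.append(f"task_id={s.task_id} user={s.user} start={s.start_time} {end} | {cmds}{flagged}")
    return out


if __name__ == "__main__":
    for line in audit_lines(reconstruct_sessions(SAMPLE_RECORDS)):
        print(line)
```

Because the OECB sends a WATCHDOG only for commands whose authorization succeeded, the command list this produces is the set of operations the admin user actually executed; a session that shows START and WATCHDOGs but no STOP is either still open or has had its accounting records lost, and is worth following up on the daemon side.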

Managing TACACS+ Operations

TACACS+ management is supported by the following utilities.

TACACS+ MIB

An Oracle proprietary MIB provides external access to TACACS+ statistics.

MIB counters are contained in the apSecurityTacacsPlusStatsTable that is defined as follows.

SEQUENCE {
    apSecurityTacacsPlusCliCommands               Counter32,
    apSecurityTacacsPlusSuccessAuthentications    Counter32,
    apSecurityTacacsPlusFailureAuthentications    Counter32,
    apSecurityTacacsPlusSuccessAuthorizations     Counter32,
    apSecurityTacacsPlusFailureAuthorizations     Counter32
}

apSecurityTacacsPlusStatsTable (1.3.6.1.4.1.9148.3.9.9.4)

Object Name                               Object OID                     Description
apSecurityTacacsCliCommands               1.3.6.1.4.1.9148.3.9.1.4.3     Global counter for ACLI commands sent to TACACS+ Accounting
apSecurityTacacsSuccessAuthentications    1.3.6.1.4.1.9148.3.9.1.4.4     Global counter for the number of successful TACACS+ authentications
apSecurityTacacsFailureAuthentications    1.3.6.1.4.1.9148.3.9.1.4.5     Global counter for the number of unsuccessful TACACS+ authentications
apSecurityTacacsSuccessAuthorizations     1.3.6.1.4.1.9148.3.9.1.4.6     Global counter for the number of successful TACACS+ authorizations
apSecurityTacacsFailureAuthorizations     1.3.6.1.4.1.9148.3.9.1.4.7     Global counter for the number of unsuccessful TACACS+ authorizations

SNMP Trap

SNMP traps are issued when

  • a TACACS+ daemon becomes unreachable
  • an unreachable TACACS+ daemon becomes reachable
  • an authentication error occurs
  • an authorization error occurs

TACACS+ Faults

The Oracle Enterprise Communications Broker supports two TACACS+ traps, apSysMgmtTacacsDownTrap and apSysMgmtTacacsDownClearTrap.

The apSysMgmtTacacsDownTrap is generated when a TACACS+ server becomes unreachable.

The apSysMgmtTacacsDownClearTrap is generated when a TACACS+ server that was unreachable becomes reachable.

The OECB searches for a TACACS+ server until it finds an available one and then stops searching. However, in the TACACS+ SNMP implementation, SNMP expects the OECB to make connection attempts to all servers. When there is only one TACACS+ server and that server goes down, the OECB behaves normally, sending an apSysMgmtTacacsDownTrap trap when the server goes down and an apSysMgmtTacacsDownClearTrap trap when the server comes back up. When there is more than one TACACS+ server and the active server goes down, an apSysMgmtTacacsDownTrap trap is sent, indicating that some servers are down, and the next server is tried. If all servers fail, an apSysMgmtTacacsDownTrap is sent indicating that all servers are down. If one of the servers comes back up while the rest are still down, an apSysMgmtTacacsDownTrap is sent indicating that some servers are still down.

TACACS+ Logging

All messages between the Oracle Enterprise Communications Broker and the TACACS+ daemon are logged in a cleartext format, allowing an admin user to view all data exchange, except for password information.

TACACS+ Configuration

Configuration of TACACS+ consists of the following steps.

  1. Enable TACACS+ client services
  2. Specify one or more TACACS+ servers (daemons)

Add TACACS+ Authentication and Servers

To configure TACACS+, you enable TACACS+ client services and specify one or more TACACS+ servers.

  1. Access the Login Authentication configuration object.
    Configuration, Security, Authentication.
  2. On the Modify Authentication page, do the following:
  3. Click OK.
  4. Save the configuration.