# tacacs-plus [TACACS+]
This is a simple TACACS+ library to help with basic encoding and decoding of TACACS+ authentication and authorization packets.
More information on TACACS+ can be found at https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-05.
## Basic Usage

```javascript
var tacacs = ;

// receive or send raw TCP packet (port 49) to a TACACS+ server or client
var decoded = tacacs;
```
The decoded object, depending on the sequence of packets, should be something along the lines of this.
In certain instances the data element will not be populated, for example when the message type or the sequence number is not what the decoder expects. You can decode a message body manually using the decode functions in the library.
## Creating a Simple Auth Start

If you are creating a client, to create a simple auth start to send to a server, simply do something along the lines of the following code snippet.

```javascript
var tacacs = ;

// create the auth start body
var authStart = tacacs;

// create the tacacs+ header
var header = tacacs;

// combine the header and body
var authStartPacket = Buffer;

// open a connection and send the raw packet via TCP to the server (this example is not using encryption)
```
- All decode processes take Buffers that are then converted to objects.
- All create processes take objects and return Buffers of data.
## Encryption

You can use the `encodeByteData` and `decodeByteData` functions to encrypt and decrypt data packets.

Using encryption requires a shared secret key as well as cryptographically secure random Session ID values.

```javascript
var crypto = ;
var tacacs = ;

// Generate a random 32-bit session
var sessionIdBytes = crypto;
var sessionId = Math;

// create the auth start body
var authStart = tacacs;

var version = tacacs;
var sequenceNumber = 1;
var encryptedAuthStart = tacacs;

// create the tacacs+ header
var headerOptions = {
    majorVersion: tacacs.TAC_PLUS_MAJOR_VER,
    minorVersion: tacacs.TAC_PLUS_MINOR_VER_DEFAULT,
    type: tacacs.TAC_PLUS_AUTHEN,
    sequenceNumber: sequenceNumber,
    flags: 0x0, // setting this to zero assumes encryption is being used
    sessionId: sessionId,
    length: authStart.length
};
var header = tacacs;

var packetToSend = Buffer;

// open a connection and send the packet via TCP to the server
```
## Sample Communications

Here is a very simple client that sends an auth start packet to a server, and the server then responds to the client. This is a very simple "getting started" sample that requires a lot more development to implement a full workflow, but it illustrates how to start.

For a more complete client example, see examples/client.js.

```javascript
var crypto = ;
var tacacs = ;

// SAMPLE SERVER
var server = net;
server;
server;

// SIMPLE CLIENT
var client = net;
client;
client;
```
## Authorization

Simple authorization requests and responses can also be created using `createAuthorizationRequest` and `createAuthorizationResponse` and their associated decode processes.

```javascript
const tacacs = ;

var authorReq = tacacs;
console;
var decodedReq = tacacs;
console;
console;
var authorResp = tacacs;
console;
var decodedResp = tacacs;
console;
```
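As an added example (not the library's own `createAuthorizationRequest`/`createAuthorizationResponse`), the following encodes and decodes the draft's authorization REQUEST and RESPONSE bodies, including the argument syntax the draft uses: `attribute=value` is a mandatory argument, `attribute*value` an optional one. Function names and option fields are assumptions; the user, port, address and arguments in the comments are constructed sample values.

```javascript
'use strict';

// Authorization values from the TACACS+ draft.
const TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06;
const TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01;
const TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10;

// Attribute-value pairs: "attr=value" is mandatory, "attr*value" is optional;
// the separator is the first '=' or '*' in the string.
function parseArg(s) {
  const i = s.search(/[=*]/);
  if (i < 0) throw new Error('malformed attribute-value pair: ' + s);
  return { attribute: s.slice(0, i), value: s.slice(i + 1), mandatory: s[i] === '=' };
}

// Args are encoded as an array of one-byte lengths followed by the concatenated strings.
function encodeArgs(args) {
  const bufs = args.map((a) => Buffer.from(a, 'utf8'));
  if (bufs.length > 255 || bufs.some((b) => b.length > 255)) throw new Error('arg count or length exceeds one byte');
  return { lens: Buffer.from(bufs.map((b) => b.length)), bytes: Buffer.concat(bufs) };
}

// Bounds-checked sequential reader: a short or padded body is rejected rather than misparsed.
function reader(body, start) {
  let off = start;
  return {
    take(n) {
      if (off + n > body.length) throw new Error('truncated body');
      const s = body.subarray(off, off + n); off += n; return s;
    },
    finish() { if (off !== body.length) throw new Error('trailing bytes in body'); },
  };
}

// REQUEST: authen_method, priv_lvl, authen_type, authen_service, user_len, port_len,
// rem_addr_len, arg_cnt, arg lengths, user, port, rem_addr, args.
function createAuthorizationRequest(o) {
  const [user, port, remAddr] = [o.user, o.port || '', o.remAddr || ''].map((s) => Buffer.from(s, 'utf8'));
  const { lens, bytes } = encodeArgs(o.args || []);
  const fixed = Buffer.from([o.authenMethod, o.privLvl, o.authenType, o.authenService,
    user.length, port.length, remAddr.length, lens.length]);
  return Buffer.concat([fixed, lens, user, port, remAddr, bytes]);
}

function decodeAuthorizationRequest(body) {
  if (body.length < 8) throw new Error('REQUEST body too short');
  const [authenMethod, privLvl, authenType, authenService, userLen, portLen, remLen, argCnt] = body.subarray(0, 8);
  const r = reader(body, 8);
  const argLens = [...r.take(argCnt)];
  const user = r.take(userLen).toString(), port = r.take(portLen).toString(), remAddr = r.take(remLen).toString();
  const args = argLens.map((n) => parseArg(r.take(n).toString()));
  r.finish();
  return { authenMethod, privLvl, authenType, authenService, user, port, remAddr, args };
}

// RESPONSE: status, arg_cnt, server_msg_len (2), data_len (2), arg lengths, server_msg, data, args.
function createAuthorizationResponse(o) {
  const serverMsg = Buffer.from(o.serverMsg || '', 'utf8');
  const data = Buffer.from(o.data || '', 'utf8');
  const { lens, bytes } = encodeArgs(o.args || []);
  const fixed = Buffer.alloc(6);
  fixed.writeUInt8(o.status, 0); fixed.writeUInt8(lens.length, 1);
  fixed.writeUInt16BE(serverMsg.length, 2); fixed.writeUInt16BE(data.length, 4);
  return Buffer.concat([fixed, lens, serverMsg, data, bytes]);
}

function decodeAuthorizationResponse(body) {
  if (body.length < 6) throw new Error('RESPONSE body too short');
  const status = body.readUInt8(0), argCnt = body.readUInt8(1);
  const msgLen = body.readUInt16BE(2), dataLen = body.readUInt16BE(4);
  const r = reader(body, 6);
  const argLens = [...r.take(argCnt)];
  const serverMsg = r.take(msgLen).toString(), data = r.take(dataLen);
  const args = argLens.map((n) => parseArg(r.take(n).toString()));
  r.finish();
  return { status, serverMsg, data, args };
}

// Sample usage (constructed values): a shell command authorization with one optional argument.
// createAuthorizationRequest({ authenMethod: TAC_PLUS_AUTHEN_METH_TACACSPLUS, privLvl: 1, authenType: 1,
//   authenService: 1, user: 'iosuser', port: 'tty0', remAddr: '192.0.2.10',
//   args: ['service=shell', 'cmd=show', 'cmd-arg*version'] });
```

Every length in these bodies is attacker-controlled input once the packet is on the wire, so both decoders walk the body with a reader that refuses to read past the end and then insists that nothing is left over; decoding with the wrong shared secret (see the Encryption section) typically fails here rather than yielding a plausible-looking request.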
## Testing Server

A good and easy-to-spin-up testing server is tac_plus running in a Docker container. If you have Docker set up, simply run the following to start the tac_plus container. More information is available at https://hub.docker.com/r/dchidell/docker-tacacs.

```shell
sudo docker run -it --rm -p 49:49 dchidell/docker-tacacs
```
Then you can point your client to the docker server IP on port 49 and use the shared key 'ciscotacacskey' and the user 'iosuser' with the password 'cisco'.