do_auth - Program allowing more granular control than tac_plus.
do_auth -u user [-i Ip Address] [-d Device address] [-f Config
filename] [-l Log file] [-D Debug mode]
do_auth is a python program written to work as an authorization script
for tacacs to allow greater flexability in tacacs authentication. It
allows a user to be part of many predefined groups that can allow
different access to different devices based on ip, user, and source
Groups are assigned to users in the [users] section. A user must be
assigned to one or more groups, one per line. Groups are defined in
brackets, but can be any name. Each group can have up to 6 options as
host_deny Deny any user coming from this host. Optional.
host_allow Allow users from this range. Mandatory with -i.
device_deny Deny any device with this IP. Optional.
device_permit Allow this range. Mandatory if -d is specified.
command_deny Deny these commands. Optional.
command_permit Allow these commands. Mandatory.
The options are parsed in order till a match is found. Obviously, for
login, the commands section is not parsed. If a match is not found, or
a deny is found, we move on to the next group. At the end, we have an
implicit deny if no groups match. All tacacs keys passed on login to
do_auth are returned. (except cmd*) It is possible to modify them,
but I haven’t implemented this yet as I don’t need it. Future versions
may have an av_pair & append_av_pair option.
-u Username. Mandatory. $user
-i Ip address of user. Optional. If not specified, all host_
entries are ignored and can be omitted. $address
-d Device address. Optional. If not specified, all device_
entries are ignored and can be omitted. $name
-f Config Filename. Default is do_auth.ini.
-l Logfile. Default is log.txt.
-D Activate debug mode.
do_auth -i $address -u $user -d $name -l /var/log/do_auth.log -f
do_auth returns 0 to allow, 1 to deny authorization.
Henry-Nicolas Tourneur from the do_auth file written by Dan Schmidt.