Index: usr/click/lib/libexauth/auth_ext_cli.h =================================================================== --- usr/click/lib/libexauth/auth_ext_cli.h (revision 38435) +++ usr/click/lib/libexauth/auth_ext_cli.h (working copy) @@ -34,7 +34,7 @@ #define CLI_EXAUTH_SERVER "admin aaa server" #define CLI_EXAUTHORIZE_ON "admin aaa authorize on" #define CLI_EXAUTHORIZE_OFF "admin aaa authorize off" -#define VERIFYCERT "admin aaa server ldaps verifycert" +#define VERIFYCERT "admin aaa server es04 verifycert" #define CLI_SHOW_EXAUTH_ALL "show admin aaa all" #define CLI_NO_EXAUTH_SERVER "no admin aaa server" #define CLI_CLEAR_EXAUTH_ALL "clear admin aaa all" Index: usr/click/lib/libexauth/auth_ext_cli.c =================================================================== --- usr/click/lib/libexauth/auth_ext_cli.c (revision 38435) +++ usr/click/lib/libexauth/auth_ext_cli.c (working copy) @@ -171,8 +171,9 @@ /*configure an exauth ldaps server*/ int -exauth_ldaps_server(char *id, char *host, uint16_t port, char *dn, char *memberOf) +exauth_ldaps_server(char *host, uint16_t port, char *dn, char *memberOf) { + char *id = "es04"; int id_num = -1; char *str_num = NULL, *ep = NULL; @@ -234,8 +235,9 @@ /*configure an exauth ldap server*/ int -exauth_ldap_server(char *id, char *host, uint16_t port, char *dn, char *memberOf) +exauth_ldap_server(char *host, uint16_t port, char *dn, char *memberOf) { + char *id = "es03"; int id_num = -1; char *str_num = NULL, *ep = NULL; @@ -286,10 +288,96 @@ return 0; } +/*configure an exauth tcacs server*/ +int +exauth_tacacs_server(char *host, uint16_t port, char *secret, char *cipher_flag) +{ + char *id = "es02"; + int id_num = -1; + char *str_num = NULL, *ep = NULL; + + + if (id == NULL || host == NULL || secret == NULL) + { + printf ("%s failed\n",CLI_EXAUTH_SERVER); + return -1; + } + + get_auth_conf(&shm_p, &g_exauth_conf); + + /*invalid server id, should be "es01" or "es02"*/ + if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2)) + { + printf ("%s | %s\n", EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2); + return 0; + } + + /*assign id*/ + str_num = id + 3; + id_num = (int)strtol(str_num, &ep,10) - 1; + + if (id_num == 0) + { + if ((g_exauth_conf.exau_method == METHOD_LDAPS) || (g_exauth_conf.exau_method == METHOD_LDAP)) { + printf ("Invalid method selected for : %s\n", EXAUTH_SERVER_ID1); + return 0; + } + strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID1); + } + + if (id_num == 1) + { + if ((g_exauth_conf.exau_method == METHOD_LDAPS) || (g_exauth_conf.exau_method == METHOD_LDAP)) { + printf ("Invalid method selected for : %s \n", EXAUTH_SERVER_ID2); + return 0; + } + strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID2); + } + + /*assign host*/ + /*the libradius and libtacplus can resolve host name to either ipv4 or ipv6 address*/ + strncpy(g_exauth_conf.exauth_servers[id_num].host, host, HOST_LEN); + + /*assign port*/ + /*if port == 0, the default value in libradius is 1812 for radius authen and in libtacplus is 49 for tacacs+ authen*/ + g_exauth_conf.exauth_servers[id_num].port = port; + + /*assign secret*/ + if (strncmp(cipher_flag, AAA_SECRET_ENCRYPTED, sizeof(AAA_SECRET_ENCRYPTED)) == 0) { + decrypt_secret((unsigned char *)secret, (unsigned char *)secret); + } + strncpy(g_exauth_conf.exauth_servers[id_num].secret, secret, SECRET_LEN - 1); + g_exauth_conf.exauth_servers[id_num].secret[SECRET_LEN - 1] = '\0'; + + + /*assign timeout and maxretyr*/ + if (g_exauth_conf.exau_method == METHOD_RADIUS) + { + g_exauth_conf.exauth_servers[id_num].timeout = RAD_DEF_TIMEOUT; + } + + /* + * for tac_x, since there is no maxretry parameter + * use RAD_DEF_TIMEOUT * RAD_DEF_RETRIES as the timeout instead + */ + if (g_exauth_conf.exau_method == METHOD_TAC_X) + { + g_exauth_conf.exauth_servers[id_num].timeout = RAD_DEF_TIMEOUT * RAD_DEF_RETRIES; + } + g_exauth_conf.exauth_servers[id_num].max_retry = RAD_DEF_RETRIES; + + + /*update conf to shared mem*/ + set_auth_conf(&shm_p, &g_exauth_conf); + + return 0; +} + /*configure an exauth radius server*/ int -exauth_radius_server(char *id, char *host, uint16_t port, char *secret, char *cipher_flag) +exauth_radius_server(char *host, uint16_t port, char *secret, char *cipher_flag) { + char *id = "es01"; int id_num = -1; char *str_num = NULL, *ep = NULL; @@ -431,8 +519,13 @@ /*delete an ldaps server*/ +int +no_exauth_server_ldaps() +{ + return no_exauth_server_ldaps_wrap("es04"); +} int -no_exauth_server_ldaps(char *id) +no_exauth_server_ldaps_wrap(char *id) { int id_num = -1; char *str_num = NULL, *ep = NULL; @@ -471,8 +564,13 @@ /*delete an ldap server*/ int -no_exauth_server_ldap(char *id) +no_exauth_server_ldap() { + return no_exauth_server_ldap_wrap("es03"); +} +int +no_exauth_server_ldap_wrap(char *id) +{ int id_num = -1; char *str_num = NULL, *ep = NULL; @@ -510,8 +608,20 @@ /*delete an radiustacacs server*/ int -no_exauth_server_radiustacacs(char *id) +no_exauth_server_radius() { + return no_exauth_server_radiustacacs_wrap("es01"); +} + +int +no_exauth_server_tacacs() +{ + return no_exauth_server_radiustacacs_wrap("es02"); +} + +int +no_exauth_server_radiustacacs_wrap(char *id) +{ int id_num = -1; char *str_num = NULL, *ep = NULL; @@ -679,7 +789,7 @@ if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') { if (!strcmp (g_exauth_conf.exauth_servers[i].id, "es03")) { - printf ("%s ldap %s \"%s\" %d \"%s\" \"%s\" \n", + printf ("%s %s \"%s\" %d \"%s\" \"%s\" \n", CLI_EXAUTH_SERVER, g_exauth_conf.exauth_servers[i].id, g_exauth_conf.exauth_servers[i].host, @@ -688,7 +798,7 @@ g_exauth_conf.exauth_servers[i].memberOf ); } else if (!strcmp (g_exauth_conf.exauth_servers[i].id, "es04")) { - printf ("%s ldaps settings %s \"%s\" %d \"%s\" \"%s\"\n", + printf ("%s %s settings \"%s\" %d \"%s\" \"%s\"\n", CLI_EXAUTH_SERVER, g_exauth_conf.exauth_servers[i].id, g_exauth_conf.exauth_servers[i].host, @@ -698,7 +808,7 @@ ); printf("%s %d\n", VERIFYCERT, g_exauth_conf.exauth_servers[i].verifyCert); } else { - printf ("%s radiustacacs %s \"%s\" %d \"%s\"\n", + printf ("%s %s \"%s\" %d \"%s\"\n", CLI_EXAUTH_SERVER, g_exauth_conf.exauth_servers[i].id, g_exauth_conf.exauth_servers[i].host, @@ -834,7 +944,7 @@ if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') { if (g_exauth_conf.exau_method == METHOD_LDAP) { - buf_offset += sprintf (conf_buf + buf_offset, "%s ldap %s \"%s\" %d \"%s\" \"%s\"\n", + buf_offset += sprintf (conf_buf + buf_offset, "%s %s \"%s\" %d \"%s\" \"%s\"\n", CLI_EXAUTH_SERVER, g_exauth_conf.exauth_servers[i].id, g_exauth_conf.exauth_servers[i].host, @@ -843,7 +953,7 @@ g_exauth_conf.exauth_servers[i].memberOf ); } else if (g_exauth_conf.exau_method == METHOD_LDAPS) { - buf_offset += sprintf (conf_buf + buf_offset, "%s ldaps settings %s \"%s\" %d \"%s\" \"%s\"\n", + buf_offset += sprintf (conf_buf + buf_offset, "%s %s settings \"%s\" %d \"%s\" \"%s\"\n", CLI_EXAUTH_SERVER, g_exauth_conf.exauth_servers[i].id, g_exauth_conf.exauth_servers[i].host, @@ -855,7 +965,7 @@ g_exauth_conf.exauth_servers[i].verifyCert); } else { encrypt_secret((unsigned char *)(g_exauth_conf.exauth_servers[i].secret), encrypted_secret); - buf_offset += sprintf (conf_buf + buf_offset, "%s radiustacacs %s \"%s\" %d \"%s\" \"%s\"\n", + buf_offset += sprintf (conf_buf + buf_offset, "%s %s \"%s\" %d \"%s\" \"%s\"\n", CLI_EXAUTH_SERVER, g_exauth_conf.exauth_servers[i].id, g_exauth_conf.exauth_servers[i].host, Index: usr/click/lib/libparser/commands.pm =================================================================== --- usr/click/lib/libparser/commands.pm (revision 38435) +++ usr/click/lib/libparser/commands.pm (working copy) @@ -48721,19 +48721,14 @@ }, { obj_type => "ITEM", - name => "radiustacacs", + name => "es01", menu => "root_admin_server_aaa", - help_string => "Configure external authentication server", + help_string => "Configure external RADIUS authentication server", cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", user_level => "CLI_LEVEL_CONFIG", function_name => "exauth_radius_server", function_args => [{ type => "STRING", - help_string => "id, es01 or es02(if server es01 is down, request will be sent to server es02)", - optional => "NO", - }, - { - type => "STRING", help_string => "Host name or ip address", optional => "NO", }, @@ -48758,19 +48753,47 @@ }, { obj_type => "ITEM", - name => "ldap", + name => "es02", menu => "root_admin_server_aaa", - help_string => "Configure external authentication server", + help_string => "Configure external TACACS authentication server", cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", user_level => "CLI_LEVEL_CONFIG", - function_name => "exauth_ldap_server", + function_name => "exauth_tacacs_server", function_args => [{ type => "STRING", - help_string => "id, es03(request will be sent to server es03)", + help_string => "Host name or ip address", optional => "NO", - }, - { + }, + { + type => "U16", + help_string => "Port", + optional => "NO", + }, + { type => "STRING", + help_string => "Secret", + optional => "YES", + default_value => "\"\"", + }, + { + type => "STRING", + help_string => "", + optional => "YES", + default_value => "\"\"", + }, + ], + }, + + { + obj_type => "ITEM", + name => "es03", + menu => "root_admin_server_aaa", + help_string => "Configure external LDAP authentication server", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", + user_level => "CLI_LEVEL_CONFIG", + function_name => "exauth_ldap_server", + function_args => [{ + type => "STRING", help_string => "Host name or ip address", optional => "NO", }, @@ -48795,12 +48818,12 @@ }, { obj_type => "MENU", - name => "ldaps", + name => "es04", parent_menu => "root_admin_server_aaa", uniq_name => "root_admin_ldaps_server_aaa", cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL", user_level => "CLI_LEVEL_CONFIG", - help_string => "Configure external authentication server", + help_string => "Configure external LDAPS authentication server", }, { obj_type => "ITEM", @@ -48812,11 +48835,6 @@ function_name => "exauth_ldaps_server", function_args => [{ type => "STRING", - help_string => "id, es04(request will be sent to server es04)", - optional => "NO", - }, - { - type => "STRING", help_string => "Host name or ip address", optional => "NO", }, @@ -49015,40 +49033,44 @@ }, { obj_type => "ITEM", - name => "radiustacacs", + name => "es01", menu => "root_no_admin_aaa", - help_string => "Delete external authentication server", + help_string => "Delete external RADIUS authentication server", cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", user_level => "CLI_LEVEL_CONFIG", - function_name => "no_exauth_server_radiustacacs", - function_args => [{ - type => "STRING", - help_string => "server id", - optional => "NO", - },], + function_name => "no_exauth_server_radius", + function_args => [], }, { obj_type => "ITEM", - name => "ldap", + name => "es02", menu => "root_no_admin_aaa", - help_string => "Delete external authentication server", + help_string => "Delete external TACACS authentication server", cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", user_level => "CLI_LEVEL_CONFIG", + function_name => "no_exauth_server_tacacs", + function_args => [], + }, + { + obj_type => "ITEM", + name => "es03", + menu => "root_no_admin_aaa", + help_string => "Delete external LDAP authentication server", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", + user_level => "CLI_LEVEL_CONFIG", function_name => "no_exauth_server_ldap", - function_args => [{ - type => "STRING", - help_string => "server id", - optional => "NO", - },], + function_args => [], }, { obj_type => "MENU", - name => "ldaps", + name => "es04", parent_menu => "root_no_admin_aaa", uniq_name => "root_no_admin_ldaps_server_aaa", cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL", user_level => "CLI_LEVEL_CONFIG", - help_string => "Delete external authentication server", + help_string => "Delete external LDAPS authentication server", + function_name => "no_exauth_server_ldaps", + function_args => [], }, { obj_type => "ITEM", @@ -49058,11 +49080,7 @@ cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", user_level => "CLI_LEVEL_CONFIG", function_name => "no_exauth_server_ldaps", - function_args => [{ - type => "STRING", - help_string => "server id", - optional => "NO", - },], + function_args => [], }, { obj_type => "ITEM",