Validating tacacs+ authorization reply – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
53-1003035-02
Configuring TACACS or TACACS+ security
Table 7 lists all possible error conditions and the corresponding messages for authentication reply validation.
Validating TACACS+ authorization reply
Validation of the TACACS+ authorization reply packet checks the following:
• Minimum length of data (fixed size 6 bytes) for a valid TACACS+ authorization reply, before reading through individual fields in the reply body.
• That the reply packet was decrypted correctly, by validating that the status field received in the reply packet is one of the legal values for TACACS+ authorization status.
• If the arg-count field is present in the reply packet, that it is within the received packet and has non-null data.
• If the server-msg length field is present in the reply packet, that the server message is within the received packet and is a non-null string.
• If the data length field is present in the reply packet, that the data is within the received packet.
• Full packet length (header size + length field received in the packet header) against the number of bytes parsed successfully from the received reply packet.
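
The checks listed above, written out as a parser for a decrypted authorization reply body. This is an added example, not Brocade's implementation: the field layout and status values follow RFC 8907, and the function names, the `header_length` parameter, the reading of "non-null" and the sample packet are assumptions made for illustration.

```python
import struct

# Legal authorization status values (RFC 8907, section 6.2).
LEGAL_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                0x11: "ERROR", 0x21: "FOLLOW"}
FIXED_LEN = 6  # status(1) + arg_cnt(1) + server_msg_len(2) + data_len(2)

class ReplyError(ValueError):
    """A decrypted authorization reply body failed validation."""

def parse_author_reply(body: bytes, header_length: int) -> dict:
    """Validate a decrypted reply body; header_length is the header's length field."""
    if len(body) < FIXED_LEN:
        raise ReplyError("body shorter than fixed 6-byte minimum")
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
    if status not in LEGAL_STATUS:
        # A wrong shared key decrypts to garbage, which usually lands here.
        raise ReplyError("illegal status, possible key mismatch")
    pos = FIXED_LEN
    if pos + arg_cnt > len(body):
        raise ReplyError("argument length table exceeds packet boundary")
    arg_lens = body[pos:pos + arg_cnt]
    pos += arg_cnt

    def take(n: int, what: str) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ReplyError(f"{what} exceeds packet boundary")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    server_msg = take(msg_len, "server message")
    if b"\x00" in server_msg:  # assumption: "non-null" means no NUL bytes
        raise ReplyError("null data in server message")
    data = take(data_len, "data")
    args = []
    for n in arg_lens:
        if n == 0:  # assumption: "non-null data" means no empty argument
            raise ReplyError("empty argument")
        args.append(take(n, "argument"))
    if pos != len(body) or pos != header_length:
        raise ReplyError("total length mismatch")
    return {"status": LEGAL_STATUS[status], "server_msg": server_msg,
            "data": data, "args": args}

# Constructed sample: PASS_ADD, one argument, 2-byte server message, no data.
SAMPLE = bytes([0x01, 0x01, 0x00, 0x02, 0x00, 0x00, 0x0B]) + b"ok" + b"priv-lvl=15"
```

Every length read from the packet is checked against the bytes actually received before it is used as a slice bound, and the final comparison rejects both trailing bytes and a header length that disagrees with what was parsed.
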
Table 8 lists all possible error conditions and the corresponding messages for authorization reply validation.
TABLE 7 Authentication reply validation

| Error warning message | Error condition |
| --- | --- |
| Warning: Invalid TACACS+ authentication reply packet | Received packet body size is less than minimum length for TACACS+ authentication reply body |
| Warning: Invalid TACACS+ authentication reply packet body | Received packet having invalid or null packet body |
| Warning: Invalid TACACS+ authentication reply packet body.check key value | Invalid status field in the packet body, possibly key mismatch |
| Warning: Invalid server msg length in TACACS+ authentication reply | The server message length specified is not within packet boundary |
| Warning: Invalid server msg in TACACS+ authentication reply | Invalid or null data found in server message |
| Warning: Invalid data length in TACACS+ authentication reply | The data length specified is not within packet boundary |
| Warning: Invalid TACACS+ authentication reply. packet total length mismatch | The total number of bytes parsed successfully from the received packet does not match the data length specified in the packet |

TABLE 8 Authorization reply validation

| Error warning message | Error condition |
| --- | --- |
| Warning: Invalid TACACS+ authorization reply packet | Received packet body size is less than minimum length for TACACS+ authorization reply body |
| Warning: Invalid TACACS+ authorization reply packet body | Received packet having invalid or null packet body |