/* This Pipes filter will construct a request to the TACACS server,
   transmit it using the UDP protocol and wait for a response.  The
   result (either accepted or not accepted) is passed back to the
   invoker via the return code.

   This filter was written for use with the EnterpriseWeb product as a
   security exit.  It was written to interact with our "homegrown"
   TACACS server on VM.  However, it should work with any TACACS server
   which uses the standard protocols.

   It expects the parameters to be the userid and password to be
   validated.  If the TACACS server accepts these, then RC=0.  If they
   are not accepted, then it returns RC=403, access forbidden.  The web
   server will also accept RC=401, which rechallenges the client for a
   different password.

   According to Beyond Software, the server will invoke the exit first
   with a null argument.  The exit must return RC=401 so that the
   browser will prompt the user for the username and password.  The
   exit will then be invoked a second time with the user-supplied data.

   Note that the userid and password travel to the TACACS server in
   clear text (UDP TACACS has no encryption), and that ARG uppercases
   both of them before they are sent.

   Written by Martha McConaghy 12/10/96

   Retry UDP call several times before giving up.  If a null record
   comes back from TACACS, then the connection timed out.  MMM 3/20/98
   Change TACACS ip address to 1.30.  MMM 6/18/01
   Change TACACS ip address to 80.40.  MMM 10/21/02
*/
trace o                              /* tracing off */
arg Userid ':' Passw .               /* ARG uppercases; Passw is the first word after ':' */
Retry = 3                            /* number of UDP attempts before giving up */
Passw = substr(Passw,1,8)            /* VM passwords are at most 8 characters */
if (1 > length(Userid)) then exit 401   /* first call, null argument: make the browser prompt */
do while Retry > 0
   Retry = Retry - 1
   /* Build the TACACS request, address it to port 49 on the server,
      translate the EBCDIC text from column 50 on to ASCII (code page
      1047 to 819), send it and wait for the reply.  A reply with data
      takes the primary stream: drop the 16-byte header the udp stage
      returns in front of the datagram, hex-encode the rest and pick
      the TYPE byte (hex columns 3-4; 2 = RESPONSE) and the RESPONSE
      byte (columns 13-14; 1 = ACCEPTED) into Resp_vals.  A null record
      (timeout) takes the secondary stream and becomes the sentinel
      '2 99' instead. */
   'CALLPIPE (end ?) literal' Userid Passw'|' ,
      'fortac|' ,
      'forudp 49 148.100.80.40|' ,
      'xlate 50-* from 1047 to 819|' ,
      'udp 0|' ,
      'l: locate 1|' ,
      'spec 17-* c2x 1|' ,
      'var Resp|' ,
      'spec 3.2 1 13.2 nextw|' ,
      'var Resp_vals' ,
      '? l:|' ,
      'literal 2 99|' ,
      'var Resp_vals'
   say 'TACACSR results for:' Userid 'Retry=' (Retry + 1)
   say '---Values from Tac response:' Resp
   select
      when (2 ^= word(Resp_vals,1)) then do   /* not a TACACS RESPONSE packet */
         say 'Invalid response:' Resp_vals
         if (Retry > 0) then iterate          /* try the UDP call again */
         RC = 403
         leave
      end;
      when (99 = word(Resp_vals,2)) then do   /* timeout sentinel: retry, then give up */
         say 'Timed out:' Resp_vals
         if (Retry > 0) then iterate
         RC = 403
         leave
      end;
      when (1 ^= word(Resp_vals,2)) then do   /* RESPONSE byte other than ACCEPTED */
         say 'Not accepted:' Resp_vals
         RC = 403
         leave
      end;
      otherwise do
         say 'Username and password accepted'
         RC = 0
         leave
      end;
   end; /* select */
end; /* do while */
exit RC
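The response decode and the return-code mapping of the exit, as an added example in Python; this is not the original exit and not code from the EnterpriseWeb product or the TACACS server. It assumes the RFC 1492 TACACS packet layout (byte 2 is the type, byte 7 the response), a 16-byte header in front of each datagram the udp stage returns (what the pipeline's `spec 17-*` drops), and a caller-supplied `send()` function standing in for the CALLPIPE round trip; all datagrams are constructed. A timeout is routed through the retry loop, as the 3/20/98 change note describes.

```python
"""Added illustration of the TACACS security exit's decision logic.
Not the original REXX/Pipelines code: it models what the pipeline does
with the record the udp stage hands back and how that becomes the
exit's return code.

Assumptions: RFC 1492 response layout (byte 2 = type, byte 7 = response),
a 16-byte header before the TACACS packet, and a caller-supplied send()
in place of the CALLPIPE.  Every datagram here is constructed."""
import struct

UDP_HEADER_LEN = 16        # bytes before the TACACS packet; 'spec 17-*' skips them
TAC_TYPE_RESPONSE = 2      # type byte of a server reply
TAC_ACCEPTED = 1           # response byte: 1 = ACCEPTED, 2 = REJECTED
TIMEOUT_SENTINEL = "2 99"  # what 'literal 2 99' stores in Resp_vals on a null record
MAX_TRIES = 3              # the exit's Retry counter


def response_values(record: bytes) -> str:
    """Mirror 'spec 17-* c2x 1' then 'spec 3.2 1 13.2 nextw': hex-encode the
    datagram and return '<type> <response>' as two-digit hex words, e.g.
    '02 01'.  A null record (timeout) yields the sentinel instead."""
    if not record:
        return TIMEOUT_SENTINEL
    hexstr = record[UDP_HEADER_LEN:].hex().upper()
    return f"{hexstr[2:4]} {hexstr[12:14]}"   # 1-based columns 3-4 and 13-14


def classify(resp_vals: str) -> str:
    """The select block: 'timeout', 'invalid', 'rejected' or 'accepted'."""
    if resp_vals == TIMEOUT_SENTINEL:
        return "timeout"
    try:
        tac_type, response = (int(word, 16) for word in resp_vals.split())
    except ValueError:                 # wrong number of words or non-hex text
        return "invalid"
    if tac_type != TAC_TYPE_RESPONSE:
        return "invalid"
    if response != TAC_ACCEPTED:
        return "rejected"
    return "accepted"


def security_exit(argument: str, send) -> int:
    """Return the exit's RC for one invocation by the web server.

    argument is '' on the first call, then 'userid:password'.
    send(userid, passw) -> bytes stands in for the CALLPIPE round trip
    and returns b'' when the server does not answer (assumed interface)."""
    userid, _, rest = argument.upper().partition(":")   # REXX 'arg' uppercases
    passw = (rest.split() or [""])[0][:8]               # first word, substr(..,1,8)
    if len(userid) < 1:
        return 401                  # rechallenge: browser prompts for credentials
    tries = MAX_TRIES
    while tries > 0:
        tries -= 1
        verdict = classify(response_values(send(userid, passw)))
        if verdict in ("invalid", "timeout"):
            if tries > 0:
                continue            # try the UDP call again
            return 403              # give up: fail closed
        return 0 if verdict == "accepted" else 403
    return 403                      # unreachable with MAX_TRIES > 0; fail closed anyway


def tacacs_reply(response: int, reason: int = 0, nonce: int = 0x1234) -> bytes:
    """Constructed datagram: 16-byte header plus a 26-byte RFC 1492 RESPONSE
    packet with the given response/reason bytes and zeroed other fields."""
    packet = struct.pack(">BBHBBBBIIHHIH", 0, TAC_TYPE_RESPONSE, nonce,
                         0, 0, response, reason, 0, 0, 0, 0, 0, 0)
    return bytes(UDP_HEADER_LEN) + packet


def scripted_sender(replies):
    """Build a send() stand-in that returns the given replies in order and
    records the (userid, passw) pairs it was called with."""
    queue = list(replies)
    calls = []

    def send(userid, passw):
        calls.append((userid, passw))
        return queue.pop(0)
    send.calls = calls
    return send


if __name__ == "__main__":
    ok = scripted_sender([tacacs_reply(TAC_ACCEPTED)])
    print("first call, null argument ->", security_exit("", ok))
    print("accepted ->", security_exit("mmm:secret", ok), ok.calls)
    flaky = scripted_sender([b"", b"", tacacs_reply(TAC_ACCEPTED)])
    print("two timeouts then accept ->", security_exit("mmm:secret", flaky),
          len(flaky.calls), "attempts")
    print("rejected ->", security_exit("mmm:wrong", scripted_sender([tacacs_reply(2)])))
```

Running the file exercises the four paths the exit distinguishes (null argument, accepted, retried timeout, rejected). Like REXX `arg`, `security_exit` uppercases the credentials; that suits VM passwords but would break mixed-case passwords against another TACACS server, and nothing here changes the fact that the password crosses the wire in clear text.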