From: Nick Porter
Date: Tue, 26 Sep 2023 07:34:20 +0000 (+0100)
Subject: Remove remaining use of tacacs policy
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=deb894b7e8877c9279b329f0af334dfaceea6ef6;p=thirdparty%2Ffreeradius-server.git

Remove remaining use of tacacs policy

All modules needed for TACACS authentication are now protocol agnostic.
---
diff --git a/raddb/policy.d/tacacs b/raddb/policy.d/tacacs
deleted file mode 100644
index 6f834387c2a..00000000000
--- a/raddb/policy.d/tacacs
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# TACACS+ policies which make everything better.
-#
-
-tacacs_set_authentication_status {
- if (ok) {
- &reply.Authentication-Status = Pass
- } else {
- &reply.Authentication-Status = Fail
- }
-}
-
-tacacs_mschap {
- subrequest RADIUS.Access-Request {
- &request.User-Name := &parent.request.User-Name
-
- &control.Password.Cleartext := &parent.control.Password.Cleartext
-
- #
- # There's always a challenge
- #
- &request.Vendor-Specific.Microsoft.CHAP-Challenge := &parent.request.MS-CHAP-Challenge
-
- #
- # One of these two assignments will fail. Using "+="
- # is simpler than checking for it via "if" and then using ":="
- #
- &request.Vendor-Specific.Microsoft.CHAP-Response := &parent.request.MS-CHAP-Response
- &request.Vendor-Specific.Microsoft.CHAP2-Response := &parent.request.MS-CHAP2-Response
-
- mschap.authenticate
- }
-
- tacacs_set_authentication_status
-}
diff --git a/raddb/sites-available/tacacs b/raddb/sites-available/tacacs
index cebd4182639..45f48948c55 100644
--- a/raddb/sites-available/tacacs
+++ b/raddb/sites-available/tacacs
@@ -304,12 +304,26 @@ server tacacs {
 chap
 }
 
+ #
+ # [NOTE]
+ # =====
+ # In order to use MSCHAP / MSCHAPv2 with TACACS, the instance of
+ # `rlm_mschap` being called must be configured correctly.
+ # The default configuration referrs to the attributes relevant to
+ # RADIUS. The attributes have different names in TACACS.
+ #
+ # If both RADIUS and TACACS virtual servers are defined and both
+ # are using `rlm_mschap`, then two instances of the module will
+ # need to be configured, one for each protocol.
+ #
+ # See the `mschap` module for more details.
+ #
 authenticate MSCHAP {
- tacacs_mschap
+ mschap
 }
 
 authenticate MSCHAPv2 {
- tacacs_mschap
+ mschap
 }
 
 #
@@ -323,7 +337,7 @@ server tacacs {
 # the next packet (if the client provides it)
 #
 authenticate ASCII {
- tacacs_pap
+ pap
 }
 
 #
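Review bot: Swapping `tacacs_mschap` for a bare `mschap` call in the MSCHAP and MSCHAPv2 authenticate sections also drops the `tacacs_set_authentication_status` step that the deleted policy ran after the subrequest to set `&reply.Authentication-Status` to Pass or Fail, and the same applies to the `tacacs_pap` → `pap` change in the second hunk (ASCII). If that status is now derived from the module rcode elsewhere in this virtual server (outside these hunks), the added note should say so in one line, e.g. `# Authentication-Status is set from the module rcode later in this server` (pointing at wherever that actually happens); if it is not, a failed MS-CHAP or PAP exchange could leave the reply without an explicit Fail, which is worth a negative test before merging. Separately, `referrs` in the added comment should read `refers`, and `The default configuration referrs to the attributes relevant to RADIUS.` would be more useful if it named that the attribute references are the setting to change, since that is what the reader has to adjust. The enclosing `server tacacs {` block starts and ends outside both hunks.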