New Features Of tacacs+
By version 8 tacacs+ gain lot of features and enhance it's power.
I want to give brief summary for this features.

			Major Changes
1) Per host key
Now tacacs provides per host key feature to  enhance security for large networks
Because one global key isn't good idea at big network. 
The function get information(key) from host section of tac_plus.cfg. 
If it isn't match for host(IP) it's uses global key which is defined by key 
keyword. And additionaly all packets(Accounting,Authentication and Authorization)
uses this key.

example:
-----------------------------------------------------
key = test

default authentication = file /etc/passwd

host = 192.168.1.1 {
	key = helo
}
------------------------------------------------------
If we explain above lines:
Nas which is IP number equal 192.168.1.1 must configure tacacs key
to helo if it want use all tac_plus service. Because tac_plus daemon looks 
for remote IP number and if it's find in host definition  it's uses this key
for all AAA propose. If not it use global key. So when some NAS or client
access other than 192.168.1.1 IP it's uses global key "test" for AAA.
 
2) libwrap feature

For enable this feature you must configure tac_plus with --with-libwrap flag
Then compile and use. 

This feature get  flexibility to tac_plus. This feature controls NAS access from
hosts.deny or hosts.allow files.  Don't forget the service name must be "tac_plus" word.

So if you can deny all service from hosts.deny but you would like to give access
to known NAS your hosts.allow file must have following line:

tac_plus : 192.168.1.1 , 10.10.10.

For more info please refer man page of hosts.deny and hosts.allow


3) Time limiting Feature

I want to strongly add these feature for limiting users access time. 

Applicable format is  : <day str><time str> [,|] <day str><time str> [,|] and so on

Acceptible parameter for day str is:
SU = Sunday
MO = Monday
TU = Tuesday
WE = Wednesday
TH = Thursday
FR = Friday
SA = Saturday
WK = For week days
WD = For Week end
AL = For All days

And time str must be:
Hourminute-Hourminute
For example it's to be -> 0000-1200 or 1600-1700 or 1600-0800

For this feature i added new keyword to config file. Following example shows how
to use it in config file :

user = test {
    time = "Al0800-1700"
}
This example show that test user only use this system All days of week but only
between 0800 to 1700 time range.

You can also used in group declaration .  

Additional this string to be :
"Wk0800-1700, Wd1200-0000" 
This user only connect in week days between 0800-1700 and at week end between 
1200-0000. 

4) PostgreSQL DB Support

This is same as Mysql db support .  However you must change tac_plus.sql for adapt PostgreSQL. Usage is same.


5) LDAP Support

Well this function didn't writen by me.  But i fixed some codes and put more control for check given parameters.
Please refer README.LDAP file to get more info how to use this functionality.

 
 				Minor Changes
Now configure script have option  --with-tacplus_pid=PREFIX. By this option you can define tac_plus_pid file location.


Good luck..
devrim@gazi.edu.tr