Basic tacacs+ CTiT.

awx/settings/defaults.py

@@ -313,6 +313,14 @@ RADIUS_SERVER = ''
 RADIUS_PORT = 1812
 RADIUS_SECRET = ''
 
+# TACACS+ settings (default host to empty string to skip using TACACS+ auth).
+# Note: These settings may be overridden by database settings.
+TACACSPLUS_HOST = ''
+TACACSPLUS_PORT = 49
+TACACSPLUS_SECRET = ''
+TACACSPLUS_SESSION_TIMEOUT = 5
+TACACSPLUS_AUTH_PROTOCOL = 'ascii'
+
 # Seconds before auth tokens expire.
 # Note: This setting may be overridden by database settings.
 AUTH_TOKEN_EXPIRATION = 1800

awx/sso/conf.py

@@ -33,7 +33,7 @@ multiple organizations, otherwise the single default organization is used
 regardless of the key.  Values are dictionaries defining the options for
 each organization's membership.  For each organization it is possible to
 specify which users are automatically users of the organization and also
-which users can administer the organization. 
+which users can administer the organization.
 
 - admins: None, True/False, string or list of strings.
   If None, organization admins will not be updated.
@@ -51,7 +51,7 @@ which users can administer the organization.
   administrative list.
 - users: None, True/False, string or list of strings. Same rules apply as for
   admins.
-- remove_users: True/False. Defaults to True. Same rules as apply for 
+- remove_users: True/False. Defaults to True. Same rules as apply for
   remove_admins.\
 ''')
 
@@ -520,6 +520,72 @@ register(
     encrypted=True,
 )
 
+###############################################################################
+# TACACSPLUS AUTHENTICATION SETTINGS
+###############################################################################
+
+register(
+    'TACACSPLUS_HOST',
+    field_class=fields.CharField,
+    allow_blank=True,
+    default='',
+    label=_('TACACS+ Server'),
+    help_text=_('Hostname of TACACS+ server.'),
+    category=_('TACACSPLUS'),
+    category_slug='tacacsplus',
+    feature_required='enterprise_auth',
+)
+
+register(
+    'TACACSPLUS_PORT',
+    field_class=fields.IntegerField,
+    min_value=1,
+    max_value=65535,
+    default=49,
+    label=_('TACACS+ Port'),
+    help_text=_('Port number of TACACS+ server.'),
+    category=_('TACACSPLUS'),
+    category_slug='tacacsplus',
+    feature_required='enterprise_auth',
+)
+
+register(
+    'TACACSPLUS_SECRET',
+    field_class=fields.TACACSPLUSSecretField,
+    allow_blank=True,
+    default='',
+    label=_('TACACS+ Secret'),
+    help_text=_('Shared secret for authenticating to TACACS+ server.'),
+    category=_('TACACSPLUS'),
+    category_slug='tacacsplus',
+    feature_required='enterprise_auth',
+    encrypted=True,
+)
+
+register(
+    'TACACSPLUS_SESSION_TIMEOUT',
+    field_class=fields.IntegerField,
+    min_value=0,
+    default=5,
+    label=_('TACACS+ Auth Session Timeout'),
+    help_text=_('TACACS+ session timeout value in seconds. Set to 0 to cancel timeout.'),
+    category=_('TACACSPLUS'),
+    category_slug='tacacsplus',
+    feature_required='enterprise_auth',
+)
+
+register(
+    'TACACSPLUS_AUTH_PROTOCOL',
+    field_class=fields.ChoiceField,
+    choices=['ascii', 'pap'],
+    default='ascii',
+    label=_('TACACS+ Authentication Protocol'),
+    help_text=_('Choose the authentication protocol used by TACACS+ client.'),
+    category=_('TACACSPLUS'),
+    category_slug='tacacsplus',
+    feature_required='enterprise_auth',
+)
+
 ###############################################################################
 # GOOGLE OAUTH2 AUTHENTICATION SETTINGS
 ###############################################################################

awx/sso/fields.py

@@ -470,6 +470,11 @@ class RADIUSSecretField(fields.CharField):
         return value
 
 
+class TACACSPLUSSecretField(RADIUSSecretField):
+
+    pass
+
+
 class SocialMapStringRegexField(fields.CharField):
 
     def to_representation(self, value):