draft-ietf-opsawg-tacacs-04.txt   draft-ietf-opsawg-tacacs-05.txt 
Operations T. Dahm Operations T. Dahm
Internet-Draft A. Ota Internet-Draft A. Ota
Intended status: Informational Google Inc Intended status: Informational Google Inc
Expires: January 9, 2017 D. Medway Gash Expires: February 21, 2017 D. Medway Gash
Cisco Systems, Inc. Cisco Systems, Inc.
D. Carrel D. Carrel
vIPtela, Inc. vIPtela, Inc.
L. Grant L. Grant
July 8, 2016 August 20, 2016
The TACACS+ Protocol The TACACS+ Protocol
draft-ietf-opsawg-tacacs-04 draft-ietf-opsawg-tacacs-05
Abstract Abstract
TACACS+ provides Device Administration for routers, network access TACACS+ provides Device Administration for routers, network access
servers and other networked computing devices via one or more servers and other networked computing devices via one or more
centralized servers. This document describes the protocol that is centralized servers. This document describes the protocol that is
used by TACACS+. used by TACACS+.
Status of This Memo Status of This Memo
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2017. This Internet-Draft will expire on February 21, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 27 skipping to change at page 2, line 27
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Technical Definitions . . . . . . . . . . . . . . . . . . . . 4 2. Technical Definitions . . . . . . . . . . . . . . . . . . . . 4
3. TACACS+ Connections and Sessions . . . . . . . . . . . . . . 5 3. TACACS+ Connections and Sessions . . . . . . . . . . . . . . 5
3.1. Connection . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. Connection . . . . . . . . . . . . . . . . . . . . . . . 5
3.1.1. Security Considerations . . . . . . . . . . . . . . . 5 3.2. Session . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Session . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.3. Single Connect Mode . . . . . . . . . . . . . . . . . . . 6 3.3. Single Connect Mode . . . . . . . . . . . . . . . . . . . 6
3.4. The TACACS+ Packet Header . . . . . . . . . . . . . . . . 7 3.4. The TACACS+ Packet Header . . . . . . . . . . . . . . . . 6
3.5. The TACACS+ Packet Body . . . . . . . . . . . . . . . . . 8 3.5. The TACACS+ Packet Body . . . . . . . . . . . . . . . . . 8
3.6. Encryption . . . . . . . . . . . . . . . . . . . . . . . 9 3.6. Encryption . . . . . . . . . . . . . . . . . . . . . . . 9
3.7. Text Encoding . . . . . . . . . . . . . . . . . . . . . . 11 3.7. Text Encoding . . . . . . . . . . . . . . . . . . . . . . 10
4. Authentication . . . . . . . . . . . . . . . . . . . . . . . 11 4. Authentication . . . . . . . . . . . . . . . . . . . . . . . 11
4.1. The Authentication START Packet Body . . . . . . . . . . 11 4.1. The Authentication START Packet Body . . . . . . . . . . 11
4.2. The Authentication REPLY Packet Body . . . . . . . . . . 13 4.2. The Authentication REPLY Packet Body . . . . . . . . . . 13
4.3. The Authentication CONTINUE Packet Body . . . . . . . . . 15 4.3. The Authentication CONTINUE Packet Body . . . . . . . . . 15
4.4. Description of Authentication Process . . . . . . . . . . 15 4.4. Description of Authentication Process . . . . . . . . . . 15
4.4.1. Version Behaviour . . . . . . . . . . . . . . . . . . 16 4.4.1. Version Behaviour . . . . . . . . . . . . . . . . . . 16
4.4.2. Common Authentication Flows . . . . . . . . . . . . . 17 4.4.2. Common Authentication Flows . . . . . . . . . . . . . 17
4.4.3. Aborting an Authentication Session . . . . . . . . . 20 4.4.3. Aborting an Authentication Session . . . . . . . . . 20
5. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 21 5. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 21
5.1. The Authorization REQUEST Packet Body . . . . . . . . . . 21 5.1. The Authorization REQUEST Packet Body . . . . . . . . . . 22
5.2. The Authorization RESPONSE Packet Body . . . . . . . . . 24 5.2. The Authorization RESPONSE Packet Body . . . . . . . . . 24
6. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 26 6. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 26
6.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 26 6.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 26
6.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 27 6.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 27
7. Attribute-Value Pairs . . . . . . . . . . . . . . . . . . . . 29 7. Attribute-Value Pairs . . . . . . . . . . . . . . . . . . . . 29
7.1. Authorization Attributes . . . . . . . . . . . . . . . . 30 7.1. Authorization Attributes . . . . . . . . . . . . . . . . 30
7.2. Accounting Attributes . . . . . . . . . . . . . . . . . . 32 7.2. Accounting Attributes . . . . . . . . . . . . . . . . . . 32
8. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 34 8. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 34
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 9. TACACS+ Security Considerations . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 35 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36
1. Introduction 1. Introduction
Terminal Access Controller Access-Control System Plus (TACACS+) was Terminal Access Controller Access-Control System Plus (TACACS+) was
originally conceived as a general Authentication, Authorization and originally conceived as a general Authentication, Authorization and
Accounting protocol. It is primarily used today for Device Accounting protocol. It is primarily used today for Device
Administration: authenticating access to network devices, providing Administration: authenticating access to network devices, providing
central authorization of operations, and audit of those operations. central authorization of operations, and audit of those operations.
A wide range of TACACS+ clients and servers are already deployed in A wide range of TACACS+ clients and servers are already deployed in
the field. The TACACS+ protocol they are based on is defined in a the field. The TACACS+ protocol they are based on is defined in a
draft document that was originally intended for IETF publication. draft document that was originally intended for IETF publication.
This document is known as `The Draft' [TheDraft] . This document is known as `The Draft' [TheDraft] .
It is intended that all implementations which conform to this It is intended that all implementations which conform to this
document will conform to `The Draft'. However, the following document will conform to `The Draft'. However, attention is drawn to
specific adjustments of the protocol specification from 'The Draft' the following specific adjustments of the protocol specification from
should be noted: 'The Draft':
This document officially removes SENDPASS for security reasons. This document officially removes SENDPASS for security reasons.
The normative description of Legacy features such as ARAP and The normative description of Legacy features such as ARAP and
outbound authentication have been removed, however the required outbound authentication have been removed, however the required
enumerations are kept. enumerations are kept.
The TACACS+ protocol separates the functions of Authentication, The TACACS+ protocol separates the functions of Authentication,
Authorization and Accounting. It allows for arbitrary length and Authorization and Accounting. It allows for arbitrary length and
content authentication exchanges, which will support any content authentication exchanges, which will support any
skipping to change at page 4, line 18 skipping to change at page 4, line 18
this document this document
Authentication Authentication
Authentication is the action of determining who a user (or entity) Authentication is the action of determining who a user (or entity)
is. Authentication can take many forms. Traditional authentication is. Authentication can take many forms. Traditional authentication
utilizes a name and a fixed password. However, fixed passwords have utilizes a name and a fixed password. However, fixed passwords have
limitations, mainly in the area of security. Many modern limitations, mainly in the area of security. Many modern
authentication mechanisms utilize "one-time" passwords or a authentication mechanisms utilize "one-time" passwords or a
challenge-response query. TACACS+ is designed to support all of challenge-response query. TACACS+ is designed to support all of
these, and should be powerful enough to handle any future mechanisms. these, and be powerful enough to handle any future mechanisms.
Authentication generally takes place when the user first logs in to a Authentication generally takes place when the user first logs in to a
machine or requests a service of it. machine or requests a service of it.
Authentication is not mandatory; it is a site-configured option. Authentication is not mandatory; it is a site-configured option.
Some sites do not require it. Others require it only for certain Some sites do not require it. Others require it only for certain
services (see authorization below). Authentication may also take services (see authorization below). Authentication may also take
place when a user attempts to gain extra privileges, and must place when a user attempts to gain extra privileges, and must
identify himself or herself as someone who possesses the required identify himself or herself as someone who possesses the required
information (passwords, etc.) for those privileges. information (passwords, etc.) for those privileges.
skipping to change at page 5, line 44 skipping to change at page 5, line 44
All uses of the word packet in this document refer to TACACS+ All uses of the word packet in this document refer to TACACS+
protocol packets unless explicitly noted otherwise. protocol packets unless explicitly noted otherwise.
3. TACACS+ Connections and Sessions 3. TACACS+ Connections and Sessions
3.1. Connection 3.1. Connection
TACACS+ uses TCP for its transport. Server port 49 is allocated for TACACS+ uses TCP for its transport. Server port 49 is allocated for
TACACS+ traffic. TACACS+ traffic.
3.1.1. Security Considerations
The protocol includes an obfuscation mechanism referred to in the
original draft as Body Encryption. It is intended to follow up this
document with enhancements to TACACS+ security.
It is recommended to separate the management traffic from the regular
network access traffic, and to use Body Encryption in production
environments.
3.2. Session 3.2. Session
The concept of a session is used throughout this document. A TACACS+ The concept of a session is used throughout this document. A TACACS+
session is a single authentication sequence, a single authorization session is a single authentication sequence, a single authorization
exchange, or a single accounting exchange. exchange, or a single accounting exchange.
An accounting and authorization session will consist of a single pair An accounting and authorization session will consist of a single pair
of packets (the request and its reply). An authentication session of packets (the request and its reply). An authentication session
may involve an arbitrary number of packets being exchanged. The may involve an arbitrary number of packets being exchanged. The
session is an operational concept that is maintained between the session is an operational concept that is maintained between the
skipping to change at page 8, line 33 skipping to change at page 8, line 27
The single-connection flag: The single-connection flag:
TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04 TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04
This flag is used to allow a client and server to agree whether This flag is used to allow a client and server to agree whether
multiple sessions may be multiplexed onto a single connection. multiple sessions may be multiplexed onto a single connection.
session_id session_id
The Id for this TACACS+ session. The session id should be randomly The Id for this TACACS+ session. The session id is to be selected
chosen. This field does not change for the duration of the TACACS+ randomly. This field does not change for the duration of the TACACS+
session. (If this value is not a cryptographically strong random session. (If this value is not a cryptographically strong random
number, it will compromise the protocol's security, see RFC 1750 number, it will compromise the protocol's security, see RFC 1750
[RFC1750] ) [RFC1750] )
length length
The total length of the packet body (not including the header). This The total length of the packet body (not including the header). This
value is in network byte order. Packets are never padded beyond this value is in network byte order. Packets are never padded beyond this
length. length.
skipping to change at page 9, line 15 skipping to change at page 9, line 7
- Any variable length data fields which are unused MUST have a - Any variable length data fields which are unused MUST have a
length value equal to zero. length value equal to zero.
- Unused fixed length fields SHOULD have values of zero. - Unused fixed length fields SHOULD have values of zero.
- All data and message fields in a packet MUST NOT be null - All data and message fields in a packet MUST NOT be null
terminated. terminated.
- All length values are unsigned and in network byte order. - All length values are unsigned and in network byte order.
- There should be no padding in any of the fields or at the end of - There will be no padding in any of the fields or at the end of a
a packet. packet.
3.6. Encryption 3.6. Encryption
The body of packets may be encrypted. The following sections The body of packets may be encrypted. The following sections
describe the encryption mechanism that is supported to enable describe the encryption mechanism that is supported to enable
backwards compatibility with 'The Draft'. backwards compatibility with 'The Draft'.
When the encryption mechanism relies on a secret key, it is referring When the encryption mechanism relies on a secret key, it is referring
to a shared secret value that is known to both the client and the to a shared secret value that is known to both the client and the
server. This document does not discuss the management and storage of server. This document does not discuss the management and storage of
those keys. It is an implementation detail of the server and client, those keys. It is an implementation detail of the server and client,
as to whether they will maintain only one key, or a different key for as to whether they will maintain only one key, or a different key for
each client or server with which they communicate. For security each client or server with which they communicate. For security
reasons, the latter options should be available, but it is a site reasons, the latter options MUST be available, but it is a site
dependent decision as to whether the use of separate keys is dependent decision as to whether the use of separate keys is
appropriate. appropriate.
The encrypted flag field may be set as follows: The encrypted flag field may be set as follows:
TAC_PLUS_UNENCRYPTED_FLAG == 0x0 TAC_PLUS_UNENCRYPTED_FLAG == 0x0
In this case, the packet body is encrypted by XOR-ing it byte-wise In this case, the packet body is encrypted by XOR-ing it byte-wise
with a pseudo random pad. with a pseudo random pad.
skipping to change at page 10, line 29 skipping to change at page 10, line 21
key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key, key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key,
version, seq_no, MD5_n-1} version, seq_no, MD5_n-1}
When a server detects that the secret(s) it has configured for the When a server detects that the secret(s) it has configured for the
device mismatch, it MUST return ERROR. The handling of the TCP device mismatch, it MUST return ERROR. The handling of the TCP
connection by the server is implementation independent. connection by the server is implementation independent.
TAC_PLUS_UNENCRYPTED_FLAG == 0x1 TAC_PLUS_UNENCRYPTED_FLAG == 0x1
In this case, the entire packet body is in cleartext. Encryption and In this case, the entire packet body is in cleartext. Encryption and
decryption are null operations. This method should only be used for decryption are null operations. This method must only be used for
debugging. It does not provide data protection or authentication and debugging. It does not provide data protection or authentication and
is highly susceptible to packet spoofing. Implementing this is highly susceptible to packet spoofing. Implementing this
encryption method is optional. encryption method is optional.
NOTE: Implementations should take care not to skip decryption simply If deployment is configured for encrypting a connection then do no
because an incoming packet indicates that it is not encrypted. If skip decryption simply because an incoming packet indicates that it
the unencrypted flag is not set, and the packet is not encrypted, it is not encrypted. If the unencrypted flag is not set when expected,
must be dropped. then it must be dropped.
After a packet body is decrypted, the lengths of the component values After a packet body is decrypted, the lengths of the component values
in the packet should be summed and checked against the cleartext in the packet are summed. If the sum is not identical to the
datalength value from the header. Any packets which fail this check cleartext datalength value from the header, the packet MUST be
should be discarded and an error signalled. Commonly such failures discarded, and an error signalled. The underlying TCP connection MAY
may be expected to be seen when there are mismatched keys between the also be closed, if it is not being used for other sessions in single-
client and the TACACS+ server. connect mode.
Commonly such failures are seen when the keys are mismatched between
the client and the TACACS+ server.
If an error must be declared but the type of the incoming packet If an error must be declared but the type of the incoming packet
cannot be determined, a packet with the identical cleartext header cannot be determined, a packet with the identical cleartext header
but with a sequence number incremented by one and the length set to but with a sequence number incremented by one and the length set to
zero MUST be returned to indicate an error. zero MUST be returned to indicate an error.
3.7. Text Encoding 3.7. Text Encoding
All text fields in TACACS+ MUST be US-ASCII, excepting special All text fields in TACACS+ MUST be US-ASCII, excepting special
consideration given to user field and data fields used for passwords. consideration given to user field and data fields used for passwords.
skipping to change at page 11, line 24 skipping to change at page 11, line 16
UTF-8, and other encodings outside US-ASCII SHOULD be deprecated. UTF-8, and other encodings outside US-ASCII SHOULD be deprecated.
4. Authentication 4. Authentication
4.1. The Authentication START Packet Body 4.1. The Authentication START Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| action | priv_lvl | authen_type | authen_service | | action | priv_lvl | authen_type | authen_service |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user len | port len | rem_addr len | data len | | user_len | port_len | rem_addr_len | data_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user ... | user ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| port ... | port ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| rem_addr ... | rem_addr ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| data... | data...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
skipping to change at page 13, line 5 skipping to change at page 12, line 46
TAC_PLUS_AUTHEN_SVC_FWPROXY := 0x09 TAC_PLUS_AUTHEN_SVC_FWPROXY := 0x09
The TAC_PLUS_AUTHEN_SVC_NONE option is intended for the authorization The TAC_PLUS_AUTHEN_SVC_NONE option is intended for the authorization
application of this field that indicates that no authentication was application of this field that indicates that no authentication was
performed by the device. performed by the device.
The TAC_PLUS_AUTHEN_SVC_LOGIN option is identifies regular login (as The TAC_PLUS_AUTHEN_SVC_LOGIN option is identifies regular login (as
opposed to ENABLE) to a client device. opposed to ENABLE) to a client device.
The TAC_PLUS_AUTHEN_SVC_ENABLE option identifies the ENABLE service, The TAC_PLUS_AUTHEN_SVC_ENABLE option identifies the ENABLE
which refers to a service requesting authentication in order to grant authen_service, which refers to a service requesting authentication
the user different privileges. This is comparable to the Unix in order to grant the user different privileges. This is comparable
"su(1)" command. A service value of NONE should only be used when to the Unix "su(1)" command. An authen_service value of NONE is only
none of the other service values are appropriate. ENABLE may be to be used when none of the other authen_service values are
requested independently, no requirements for previous authentications appropriate. ENABLE may be requested independently, no requirements
or authorizations are imposed by the protocol. for previous authentications or authorizations are imposed by the
protocol.
Other options are included for legacy/backwards compatibility. Other options are included for legacy/backwards compatibility.
user user, user_len
The username. It is optional in this packet, depending upon the The username is optional in this packet, depending upon the class of
class of authentication. authentication. If it is absent, user_len will be 0, if included,
the user_len MUST indicate the length of the user field, in bytes.
port port, port_len
The US-ASCII name of the client port on which the authentication is The US-ASCII name of the client port on which the authentication is
taking place. The value of this field is client specific. (For taking place, and its length in bytes. The value of this field is
example, Cisco uses "tty10" to denote the tenth tty line and client specific. (For example, Cisco uses "tty10" to denote the
"Async10" to denote the tenth async interface). tenth tty line and "Async10" to denote the tenth async interface).
The port_len MUST indicate the length of the port field, in bytes.
rem_addr rem_addr, rem_addr_len
An US-ASCII string this is a "best effort" description of the remote An US-ASCII string this is a "best effort" description of the remote
location from which the user has connected to the client. It is location from which the user has connected to the client. It is
intended to hold a network address if the user is connected via a intended to hold a network address if the user is connected via a
network, a caller ID is the user is connected via ISDN or a POTS, or network, a caller ID is the user is connected via ISDN or a POTS, or
any other remote location information that is available. This field any other remote location information that is available. This field
is optional (since the information may not be available). is optional (since the information may not be available). The
rem_addr_len MUST indicate the length of the user field, in bytes.
data data, data_len
This field is used to send data appropriate for the action and This field is used to send data appropriate for the action and
authen_type. It is described in more detail in the section Common authen_type. It is described in more detail in the section Common
Authentication flows (Section 4.4.2) . Authentication flows (Section 4.4.2) . The data_len MUST indicate the
length of the data field, in bytes.
4.2. The Authentication REPLY Packet Body 4.2. The Authentication REPLY Packet Body
The TACACS+ server sends only one type of authentication packet (a The TACACS+ server sends only one type of authentication packet (a
REPLY packet) to the client. The REPLY packet body looks as follows: REPLY packet) to the client. The REPLY packet body looks as follows:
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| status | flags | server_msg len | | status | flags | server_msg_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| data len | server_msg ... | data_len | server_msg ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| data ... | data ...
+----------------+----------------+ +----------------+----------------+
status status
The current status of the authentication. Legal values are: The current status of the authentication. Legal values are:
TAC_PLUS_AUTHEN_STATUS_PASS := 0x01 TAC_PLUS_AUTHEN_STATUS_PASS := 0x01
skipping to change at page 14, line 41 skipping to change at page 14, line 41
TAC_PLUS_AUTHEN_STATUS_FOLLOW := 0x21 TAC_PLUS_AUTHEN_STATUS_FOLLOW := 0x21
flags flags
Bitmapped flags that modify the action to be taken. The following Bitmapped flags that modify the action to be taken. The following
values are defined: values are defined:
TAC_PLUS_REPLY_FLAG_NOECHO := 0x01 TAC_PLUS_REPLY_FLAG_NOECHO := 0x01
server_msg server_msg, server_msg_len
c A message to be displayed to the user. This field is optional. If c A message to be displayed to the user. This field is optional. If
it exists, it is intended to be presented to the user. US-ASCII it exists, it is intended to be presented to the user. US-ASCII
charset must be used. charset MUST be used. The server_msg_len MUST indicate the length of
the server_msg field, in bytes.
data data, data_len
This field holds data that is a part of the authentication exchange This field holds data that is a part of the authentication exchange
and is intended for the client, not the user. It is described in and is intended for the client, not the user. It is described in
more detail in the section Common Authentication flows more detail in the section Common Authentication flows
(Section 4.4.2) . (Section 4.4.2) . The data_len MUST indicate the length of the data
field, in bytes.
4.3. The Authentication CONTINUE Packet Body 4.3. The Authentication CONTINUE Packet Body
This packet is sent from the client to the server following the This packet is sent from the client to the server following the
receipt of a REPLY packet. receipt of a REPLY packet.
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user_msg len | data len | | user_msg len | data_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| flags | user_msg ... | flags | user_msg ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| data ... | data ...
+----------------+ +----------------+
user_msg user_msg, user_msg_len
This field is the string that the user entered, or the client This field is the string that the user entered, or the client
provided on behalf of the user, in response to the server_msg from a provided on behalf of the user, in response to the server_msg from a
REPLY packet. REPLY packet. The user_len MUST indicate the length of the user
field, in bytes.
data data, data_len
This field carries information that is specific to the action and the This field carries information that is specific to the action and the
authen_type for this session. Valid uses of this field are described authen_type for this session. Valid uses of this field are described
below. below. The data_len MUST indicate the length of the data field, in
bytes.
flags flags
This holds the bitmapped flags that modify the action to be taken. This holds the bitmapped flags that modify the action to be taken.
The following values are defined: The following values are defined:
TAC_PLUS_CONTINUE_FLAG_ABORT := 0x01 TAC_PLUS_CONTINUE_FLAG_ABORT := 0x01
4.4. Description of Authentication Process 4.4. Description of Authentication Process
The action, authen_type and service fields (described above) combine The action, authen_type and authen_service fields (described above)
to determine what kind of authentication is to be performed Every combine to determine what kind of authentication is to be performed
authentication START, REPLY and CONTINUE packet includes a data Every authentication START, REPLY and CONTINUE packet includes a data
field. The use of this field is dependent upon the kind of the field. The use of this field is dependent upon the kind of the
Authentication. Authentication.
A set of standard kinds of authentication is defined in this A set of standard kinds of authentication is defined in this
document. Each authentication flow consists of a START packet. The document. Each authentication flow consists of a START packet. The
server responds either with a request for more information (GETDATA, server responds either with a request for more information (GETDATA,
GETUSER or GETPASS) or a termination (PASS or FAIL). The actions and GETUSER or GETPASS) or a termination (PASS or FAIL). The actions and
meanings when the server sends a RESTART, ERROR or FOLLOW are common meanings when the server sends a RESTART, ERROR or FOLLOW are common
and are described further below. and are described further below.
skipping to change at page 16, line 42 skipping to change at page 16, line 46
LOGIN CHPASS SENDAUTH LOGIN CHPASS SENDAUTH
ASCII v0 v0 - ASCII v0 v0 -
PAP v1 - v1 PAP v1 - v1
CHAP v1 - v1 CHAP v1 - v1
MS-CHAPv1/2 v1 - v1 MS-CHAPv1/2 v1 - v1
The '-' symbol represents that the option is not valid. The '-' symbol represents that the option is not valid.
When a server receives a packet with a minor_version that it does not When a server receives a packet with a minor_version that it does not
support, it should return an ERROR status with the minor_version set support, it will return an ERROR status with the minor_version set to
to the closest supported value. the closest supported value.
In minor_version 0, Inbound PAP performed a normal LOGIN, sending the In minor_version 0, Inbound PAP performed a normal LOGIN, sending the
username in the START packet and then waiting for a GETPASS and username in the START packet and then waiting for a GETPASS and
sending the password in a CONTINUE packet. sending the password in a CONTINUE packet.
In minor_version 1, CHAP and inbound PAP use LOGIN to perform inbound In minor_version 1, CHAP and inbound PAP use LOGIN to perform inbound
authentication and the exchanges use the data field so that the authentication and the exchanges use the data field so that the
client only sends a single START packet and expects to receive a PASS client only sends a single START packet and expects to receive a PASS
or FAIL. SENDAUTH is only used for PPP when performing outbound or FAIL. SENDAUTH is only used for PPP when performing outbound
authentication. authentication.
NOTE: Only those requests which have changed from their minor_version NOTE: Only those requests which have changed from their minor_version
0 implementation (i.e. CHAP, MS-CHAP and PAP authentications) should 0 implementation (i.e. CHAP, MS-CHAP and PAP authentications) will
use the new minor_version number of 1. All other requests (i.e. all use the new minor_version number of 1. All other requests (i.e. all
authorisation and accounting and ASCII authentication) MUST continue authorisation and accounting and ASCII authentication) MUST continue
to use the same minor_version number of 0. The removal of SENDPASS to use the same minor_version number of 0. The removal of SENDPASS
was prompted by security concerns, and is no longer considered part was prompted by security concerns, and is no longer considered part
of the TACACS+ protocol. of the TACACS+ protocol.
4.4.2. Common Authentication Flows 4.4.2. Common Authentication Flows
This section describes common authentication flows. If the options This section describes common authentication flows. If the options
are implemented, they MUST follow the description. If the server are implemented, they MUST follow the description. If the server
does not implement an option, it should respond with does not implement an option, it will respond with
TAC_PLUS_AUTHEN_STATUS_ERROR. TAC_PLUS_AUTHEN_STATUS_ERROR.
Inbound ASCII Login Inbound ASCII Login
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII
minor_version = 0x0 minor_version = 0x0
This is a standard ASCII authentication. The START packet may This is a standard ASCII authentication. The START packet may
contain the username, but need not do so. The data fields in both contain the username, but need not do so. The data fields in both
skipping to change at page 19, line 35 skipping to change at page 19, line 38
authen_type = not used authen_type = not used
service = TAC_PLUS_AUTHEN_SVC_ENABLE service = TAC_PLUS_AUTHEN_SVC_ENABLE
This is an ENABLE request, used to change the current running This is an ENABLE request, used to change the current running
privilege level of a principal. The exchange MAY consist of multiple privilege level of a principal. The exchange MAY consist of multiple
messages while the server collects the information it requires in messages while the server collects the information it requires in
order to allow changing the principal's privilege level. This order to allow changing the principal's privilege level. This
exchange is very similar to an Inbound ASCII login. exchange is very similar to an Inbound ASCII login.
In order to readily distinguish enable requests from other types of In order to readily distinguish enable requests from other types of
request, the value of the service field MUST be set to request, the value of the authen_service field MUST be set to
TAC_PLUS_AUTHEN_SVC_ENABLE when requesting an ENABLE. It MUST NOT be TAC_PLUS_AUTHEN_SVC_ENABLE when requesting an ENABLE. It MUST NOT be
set to this value when requesting any other operation. set to this value when requesting any other operation.
ASCII change password request ASCII change password request
action = TAC_PLUS_AUTHEN_CHPASS action = TAC_PLUS_AUTHEN_CHPASS
authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII
This exchange consists of multiple messages while the server collects This exchange consists of multiple messages while the server collects
the information it requires in order to change the user's password. the information it requires in order to change the user's password.
skipping to change at page 20, line 16 skipping to change at page 20, line 22
The client may prematurely terminate a session by setting the The client may prematurely terminate a session by setting the
TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this
flag is set, the data portion of the message may contain an ASCII flag is set, the data portion of the message may contain an ASCII
message explaining the reason for the abort. The session is message explaining the reason for the abort. The session is
terminated and no REPLY message is sent. terminated and no REPLY message is sent.
There are three other possible return status values that can be used There are three other possible return status values that can be used
in a REPLY packet. These can be sent regardless of the action or in a REPLY packet. These can be sent regardless of the action or
authen_type. Each of these indicates that the TACACS+ authentication authen_type. Each of these indicates that the TACACS+ authentication
session should be terminated. In each case, the server_msg may session is terminated. In each case, the server_msg may contain a
contain a message to be displayed to the user. message to be displayed to the user.
When the status equals TAC_PLUS_AUTHEN_STATUS_FOLLOW the packet When the status equals TAC_PLUS_AUTHEN_STATUS_FOLLOW the packet
indicates that the TACACS+ server requests that authentication should indicates that the TACACS+ server requests that authentication is
be performed with an alternate server. The data field MUST contain performed with an alternate server. The data field MUST contain
ASCII text describing one or more servers. A server description ASCII text describing one or more servers. A server description
appears like this: appears like this:
[@<protocol>@]<host>>[@<key>] [@<protocol>@]<host>>[@<key>]
If more than one host is specified, they MUST be separated into rows If more than one host is specified, they MUST be separated into rows
by an ASCII Carriage Return (0x0D). by an ASCII Carriage Return (0x0D).
The protocol and key are optional, and apply only to host in the same The protocol and key are optional, and apply only to host in the same
row. The protocol can describe an alternate way of performing the row. The protocol can describe an alternate way of performing the
authentication, other than TACACS+. If the protocol is not present, authentication, other than TACACS+. If the protocol is not present,
then TACACS+ is assumed. then TACACS+ is assumed.
Protocols are ASCII numbers corresponding to the methods listed in Protocols are ASCII numbers corresponding to the methods listed in
the authen_method field of authorization packets (defined below). the authen_method field of authorization packets (defined below).
The host is specified as either a fully qualified domain name, or an The host is specified as either a fully qualified domain name, or an
ASCII numeric IPV4 address specified as octets separated by dots ASCII numeric IPV4 address specified as octets separated by dots
('.'), or IPV6 adress test representation defined in RFC 4291. ('.'), or IPV6 address test representation defined in RFC 4291.
If a key is supplied, the client MAY use the key in order to If a key is supplied, the client MAY use the key in order to
authenticate to that host. The client may use a preconfigured key authenticate to that host. The client may use a preconfigured key
for the host if it has one. If not then the client may communicate for the host if it has one. If not then the client may communicate
with the host using unencrypted option. with the host using unencrypted option.
Use of the hosts in a TAC_PLUS_AUTHEN_STATUS_FOLLOW packet is at the Use of the hosts in a TAC_PLUS_AUTHEN_STATUS_FOLLOW packet is at the
discretion of the TACACS+ client. It may choose to use any one, all discretion of the TACACS+ client. It may choose to use any one, all
or none of these hosts. If it chooses to use none, then it MUST or none of these hosts. If it chooses to use none, then it MUST
treat the authentication as if the return status was treat the authentication as if the return status was
TAC_PLUS_AUTHEN_STATUS_FAIL. TAC_PLUS_AUTHEN_STATUS_FAIL.
While the order of hosts in this packet indicates a preference, but While the order of hosts in this packet indicates a preference, but
the client is not obliged to use that ordering. the client is not obliged to use that ordering.
If the status equals TAC_PLUS_AUTHEN_STATUS_ERROR, then the host is If the status equals TAC_PLUS_AUTHEN_STATUS_ERROR, then the host is
indicating that it is experiencing an unrecoverable error and the indicating that it is experiencing an unrecoverable error and the
authentication should proceed as if that host could not be contacted. authentication will proceed as if that host could not be contacted.
The data field may contain a message to be printed on an The data field may contain a message to be printed on an
administrative console or log. administrative console or log.
If the status equals TAC_PLUS_AUTHEN_STATUS_RESTART, then the If the status equals TAC_PLUS_AUTHEN_STATUS_RESTART, then the
authentication sequence should be restarted with a new START packet authentication sequence is restarted with a new START packet from the
from the client. This REPLY packet indicates that the current client. This REPLY packet indicates that the current authen_type
authen_type value (as specified in the START packet) is not value (as specified in the START packet) is not acceptable for this
acceptable for this session, but that others may be. session, but that others may be.
If a client chooses not to accept the TAC_PLUS_AUTHEN_STATUS_RESTART If a client chooses not to accept the TAC_PLUS_AUTHEN_STATUS_RESTART
packet, then it should be TREATED as if the status was packet, then it is TREATED as if the status was
TAC_PLUS_AUTHEN_STATUS_FAIL. TAC_PLUS_AUTHEN_STATUS_FAIL.
5. Authorization 5. Authorization
This part of the TACACS+ protocol provides an extensible way of This part of the TACACS+ protocol provides an extensible way of
providing remote authorization services. An authorization session is providing remote authorization services. An authorization session is
defined as a single pair of messages, a REQUEST followed by a defined as a single pair of messages, a REQUEST followed by a
RESPONSE. RESPONSE.
The authorization REQUEST message contains a fixed set of fields that The authorization REQUEST message contains a fixed set of fields that
skipping to change at page 22, line 4 skipping to change at page 22, line 6
The arguments in both a REQUEST and a RESPONSE can be specified as The arguments in both a REQUEST and a RESPONSE can be specified as
either mandatory or optional. An optional argument is one that may either mandatory or optional. An optional argument is one that may
or may not be used, modified or even understood by the recipient. or may not be used, modified or even understood by the recipient.
A mandatory argument MUST be both understood and used. This allows A mandatory argument MUST be both understood and used. This allows
for extending the attribute list while providing secure backwards for extending the attribute list while providing secure backwards
compatibility. compatibility.
5.1. The Authorization REQUEST Packet Body 5.1. The Authorization REQUEST Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| authen_method | priv_lvl | authen_type | authen_service | | authen_method | priv_lvl | authen_type | authen_service |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user len | port len | rem_addr len | arg_cnt | | user_len | port_len | rem_addr_len | arg_cnt |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg 1 len | arg 2 len | ... | arg N len | | arg_1_len | arg_2_len | ... | arg_N_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user ... | user ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| port ... | port ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| rem_addr ... | rem_addr ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg 1 ... | arg_1 ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg 2 ... | arg_2 ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| ... | ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg N ... | arg_N ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
authen_method authen_method
This indicates the authentication method used by the client to This indicates the authentication method used by the client to
acquire the user information. acquire the user information.
TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00
TAC_PLUS_AUTHEN_METH_NONE := 0x01 TAC_PLUS_AUTHEN_METH_NONE := 0x01
skipping to change at page 22, line 49 skipping to change at page 23, line 4
TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 TAC_PLUS_AUTHEN_METH_ENABLE := 0x04
TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 TAC_PLUS_AUTHEN_METH_LOCAL := 0x05
TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06
TAC_PLUS_AUTHEN_METH_GUEST := 0x08 TAC_PLUS_AUTHEN_METH_GUEST := 0x08
TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 TAC_PLUS_AUTHEN_METH_RADIUS := 0x10
TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 TAC_PLUS_AUTHEN_METH_KRB4 := 0x11
TAC_PLUS_AUTHEN_METH_RCMD := 0x20 TAC_PLUS_AUTHEN_METH_RCMD := 0x20
KRB5 and KRB4 are Kerberos version 5 and 4. LINE refers to a fixed KRB5 and KRB4 are Kerberos version 5 and 4. LINE refers to a fixed
password associated with the terminal line used to gain access. password associated with the terminal line used to gain access.
LOCAL is a client local user database. ENABLE is a command that LOCAL is a client local user database. ENABLE is a command that
authenticates in order to grant new privileges. TACACSPLUS is, of authenticates in order to grant new privileges. TACACSPLUS is, of
course, TACACS+. GUEST is an unqualified guest authentication, such course, TACACS+. GUEST is an unqualified guest authentication, such
as an ARAP guest login. RADIUS is the Radius authentication as an ARAP guest login. RADIUS is the Radius authentication
protocol. RCMD refers to authentication provided via the R-command protocol. RCMD refers to authentication provided via the R-command
protocols from Berkeley Unix. (One should be aware of the security protocols from Berkeley Unix.
limitations to R-command authentication.)
priv_lvl priv_lvl
This field is used in the same way as the priv_lvl field in This field is used in the same way as the priv_lvl field in
authentication request and is described in the Privilege Level authentication request and is described in the Privilege Level
section (Section 8) below. It indicates the users current privilege section (Section 8) below. It indicates the users current privilege
level. level.
authen_type authen_type
This field matches the authen_type field in the authentication This field matches the authen_type field in the authentication
section (Section 4) above. It indicates the type of authentication section (Section 4) above. It indicates the type of authentication
that was performed. If this information is not available, then the that was performed. If this information is not available, then the
client should set authen_type to: TAC_PLUS_AUTHEN_TYPE_NOT_SET := client will set authen_type to: TAC_PLUS_AUTHEN_TYPE_NOT_SET := 0x00.
0x00. This value is valid only in authorization and accounting This value is valid only in authorization and accounting requests.
requests.
authen_service authen_service
This field matches the service field in the authentication section This field matches the authen_service field in the authentication
(Section 4) above. It indicates the service through which the user section (Section 4) above. It indicates the service through which
authenticated. the user authenticated.
user user, user_len
This field contains the user's account name. This field contains the user's account name. The user_len MUST
indicate the length of the user field, in bytes.
port port, port_len
This field matches the port field in the authentication section This field matches the port field in the authentication section
(Section 4) above. (Section 4) above. The port_len MUST indicate the length of the port
field, in bytes.
rem_addr
rem_addr, rem_addr_len
This field matches the rem_addr field in the authentication section This field matches the rem_addr field in the authentication section
(Section 4) above. (Section 4) above. The rem_addr_len MUST indicate the length of the
port field, in bytes.
arg_cnt arg_cnt
The number of authorization arguments to follow The number of authorization arguments to follow
arg arg_1 ... arg_N, arg_1_len .... arg_N_len
An attribute-value pair that describes the command to be performed. The attribute-value pair that describes the authorization to be
(see below) performed. (see below), and their corresponding length fields (which
MUST indicate the length of each argument in bytes).
The authorization arguments in both the REQUEST and the RESPONSE are The authorization arguments in both the REQUEST and the RESPONSE are
attribute-value pairs. The attribute and the value are in a single attribute-value pairs. The attribute and the value are in a single
US-ASCII string and are separated by either a "=" (0X3D) or a "*" US-ASCII string and are separated by either a "=" (0X3D) or a "*"
(0X2A). The equals sign indicates a mandatory argument. The (0X2A). The equals sign indicates a mandatory argument. The
asterisk indicates an optional one. asterisk indicates an optional one.
It is not legal for an attribute name to contain either of the It is not legal for an attribute name to contain either of the
separators. It is legal for attribute values to contain the separators. It is legal for attribute values to contain the
separators. separators.
skipping to change at page 25, line 8 skipping to change at page 25, line 8
Attribute-value strings are not NULL terminated, rather their length Attribute-value strings are not NULL terminated, rather their length
value indicates their end. The maximum length of an attribute-value value indicates their end. The maximum length of an attribute-value
string is 255 characters. the minimum is two characters (one name string is 255 characters. the minimum is two characters (one name
value and the separator) value and the separator)
5.2. The Authorization RESPONSE Packet Body 5.2. The Authorization RESPONSE Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| status | arg_cnt | server_msg len | | status | arg_cnt | server_msg len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
+ data len | arg 1 len | arg 2 len | + data_len | arg_1_len | arg_2_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| ... | arg N len | server_msg ... | ... | arg_N_len | server_msg ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| data ... | data ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg 1 ... | arg_1 ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg 2 ... | arg_2 ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| ... | ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg N ... | arg_N ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
status This field indicates the authorization status status This field indicates the authorization status
TAC_PLUS_AUTHOR_STATUS_PASS_ADD := 0x01 TAC_PLUS_AUTHOR_STATUS_PASS_ADD := 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL := 0x02 TAC_PLUS_AUTHOR_STATUS_PASS_REPL := 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10 TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11 TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11
TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21 TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21
server_msg server_msg, server_msg_len
This is an US-ASCII string that may be presented to the user. The This is an US-ASCII string that may be presented to the user. The
decision to present this message is client specific. decision to present this message is client specific. The
server_msg_len MUST indicate the length of the server_msg field, in
bytes.
data data, data_len
This is an US-ASCII string that may be presented on an administrative This is an US-ASCII string that may be presented on an administrative
display, console or log. The decision to present this message is display, console or log. The decision to present this message is
client specific. client specific. The data_len MUST indicate the length of the data
field, in bytes.
arg_cnt arg_cnt
The number of authorization arguments to follow. The number of authorization arguments to follow.
arg arg_1 ... arg_N, arg_1_len .... arg_N_len
An attribute-value pair that describes the command to be performed.
(see below) The attribute-value pair that describes the authorization to be
performed. (see below), and their corresponding length fields (which
MUST indicate the length of each argument in bytes).
If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the
appropriate action is to deny the user action. appropriate action is to deny the user action.
If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the
arguments specified in the request are authorized and the arguments arguments specified in the request are authorized and the arguments
in the response are to be used IN ADDITION to those arguments. in the response are to be used IN ADDITION to those arguments.
If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the
arguments in the request are to be completely replaced by the arguments in the request are to be completely replaced by the
arguments in the response. arguments in the response.
If the intended action is to approve the authorization with no If the intended action is to approve the authorization with no
modifications, then the status should be set to modifications, then the status is set to
TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt should be set to 0. TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt is set to 0.
A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred
on the server. on the server.
When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the
arg_cnt MUST be 0. In that case, the actions to be taken and the arg_cnt MUST be 0. In that case, the actions to be taken and the
contents of the data field are identical to the contents of the data field are identical to the
TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. None of the TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. None of the
arg values have any relevance if an ERROR is set, and must be arg values have any relevance if an ERROR is set, and must be
ignored. ignored.
skipping to change at page 27, line 9 skipping to change at page 27, line 9
TACACS+ accounting is very similar to authorization. The packet TACACS+ accounting is very similar to authorization. The packet
format is also similar. There is a fixed portion and an extensible format is also similar. There is a fixed portion and an extensible
portion. The extensible portion uses all the same attribute-value portion. The extensible portion uses all the same attribute-value
pairs that authorization uses, and adds several more. pairs that authorization uses, and adds several more.
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| flags | authen_method | priv_lvl | authen_type | | flags | authen_method | priv_lvl | authen_type |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| authen_service | user len | port len | rem_addr len | | authen_service | user_len | port_len | rem_addr_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg_cnt | arg 1 len | arg 2 len | ... | | arg_cnt | arg_1_len | arg_2_len | ... |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg N len | user ... | arg_N_len | user ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| port ... | port ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| rem_addr ... | rem_addr ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg 1 ... | arg_1 ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg 2 ... | arg_2 ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| ... | ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg N ... | arg_N ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
flags flags
This holds bitmapped flags. This holds bitmapped flags.
TAC_PLUS_ACCT_FLAG_START := 0x02 TAC_PLUS_ACCT_FLAG_START := 0x02
TAC_PLUS_ACCT_FLAG_STOP := 0x04 TAC_PLUS_ACCT_FLAG_STOP := 0x04
skipping to change at page 27, line 47 skipping to change at page 27, line 47
All other fields are defined in the authorization and authentication All other fields are defined in the authorization and authentication
sections above and have the same semantics. sections above and have the same semantics.
See section 12 Accounting Attribute-value Pairs for the dictionary of See section 12 Accounting Attribute-value Pairs for the dictionary of
attributes relevant to accounting. attributes relevant to accounting.
6.2. The Accounting REPLY Packet Body 6.2. The Accounting REPLY Packet Body
The response to an accounting message is used to indicate that the The response to an accounting message is used to indicate that the
accounting function on the server has completed. The server should accounting function on the server has completed. The server will
reply with success only when the record has been committed to the reply with success only when the record has been committed to the
required level of security, relieving the burden on the client from required level of security, relieving the burden on the client from
ensuring any better form of accounting is required. ensuring any better form of accounting is required.
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| server_msg len | data len | | server_msg len | data_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| status | server_msg ... | status | server_msg ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| data ... | data ...
+----------------+ +----------------+
status status
This is the return status. Values are: This is the return status. Values are:
TAC_PLUS_ACCT_STATUS_SUCCESS := 0x01 TAC_PLUS_ACCT_STATUS_SUCCESS := 0x01
TAC_PLUS_ACCT_STATUS_ERROR := 0x02 TAC_PLUS_ACCT_STATUS_ERROR := 0x02
TAC_PLUS_ACCT_STATUS_FOLLOW := 0x21 TAC_PLUS_ACCT_STATUS_FOLLOW := 0x21
server_msg server_msg, server_msg_len
This is a US-ASCII string that may be presented to the user. The This is a US-ASCII string that may be presented to the user. The
decision to present this message is client specific. decision to present this message is client specific. The
server_msg_len MUST indicate the length of the server_msg field, in
bytes.
data data, data_len
This is a US-ASCII string that may be presented on an administrative This is a US-ASCII string that may be presented on an administrative
display, console or log. The decision to present this message is display, console or log. The decision to present this message is
client specific. client specific. The data_len MUST indicate the length of the data
field, in bytes.
When the status equals TAC_PLUS_ACCT_STATUS_FOLLOW, then the actions When the status equals TAC_PLUS_ACCT_STATUS_FOLLOW, then the actions
to be taken and the contents of the data field are identical to the to be taken and the contents of the data field are identical to the
TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication.
The server MUST terminate the session after sending a REPLY. The server MUST terminate the session after sending a REPLY.
The TAC_PLUS_ACCT_FLAG_START flag indicates that this is a start The TAC_PLUS_ACCT_FLAG_START flag indicates that this is a start
accounting message. Start messages should only be sent once when a accounting message. Start messages will only be sent once when a
task is started. The TAC_PLUS_ACCT_FLAG_STOP indicates that this is task is started. The TAC_PLUS_ACCT_FLAG_STOP indicates that this is
a stop record and that the task has terminated. The a stop record and that the task has terminated. The
TAC_PLUS_ACCT_FLAG_WATCHDOG flag means that this is an update record. TAC_PLUS_ACCT_FLAG_WATCHDOG flag means that this is an update record.
Update records are sent at the client's discretion when the task is Update records are sent at the client's discretion when the task is
still running. still running.
Summary of Accounting Packets Summary of Accounting Packets
+----------+-------+-------+-------------+-------------------------+ +----------+-------+-------+-------------+-------------------------+
| Watchdog | Stop | Start | Flags & 0xE | Meaning | | Watchdog | Stop | Start | Flags & 0xE | Meaning |
+----------+-------+-------+-------------+-------------------------+ +----------+-------+-------+-------------+-------------------------+
skipping to change at page 29, line 42 skipping to change at page 29, line 42
attributes when supporting the corresponding use cases. attributes when supporting the corresponding use cases.
All numeric values in an attribute-value string are provided as All numeric values in an attribute-value string are provided as
decimal US-ASCII numbers, unless otherwise stated. decimal US-ASCII numbers, unless otherwise stated.
All boolean attributes are encoded with values "true" or "false". All boolean attributes are encoded with values "true" or "false".
It is recommended that hosts be specified as a numeric address so as It is recommended that hosts be specified as a numeric address so as
to avoid any ambiguities. to avoid any ambiguities.
Absolute times should be specified in seconds since the epoch, Absolute times are specified in seconds since the epoch, 12:00am Jan
12:00am Jan 1 1970. The timezone MUST be UTC unless a timezone 1 1970. The timezone MUST be UTC unless a timezone attribute is
attribute is specified. specified.
Attributes may be submitted with no value, in which case they consist Attributes may be submitted with no value, in which case they consist
of the name and the mandatory or optional separator. For example, of the name and the mandatory or optional separator. For example,
the attribute "cmd" which has no value is transmitted as a string of the attribute "cmd" which has no value is transmitted as a string of
4 characters "cmd=" 4 characters "cmd="
7.1. Authorization Attributes 7.1. Authorization Attributes
service service
skipping to change at page 31, line 8 skipping to change at page 31, line 8
zonelist zonelist
A numeric zonelist value. (Applicable to AppleTalk only). A numeric zonelist value. (Applicable to AppleTalk only).
addr addr
a network address a network address
addr-pool addr-pool
The identifier of an address pool from which the client should assign The identifier of an address pool from which the client can assign an
an address. address.
routing routing
A boolean. Specifies whether routing information is to be propagated A boolean. Specifies whether routing information is to be propagated
to, and accepted from this interface. to, and accepted from this interface.
route route
Indicates a route that is to be applied to this interface. Values Indicates a route that is to be applied to this interface. Values
MUST be of the form "<dst_address> <mask> [<routing_addr>]". If a MUST be of the form "<dst_address> <mask> [<routing_addr>]". If a
<routing_addr> is not specified, the resulting route should be via <routing_addr> is not specified, the resulting route is via the
the requesting peer. requesting peer.
timeout timeout
an absolute timer for the connection (in minutes). A value of zero an absolute timer for the connection (in minutes). A value of zero
indicates no timeout. indicates no timeout.
idletime idletime
an idle-timeout for the connection (in minutes). A value of zero an idle-timeout for the connection (in minutes). A value of zero
indicates no timeout. indicates no timeout.
skipping to change at page 32, line 21 skipping to change at page 32, line 21
and host information to enable rhost style authorization. The and host information to enable rhost style authorization. The
response may request that a privilege level be set for the user. response may request that a privilege level be set for the user.
remote_host remote_host
remote host (authen_method must have the value remote host (authen_method must have the value
TAC_PLUS_AUTHEN_METH_RCMD) TAC_PLUS_AUTHEN_METH_RCMD)
callback-dialstring callback-dialstring
Indicates that callback should be done. Value is NULL, or a Indicates that callback is to be done. Value is NULL, or a
dialstring. A NULL value indicates that the service MAY choose to dialstring. A NULL value indicates that the service MAY choose to
get the dialstring through other means. get the dialstring through other means.
callback-line callback-line
The line number to use for a callback. The line number to use for a callback.
callback-rotary callback-rotary
The rotary number to use for a callback. The rotary number to use for a callback.
nocallback-verify nocallback-verify
Do not require authentication after callback. Do not require authentication after callback.
7.2. Accounting Attributes 7.2. Accounting Attributes
The following new attributes are defined for TACACS+ accounting only. The following new attributes are defined for TACACS+ accounting only.
When these attribute-value pairs are included in the argument list, When these attribute-value pairs are included in the argument list,
they should precede any attribute-value pairs that are defined in the they will precede any attribute-value pairs that are defined in the
authorization section (Section 5) above. authorization section (Section 5) above.
task_id task_id
Start and stop records for the same event MUST have matching task_id Start and stop records for the same event MUST have matching task_id
attribute values. The client must not reuse a specific task_id in a attribute values. The client must not reuse a specific task_id in a
start record until it has sent a stop record for that task_id. start record until it has sent a stop record for that task_id.
start_time start_time
skipping to change at page 35, line 5 skipping to change at page 35, line 5
- In the packet headers for Authentication, Authorization and - In the packet headers for Authentication, Authorization and
Accounting. The privilege level in the header is primarily Accounting. The privilege level in the header is primarily
significant in the Authentication phase for enable authentication significant in the Authentication phase for enable authentication
where a different privilege level is required. where a different privilege level is required.
The use of Privilege levels to determine session-based access to The use of Privilege levels to determine session-based access to
commands and resources is not mandatory for clients, but it is in commands and resources is not mandatory for clients, but it is in
common use so SHOULD be supported by servers. common use so SHOULD be supported by servers.
9. References 9. TACACS+ Security Considerations
The protocol described in this document has been in widespread use
since specified in "The Draft" (1998). However it does not meet
modern security standards, and faces vulnerabilities with privacy and
authenticity.
For current deployments, it is recommended:
To separate the TACACS+ management traffic from the regular
network access traffic.
To use IPsec where available.
Because of the security issues with TACACS+, the authors intend to
follow up this document with an enhanced specification of the
protocol employing modern security mechanisms.
10. References
[TheDraft] [TheDraft]
Carrel, D. and L. Grant, "The TACACS+ Protocol Version Carrel, D. and L. Grant, "The TACACS+ Protocol Version
1.78", June 1997, <https://tools.ietf.org/html/draft- 1.78", June 1997, <https://tools.ietf.org/html/draft-
grant-tacacs-02>. grant-tacacs-02>.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992. April 1992.
[RFC1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols", [RFC1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols",
 End of changes. 99 change blocks. 
150 lines changed or deleted 180 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/