draft-ietf-opsawg-tacacs-07.txt   draft-ietf-opsawg-tacacs-08.txt 
Operations T. Dahm Operations T. Dahm
Internet-Draft A. Ota Internet-Draft A. Ota
Intended status: Informational Google Inc Intended status: Informational Google Inc
Expires: February 22, 2018 D. Medway Gash Expires: August 23, 2018 D. Medway Gash
Cisco Systems, Inc. Cisco Systems, Inc.
D. Carrel D. Carrel
vIPtela, Inc. vIPtela, Inc.
L. Grant L. Grant
August 21, 2017 February 19, 2018
The TACACS+ Protocol The TACACS+ Protocol
draft-ietf-opsawg-tacacs-07 draft-ietf-opsawg-tacacs-08
Abstract Abstract
TACACS+ provides Device Administration for routers, network access TACACS+ provides Device Administration for routers, network access
servers and other networked computing devices via one or more servers and other networked computing devices via one or more
centralized servers. This document describes the protocol that is centralized servers. This document describes the protocol that is
used by TACACS+. used by TACACS+.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 22, 2018. This Internet-Draft will expire on August 23, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this 10, 2008. The person(s) controlling the copyright in some of this
skipping to change at page 2, line 27 skipping to change at page 2, line 27
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Technical Definitions . . . . . . . . . . . . . . . . . . . . 4 2. Technical Definitions . . . . . . . . . . . . . . . . . . . . 4
3. TACACS+ Connections and Sessions . . . . . . . . . . . . . . 4 3. TACACS+ Connections and Sessions . . . . . . . . . . . . . . 4
3.1. Connection . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Connection . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Session . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Session . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.3. Single Connect Mode . . . . . . . . . . . . . . . . . . . 5 3.3. Single Connection Mode . . . . . . . . . . . . . . . . . 5
3.4. Session Completion . . . . . . . . . . . . . . . . . . . 5 3.4. Session Completion . . . . . . . . . . . . . . . . . . . 6
3.5. Treatment of Enumerated Protocol Values . . . . . . . . . 6 3.5. Treatment of Enumerated Protocol Values . . . . . . . . . 7
3.6. Text Encoding . . . . . . . . . . . . . . . . . . . . . . 7 3.6. Text Encoding . . . . . . . . . . . . . . . . . . . . . . 7
3.7. Data Obfuscation . . . . . . . . . . . . . . . . . . . . 7 3.7. Data Obfuscation . . . . . . . . . . . . . . . . . . . . 7
3.8. The TACACS+ Packet Header . . . . . . . . . . . . . . . . 9 3.8. The TACACS+ Packet Header . . . . . . . . . . . . . . . . 9
3.9. The TACACS+ Packet Body . . . . . . . . . . . . . . . . . 11 3.9. The TACACS+ Packet Body . . . . . . . . . . . . . . . . . 11
4. Authentication . . . . . . . . . . . . . . . . . . . . . . . 11 4. Authentication . . . . . . . . . . . . . . . . . . . . . . . 11
4.1. The Authentication START Packet Body . . . . . . . . . . 11 4.1. The Authentication START Packet Body . . . . . . . . . . 12
4.2. The Authentication REPLY Packet Body . . . . . . . . . . 14 4.2. The Authentication REPLY Packet Body . . . . . . . . . . 14
4.3. The Authentication CONTINUE Packet Body . . . . . . . . . 15 4.3. The Authentication CONTINUE Packet Body . . . . . . . . . 16
4.4. Description of Authentication Process . . . . . . . . . . 16 4.4. Description of Authentication Process . . . . . . . . . . 16
4.4.1. Version Behaviour . . . . . . . . . . . . . . . . . . 17 4.4.1. Version Behaviour . . . . . . . . . . . . . . . . . . 17
4.4.2. Common Authentication Flows . . . . . . . . . . . . . 17 4.4.2. Common Authentication Flows . . . . . . . . . . . . . 18
4.4.3. Aborting an Authentication Session . . . . . . . . . 21 4.4.3. Aborting an Authentication Session . . . . . . . . . 21
5. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 22 5. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 22
5.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 5.1. The Authorization REQUEST Packet Body . . . . . . . . . . 22
5.2. The Authorization REPLY Packet Body . . . . . . . . . . . 26 5.2. The Authorization REPLY Packet Body . . . . . . . . . . . 26
6. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 27 6. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 27
6.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 28 6.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 28
6.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 29 6.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 29
7. Attribute-Value Pairs . . . . . . . . . . . . . . . . . . . . 30 7. Attribute-Value Pairs . . . . . . . . . . . . . . . . . . . . 30
7.1. Authorization Attributes . . . . . . . . . . . . . . . . 31 7.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 31
7.2. Accounting Attributes . . . . . . . . . . . . . . . . . . 34 7.2. Authorization Attributes . . . . . . . . . . . . . . . . 31
7.3. Accounting Attributes . . . . . . . . . . . . . . . . . . 34
8. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 35 8. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 35
9. TACACS+ Security Considerations . . . . . . . . . . . . . . . 36 9. TACACS+ Security Considerations . . . . . . . . . . . . . . . 36
9.1. Overall Security of The Protocol . . . . . . . . . . . . 36 9.1. General Security of The Protocol . . . . . . . . . . . . 36
9.2. Security of Authentication Sessions . . . . . . . . . . . 38 9.2. Security of Authentication Sessions . . . . . . . . . . . 38
9.3. Security of Authorization Sessions . . . . . . . . . . . 38 9.3. Security of Authorization Sessions . . . . . . . . . . . 38
9.4. Security of Accounting Sessions . . . . . . . . . . . . . 38 9.4. Security of Accounting Sessions . . . . . . . . . . . . . 39
9.5. TACACS+ Deployment Recommendations . . . . . . . . . . . 39 9.5. TACACS+ Deployment Recommendations . . . . . . . . . . . 39
9.6. TACACS+ Client Implementation Recommendations . . . . . . 39 9.6. TACACS+ Client Implementation Recommendations . . . . . . 40
9.7. TACACS+ Server Implementation Recommendations . . . . . . 40 9.7. TACACS+ Server Implementation Recommendations . . . . . . 41
9.8. TACACS+ Security and Operational Concerns . . . . . . . . 40 9.8. TACACS+ Security and Operational Concerns . . . . . . . . 41
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42
1. Introduction 1. Introduction
Terminal Access Controller Access-Control System Plus (TACACS+) was Terminal Access Controller Access-Control System Plus (TACACS+) was
originally conceived as a general Authentication, Authorization and originally conceived as a general Authentication, Authorization and
Accounting protocol. It is primarily used today for Device Accounting protocol. It is primarily used today for Device
Administration: authenticating access to network devices, providing Administration: authenticating access to network devices, providing
central authorization of operations, and audit of those operations. central authorization of operations, and audit of those operations.
A wide range of TACACS+ clients and servers are already deployed in A wide range of TACACS+ clients and servers are already deployed in
skipping to change at page 3, line 42 skipping to change at page 3, line 43
document will conform to `The Draft'. However, attention is drawn to document will conform to `The Draft'. However, attention is drawn to
the following specific adjustments of the protocol specification from the following specific adjustments of the protocol specification from
'The Draft': 'The Draft':
This document officially removes SENDPASS for security reasons. This document officially removes SENDPASS for security reasons.
The normative description of Legacy features such as ARAP and The normative description of Legacy features such as ARAP and
outbound authentication have been removed, however the required outbound authentication have been removed, however the required
enumerations are kept. enumerations are kept.
The Support for forwarding to an alternative daemon
(TAC_PLUS_AUTHEN_STATUS_FOLLOW) has been deprecated.
The TACACS+ protocol separates the functions of Authentication, The TACACS+ protocol separates the functions of Authentication,
Authorization and Accounting. It allows for arbitrary length and Authorization and Accounting. It allows for arbitrary length and
content authentication exchanges, which will support any content authentication exchanges, to support future authentication
authentication mechanism to be utilized with TACACS+ clients. It is mechanisms. It is extensible to provide for site customization and
extensible to provide for site customization and future development future development features, and it uses TCP to ensure reliable
features, and it uses TCP to ensure reliable delivery. The protocol delivery. The protocol allows the TACACS+ client to request very
allows the TACACS+ client to request very fine-grained access control fine-grained access control and allows the server to respond to each
and allows the server to respond to each component of that request. component of that request.
The separation of authentication, authorization and accounting is a The separation of authentication, authorization and accounting was a
fundamental component of the design of TACACS+. The distinction key element of the design of TACACS+ protocol. Essentially it makes
between them is very important so this document will address each one TACACS+ a suite of three protocols. This document will address each
separately. It is important to note that TACACS+ provides for all one in separate sections. Although TACACS+ defines all three, but an
three, but an implementation or configuration is not required to implementation or configuration is not required to employ all three.
employ all three. Each one serves a unique purpose that alone is Separating the elements is useful for Device Administration use case,
useful, and together can be quite powerful. specifically, for authorization of individual commands in a session.
Note that there is no provision made at the protocol level for
association of an authentication to each authroization request.
This document restricts itself to a description of the protocol that This document restricts itself to a description of the protocol that
is used by TACACS+. It does not cover deployment or best practices. is used by TACACS+. It does not cover deployment or best practices.
2. Technical Definitions 2. Technical Definitions
This section provides a few basic definitions that are applicable to This section provides a few basic definitions that are applicable to
this document this document
Client Client
The client is any device, (often a Network Access Server) that The client is any device, (often a Network Access Server) that
provides access services. The clients usually provide a character provides access services. The clients usually provide a character
mode front end and then allow the user to telnet or rlogin to another mode front end and then allow the user to telnet or rlogin to another
host. A client may also support protocol based access services. host.
Server Server
The server receives TACACS+ protocol requests, and replies according The server receives TACACS+ protocol requests, and replies according
to its business model, in accordance with the flows defined in this to its business model, in accordance with the flows defined in this
document. document.
Packet Packet
All uses of the word packet in this document refer to TACACS+ All uses of the word packet in this document refer to TACACS+
skipping to change at page 5, line 8 skipping to change at page 5, line 18
session is a single authentication sequence, a single authorization session is a single authentication sequence, a single authorization
exchange, or a single accounting exchange. exchange, or a single accounting exchange.
An accounting and authorization session will consist of a single pair An accounting and authorization session will consist of a single pair
of packets (the request and its reply). An authentication session of packets (the request and its reply). An authentication session
may involve an arbitrary number of packets being exchanged. The may involve an arbitrary number of packets being exchanged. The
session is an operational concept that is maintained between the session is an operational concept that is maintained between the
TACACS+ client and server. It does not necessarily correspond to a TACACS+ client and server. It does not necessarily correspond to a
given user or user action. given user or user action.
3.3. Single Connect Mode 3.3. Single Connection Mode
Single Connection Mode is intended to improve performance by allowing Single Connection Mode is intended to improve performance by allowing
a client to multiplex multiple session on a single TCP connection. a client to multiplex multiple session on a single TCP connection.
The packet header contains the TAC_PLUS_SINGLE_CONNECT_FLAG used by The packet header contains the TAC_PLUS_SINGLE_CONNECT_FLAG used by
the client and server to negotiate the use of Single Connect Mode. the client and server to negotiate the use of Single Connect Mode.
The client sets this flag, to indicate that it supports multiplexing The client sets this flag, to indicate that it supports multiplexing
TACACS+ sessions over a single TCP connection. The client MUST NOT TACACS+ sessions over a single TCP connection. The client MUST NOT
send a second packet on a connection until single-connect status has send a second packet on a connection until single-connect status has
been established. been established.
To indicate it will support Single Connect Mode, the server sets this To indicate it will support Single Connection Mode, the server sets
flag in the first reply packet in response to the first request from this flag in the first reply packet in response to the first request
a client. The server may set this flag even if the client does not from a client. The server may set this flag even if the client does
set it, but the client may ignore the flag and close the connection not set it, but the client may ignore the flag and close the
after the session completes. connection after the session completes.
The flag is only relevant for the first two packets on a connection, The flag is only relevant for the first two packets on a connection,
to allow the client and server to establish Single Connect Mode. to allow the client and server to establish Single Connection Mode.
This protocol does not define a procedure for changing Single Connect No provision is made for changing Single Connection Mode after the
Mode after the first two packets. first two packets: the client and server MUST ignore the flag after
the second packet on a connection.
If single Connect Mode has not been established in the first two If single Connection Mode has not been established in the first two
packets of a TCP connection, then both the client and the server packets of a TCP connection, then both the client and the server
close the connection at the end of the first session. close the connection at the end of the first session.
The client negotiates single Connection Mode to improve efficiency. The client negotiates single Connection Mode to improve efficiency.
The server may refuse to allow Single connection Mode for the client. The server may refuse to allow Single connection Mode for the client.
For example it may not fit the specific deployment to allocate a long For example, it may not be appropriate to allocate a long lasting TCP
lasting TCP connection to a specific client. Even if the server is connection to a specific client in some deployments. Even if the
configured to permit single Connection Mode for a specific client, server is configured to permit single Connection Mode for a specific
the server may close the connection. For example: a server may be client, the server may close the connection. For example: a server
configured to time out a Single Connection Mode TCP Connection after may be configured to time out a Single Connection Mode TCP Connection
a specific period of inactivity to preserve its resources. The after a specific period of inactivity to preserve its resources. The
client MUST accommodate such closures on a TCP session even after client MUST accommodate such closures on a TCP session even after
Single Conenction Mode has been established. Single Connection Mode has been established.
3.4. Session Completion 3.4. Session Completion
The REPLY packets defined for the packets types in the sections below The REPLY packets defined for the packets types in the sections below
(Authentication, Authorization and Accounting) contain a status (Authentication, Authorization and Accounting) contain a status
field. The complete set of options for this field depend upon the field. The complete set of options for this field depend upon the
packet type, but all three REPLY packet types define values packet type, but all three REPLY packet types define values
representing PASS, ERROR and FAIL, which indicate the last packet of representing PASS, ERROR and FAIL, which indicate the last packet of
a regular session (one which is not aborted). a regular session (one which is not aborted).
skipping to change at page 6, line 22 skipping to change at page 6, line 32
The server responds with an ERROR to indicate that the processing of The server responds with an ERROR to indicate that the processing of
the request did not complete. The client can not apply the result the request did not complete. The client can not apply the result
and it MUST behave as if the server could not be connected to. For and it MUST behave as if the server could not be connected to. For
example, the client try alternative methods, if they are available, example, the client try alternative methods, if they are available,
such as sending the request to a backup server, or using local such as sending the request to a backup server, or using local
configuration to determine whether the action which prompted the configuration to determine whether the action which prompted the
request should be executed. request should be executed.
Refer to the section (Section 4.4.3) on Aborting Authentication Refer to the section (Section 4.4.3) on Aborting Authentication
Sessions for details on handling additional status options . Sessions for details on handling additional status options.
When the session is complete, then the TCP connection should be When the session is complete, then the TCP connection should be
handled as follows, according to whether Single Connect Mode was handled as follows, according to whether Single Connection Mode was
negotiated: negotiated:
If Single Connection Mode was not negotiated, then the connection If Single Connection Mode was not negotiated, then the connection
should be closed should be closed
If Single Connection Mode was enabled, then the connection SHOULD be If Single Connection Mode was enabled, then the connection SHOULD be
left open (see section (Section 3.3) ), but may still be closed after left open (see section (Section 3.3) ), but may still be closed after
a timeout period to preserve deployment resources a timeout period to preserve deployment resources
If Single Connection Mode was enabled, but an ERROR occurred due to If Single Connection Mode was enabled, but an ERROR occurred due to
connection issues (such as an incorrect secret, see section connection issues (such as an incorrect secret, see section
(Section 3.7) ), then any further new sessions MUST NOT be accepted (Section 3.7) ), then any further new sessions MUST NOT be accepted
on the connection. If there are any sessions that have already been on the connection. If there are any sessions that have already been
established then they MAY be completed. Once all active sessions are established then they MAY be completed. Once all active sessions are
completed then the connection MUST be closed. completed then the connection MUST be closed.
It is recommended that client implementations provide robust schemes
for dealing with servers which cannot be connected to. Options
include providing a list of servers for redundancy, and an option for
a local fallback configuration if no servers can be reached. Details
will be implmentation specific.
The client should manage connections and handle the case of a server
which establishes a connection, but does not respond. The exact
behavior is implementation specific. It is recommended that the
client should close the connection after a configurable timeout.
3.5. Treatment of Enumerated Protocol Values 3.5. Treatment of Enumerated Protocol Values
This document describes various enumerated values in the packet This document describes various enumerated values in the packet
header and the headers for specific packet types. for example in the header and the headers for specific packet types. for example in the
Authentication start packet type, this document defines the action Authentication start packet type, this document defines the action
field with three values TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_CHPASS field with three values TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_CHPASS
and TAC_PLUS_AUTHEN_SENDAUTH. and TAC_PLUS_AUTHEN_SENDAUTH.
If the server does not implement one of the defined options in a If the server does not implement one of the defined options in a
packet that it receives, or it encounters an option that is not packet that it receives, or it encounters an option that is not
skipping to change at page 7, line 15 skipping to change at page 7, line 37
with a ERROR and terminate the session. This will allow the client with a ERROR and terminate the session. This will allow the client
to try a different option. to try a different option.
If an error occurs but the type of the incoming packet cannot be If an error occurs but the type of the incoming packet cannot be
determined, a packet with the identical cleartext header but with a determined, a packet with the identical cleartext header but with a
sequence number incremented by one and the length set to zero MUST be sequence number incremented by one and the length set to zero MUST be
returned to indicate an error. returned to indicate an error.
3.6. Text Encoding 3.6. Text Encoding
All text fields in TACACS+ MUST be US-ASCII, excepting special All text fields in TACACS+ MUST be printable US-ASCII, excepting
consideration given to user field and data fields used for passwords. special consideration given to user field and data fields used for
passwords.
To ensure interoperability of current deployments, the TACACS+ client To ensure interoperability of current deployments, the TACACS+ client
and server MUST handle user fields and those data fields used for and server MUST handle user fields and those data fields used for
passwords as 8 bit octet strings. The deployment operator MUST passwords as 8 bit octet strings. The deployment operator MUST
ensure that consistent character encoding is applied. The encoding ensure that consistent character encoding is applied from the end
SHOULD be UTF-8, and other encodings outside US-ASCII SHOULD be client to the server. The encoding SHOULD be UTF-8, and other
deprecated. encodings outside printable US-ASCII SHOULD be deprecated.
3.7. Data Obfuscation 3.7. Data Obfuscation
The body of packets may be obfuscated. The following sections The body of packets may be obfuscated. The following sections
describe the obfuscation mechanism that is supported in the protocol. describe the obfuscation method that is supported in the protocol.
In 'The Draft' this process was actually referred to as Encryption, In 'The Draft' this process was actually referred to as Encryption,
but by modern day standards the mechanims would not meet the but the algorithm would not meet modern standards, and so will not be
requirements of an encryption mechanism. termed as encryption in this document.
The obfuscation mechanism relies on a secret key, it is referring to The obfuscation mechanism relies on a secret key, a shared secret
a shared secret value that is known to both the client and the value that is known to both the client and the server. This document
server. This document does not discuss the management and storage of does not discuss the management and storage of those keys, other than
those keys. It is an implementation detail of the server and client, to require that the secret keys MUST remain secret.
as to whether they will maintain only one key, or a different key for
each client or server with which they communicate. For security Server implementations MUST allow a unique secret key to be
reasons, the latter options MUST be available, but it is a site associated with every client. It is a site dependent decision as to
dependent decision as to whether the use of separate keys is whether the use of separate keys is appropriate.
appropriate.
The flag field may be set as follows: The flag field may be set as follows:
TAC_PLUS_UNENCRYPTED_FLAG == 0x0 TAC_PLUS_UNENCRYPTED_FLAG = 0x0
In this case, the packet body is obfuscated by XOR-ing it byte-wise In this case, the packet body is obfuscated by XOR-ing it byte-wise
with a pseudo random pad. with a pseudo random pad.
ENCRYPTED {data} == data ^ pseudo_pad ENCRYPTED {data} = data ^ pseudo_pad
The packet body can then be de-obfuscated by XOR-ing it byte-wise
with a pseudo random pad.
data = ENCRYPTED {data} ^ pseudo_pad
The pad is generated by concatenating a series of MD5 hashes (each 16 The pad is generated by concatenating a series of MD5 hashes (each 16
bytes long) and truncating it to the length of the input data. bytes long) and truncating it to the length of the input data.
Whenever used in this document, MD5 refers to the "RSA Data Security, Whenever used in this document, MD5 refers to the "RSA Data Security,
Inc. MD5 Message-Digest Algorithm" as specified in RFC 1321 [RFC1321] Inc. MD5 Message-Digest Algorithm" as specified in RFC 1321 [RFC1321]
. .
pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data) pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data)
The first MD5 hash is generated by concatenating the session_id, the The first MD5 hash is generated by concatenating the session_id, the
secret key, the version number and the sequence number and then secret key, the version number and the sequence number and then
running MD5 over that stream. All of those input values are running MD5 over that stream. All of those input values are
available in the packet header, except for the secret key which is a available in the packet header, except for the secret key which is a
shared secret between the TACACS+ client and server. shared secret between the TACACS+ client and server.
The version number is the one byte concatenation of the major and The version number and session_id are used as extracted from the
minor version numbers. header
The session id is used in network byte order.
Subsequent hashes are generated by using the same input stream, but Subsequent hashes are generated by using the same input stream, but
concatenating the previous hash value at the end of the input stream. concatenating the previous hash value at the end of the input stream.
MD5_1 = MD5{session_id, key, version, seq_no} MD5_2 = MD5{session_id, MD5_1 = MD5{session_id, key, version, seq_no} MD5_2 = MD5{session_id,
key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key, key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key,
version, seq_no, MD5_n-1} version, seq_no, MD5_n-1}
When a server detects that the secret(s) it has configured for the When a server detects that the secret(s) it has configured for the
device mismatch, it MUST return ERROR. The handling of the TCP device mismatch, it MUST return ERROR. For details of TCP connection
connection by the server is implementation independent. handling on ERROR, refer to section section (Section 3.4)
TAC_PLUS_UNENCRYPTED_FLAG == 0x1 TAC_PLUS_UNENCRYPTED_FLAG == 0x1
In this case, the entire packet body is in cleartext. Obfuscation In this case, the entire packet body is in cleartext. Obfuscation
and de-obfuscation are null operations. This method should be and de-obfuscation are null operations. This method should be
avoided unless absolutely required for debug purposes, when tooling avoided unless absolutely required for debug purposes, when tooling
does not permit de-obfuscation. does not permit de-obfuscation.
If deployment is configured for obfuscating a connection then do no If deployment is configured for obfuscating a connection then the
skip de-obfuscation simply because an incoming packet indicates that request MUST be dropped if TAC_PLUS_UNENCRYPTED_FLAG is set to true.
it is not obfuscated. If the flag is not set when expected, then it
must be dropped.
After a packet body is de-obfuscated, the lengths of the component After a packet body is de-obfuscated, the lengths of the component
values in the packet are summed. If the sum is not identical to the values in the packet are summed. If the sum is not identical to the
cleartext datalength value from the header, the packet MUST be cleartext datalength value from the header, the packet MUST be
discarded, and an error signalled. The underlying TCP connection MAY discarded, and an ERROR signaled. For details of TCP connection
also be closed, if it is not being used for other sessions in single- handling on ERROR, refer to section (Section 3.4)
connect mode.
Commonly such failures are seen when the keys are mismatched between Commonly such failures are seen when the keys are mismatched between
the client and the TACACS+ server. the client and the TACACS+ server.
If an error must be declared but the type of the incoming packet
cannot be determined, a packet with the identical cleartext header
but with a sequence number incremented by one and the length set to
zero MUST be returned to indicate an error.
3.8. The TACACS+ Packet Header 3.8. The TACACS+ Packet Header
All TACACS+ packets begin with the following 12 byte header. The All TACACS+ packets begin with the following 12 byte header. The
header describes the remainder of the packet: header describes the remainder of the packet:
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
|major | minor | | | | |major | minor | | | |
|version| version| type | seq_no | flags | |version| version| type | seq_no | flags |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
skipping to change at page 10, line 28 skipping to change at page 10, line 45
sequence number of 1. sequence number of 1.
flags flags
This field contains various bitmapped flags. This field contains various bitmapped flags.
The flag bit: The flag bit:
TAC_PLUS_UNENCRYPTED_FLAG := 0x01 TAC_PLUS_UNENCRYPTED_FLAG := 0x01
This flag indicates that the sender did not obfuscate the bode of the This flag indicates that the sender did not obfuscate the body of the
packet. The application of this flag will be covered in the security packet. The application of this flag will be covered in the security
section (Section 9) . section. section (Section 9) .
This flag SHOULD be clear in all deployments. Modern network traffic This flag SHOULD be clear in all deployments. Modern network traffic
tools easily support encryted traffic when configured with the shared tools support encrypted traffic when configured with the shared
secret (see section below), so even in test scenarios, the obfuscated secret (see section below), so obfuscated mode can and SHOULD be used
mode SHOULD be used. even during test.
The single-connection flag: The single-connection flag:
TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04 TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04
This flag is used to allow a client and server to negotiate Single This flag is used to allow a client and server to negotiate Single
Connection Mode. Connection Mode.
session_id session_id
skipping to change at page 11, line 16 skipping to change at page 11, line 32
The total length of the packet body (not including the header). The total length of the packet body (not including the header).
3.9. The TACACS+ Packet Body 3.9. The TACACS+ Packet Body
The TACACS+ body types are defined in the packet header. The next The TACACS+ body types are defined in the packet header. The next
sections of this document will address the contents of the different sections of this document will address the contents of the different
TACACS+ bodies. The following general rules apply to all TACACS+ TACACS+ bodies. The following general rules apply to all TACACS+
body types: body types:
- To signal that any variable length data fields are unused, their - To signal that any variable length data fields are unused, their
length value is set to zero. length value is set to zero. Such fields MUST be ignored, and
treated as if not present.
- the lengths of data and message fields in a packet are specified - the lengths of data and message fields in a packet are specified
by their corresponding length fields, (and are not null by their corresponding length fields, (and are not null
terminated.) terminated.)
- All length values are unsigned and in network byte order. - All length values are unsigned and in network byte order.
4. Authentication 4. Authentication
Authentication is the action of determining who a user (or entity) Authentication is the action of determining who a user (or entity)
is. Authentication can take many forms. Traditional authentication is. Authentication can take many forms. Traditional authentication
utilizes a name and a fixed password. However, fixed passwords have employs a name and a fixed password. However, fixed passwords are
limitations, mainly in the area of security. Many modern vulnerable security, so many modern authentication mechanisms utilize
authentication mechanisms utilize "one-time" passwords or a "one-time" passwords or a challenge-response query. TACACS+ is
challenge-response query. TACACS+ is designed to support all of designed to support all of these, and be flexible enough to handle
these, and be powerful enough to handle any future mechanisms. any future mechanisms. Authentication generally takes place when the
Authentication generally takes place when the user first logs in to a user first logs in to a machine or requests a service of it.
machine or requests a service of it.
Authentication is not mandatory; it is a site-configured option. Authentication is not mandatory; it is a site-configured option.
Some sites do not require it. Others require it only for certain Some sites do not require it. Others require it only for certain
services (see authorization below). Authentication may also take services (see authorization below). Authentication may also take
place when a user attempts to gain extra privileges, and must place when a user attempts to gain extra privileges, and must
identify himself or herself as someone who possesses the required identify himself or herself as someone who possesses the required
information (passwords, etc.) for those privileges. information (passwords, etc.) for those privileges.
4.1. The Authentication START Packet Body 4.1. The Authentication START Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| action | priv_lvl | authen_type | authen_service | | action | priv_lvl | authen_type | authen_service |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user_len | port_len | rem_addr_len | data_len | | user_len | port_len | rem_addr_len | data_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user ... | user ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| port ... | port ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
skipping to change at page 13, line 34 skipping to change at page 13, line 43
TAC_PLUS_AUTHEN_SVC_X25 := 0x07 TAC_PLUS_AUTHEN_SVC_X25 := 0x07
TAC_PLUS_AUTHEN_SVC_NASI := 0x08 TAC_PLUS_AUTHEN_SVC_NASI := 0x08
TAC_PLUS_AUTHEN_SVC_FWPROXY := 0x09 TAC_PLUS_AUTHEN_SVC_FWPROXY := 0x09
The TAC_PLUS_AUTHEN_SVC_NONE option is intended for the authorization The TAC_PLUS_AUTHEN_SVC_NONE option is intended for the authorization
application of this field that indicates that no authentication was application of this field that indicates that no authentication was
performed by the device. performed by the device.
The TAC_PLUS_AUTHEN_SVC_LOGIN option is identifies regular login (as The TAC_PLUS_AUTHEN_SVC_LOGIN option indicates regular login (as
opposed to ENABLE) to a client device. opposed to ENABLE) to a client device.
The TAC_PLUS_AUTHEN_SVC_ENABLE option identifies the ENABLE The TAC_PLUS_AUTHEN_SVC_ENABLE option identifies the ENABLE
authen_service, which refers to a service requesting authentication authen_service, which refers to a service requesting authentication
in order to grant the user different privileges. This is comparable in order to grant the user different privileges. This is comparable
to the Unix "su(1)" command. An authen_service value of NONE is only to the Unix "su(1)" command. An authen_service value of NONE is only
to be used when none of the other authen_service values are to be used when none of the other authen_service values are
appropriate. ENABLE may be requested independently, no requirements appropriate. ENABLE may be requested independently, no requirements
for previous authentications or authorizations are imposed by the for previous authentications or authorizations are imposed by the
protocol. protocol.
skipping to change at page 14, line 4 skipping to change at page 14, line 13
appropriate. ENABLE may be requested independently, no requirements appropriate. ENABLE may be requested independently, no requirements
for previous authentications or authorizations are imposed by the for previous authentications or authorizations are imposed by the
protocol. protocol.
Other options are included for legacy/backwards compatibility. Other options are included for legacy/backwards compatibility.
user, user_len user, user_len
The username is optional in this packet, depending upon the class of The username is optional in this packet, depending upon the class of
authentication. If it is absent, the client MUST set user_len to 0. authentication. If it is absent, the client MUST set user_len to 0.
If included, the user_len indicates the length of the user field, in If included, the user_len indicates the length of the user field, in
bytes. bytes.
port, port_len port, port_len
The US-ASCII name of the client port on which the authentication is The printable US-ASCII name of the client port on which the
taking place, and its length in bytes. The value of this field is authentication is taking place, and its length in bytes. The value
client specific. (For example, Cisco uses "tty10" to denote the of this field is client specific. (For example, Cisco uses "tty10"
tenth tty line and "Async10" to denote the tenth async interface). to denote the tenth tty line and "Async10" to denote the tenth async
The port_len indicates the length of the port field, in bytes. interface). The port_len indicates the length of the port field, in
bytes.
rem_addr, rem_addr_len rem_addr, rem_addr_len
An US-ASCII string indicating the remote location from which the user A printable US-ASCII string indicating the remote location from which
has connected to the client. It is intended to hold a network the user has connected to the client. It is intended to hold a
address if the user is connected via a network, a caller ID is the network address if the user is connected via a network, a caller ID
user is connected via ISDN or a POTS, or any other remote location is the user is connected via ISDN or a POTS, or any other remote
information that is available. This field is optional (since the location information that is available. This field is optional
information may not be available). The rem_addr_len indicates the (since the information may not be available). The rem_addr_len
length of the user field, in bytes. indicates the length of the user field, in bytes.
data, data_len data, data_len
This field is used to send data appropriate for the action and This field is used to send data appropriate for the action and
authen_type. It is described in more detail in the section Common authen_type. It is described in more detail in the section Common
Authentication flows (Section 4.4.2) . The data_len indicates the Authentication flows (Section 4.4.2) . The data_len indicates the
length of the data field, in bytes. length of the data field, in bytes.
4.2. The Authentication REPLY Packet Body 4.2. The Authentication REPLY Packet Body
skipping to change at page 15, line 27 skipping to change at page 15, line 43
flags flags
Bitmapped flags that modify the action to be taken. The following Bitmapped flags that modify the action to be taken. The following
values are defined: values are defined:
TAC_PLUS_REPLY_FLAG_NOECHO := 0x01 TAC_PLUS_REPLY_FLAG_NOECHO := 0x01
server_msg, server_msg_len server_msg, server_msg_len
A message to be displayed to the user. This field is optional. If A message to be displayed to the user. This field is optional. The
it exists, it is intended to be presented to the user. US-ASCII printable US-ASCII charset MUST be used. The server_msg_len
charset MUST be used. The server_msg_len indicates the length of the indicates the length of the server_msg field, in bytes.
server_msg field, in bytes.
data, data_len data, data_len
This field holds data that is a part of the authentication exchange This field holds data that is a part of the authentication exchange
and is intended for the client, not the user. Examples of its use and is intended for the client, not the user. Examples of its use
are shown in the section Common Authentication flows (Section 4.4.2) are shown in the section Common Authentication flows (Section 4.4.2)
. The data_len indicates the length of the data field, in bytes. . The data_len indicates the length of the data field, in bytes.
4.3. The Authentication CONTINUE Packet Body 4.3. The Authentication CONTINUE Packet Body
skipping to change at page 16, line 33 skipping to change at page 16, line 48
TAC_PLUS_CONTINUE_FLAG_ABORT := 0x01 TAC_PLUS_CONTINUE_FLAG_ABORT := 0x01
4.4. Description of Authentication Process 4.4. Description of Authentication Process
The action, authen_type and authen_service fields (described above) The action, authen_type and authen_service fields (described above)
combine to indicate what kind of authentication is to be performed. combine to indicate what kind of authentication is to be performed.
Every authentication START, REPLY and CONTINUE packet includes a data Every authentication START, REPLY and CONTINUE packet includes a data
field. The use of this field is dependent upon the kind of the field. The use of this field is dependent upon the kind of the
Authentication. Authentication.
This document defines a standard set of the kinds of authentication This document defines a core set of authentication flows to be
supported by TACACS+. Each authentication flow consists of a START supported by TACACS+. Each authentication flow consists of a START
packet. The server responds either with a request for more packet. The server responds either with a request for more
information (GETDATA, GETUSER or GETPASS) or a termination PASS, information (GETDATA, GETUSER or GETPASS) or a termination PASS,
FAIL, ERROR, RESTART or FOLLOW. The actions and meanings when the FAIL, ERROR or RESTART. The actions and meanings when the server
server sends a RESTART, ERROR or FOLLOW are common and are described sends a RESTART or ERROR are common and are described further below.
further below.
When the REPLY status equals TAC_PLUS_AUTHEN_STATUS_GETDATA, When the REPLY status equals TAC_PLUS_AUTHEN_STATUS_GETDATA,
TAC_PLUS_AUTHEN_STATUS_GETUSER or TAC_PLUS_AUTHEN_STATUS_GETPASS, TAC_PLUS_AUTHEN_STATUS_GETUSER or TAC_PLUS_AUTHEN_STATUS_GETPASS,
then authentication continues and the server SHOULD provide then authentication continues and the server SHOULD provide
server_msg content for the client to prompt the user for more server_msg content for the client to prompt the user for more
information. The client MUST then return a CONTINUE packet information. The client MUST then return a CONTINUE packet
containing the requested information in the user_msg field. containing the requested information in the user_msg field.
The client should interpret TAC_PLUS_AUTHEN_STATUS_GETUSER as a The client should interpret TAC_PLUS_AUTHEN_STATUS_GETUSER as a
request for username and TAC_PLUS_AUTHEN_STATUS_GETPASS as a request request for username and TAC_PLUS_AUTHEN_STATUS_GETPASS as a request
skipping to change at page 17, line 38 skipping to change at page 18, line 5
The '-' symbol represents that the option is not valid. The '-' symbol represents that the option is not valid.
All authorisation and accounting and ASCII authentication use All authorisation and accounting and ASCII authentication use
minor_version number of 0. minor_version number of 0.
PAP, CHAP and MS-CHAP login use minor_version 1. The normal exchange PAP, CHAP and MS-CHAP login use minor_version 1. The normal exchange
is a single START packet from the client and a single REPLY from the is a single START packet from the client and a single REPLY from the
server. server.
SENDAUTH is only used for PPP when performing outbound
authentication.
The removal of SENDPASS was prompted by security concerns, and is no The removal of SENDPASS was prompted by security concerns, and is no
longer considered part of the TACACS+ protocol. longer considered part of the TACACS+ protocol.
4.4.2. Common Authentication Flows 4.4.2. Common Authentication Flows
This section describes common authentication flows. If the server This section describes common authentication flows. If the server
does not implement an option, it MUST respond with does not implement an option, it MUST respond with
TAC_PLUS_AUTHEN_STATUS_FAIL. TAC_PLUS_AUTHEN_STATUS_FAIL.
Inbound ASCII Login 4.4.2.1. ASCII Login
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII
minor_version = 0x0 minor_version = 0x0
This is a standard ASCII authentication. The START packet MAY This is a standard ASCII authentication. The START packet MAY
contain the username. If the user does not include the username then contain the username. If the user does not include the username then
the server MUST obtain it from the client with a CONTINUE the server MUST obtain it from the client with a CONTINUE
TAC_PLUS_AUTHEN_STATUS_GETUSER. When the server has the username, it TAC_PLUS_AUTHEN_STATUS_GETUSER. If the user does not provide a
will obtain the password using a continue with username then the server can send another
TAC_PLUS_AUTHEN_STATUS_GETPASS. ASCII login uses the user_msg field TAC_PLUS_AUTHEN_STATUS_GETUSER request, but the server MUST limit the
for both the username and password. The data fields in both the number of retries that are permitted, recommended limit is three
START and CONTINUE packets are not used for ASCII logins, any content attempts. When the server has the username, it will obtain the
MUST be ignored. The session is composed of a single START followed password using a continue with TAC_PLUS_AUTHEN_STATUS_GETPASS. ASCII
by zero or more pairs of REPLYs and CONTINUEs, followed by a final login uses the user_msg field for both the username and password.
REPLY indicating PASS, FAIL or ERROR. The data fields in both the START and CONTINUE packets are not used
for ASCII logins, any content MUST be ignored. The session is
composed of a single START followed by zero or more pairs of REPLYs
and CONTINUEs, followed by a final REPLY indicating PASS, FAIL or
ERROR.
Inbound PAP Login 4.4.2.2. PAP Login
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_PAP authen_type = TAC_PLUS_AUTHEN_TYPE_PAP
minor_version = 0x1 minor_version = 0x1
The entire exchange MUST consist of a single START packet and a The entire exchange MUST consist of a single START packet and a
single REPLY. The START packet MUST contain a username and the data single REPLY. The START packet MUST contain a username and the data
field MUST contain the PAP ASCII password. A PAP authentication only field MUST contain the PAP ASCII password. A PAP authentication only
consists of a username and password RFC 1334 [RFC1334] . The REPLY consists of a username and password RFC 1334 [RFC1334] . The REPLY
from the server MUST be either a PASS, FAIL or ERROR. from the server MUST be either a PASS, FAIL or ERROR.
Inbound CHAP login 4.4.2.3. CHAP login
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_CHAP authen_type = TAC_PLUS_AUTHEN_TYPE_CHAP
minor_version = 0x1 minor_version = 0x1
The entire exchange MUST consist of a single START packet and a The entire exchange MUST consist of a single START packet and a
single REPLY. The START packet MUST contain the username in the user single REPLY. The START packet MUST contain the username in the user
field and the data field is a concatenation of the PPP id, the field and the data field is a concatenation of the PPP id, the
challenge and the response. challenge and the response.
The length of the challenge value can be determined from the length The length of the challenge value can be determined from the length
of the data field minus the length of the id (always 1 octet) and the of the data field minus the length of the id (always 1 octet) and the
length of the response field (always 16 octets). length of the response field (always 16 octets).
To perform the authentication, the server calculates the PAP hash as To perform the authentication, the server calculates the PPP hash as
defined in the PPP Authentication RFC RFC 1334 [RFC1334] and then defined in the PPP Authentication RFC RFC 1334 [RFC1334] and then
compare that value with the response. The REPLY from the server MUST compare that value with the response. The MD5 algorithm option is
be a PASS, FAIL or ERROR. alays used. The REPLY from the server MUST be a PASS, FAIL or ERROR.
The client condcuts the exchange with the endstation and then sends In cases where the client conducts the exchange with the endstation
the resulting materials (challenge and responsee) to the server. So and then sends the resulting materials (challenge and responsee) to
although the selection of the challenge and its length are not an the server, the selection of the challenge and its length are not an
aspect of the TACACS+ protocol, it is strongly recommended that the aspect of the TACACS+ protocol. However, it is strongly recommended
client/endstation interaction is configured with a secure challenge that the client/endstation interaction is configured with a secure
in mind, and the TACACS+ server can help by rejecting authentications challenge. The TACACS+ server can help by rejecting authentications
where the challenge is below a minimum length (for example, 8 bytes). where the challenge is below a minimum length (Minimum recommended is
8 bytes).
Inbound MS-CHAP v1 login In cases where the TACACS+ Server generates the challenge then it
MUST change for every request and MUST be derived from a strong
cryptographic source.
4.4.2.4. MS-CHAP v1 login
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAP authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAP
minor_version = 0x1 minor_version = 0x1
The entire exchange MUST consist of a single START packet and a The entire exchange MUST consist of a single START packet and a
single REPLY. The START packet MUST contain the username in the user single REPLY. The START packet MUST contain the username in the user
field and the data field will be a concatenation of the PPP id, the field and the data field will be a concatenation of the PPP id, the
MS-CHAP challenge and the MS-CHAP response. MS-CHAP challenge and the MS-CHAP response.
The length of the challenge value can be determined from the length The length of the challenge value can be determined from the length
of the data field minus the length of the id (always 1 octet) and the of the data field minus the length of the id (always 1 octet) and the
length of the response field (always 49 octets). length of the response field (always 49 octets).
To perform the authentication, the server will use a combination of To perform the authentication, the server will use a combination of
MD4 and DES on the user's secret and the challenge, as defined in RFC MD4 and DES on the user's secret and the challenge, as defined in RFC
2433 [RFC2433] and then compare the resulting value with the 2433 [RFC2433] and then compare the resulting value with the
response. The REPLY from the server MUST be a PASS or FAIL. response. The REPLY from the server MUST be a PASS or FAIL.
For best practices, please refer to RFC 2433 [RFC2433] For best practices, please refer to RFC 2433 [RFC2433] . The TACACS+
server MUST rejects authentications where the challenge deviates from
8 bytes as defined in the RFC.
Inbound MS-CHAP v2 login 4.4.2.5. MS-CHAP v2 login
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAPV2
minor_version = 0x1 minor_version = 0x1
The entire exchange MUST consist of a single START packet and a The entire exchange MUST consist of a single START packet and a
single REPLY. The START packet MUST contain the username in the user single REPLY. The START packet MUST contain the username in the user
field and the data field will be a concatenation of the PPP id, the field and the data field will be a concatenation of the PPP id, the
MS-CHAP challenge and the MS-CHAP response. MS-CHAP challenge and the MS-CHAP response.
The length of the challenge value can be determined from the length The length of the challenge value can be determined from the length
of the data field minus the length of the id (always 1 octet) and the of the data field minus the length of the id (always 1 octet) and the
length of the response field (always 49 octets). length of the response field (always 49 octets).
To perform the authentication, the server will use the algorithm To perform the authentication, the server will use the algorithm
specified RFC 2759 [RFC2759] on the user's secret and challenge and specified RFC 2759 [RFC2759] on the user's secret and challenge and
then compare the resulting value with the response. The REPLY from then compare the resulting value with the response. The REPLY from
the server MUST be a PASS or FAIL. the server MUST be a PASS or FAIL.
For best practices for MS-CHAP v2, please refer to RFC2759 [RFC2759] For best practices for MS-CHAP v2, please refer to RFC2759 [RFC2759]
. The TACACS+ server MUST rejects authentications where the challenge
deviates from 16 bytes as defined in the RFC.
Enable Requests 4.4.2.6. Enable Requests
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
priv_lvl = implementation dependent priv_lvl = implementation dependent
authen_type = not used authen_type = not used
service = TAC_PLUS_AUTHEN_SVC_ENABLE service = TAC_PLUS_AUTHEN_SVC_ENABLE
This is an ENABLE request, used to change the current running This is an ENABLE request, used to change the current running
privilege level of a user. The exchange MAY consist of multiple privilege level of a user. The exchange MAY consist of multiple
messages while the server collects the information it requires in messages while the server collects the information it requires in
order to allow changing the principal's privilege level. This order to allow changing the principal's privilege level. This
exchange is very similar to an Inbound ASCII login. exchange is very similar to an ASCII login (Section 4.4.2.1) .
In order to readily distinguish enable requests from other types of In order to readily distinguish enable requests from other types of
request, the value of the authen_service field MUST be set to request, the value of the authen_service field MUST be set to
TAC_PLUS_AUTHEN_SVC_ENABLE when requesting an ENABLE. It MUST NOT be TAC_PLUS_AUTHEN_SVC_ENABLE when requesting an ENABLE. It MUST NOT be
set to this value when requesting any other operation. set to this value when requesting any other operation.
ASCII change password request 4.4.2.7. ASCII change password request
action = TAC_PLUS_AUTHEN_CHPASS action = TAC_PLUS_AUTHEN_CHPASS
authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII
This exchange consists of multiple messages while the server collects This exchange consists of multiple messages while the server collects
the information it requires in order to change the user's password. the information it requires in order to change the user's password.
It is very similar to an ASCII login. The status value It is very similar to an ASCII login. The status value
TAC_PLUS_AUTHEN_STATUS_GETPASS MUST only be used when requesting the TAC_PLUS_AUTHEN_STATUS_GETPASS MUST only be used when requesting the
"new" password. It MAY be sent multiple times. When requesting the "new" password. It MAY be sent multiple times. When requesting the
"old" password, the status value MUST be set to "old" password, the status value MUST be set to
skipping to change at page 21, line 20 skipping to change at page 21, line 41
message explaining the reason for the abort. This information will message explaining the reason for the abort. This information will
be handled by the server according to the requirements of the be handled by the server according to the requirements of the
deployment. The session is terminated, for more details about deployment. The session is terminated, for more details about
session temrination, oplease refer to section (Section 3.4) session temrination, oplease refer to section (Section 3.4)
In the case of PALL, FAIL or ERROR, the server can insert a message In the case of PALL, FAIL or ERROR, the server can insert a message
into server_msg to be displayed to the user. into server_msg to be displayed to the user.
The Draft `The Draft' [TheDraft] defined a mechanism to direct The Draft `The Draft' [TheDraft] defined a mechanism to direct
authentication requests to an alternative server. This mechanism is authentication requests to an alternative server. This mechanism is
regarded as legacy and its implementation is optional. regarded as insecure, is deprecated, and not covered here. The
client should treat TAC_PLUS_AUTHEN_STATUS_FOLLOW as
If this feature is not implemented, then the client should treat TAC_PLUS_AUTHEN_STATUS_FAIL
TAC_PLUS_AUTHEN_STATUS_FOLLOW as TAC_PLUS_AUTHEN_STATUS_FAIL
When the status equals TAC_PLUS_AUTHEN_STATUS_FOLLOW the packet
indicates that the TACACS+ server requests that authentication is
performed with an alternate server. The data field MUST contain
ASCII text describing one or more servers. A server description
appears like this:
[@<protocol>@]<host>>[@<key>]
If more than one host is specified, they MUST be separated into rows
by an ASCII Carriage Return (0x0D).
The protocol and key are optional, and apply only to host in the same
row. The protocol can describe an alternate way of performing the
authentication, other than TACACS+. If the protocol is not present,
then TACACS+ is assumed.
Protocols are ASCII numbers corresponding to the methods listed in
the authen_method field of authorization packets (defined below).
The host is specified as either a fully qualified domain name, or an
ASCII numeric IPV4 address specified as octets separated by dots
('.'), or IPV6 address text representation defined in RFC 4291.
If a key is supplied, the client MAY use the key in order to
authenticate to that host. The client may use a preconfigured key
for the host if it has one.
Use of the hosts in a TAC_PLUS_AUTHEN_STATUS_FOLLOW packet is at the
discretion of the TACACS+ client. It may choose to use any one, all
or none of these hosts. If it chooses to use none, then it MUST
treat the authentication as if the return status was
TAC_PLUS_AUTHEN_STATUS_FAIL.
If the status equals TAC_PLUS_AUTHEN_STATUS_ERROR, then the host is If the status equals TAC_PLUS_AUTHEN_STATUS_ERROR, then the host is
indicating that it is experiencing an unrecoverable error and the indicating that it is experiencing an unrecoverable error and the
authentication will proceed as if that host could not be contacted. authentication will proceed as if that host could not be contacted.
The data field may contain a message to be printed on an The data field may contain a message to be printed on an
administrative console or log. administrative console or log.
If the status equals TAC_PLUS_AUTHEN_STATUS_RESTART, then the If the status equals TAC_PLUS_AUTHEN_STATUS_RESTART, then the
authentication sequence is restarted with a new START packet from the authentication sequence is restarted with a new START packet from the
client, with new session Id, and seq_no set to 1. This REPLY packet client, with new session Id, and seq_no set to 1. This REPLY packet
skipping to change at page 22, line 42 skipping to change at page 22, line 33
(we don't know who they are). In this case it is up to the server to (we don't know who they are). In this case it is up to the server to
determine, according to its configuration, if an unauthenticated user determine, according to its configuration, if an unauthenticated user
is allowed the services in question. is allowed the services in question.
Authorization does not merely provide yes or no answers, but it may Authorization does not merely provide yes or no answers, but it may
also customize the service for the particular user. A common use of also customize the service for the particular user. A common use of
authorization is to provision a shell session when a user first logs authorization is to provision a shell session when a user first logs
in to a device to administer it. The TACACS+ server might respond to in to a device to administer it. The TACACS+ server might respond to
the request by allowing the service, but placing a time restriction the request by allowing the service, but placing a time restriction
on the login shell. For a list of common attributes used in on the login shell. For a list of common attributes used in
authorization, see the Authorization Attributes section (Section 7.1) authorization, see the Authorization Attributes section (Section 7.2)
. .
In the TACACS+ protocol an authorization is always a single pair of In the TACACS+ protocol an authorization is always a single pair of
messages: a REQUEST from the client followed by a REPLY from the messages: a REQUEST from the client followed by a REPLY from the
server. server.
The authorization REQUEST message contains a fixed set of fields that The authorization REQUEST message contains a fixed set of fields that
indicate how the user was authenticated and a variable set of indicate how the user was authenticated and a variable set of
arguments that describe the services and options for which arguments that describe the services and options for which
authorization is requested. authorization is requested.
skipping to change at page 23, line 38 skipping to change at page 23, line 30
| arg_2 ... | arg_2 ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| ... | ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg_N ... | arg_N ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
authen_method authen_method
This indicates the authentication method used by the client to This indicates the authentication method used by the client to
acquire the user information. acquire the user information. As this information is not always
subject to verification, it is recommended that this field is
ignored.
TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00
TAC_PLUS_AUTHEN_METH_NONE := 0x01 TAC_PLUS_AUTHEN_METH_NONE := 0x01
TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 TAC_PLUS_AUTHEN_METH_KRB5 := 0x02
TAC_PLUS_AUTHEN_METH_LINE := 0x03 TAC_PLUS_AUTHEN_METH_LINE := 0x03
TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 TAC_PLUS_AUTHEN_METH_ENABLE := 0x04
skipping to change at page 24, line 40 skipping to change at page 24, line 34
authen_type authen_type
This field corrsponds to the authen_type field in the authentication This field corrsponds to the authen_type field in the authentication
section (Section 4) above. It indicates the type of authentication section (Section 4) above. It indicates the type of authentication
that was performed. If this information is not available, then the that was performed. If this information is not available, then the
client will set authen_type to: TAC_PLUS_AUTHEN_TYPE_NOT_SET := 0x00. client will set authen_type to: TAC_PLUS_AUTHEN_TYPE_NOT_SET := 0x00.
This value is valid only in authorization and accounting requests. This value is valid only in authorization and accounting requests.
authen_service authen_service
This field matches the authen_service field in the authentication This field is the same as the authen_service field in the
section (Section 4) above. It indicates the service through which authentication section (Section 4) above. It indicates the service
the user authenticated. through which the user authenticated.
user, user_len user, user_len
This field contains the user's account name. The user_len MUST This field contains the user's account name. The user_len MUST
indicate the length of the user field, in bytes. indicate the length of the user field, in bytes.
port, port_len port, port_len
This field matches the port field in the authentication section This field matches the port field in the authentication section
(Section 4) above. The port_len indicates the length of the port (Section 4) above. The port_len indicates the length of the port
field, in bytes. field, in bytes.
rem_addr, rem_addr_len rem_addr, rem_addr_len
This field matches the rem_addr field in the authentication section This field matches the rem_addr field in the authentication section
(Section 4) above. The rem_addr_len indicates the length of the port (Section 4) above. The rem_addr_len indicates the length of the port
field, in bytes. field, in bytes.
arg_cnt arg_cnt
The number of authorization arguments to follow The number of authorization arguments to follow
arg_1 ... arg_N, arg_1_len .... arg_N_len arg_1 ... arg_N, arg_1_len .... arg_N_len
skipping to change at page 25, line 29 skipping to change at page 25, line 23
The arguments are the primary elements of the authorization The arguments are the primary elements of the authorization
interaction. In the request packet they describe the specifics of interaction. In the request packet they describe the specifics of
the authorization that is being requested. Each argument is encoded the authorization that is being requested. Each argument is encoded
in the packet as a single arg filed (arg_1... arg_N) with a in the packet as a single arg filed (arg_1... arg_N) with a
corresponding length fields (which indicates the length of each corresponding length fields (which indicates the length of each
argument in bytes). argument in bytes).
The authorization arguments in both the REQUEST and the REPLY are The authorization arguments in both the REQUEST and the REPLY are
attribute-value pairs. The attribute and the value are in a single attribute-value pairs. The attribute and the value are in a single
US-ASCII string and are separated by either a "=" (0X3D) or a "*" printable US-ASCII string and are separated by either a "=" (0X3D) or
(0X2A). The equals sign indicates a mandatory argument. The a "*" (0X2A). The equals sign indicates a mandatory argument. The
asterisk indicates an optional one. asterisk indicates an optional one.
It is not legal for an attribute name to contain either of the It is not legal for an attribute name to contain either of the
separators. It is legal for attribute values to contain the separators. It is legal for attribute values to contain the
separators. separators. This means that the arguments must be parsed until the
first separator is encountered, all characters in the argument, after
this separator, are interpreted as the argument value.
Optional arguments are ones that may be disregarded by either client Optional arguments are ones that may be disregarded by either client
or server. Mandatory arguments require that the receiving side can or server. Mandatory arguments require that the receiving side can
handle the attribute, that is: its implementation and configuration handle the attribute, that is: its implementation and configuration
includes the details of how to act on it. If the client receives a includes the details of how to act on it. If the client receives a
mandatory argument that it cannot handle, it MUST consider the mandatory argument that it cannot handle, it MUST consider the
authorization to have failed. It is legal to send an attribute-value authorization to have failed. It is legal to send an attribute-value
pair with a zero length value. pair with a zero length value.
Attribute-value strings are not NULL terminated, rather their length Attribute-value strings are not NULL terminated, rather their length
value indicates their end. The maximum length of an attribute-value value indicates their end. The maximum length of an attribute-value
string is 255 characters. The minimum is two characters (one name string is 255 characters. The minimum is two characters (one name
value character and the separator) value character and the separator)
Though the attributes allow extensibility, a common core set of Though the attributes allow extensibility, a common core set of
authorization attributes SHOULD be supported by clients and servers, authorization attributes SHOULD be supported by clients and servers,
these are listed in the Authorization Attributes (Section 7.1) these are listed in the Authorization Attributes (Section 7.2)
section below. section below.
5.2. The Authorization REPLY Packet Body 5.2. The Authorization REPLY Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| status | arg_cnt | server_msg len | | status | arg_cnt | server_msg len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
+ data_len | arg_1_len | arg_2_len | + data_len | arg_1_len | arg_2_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
skipping to change at page 26, line 42 skipping to change at page 26, line 40
TAC_PLUS_AUTHOR_STATUS_PASS_REPL := 0x02 TAC_PLUS_AUTHOR_STATUS_PASS_REPL := 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10 TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11 TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11
TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21 TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21
server_msg, server_msg_len server_msg, server_msg_len
This is an US-ASCII string that may be presented to the user. The This is a printable US-ASCII string that may be presented to the
server_msg_len indicates the length of the server_msg field, in user. The server_msg_len indicates the length of the server_msg
bytes. field, in bytes.
data, data_len data, data_len
This is an US-ASCII string that may be presented on an administrative This is a printable US-ASCII string that may be presented on an
display, console or log. The decision to present this message is administrative display, console or log. The decision to present this
client specific. The data_len indicates the length of the data message is client specific. The data_len indicates the length of the
field, in bytes. data field, in bytes.
arg_cnt arg_cnt
The number of authorization arguments to follow. The number of authorization arguments to follow.
arg_1 ... arg_N, arg_1_len .... arg_N_len arg_1 ... arg_N, arg_1_len .... arg_N_len
The arguments describe the specifics of the authorization that is The arguments describe the specifics of the authorization that is
being requested. For details of the content of the args, refer to: being requested. For details of the content of the args, refer to:
Authorization Attributes (Section 7.1) section below. Each argument Authorization Attributes (Section 7.2) section below. Each argument
is encoded in the packet as a single arg field (arg_1... arg_N) with is encoded in the packet as a single arg field (arg_1... arg_N) with
a corresponding length fields (which indicates the length of each a corresponding length fields (which indicates the length of each
argument in bytes). argument in bytes).
If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the requested If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the requested
authorization MUST be denied. authorization MUST be denied.
If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the
arguments specified in the request are authorized and the arguments arguments specified in the request are authorized and the arguments
in the response MUST be applied according to the rules described in the response MUST be applied according to the rules described
skipping to change at page 29, line 38 skipping to change at page 29, line 36
This is the return status. Values are: This is the return status. Values are:
TAC_PLUS_ACCT_STATUS_SUCCESS := 0x01 TAC_PLUS_ACCT_STATUS_SUCCESS := 0x01
TAC_PLUS_ACCT_STATUS_ERROR := 0x02 TAC_PLUS_ACCT_STATUS_ERROR := 0x02
TAC_PLUS_ACCT_STATUS_FOLLOW := 0x21 TAC_PLUS_ACCT_STATUS_FOLLOW := 0x21
server_msg, server_msg_len server_msg, server_msg_len
This is a US-ASCII string that may be presented to the user. The This is a printable US-ASCII string that may be presented to the
server_msg_len indicates the length of the server_msg field, in user. The server_msg_len indicates the length of the server_msg
bytes. field, in bytes.
data, data_len data, data_len
This is a US-ASCII string that may be presented on an administrative This is a printable US-ASCII string that may be presented on an
display, console or log. The decision to present this message is administrative display, console or log. The decision to present this
client specific. The data_len indicates the length of the data message is client specific. The data_len indicates the length of the
field, in bytes. data field, in bytes.
When the status equals TAC_PLUS_ACCT_STATUS_FOLLOW, then the actions When the status equals TAC_PLUS_ACCT_STATUS_FOLLOW, then the actions
to be taken and the contents of the data field are identical to the to be taken and the contents of the data field are identical to the
TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication.
TACACS+ accounting is intended to record various types of events on TACACS+ accounting is intended to record various types of events on
clients, for example: login sessions, command entry, and others as clients, for example: login sessions, command entry, and others as
required by the client implementation. These events are collectively required by the client implementation. These events are collectively
referred to in `The Draft' [TheDraft] as "tasks". referred to in `The Draft' [TheDraft] as "tasks".
The TAC_PLUS_ACCT_FLAG_START flag indicates that this is a start The TAC_PLUS_ACCT_FLAG_START flag indicates that this is a start
accounting message. Start messages will only be sent once when a accounting message. Start messages will only be sent once when a
task is started. The TAC_PLUS_ACCT_FLAG_STOP indicates that this is task is started. The TAC_PLUS_ACCT_FLAG_STOP indicates that this is
a stop record and that the task has terminated. The a stop record and that the task has terminated. The
TAC_PLUS_ACCT_FLAG_WATCHDOG flag means that this is an update record. TAC_PLUS_ACCT_FLAG_WATCHDOG flag means that this is an update record.
Update records are sent at the client's discretion if the task has
not finished.
Summary of Accounting Packets Summary of Accounting Packets
+----------+-------+-------+-------------+-------------------------+ +----------+-------+-------+-------------+-------------------------+
| Watchdog | Stop | Start | Flags & 0xE | Meaning | | Watchdog | Stop | Start | Flags & 0xE | Meaning |
+----------+-------+-------+-------------+-------------------------+ +----------+-------+-------+-------------+-------------------------+
| 0 | 0 | 0 | 0 | INVALID | | 0 | 0 | 0 | 0 | INVALID |
| 0 | 0 | 1 | 2 | Start Accounting Record | | 0 | 0 | 1 | 2 | Start Accounting Record |
| 0 | 1 | 0 | 4 | Stop Accounting Record | | 0 | 1 | 0 | 4 | Stop Accounting Record |
| 0 | 1 | 1 | 6 | INVALID | | 0 | 1 | 1 | 6 | INVALID |
| 1 | 0 | 0 | 8 | Watchdog, no update | | 1 | 0 | 0 | 8 | Watchdog, no update |
| 1 | 0 | 1 | A | Watchdog, with update | | 1 | 0 | 1 | A | Watchdog, with update |
| 1 | 1 | 0 | C | INVALID | | 1 | 1 | 0 | C | INVALID |
| 1 | 1 | 1 | E | INVALID | | 1 | 1 | 1 | E | INVALID |
+----------+-------+-------+-------------+-------------------------+ +----------+-------+-------+-------------+-------------------------+
The START and STOP flags are mutually exclusive. When the WATCHDOG The START and STOP flags are mutually exclusive.
flag is set along with the START flag, it indicates that the update
record is a duplicate of the original START record. If the START The WATCHDOG flag is used by the client to communicate ongoing status
flag is not set, then this indicates only that task is still running. of a long running task. Update records are sent at the client's
The STOP flag MUST NOT be set in conjunction with the WATCHDOG flag. discretion. The frequency of the update depends upon the intended
application: A watchdog to provide progress indication will require
higher frequency than a daily keep-alive. When the WATCHDOG flag is
set along with the START flag, it indicates that the update record
provides additional or updated arguments from the original START
record. If the START flag is not set, then this indicates only that
task is still running, and no new information is provided (servers
MUST ignore any arguments). The STOP flag MUST NOT be set in
conjunction with the WATCHDOG flag.
The Server MUST respond with TAC_PLUS_ACCT_STATUS_ERROR if the client The Server MUST respond with TAC_PLUS_ACCT_STATUS_ERROR if the client
requests an INVALID option. requests an INVALID option.
7. Attribute-Value Pairs 7. Attribute-Value Pairs
TACACS+ is intended to be an extensible protocol. The attributes TACACS+ is intended to be an extensible protocol. The attributes
used in Authorization and Accounting are not limited by thsi used in Authorization and Accounting are not limited by this
document. Some attributes are defined below for common use cases, document. Some attributes are defined below for common use cases,
clients MUST use these attributes when supporting the corresponding clients MUST use these attributes when supporting the corresponding
use cases. use cases.
7.1. Value Encoding
All attribute values are encoded as printable US-ASCII strings. The
following type representations SHOULD be followed
Numeric
All numeric values in an attribute-value string are provided as All numeric values in an attribute-value string are provided as
decimal US-ASCII numbers, unless otherwise stated. decimal printable US-ASCII numbers, unless otherwise stated.
All boolean attributes are encoded with values "true" or "false". Boolean
All boolean attributes are encoded as printable US-ASCII with values
"true" or "false".
IP-Address
It is recommended that hosts be specified as a IP address so as to It is recommended that hosts be specified as a IP address so as to
avoid any ambiguities. ASCII numeric IPV4 address are specified as avoid any ambiguities. IPV4 address are specified as US-ASCII octet
octets separated by dots ('.'), IPV6 address text representation numerics separated by dots ('.'), IPV6 address text representation
defined in RFC 4291. defined in RFC 4291.
Absolute times are specified in seconds since the epoch, 12:00am Jan Date Time
1 1970. The timezone MUST be UTC unless a timezone attribute is
specified. Absolute date/times are specified in seconds since the epoch, 12:00am
Jan 1 1970. The timezone MUST be UTC unless a timezone attribute is
specified. Stardate is canonically inconsistent and so SHOULD NOT be
used.
String
Many values have no specific type representation and so are
interpreted as plain strings.
Empty Values
Attributes may be submitted with no value, in which case they consist Attributes may be submitted with no value, in which case they consist
of the name and the mandatory or optional separator. For example, of the name and the mandatory or optional separator. For example,
the attribute "cmd" which has no value is transmitted as a string of the attribute "cmd" which has no value is transmitted as a string of
four characters "cmd=" four characters "cmd="
7.1. Authorization Attributes 7.2. Authorization Attributes
service service (String)
The primary service. Specifying a service attribute indicates that The primary service. Specifying a service attribute indicates that
this is a request for authorization or accounting of that service. this is a request for authorization or accounting of that service.
For example: "shell", "tty-server", "connection", "system" and For example: "shell", "tty-server", "connection", "system" and
"firewall". This attribute MUST always be included. "firewall". This attribute MUST always be included.
protocol protocol (String)
the ptotocol field may be used to indicate a subset of a setvice. the protocol field may be used to indicate a subset of a service.
cmd cmd (String)
a shell (exec) command. This indicates the command name of the a shell (exec) command. This indicates the command name of the
command that is to be run. The "cmd" attribute MUST be specified if command that is to be run. The "cmd" attribute MUST be specified if
service equals "shell". service equals "shell".
Authorization of shell commands is a common use-case for the TACACS+ Authorization of shell commands is a common use-case for the TACACS+
protocol. Command Authorization generally takes one of two forms: protocol. Command Authorization generally takes one of two forms:
session-based and command-based. session-based and command-based.
For session-based shell authorization, the "cmd" argument will have For session-based shell authorization, the "cmd" argument will have
an empty value. The client determines which commands are allowed in an empty value. The client determines which commands are allowed in
a session according to the arguments present in the authorization. a session according to the arguments present in the authorization.
In command-based authorization, the client requests that the server In command-based authorization, the client requests that the server
determine whether a command is allowed by making an authorization determine whether a command is allowed by making an authorization
request for each command. The "cmd" argument will have the command request for each command. The "cmd" argument will have the command
name as its value. name as its value.
cmd-arg cmd-arg (String)
an argument to a shell (exec) command. This indicates an argument an argument to a shell (exec) command. This indicates an argument
for the shell command that is to be run. Multiple cmd-arg attributes for the shell command that is to be run. Multiple cmd-arg attributes
may be specified, and they are order dependent. may be specified, and they are order dependent.
acl acl (Numeric)
US-ASCII number representing a connection access list. Applicable printable US-ASCII number representing a connection access list.
only to session-based shell authorization. Applicable only to session-based shell authorization.
inacl inacl (String)
US-ASCII identifier for an interface input access list. printable US-ASCII identifier for an interface input access list.
outacl outacl (String)
US-ASCII identifier for an interface output access list. printable US-ASCII identifier for an interface output access list.
addr addr (IP-Address)
a network address a network address
addr-pool (String)
addr-pool
The identifier of an address pool from which the client can assign an The identifier of an address pool from which the client can assign an
address. address.
routing routing (Boolean)
Boolean. Specifies whether routing information is to be propagated Specifies whether routing information is to be propagated to, and
to, and accepted from this interface. accepted from this interface.
route route (String)
Indicates a route that is to be applied to this interface. Values Indicates a route that is to be applied to this interface. Values
MUST be of the form "<dst_address> <mask> [<routing_addr>]". If a MUST be of the form "<dst_address> <mask> [<routing_addr>]". If a
<routing_addr> is not specified, the resulting route is via the <routing_addr> is not specified, the resulting route is via the
requesting peer. requesting peer.
timeout timeout (Numeric)
an absolute timer for the connection (in minutes). A value of zero an absolute timer for the connection (in minutes). A value of zero
indicates no timeout. indicates no timeout.
idletime idletime (Numeric)
an idle-timeout for the connection (in minutes). A value of zero an idle-timeout for the connection (in minutes). A value of zero
indicates no timeout. indicates no timeout.
autocmd autocmd (String)
an auto-command to run. Applicable only to session-based shell an auto-command to run. Applicable only to session-based shell
authorization. authorization.
noescape noescape (Boolean)
Boolean. Prevents user from using an escape character. Applicable Prevents user from using an escape character. Applicable only to
only to session-based shell authorization. session-based shell authorization.
nohangup nohangup (Boolean)
Boolean. Do not disconnect after an automatic command. Applicable Boolean. Do not disconnect after an automatic command. Applicable
only to session-based shell authorization.y. only to session-based shell authorization.y.
priv-lvl priv-lvl (Numeric)
privilege level to be assigned. Please refer to the Privilege Level privilege level to be assigned. Please refer to the Privilege Level
section (Section 8) below. section (Section 8) below.
remote_user remote_user (String)
remote userid (authen_method must have the value remote userid (authen_method must have the value
TAC_PLUS_AUTHEN_METH_RCMD). In the case of rcmd authorizations, the TAC_PLUS_AUTHEN_METH_RCMD). In the case of rcmd authorizations, the
authen_method will be set to TAC_PLUS_AUTHEN_METH_RCMD and the authen_method will be set to TAC_PLUS_AUTHEN_METH_RCMD and the
remote_user and remote_host attributes will provide the remote user remote_user and remote_host attributes will provide the remote user
and host information to enable rhost style authorization. The and host information to enable rhost style authorization. The
response may request that a privilege level be set for the user. response may request that a privilege level be set for the user.
remote_host remote_host (String)
remote host (authen_method must have the value remote host (authen_method must have the value
TAC_PLUS_AUTHEN_METH_RCMD) TAC_PLUS_AUTHEN_METH_RCMD)
callback-dialstring 7.3. Accounting Attributes
Indicates that callback is to be done. Value is a dialstring, or
empty. Empty value indicates that the service MAY choose to get the
dialstring through other means.
callback-line
The line number to use for a callback.
callback-rotary
The rotary number to use for a callback.
nocallback-verify
Do not require authentication after callback.
7.2. Accounting Attributes
The following attributes are defined for TACACS+ accounting only. The following attributes are defined for TACACS+ accounting only.
They MUST precede any attribute-value pairs that are defined in the They MUST precede any attribute-value pairs that are defined in the
authorization section (Section 5) above. authorization section (Section 5) above.
task_id task_id (String)
Start and stop records for the same event MUST have matching task_id Start and stop records for the same event MUST have matching task_id
attribute values. The client MUST ensure that active task_ids are attribute values. The client MUST ensure that active task_ids are
not duplicated: a client MUST NOT reuse a task_id a start record not duplicated: a client MUST NOT reuse a task_id a start record
until it has sent a stop record for that task_id. Servers MUST not until it has sent a stop record for that task_id. Servers MUST not
make assumptions about the format of a task_id. make assumptions about the format of a task_id.
start_time start_time (Date Time)
The time the action started (in seconds since the epoch.). The time the action started (in seconds since the epoch.).
stop_time stop_time (Date Time)
The time the action stopped (in seconds since the epoch.) The time the action stopped (in seconds since the epoch.)
elapsed_time elapsed_time (Numeric)
The elapsed time in seconds for the action. The elapsed time in seconds for the action.
timezone timezone (String)
The timezone abbreviation for all timestamps included in this packet. The timezone abbreviation for all timestamps included in this packet.
event event (String)
Used only when "service=system". Current values are "net_acct", Used only when "service=system". Current values are "net_acct",
"cmd_acct", "conn_acct", "shell_acct" "sys_acct" and "clock_change". "cmd_acct", "conn_acct", "shell_acct" "sys_acct" and "clock_change".
These indicate system level changes. The flags field SHOULD indicate These indicate system level changes. The flags field SHOULD indicate
whether the service started or stopped. whether the service started or stopped.
reason reason (String)
Accompanies an event attribute. It describes why the event occurred. Accompanies an event attribute. It describes why the event occurred.
bytes bytes (Numeric)
The number of bytes transferred by this action The number of bytes transferred by this action
bytes_in bytes_in (Numeric)
The number of input bytes transferred by this action to the port The number of bytes transferred by this action from the endstation to
the client port
bytes_out bytes_out (Numeric)
The number of output bytes transferred by this action from the port The number of bytes transferred by this action from the client to the
endstation port
paks paks (Numeric)
The number of packets transferred by this action. The number of packets transferred by this action.
paks_in paks_in (Numeric)
The number of input packets transferred by this action to the port. The number of input packets transferred by this action from the
endstation to the client port.
paks_out paks_out (Numeric)
The number of output packets transferred by this action from the The number of output packets transferred by this action from the
port. client port to the endstation.
status
The numeric status value associated with the action. This is a
signed four (4) byte word in network byte order. 0 is defined as
success. Negative numbers indicate errors. Positive numbers
indicate non-error failures. The exact status values may be defined
by the client.
err_msg err_msg (String)
An US-ASCII string describing the status of the action. A printable US-ASCII string describing the status of the action.
8. Privilege Levels 8. Privilege Levels
The TACACS+ Protocol supports flexible authorization schemes through The TACACS+ Protocol supports flexible authorization schemes through
the extensible attributes. the extensible attributes.
One scheme is built in to the protocol and has been extensively used One scheme is built in to the protocol and has been extensively used
for Session-based shell authorization: Privilege Levels. Privilege for Session-based shell authorization: Privilege Levels. Privilege
Levels are ordered values from 0 to 15 with each level being a Levels are ordered values from 0 to 15 with each level being a
superset of the next lower value. Configuration and implementation superset of the next lower value. Configuration and implementation
skipping to change at page 36, line 18 skipping to change at page 36, line 18
TAC_PLUS_PRIV_LVL_USER := 0x01 TAC_PLUS_PRIV_LVL_USER := 0x01
TAC_PLUS_PRIV_LVL_MIN := 0x00 TAC_PLUS_PRIV_LVL_MIN := 0x00
A Privilege level can be assigned to a shell (EXEC) session when it A Privilege level can be assigned to a shell (EXEC) session when it
starts starts (for example, TAC_PLUS_PRIV_LVL_USER). The client will starts starts (for example, TAC_PLUS_PRIV_LVL_USER). The client will
permit the actions associated with this level to be executed. This permit the actions associated with this level to be executed. This
privilege level is returned by the Server in a session-based shell privilege level is returned by the Server in a session-based shell
authorization (when "service" equals "shell" and "cmd" is empty). authorization (when "service" equals "shell" and "cmd" is empty).
When a user required to perfrom actions that are mapped to a higher When a user required to perform actions that are mapped to a higher
privilege level, then an ENABLE type reuthentication can be initiated privilege level, then an ENABLE type reuthentication can be initiated
by the client, in a way similar to su in unix. The client will by the client, in a way similar to su in unix. The client will
insert the required privilege level into the authentication header insert the required privilege level into the authentication header
for enable authentication request. for enable authentication request.
The use of Privilege levels to determine session-based access to The use of Privilege levels to determine session-based access to
commands and resources is not mandatory for clients. Although the commands and resources is not mandatory for clients. Although the
privilege level scheme is widely supported, its lack of flexibility privilege level scheme is widely supported, its lack of flexibility
in requiring a single monotonic hierarchy of permissions means that in requiring a single monotonic hierarchy of permissions means that
other session-based command authorization schemes have evolved, and other session-based command authorization schemes have evolved, and
so it is no longer mandatory for clients to use it. However, it is so it is no longer mandatory for clients to use it. However, it is
still common enough that it SHOULD be supported by servers. still common enough that it SHOULD be supported by servers.
9. TACACS+ Security Considerations 9. TACACS+ Security Considerations
Although in widespread use, the TACACS+ protocol (as defined in "the The original TACACS+ Draft[1] from 1998 did not address all of the
Draft") does not meet modern security standards on its own. For this key security concerns which are considered when designing modern
reason, the authors intend to follow up this document with a more standards. This section addresses known limitations and concerns
secure version of the protocol. which will impact overall security of the protocol and systems where
this protocol is deployed to manage central authentication,
authorization or accounting for network device administration.
TACACS+ was originally specified in "The Draft" (1998) is incomplete, Multiple implementations of the protocol described in the draft[1]
and leaves key points unspecified. As a result, software authors have been deployed. As the protocol was never standardised, current
have had to make implementation choices about what should, or should implementations may be incompatible in non-obvious ways, giving rise
not, be done in certain situations. These implementation choices are to additional security risks about which authors might not be aware
somewhat constrained by ad hoc interoperability tests. That is, all of. This section does not claim to enumerate all possible security
TACACS+ clients and servers interoperate, so there is a rough vulnerabilities.
consensus on how the protocol works.
9.1. Overall Security of The Protocol 9.1. General Security of The Protocol
TACACS+ protocol does not include a security mechanism that would TACACS+ protocol does not include a security mechanism that would
meet modern day requirements. Support for MD5-based crypto pad meet modern day requirements. Support for MD5-based crypto pad
encryption fails to provide any kind of transport integrity, which encryption fails to provide any kind of transport integrity, which
presents at least the following risks: presents at least the following risks:
Accounting information may be modified by the man-in-the-middle Accounting information may be modified by the man-in-the-middle
attacker, making such logs unsuitable and untrustable for auditing attacker, making such logs unsuitable and untrustable for auditing
purposes. purposes.
skipping to change at page 37, line 30 skipping to change at page 37, line 32
Brute force attacks exploiting increased efficiency of MD5 digest Brute force attacks exploiting increased efficiency of MD5 digest
computation. computation.
Known plaintext attacks which may decrease the cost of brute force Known plaintext attacks which may decrease the cost of brute force
attack. attack.
Chosen plaintext attacks which may decrease the cost of a brute Chosen plaintext attacks which may decrease the cost of a brute
force attack. force attack.
No forward secrecy means that original data may be revealed at the No forward secrecy.
later time and still provide valuable information to the attacker.
Even though, to the best knowledge of authors, this method of Even though, to the best knowledge of authors, this method of
encryption wasn't rigorously tested, authors feel that enough encryption wasn't rigorously tested, authors feel that enough
information is available that it is best referred to as "obfuscation" information is available that it is best referred to as "obfuscation"
and not "encryption" and as such it MUST NOT BE relied upon to and not "encryption".
provide privacy.
For example, a "session_id" can be replaced by an alternate one, For example, a "session_id" can be replaced by an alternate one,
which could allow an unprivileged administrator to "steal" the which could allow an unprivileged administrator to "steal" the
authorization from a session for a privileged administrator. An authorization from a session for a privileged administrator. An
attacker could also update the "flags" field to indicate that one or attacker could also update the "flags" field to indicate that one or
the other end of a connection requires TAC_PLUS_UNENCRYPTED_FLAG, the other end of a connection requires TAC_PLUS_UNENCRYPTED_FLAG,
which would subvert the obfuscation mechanism. which would subvert the obfuscation mechanism.
For this reasons, users deploying TACACS+ protocol in their For this reasons, users deploying TACACS+ protocol in their
environments MUST limit access to known clients and MUST control the environments MUST limit access to known clients and MUST control the
security of the entire transmission path. Attacks who can guess the security of the entire transmission path. Attacks who can guess the
key or otherwise break the obfuscation WILL gain unrestricted and key or otherwise break the obfuscation will gain unrestricted and
undetected access to all TACACS+ traffic. The security risk of such undetected access to all TACACS+ traffic. The security risk of such
attack succeeding against a centralised AAA system like TACACS+ attack succeeding against a centralised AAA system like TACACS+
cannot be overstated. cannot be overstated.
The following parts of this section enumerate only the session-
specific risks which are in addition to general risk associated with
bare obfuscation and lack of integrity checking.
9.2. Security of Authentication Sessions 9.2. Security of Authentication Sessions
The authentication options include options which MUST NOT be used Authentication sessions SHOULD NOT be used via unsecure transport as
outside a secured deployment. Specifically, options which permit the the man-in-the-middle attack may completely subvert them. Even CHAP,
exchange of clear-text passwords or MSCHAPv1 and MS-CHAPv2. As of which may me considered resistant to password interception, is unsafe
the publication of this document, there has been no similar attacks as it does not protect the username from a trivial man-in-the-middle
on the CHAP protocol. attack.
Section 4.4.3 permits the redirection of a session to another server Section 4.4.3 permits the redirection of a session to another server
via the TAC_PLUS_AUTHEN_STATUS_FOLLOW mechanism. As part of this via the TAC_PLUS_AUTHEN_STATUS_FOLLOW mechanism. As part of this
process, the secret key for a new server can be sent to the client. process, the secret key for a new server can be sent to the client.
This public exchange of secret keys means that once one session is This public exchange of secret keys means that once one session is
broken, it may be possible to leverage that attack to attacking broken, it may be possible to leverage that key to attacking
connections to other servers. This option MUST NOT be used outside a connections to other servers. This option MUST NOT be used outside a
secured deployment. secured deployment of protocol clients or outside of secure
transport.
9.3. Security of Authorization Sessions 9.3. Security of Authorization Sessions
TACACS+ authorization is specifically separate from authentication. Authorization sessions MUST be used via secure transport only as it's
Careful consideration must be given to whether this mode is trivial to execute a successful man-in-the-middle attacks that
appropriate for the target deployment. Authorization sessions are changes well-known plaintext in either requests or responses.
not cryptographically linked to any authentication sessions.
Instead, sessions are tied together implicitly by the contents of the
other fields, such as "use", "port", "rem_addr", etc.
The specification allows for the exchange of attribute-value pairs. As an example, take the field "authen_method". It's not unusual in
While a few such attributes are defined here, the protocol is actual deployments to authorize all commands received via the device
extensible, and vendors can define their own attributes. There is no local serial port (a console port) as that one is usually considered
registry for such attributes, and in the absence of a published secure by virtue of the device located in a physically secure
specification, no way for a client or server to know the meaning of a location. If an administrator would configure the authorization
new attribute. system to allow all commands entered by the user on a local console
to aid in troubleshooting, that would give all access to all commands
to any attacker that would be able to change the "authen_method" from
TAC_PLUS_AUTHEN_METH_TACACSPLUS to TAC_PLUS_AUTHEN_METH_LINE. In
this regard, the obfuscation provided by the protocol itself wouldn't
help much, because:
As a result, implemetors MUST ensure that new attribute-value pairs Lack of integrity means that any byte in the payload may be
are used consistently to communicate between client and server changed w/o either side detecting the change.
implementations.
Known plaintext means that an attacker would know with certainty
which octet is the target of the attack (in this case, 1st octet
after the header).
In combination with known plaintext, the attacker can determine
with certainty the value of the crypto-pad octet used to obfuscate
the original octet.
9.4. Security of Accounting Sessions 9.4. Security of Accounting Sessions
The security considerations for accounting sessions are largely the Accounting sessions are not directly involved in authentication or
same as for authorization sessions. This section describes authorizing operations on the device. However, man-in-the-middle
additional issues specific to accounting sessions. attacker may do any of the following:
There is no way in TACACS+ to signal that accounting is required. Replace accounting data with new valid or garbage which prevents
There is no way for a server to signal a client how often accounting to provide distraction or hide information related to their
is required. The accounting packets are received solely at the authentication and/or authorization attack attempts.
clients discretion. Adding such functionality would assist with
auditing of user actions.
The "task_id" field is defined only for accounting packets, and not Try and poison accounting log with entries designed to make
for authentication or authorization packets. As such, it is systems behave in unintended ways (which includes TACACS+ server
difficult to correlate accounting data with a previous authentication and any other systems that would manage accounting entries).
or authorization request.
In addition to these direct manipulations, different client
implementations pass different fidelity of accounting data. Some
vendors have been observed in the wild that pass sensitive data like
passwords, encryption keys and similar as part of the accounting log.
Due to lack of strong encryption with perfect forward secrecy, this
data may be revealed in future, leading to a security incident.
9.5. TACACS+ Deployment Recommendations 9.5. TACACS+ Deployment Recommendations
Due to the above concerns with the protocol, it is critical that it Due to above observations about the TACACS+ protocol, it is critical
be deployed in a secure manner. The following recommendations are to only deploy it using secure transport. A secure transport for
TACACS+ is defined as any means that ensure privacy and integrity of
all data passed between clients and servers. There are multiple
means of achieving this, all of them beyond the scope of this
document.
Symmetric encryption key represents a possible attack vector at the
protocol itself. For this reason, servers SHOULD accept only those
network connection attempts that arrive from known clients. This
limits the exposure and prevents remote brute force attacks from
unknown clients.
Due to the security deficiencies of the protocol, it is critical that
it be deployed in a secure manner. The following recommendations are
made for those deploying and configuring TACACS+ as a solution for made for those deploying and configuring TACACS+ as a solution for
Device Administration: device administration:
Secure the Deployment: TACACS+ does not provide modern security so Secure the Deployment: TACACS+ MUST BE deployed over networks
TACACS+ MUST BE employed over networks which ensure privacy and which ensure an appropriate privacy and integrity of the
integrity of the communication. The way this is ensured will communication. Definition of an appropriate level of privacy and
depend upon the organisational means: a dedicated and secure integrity is organisation-dependent What is apropriate level of
management network where available in enterprise deployments, or The way this is ensured will depend upon the organisational means:
IPsec where dedicated networks are not available. a dedicated and secure management network where available in
enterprise deployments, or IPsec where dedicated networks are not
available.
Always set a secret key (recommended minimum 14 characters) on the Always set a secret key (recommended minimum 14 characters) on the
client and server when configuring the connection between them. client and server when configuring the connection between them.
Servers MUST be configured with a list of known clients. Servers Servers MUST be configured with a list of known clients. Servers
MUST be configured to reject requests from clients not on the MUST be configured to reject requests from clients not on the
list. A unique secret key SHOULD be configured for every list. A unique secret key SHOULD be configured for every
individual client. individual client.
Implementors should consider shared secrets to be sensitive data,
and managed securely.
Restrict to TAC_PLUS_AUTHEN_TYPE_CHAP for authen_type where Restrict to TAC_PLUS_AUTHEN_TYPE_CHAP for authen_type where
possible. Use other options only when unavoidable due to possible. Use other options only when unavoidable due to
requirements of identity/password systems. requirements of identity/password systems.
Servers SHOULD be restricted to requiring TACACS+ authentication Servers SHOULD be restricted to requiring TACACS+ authentication
for authorization requests (i.e. TAC_PLUS_AUTHEN_METH_TACACSPLUS for authorization requests (i.e. TAC_PLUS_AUTHEN_METH_TACACSPLUS
is used). is used).
Avoid the use of the redirection mechanism. Avoid the use of the redirection mechanism.
TAC_PLUS_AUTHEN_STATUS_FOLLOW, specifically avoid the option to TAC_PLUS_AUTHEN_STATUS_FOLLOW, specifically avoid the option to
skipping to change at page 41, line 21 skipping to change at page 42, line 9
Potential confusion between clients and servers from different Potential confusion between clients and servers from different
vendors of the meaning of specific argument attributes. vendors of the meaning of specific argument attributes.
Potential confusion between clients and servers from different Potential confusion between clients and servers from different
vendors of the meaning of specific commands. vendors of the meaning of specific commands.
In summary: It is strongly advised that TACACS+ MUST be used within a In summary: It is strongly advised that TACACS+ MUST be used within a
secure deployment. Failure to do so may impact overall network secure deployment. Failure to do so may impact overall network
security. security.
10. References 10. Acknowledgements
The Authors would like to thank the following reviewers whose
comments and contributions made considerable improvements to the
document: Alan DeKok (who provided significant insights and
recommendations on all aspects of documenting the protocol),
Alexander Clouter, Chris Janicki, Tom Petch, Robert Drake
The Authors would also like to thanks the support from the OPSAWG
Chairs and advisors.
11. References
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992. April 1992.
[RFC1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols", [RFC1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols",
RFC 1334, DOI 10.17487/RFC1334, October 1992, RFC 1334, DOI 10.17487/RFC1334, October 1992,
<http://www.rfc-editor.org/info/rfc1334>. <http://www.rfc-editor.org/info/rfc1334>.
[RFC1750] Eastlake 3rd, D., Crocker, S., and J. Schiller, [RFC1750] Eastlake 3rd, D., Crocker, S., and J. Schiller,
"Randomness Recommendations for Security", RFC 1750, "Randomness Recommendations for Security", RFC 1750,
skipping to change at page 41, line 45 skipping to change at page 42, line 44
[RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions",
RFC 2433, DOI 10.17487/RFC2433, October 1998, RFC 2433, DOI 10.17487/RFC2433, October 1998,
<http://www.rfc-editor.org/info/rfc2433>. <http://www.rfc-editor.org/info/rfc2433>.
[RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2",
RFC 2759, DOI 10.17487/RFC2759, January 2000, RFC 2759, DOI 10.17487/RFC2759, January 2000,
<http://www.rfc-editor.org/info/rfc2759>. <http://www.rfc-editor.org/info/rfc2759>.
[TheDraft] [TheDraft]
Carrel, D. and L. Grant, "The TACACS+ Protocol Version Carrel, D. and L. Grant, "The TACACS+ Protocol Version
1.78", June 1997, <https://tools.ietf.org/html/draft- 1.78", June 1997,
grant-tacacs-02>. <https://tools.ietf.org/html/draft-grant-tacacs-02>.
Authors' Addresses Authors' Addresses
Thorsten Dahm Thorsten Dahm
Google Inc Google Inc
1600 Amphitheatre Parkway 1600 Amphitheatre Parkway
Mountain View, CA 94043 Mountain View, CA 94043
US US
EMail: thorstendlux@google.com EMail: thorstendlux@google.com
skipping to change at line 1969 skipping to change at page 43, line 38
David Carrel David Carrel
vIPtela, Inc. vIPtela, Inc.
1732 North First St. 1732 North First St.
San Jose, CA 95112 San Jose, CA 95112
US US
EMail: dcarrel@viptela.com EMail: dcarrel@viptela.com
Lol Grant Lol Grant
EMail: lol.grant@gmail.com
 End of changes. 163 change blocks. 
377 lines changed or deleted 424 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/