draft-ietf-opsawg-tacacs-08.txt   draft-ietf-opsawg-tacacs-09.txt 
Operations T. Dahm Operations T. Dahm
Internet-Draft A. Ota Internet-Draft A. Ota
Intended status: Informational Google Inc Intended status: Informational Google Inc
Expires: August 23, 2018 D. Medway Gash Expires: September 22, 2018 D. Medway Gash
Cisco Systems, Inc. Cisco Systems, Inc.
D. Carrel D. Carrel
vIPtela, Inc. vIPtela, Inc.
L. Grant L. Grant
February 19, 2018 March 21, 2018
The TACACS+ Protocol The TACACS+ Protocol
draft-ietf-opsawg-tacacs-08 draft-ietf-opsawg-tacacs-09
Abstract Abstract
TACACS+ provides Device Administration for routers, network access TACACS+ provides Device Administration for routers, network access
servers and other networked computing devices via one or more servers and other networked computing devices via one or more
centralized servers. This document describes the protocol that is centralized servers. This document describes the protocol that is
used by TACACS+. used by TACACS+.
Status of This Memo Status of This Memo
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 23, 2018. This Internet-Draft will expire on September 22, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 22 skipping to change at page 3, line 22
9.6. TACACS+ Client Implementation Recommendations . . . . . . 40 9.6. TACACS+ Client Implementation Recommendations . . . . . . 40
9.7. TACACS+ Server Implementation Recommendations . . . . . . 41 9.7. TACACS+ Server Implementation Recommendations . . . . . . 41
9.8. TACACS+ Security and Operational Concerns . . . . . . . . 41 9.8. TACACS+ Security and Operational Concerns . . . . . . . . 41
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42
1. Introduction 1. Introduction
Terminal Access Controller Access-Control System Plus (TACACS+) was Terminal Access Controller Access-Control System Plus (TACACS+) was
originally conceived as a general Authentication, Authorization and conceived initially as a general Authentication, Authorization and
Accounting protocol. It is primarily used today for Device Accounting protocol. It is primarily used today for Device
Administration: authenticating access to network devices, providing Administration: authenticating access to network devices, providing
central authorization of operations, and audit of those operations. central authorization of operations, and audit of those operations.
A wide range of TACACS+ clients and servers are already deployed in A wide range of TACACS+ clients and servers are already deployed in
the field. The TACACS+ protocol they are based on is defined in a the field. The TACACS+ protocol they are based on is defined in a
draft document that was originally intended for IETF publication. draft document that was originally intended for IETF publication.
This document is known as `The Draft' [TheDraft] . This document is known as `The Draft' [TheDraft] .
It is intended that all implementations which conform to this It is intended that all implementations which conform to this
document will conform to `The Draft'. However, attention is drawn to document will conform to `The Draft'. However, attention is drawn to
the following specific adjustments of the protocol specification from the following specific adjustments of the protocol specification from
'The Draft': 'The Draft':
This document officially removes SENDPASS for security reasons. This document officially removes SENDPASS for security reasons.
The normative description of Legacy features such as ARAP and The normative description of Legacy features such as ARAP and
outbound authentication have been removed, however the required outbound authentication has been removed, however, the required
enumerations are kept. enumerations are kept.
The Support for forwarding to an alternative daemon The Support for forwarding to an alternative daemon
(TAC_PLUS_AUTHEN_STATUS_FOLLOW) has been deprecated. (TAC_PLUS_AUTHEN_STATUS_FOLLOW) has been deprecated.
The TACACS+ protocol separates the functions of Authentication, The TACACS+ protocol separates the functions of Authentication,
Authorization and Accounting. It allows for arbitrary length and Authorization and Accounting. It allows for arbitrary length and
content authentication exchanges, to support future authentication content authentication exchanges, to support future authentication
mechanisms. It is extensible to provide for site customization and mechanisms. It is extensible to provide for site customization and
future development features, and it uses TCP to ensure reliable future development features, and it uses TCP to ensure reliable
skipping to change at page 4, line 15 skipping to change at page 4, line 15
component of that request. component of that request.
The separation of authentication, authorization and accounting was a The separation of authentication, authorization and accounting was a
key element of the design of TACACS+ protocol. Essentially it makes key element of the design of TACACS+ protocol. Essentially it makes
TACACS+ a suite of three protocols. This document will address each TACACS+ a suite of three protocols. This document will address each
one in separate sections. Although TACACS+ defines all three, but an one in separate sections. Although TACACS+ defines all three, but an
implementation or configuration is not required to employ all three. implementation or configuration is not required to employ all three.
Separating the elements is useful for Device Administration use case, Separating the elements is useful for Device Administration use case,
specifically, for authorization of individual commands in a session. specifically, for authorization of individual commands in a session.
Note that there is no provision made at the protocol level for Note that there is no provision made at the protocol level for
association of an authentication to each authroization request. association of an authentication to each authorization request.
This document restricts itself to a description of the protocol that This document restricts itself to a description of the protocol that
is used by TACACS+. It does not cover deployment or best practices. is used by TACACS+. It does not cover deployment or best practices.
2. Technical Definitions 2. Technical Definitions
This section provides a few basic definitions that are applicable to This section provides a few basic definitions that are applicable to
this document this document
Client Client
skipping to change at page 5, line 47 skipping to change at page 5, line 47
The flag is only relevant for the first two packets on a connection, The flag is only relevant for the first two packets on a connection,
to allow the client and server to establish Single Connection Mode. to allow the client and server to establish Single Connection Mode.
No provision is made for changing Single Connection Mode after the No provision is made for changing Single Connection Mode after the
first two packets: the client and server MUST ignore the flag after first two packets: the client and server MUST ignore the flag after
the second packet on a connection. the second packet on a connection.
If single Connection Mode has not been established in the first two If single Connection Mode has not been established in the first two
packets of a TCP connection, then both the client and the server packets of a TCP connection, then both the client and the server
close the connection at the end of the first session. close the connection at the end of the first session.
The client negotiates single Connection Mode to improve efficiency. The client negotiates Single Connection Mode to improve efficiency.
The server may refuse to allow Single connection Mode for the client. The server may refuse to allow Single Connection Mode for the client.
For example, it may not be appropriate to allocate a long lasting TCP For example, it may not be appropriate to allocate a long-lasting TCP
connection to a specific client in some deployments. Even if the connection to a specific client in some deployments. Even if the
server is configured to permit single Connection Mode for a specific server is configured to permit single Connection Mode for a specific
client, the server may close the connection. For example: a server client, the server may close the connection. For example: a server
may be configured to time out a Single Connection Mode TCP Connection may be configured to time out a Single Connection Mode TCP Connection
after a specific period of inactivity to preserve its resources. The after a specific period of inactivity to preserve its resources. The
client MUST accommodate such closures on a TCP session even after client MUST accommodate such closures on a TCP session even after
Single Connection Mode has been established. Single Connection Mode has been established.
3.4. Session Completion 3.4. Session Completion
skipping to change at page 6, line 26 skipping to change at page 6, line 26
a regular session (one which is not aborted). a regular session (one which is not aborted).
The server responds with a PASS or a FAIL to indicate that the The server responds with a PASS or a FAIL to indicate that the
processing of the request completed and the client can apply the processing of the request completed and the client can apply the
result (PASS or FAIL) to control the execution of the action which result (PASS or FAIL) to control the execution of the action which
prompted the request to be sent to the server. prompted the request to be sent to the server.
The server responds with an ERROR to indicate that the processing of The server responds with an ERROR to indicate that the processing of
the request did not complete. The client can not apply the result the request did not complete. The client can not apply the result
and it MUST behave as if the server could not be connected to. For and it MUST behave as if the server could not be connected to. For
example, the client try alternative methods, if they are available, example, the client tries alternative methods, if they are available,
such as sending the request to a backup server, or using local such as sending the request to a backup server, or using local
configuration to determine whether the action which prompted the configuration to determine whether the action which prompted the
request should be executed. request should be executed.
Refer to the section (Section 4.4.3) on Aborting Authentication Refer to the section (Section 4.4.3) on Aborting Authentication
Sessions for details on handling additional status options. Sessions for details on handling additional status options.
When the session is complete, then the TCP connection should be When the session is complete, then the TCP connection should be
handled as follows, according to whether Single Connection Mode was handled as follows, according to whether Single Connection Mode was
negotiated: negotiated:
skipping to change at page 7, line 9 skipping to change at page 7, line 9
connection issues (such as an incorrect secret, see section connection issues (such as an incorrect secret, see section
(Section 3.7) ), then any further new sessions MUST NOT be accepted (Section 3.7) ), then any further new sessions MUST NOT be accepted
on the connection. If there are any sessions that have already been on the connection. If there are any sessions that have already been
established then they MAY be completed. Once all active sessions are established then they MAY be completed. Once all active sessions are
completed then the connection MUST be closed. completed then the connection MUST be closed.
It is recommended that client implementations provide robust schemes It is recommended that client implementations provide robust schemes
for dealing with servers which cannot be connected to. Options for dealing with servers which cannot be connected to. Options
include providing a list of servers for redundancy, and an option for include providing a list of servers for redundancy, and an option for
a local fallback configuration if no servers can be reached. Details a local fallback configuration if no servers can be reached. Details
will be implmentation specific. will be implementation specific.
The client should manage connections and handle the case of a server The client should manage connections and handle the case of a server
which establishes a connection, but does not respond. The exact which establishes a connection, but does not respond. The exact
behavior is implementation specific. It is recommended that the behavior is implementation specific. It is recommended that the
client should close the connection after a configurable timeout. client should close the connection after a configurable timeout.
3.5. Treatment of Enumerated Protocol Values 3.5. Treatment of Enumerated Protocol Values
This document describes various enumerated values in the packet This document describes various enumerated values in the packet
header and the headers for specific packet types. for example in the header and the headers for specific packet types. For example in the
Authentication start packet type, this document defines the action Authentication start packet type, this document defines the action
field with three values TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_CHPASS field with three values TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_CHPASS
and TAC_PLUS_AUTHEN_SENDAUTH. and TAC_PLUS_AUTHEN_SENDAUTH.
If the server does not implement one of the defined options in a If the server does not implement one of the defined options in a
packet that it receives, or it encounters an option that is not packet that it receives, or it encounters an option that is not
listed in this document for a header field, then it should respond listed in this document for a header field, then it should respond
with a ERROR and terminate the session. This will allow the client with a ERROR and terminate the session. This will allow the client
to try a different option. to try a different option.
skipping to change at page 7, line 43 skipping to change at page 7, line 43
returned to indicate an error. returned to indicate an error.
3.6. Text Encoding 3.6. Text Encoding
All text fields in TACACS+ MUST be printable US-ASCII, excepting All text fields in TACACS+ MUST be printable US-ASCII, excepting
special consideration given to user field and data fields used for special consideration given to user field and data fields used for
passwords. passwords.
To ensure interoperability of current deployments, the TACACS+ client To ensure interoperability of current deployments, the TACACS+ client
and server MUST handle user fields and those data fields used for and server MUST handle user fields and those data fields used for
passwords as 8 bit octet strings. The deployment operator MUST passwords as 8-bit octet strings. The deployment operator MUST
ensure that consistent character encoding is applied from the end ensure that consistent character encoding is applied from the end
client to the server. The encoding SHOULD be UTF-8, and other client to the server. The encoding SHOULD be UTF-8, and other
encodings outside printable US-ASCII SHOULD be deprecated. encodings outside printable US-ASCII SHOULD be deprecated.
3.7. Data Obfuscation 3.7. Data Obfuscation
The body of packets may be obfuscated. The following sections The body of packets may be obfuscated. The following sections
describe the obfuscation method that is supported in the protocol. describe the obfuscation method that is supported in the protocol.
In 'The Draft' this process was actually referred to as Encryption, In 'The Draft' this process was actually referred to as Encryption,
but the algorithm would not meet modern standards, and so will not be but the algorithm would not meet modern standards, and so will not be
termed as encryption in this document. termed as encryption in this document.
The obfuscation mechanism relies on a secret key, a shared secret The obfuscation mechanism relies on a secret key, a shared secret
value that is known to both the client and the server. This document value that is known to both the client and the server. This document
does not discuss the management and storage of those keys, other than does not discuss the management and storage of those keys, other than
to require that the secret keys MUST remain secret. to require that the secret keys MUST remain secret.
Server implementations MUST allow a unique secret key to be Server implementations MUST allow a unique secret key to be
associated with every client. It is a site dependent decision as to associated with every client. It is a site-dependent decision as to
whether the use of separate keys is appropriate. whether the use of separate keys is appropriate.
The flag field may be set as follows: The flag field may be set as follows:
TAC_PLUS_UNENCRYPTED_FLAG = 0x0 TAC_PLUS_UNENCRYPTED_FLAG = 0x0
In this case, the packet body is obfuscated by XOR-ing it byte-wise In this case, the packet body is obfuscated by XOR-ing it byte-wise
with a pseudo random pad. with a pseudo-random pad.
ENCRYPTED {data} = data ^ pseudo_pad ENCRYPTED {data} = data ^ pseudo_pad
The packet body can then be de-obfuscated by XOR-ing it byte-wise The packet body can then be de-obfuscated by XOR-ing it byte-wise
with a pseudo random pad. with a pseudo random pad.
data = ENCRYPTED {data} ^ pseudo_pad data = ENCRYPTED {data} ^ pseudo_pad
The pad is generated by concatenating a series of MD5 hashes (each 16 The pad is generated by concatenating a series of MD5 hashes (each 16
bytes long) and truncating it to the length of the input data. bytes long) and truncating it to the length of the input data.
skipping to change at page 9, line 11 skipping to change at page 9, line 11
Subsequent hashes are generated by using the same input stream, but Subsequent hashes are generated by using the same input stream, but
concatenating the previous hash value at the end of the input stream. concatenating the previous hash value at the end of the input stream.
MD5_1 = MD5{session_id, key, version, seq_no} MD5_2 = MD5{session_id, MD5_1 = MD5{session_id, key, version, seq_no} MD5_2 = MD5{session_id,
key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key, key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key,
version, seq_no, MD5_n-1} version, seq_no, MD5_n-1}
When a server detects that the secret(s) it has configured for the When a server detects that the secret(s) it has configured for the
device mismatch, it MUST return ERROR. For details of TCP connection device mismatch, it MUST return ERROR. For details of TCP connection
handling on ERROR, refer to section section (Section 3.4) handling on ERROR, refer to section (Section 3.4)
TAC_PLUS_UNENCRYPTED_FLAG == 0x1 TAC_PLUS_UNENCRYPTED_FLAG == 0x1
In this case, the entire packet body is in cleartext. Obfuscation In this case, the entire packet body is in cleartext. Obfuscation
and de-obfuscation are null operations. This method should be and de-obfuscation are null operations. This method should be
avoided unless absolutely required for debug purposes, when tooling avoided unless absolutely required for debug purposes, when tooling
does not permit de-obfuscation. does not permit de-obfuscation.
If deployment is configured for obfuscating a connection then the If deployment is configured for obfuscating a connection then the
request MUST be dropped if TAC_PLUS_UNENCRYPTED_FLAG is set to true. request MUST be dropped if TAC_PLUS_UNENCRYPTED_FLAG is set to true.
skipping to change at page 9, line 34 skipping to change at page 9, line 34
values in the packet are summed. If the sum is not identical to the values in the packet are summed. If the sum is not identical to the
cleartext datalength value from the header, the packet MUST be cleartext datalength value from the header, the packet MUST be
discarded, and an ERROR signaled. For details of TCP connection discarded, and an ERROR signaled. For details of TCP connection
handling on ERROR, refer to section (Section 3.4) handling on ERROR, refer to section (Section 3.4)
Commonly such failures are seen when the keys are mismatched between Commonly such failures are seen when the keys are mismatched between
the client and the TACACS+ server. the client and the TACACS+ server.
3.8. The TACACS+ Packet Header 3.8. The TACACS+ Packet Header
All TACACS+ packets begin with the following 12 byte header. The All TACACS+ packets begin with the following 12-byte header. The
header describes the remainder of the packet: header describes the remainder of the packet:
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
|major | minor | | | | |major | minor | | | |
|version| version| type | seq_no | flags | |version| version| type | seq_no | flags |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| | | |
| session_id | | session_id |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
skipping to change at page 13, line 49 skipping to change at page 13, line 49
The TAC_PLUS_AUTHEN_SVC_NONE option is intended for the authorization The TAC_PLUS_AUTHEN_SVC_NONE option is intended for the authorization
application of this field that indicates that no authentication was application of this field that indicates that no authentication was
performed by the device. performed by the device.
The TAC_PLUS_AUTHEN_SVC_LOGIN option indicates regular login (as The TAC_PLUS_AUTHEN_SVC_LOGIN option indicates regular login (as
opposed to ENABLE) to a client device. opposed to ENABLE) to a client device.
The TAC_PLUS_AUTHEN_SVC_ENABLE option identifies the ENABLE The TAC_PLUS_AUTHEN_SVC_ENABLE option identifies the ENABLE
authen_service, which refers to a service requesting authentication authen_service, which refers to a service requesting authentication
in order to grant the user different privileges. This is comparable in order to grant the user different privileges. This is comparable
to the Unix "su(1)" command. An authen_service value of NONE is only to the Unix "su(1)" command, which substitutes the current user's
to be used when none of the other authen_service values are identity with another. An authen_service value of NONE is only to be
appropriate. ENABLE may be requested independently, no requirements used when none of the other authen_service values are appropriate.
for previous authentications or authorizations are imposed by the
protocol. ENABLE may be requested independently, no requirements for previous
authentications or authorizations are imposed by the protocol.
Other options are included for legacy/backwards compatibility. Other options are included for legacy/backwards compatibility.
user, user_len user, user_len
The username is optional in this packet, depending upon the class of The username is optional in this packet, depending upon the class of
authentication. If it is absent, the client MUST set user_len to 0. authentication. If it is absent, the client MUST set user_len to 0.
If included, the user_len indicates the length of the user field, in If included, the user_len indicates the length of the user field, in
bytes. bytes.
skipping to change at page 19, line 23 skipping to change at page 19, line 23
field and the data field is a concatenation of the PPP id, the field and the data field is a concatenation of the PPP id, the
challenge and the response. challenge and the response.
The length of the challenge value can be determined from the length The length of the challenge value can be determined from the length
of the data field minus the length of the id (always 1 octet) and the of the data field minus the length of the id (always 1 octet) and the
length of the response field (always 16 octets). length of the response field (always 16 octets).
To perform the authentication, the server calculates the PPP hash as To perform the authentication, the server calculates the PPP hash as
defined in the PPP Authentication RFC RFC 1334 [RFC1334] and then defined in the PPP Authentication RFC RFC 1334 [RFC1334] and then
compare that value with the response. The MD5 algorithm option is compare that value with the response. The MD5 algorithm option is
alays used. The REPLY from the server MUST be a PASS, FAIL or ERROR. always used. The REPLY from the server MUST be a PASS, FAIL or
ERROR.
In cases where the client conducts the exchange with the endstation In cases where the client conducts the exchange with the endstation
and then sends the resulting materials (challenge and responsee) to and then sends the resulting materials (challenge and response) to
the server, the selection of the challenge and its length are not an the server, the selection of the challenge and its length are not an
aspect of the TACACS+ protocol. However, it is strongly recommended aspect of the TACACS+ protocol. However, it is strongly recommended
that the client/endstation interaction is configured with a secure that the client/endstation interaction is configured with a secure
challenge. The TACACS+ server can help by rejecting authentications challenge. The TACACS+ server can help by rejecting authentications
where the challenge is below a minimum length (Minimum recommended is where the challenge is below a minimum length (Minimum recommended is
8 bytes). 8 bytes).
In cases where the TACACS+ Server generates the challenge then it In cases where the TACACS+ Server generates the challenge then it
MUST change for every request and MUST be derived from a strong MUST change for every request and MUST be derived from a strong
cryptographic source. cryptographic source.
skipping to change at page 20, line 15 skipping to change at page 20, line 15
The length of the challenge value can be determined from the length The length of the challenge value can be determined from the length
of the data field minus the length of the id (always 1 octet) and the of the data field minus the length of the id (always 1 octet) and the
length of the response field (always 49 octets). length of the response field (always 49 octets).
To perform the authentication, the server will use a combination of To perform the authentication, the server will use a combination of
MD4 and DES on the user's secret and the challenge, as defined in RFC MD4 and DES on the user's secret and the challenge, as defined in RFC
2433 [RFC2433] and then compare the resulting value with the 2433 [RFC2433] and then compare the resulting value with the
response. The REPLY from the server MUST be a PASS or FAIL. response. The REPLY from the server MUST be a PASS or FAIL.
For best practices, please refer to RFC 2433 [RFC2433] . The TACACS+ For best practices, please refer to RFC 2433 [RFC2433] . The TACACS+
server MUST rejects authentications where the challenge deviates from server MUST reject authentications where the challenge deviates from
8 bytes as defined in the RFC. 8 bytes as defined in the RFC.
4.4.2.5. MS-CHAP v2 login 4.4.2.5. MS-CHAP v2 login
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAPV2
minor_version = 0x1 minor_version = 0x1
The entire exchange MUST consist of a single START packet and a The entire exchange MUST consist of a single START packet and a
single REPLY. The START packet MUST contain the username in the user single REPLY. The START packet MUST contain the username in the user
skipping to change at page 21, line 34 skipping to change at page 21, line 34
TAC_PLUS_AUTHEN_STATUS_GETDATA. TAC_PLUS_AUTHEN_STATUS_GETDATA.
4.4.3. Aborting an Authentication Session 4.4.3. Aborting an Authentication Session
The client may prematurely terminate a session by setting the The client may prematurely terminate a session by setting the
TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this
flag is set, the data portion of the message may contain an ASCII flag is set, the data portion of the message may contain an ASCII
message explaining the reason for the abort. This information will message explaining the reason for the abort. This information will
be handled by the server according to the requirements of the be handled by the server according to the requirements of the
deployment. The session is terminated, for more details about deployment. The session is terminated, for more details about
session temrination, oplease refer to section (Section 3.4) session termination, refer to section (Section 3.4)
In the case of PALL, FAIL or ERROR, the server can insert a message In the case of PALL, FAIL or ERROR, the server can insert a message
into server_msg to be displayed to the user. into server_msg to be displayed to the user.
The Draft `The Draft' [TheDraft] defined a mechanism to direct The Draft `The Draft' [TheDraft] defined a mechanism to direct
authentication requests to an alternative server. This mechanism is authentication requests to an alternative server. This mechanism is
regarded as insecure, is deprecated, and not covered here. The regarded as insecure, is deprecated, and not covered here. The
client should treat TAC_PLUS_AUTHEN_STATUS_FOLLOW as client should treat TAC_PLUS_AUTHEN_STATUS_FOLLOW as
TAC_PLUS_AUTHEN_STATUS_FAIL TAC_PLUS_AUTHEN_STATUS_FAIL
skipping to change at page 22, line 30 skipping to change at page 22, line 30
authorization, though it is not mandatory that a client use the same authorization, though it is not mandatory that a client use the same
service for authentication that it will use for authorization. An service for authentication that it will use for authorization. An
authorization request may indicate that the user is not authenticated authorization request may indicate that the user is not authenticated
(we don't know who they are). In this case it is up to the server to (we don't know who they are). In this case it is up to the server to
determine, according to its configuration, if an unauthenticated user determine, according to its configuration, if an unauthenticated user
is allowed the services in question. is allowed the services in question.
Authorization does not merely provide yes or no answers, but it may Authorization does not merely provide yes or no answers, but it may
also customize the service for the particular user. A common use of also customize the service for the particular user. A common use of
authorization is to provision a shell session when a user first logs authorization is to provision a shell session when a user first logs
in to a device to administer it. The TACACS+ server might respond to into a device to administer it. The TACACS+ server might respond to
the request by allowing the service, but placing a time restriction the request by allowing the service, but placing a time restriction
on the login shell. For a list of common attributes used in on the login shell. For a list of common attributes used in
authorization, see the Authorization Attributes section (Section 7.2) authorization, see the Authorization Attributes section (Section 7.2)
. .
In the TACACS+ protocol an authorization is always a single pair of In the TACACS+ protocol an authorization is always a single pair of
messages: a REQUEST from the client followed by a REPLY from the messages: a REQUEST from the client followed by a REPLY from the
server. server.
The authorization REQUEST message contains a fixed set of fields that The authorization REQUEST message contains a fixed set of fields that
indicate how the user was authenticated and a variable set of indicate how the user was authenticated and a variable set of
arguments that describe the services and options for which arguments that describe the services and options for which
authorization is requested. authorization is requested.
The REPLY contains a variable set of response arguments (attribute- The REPLY contains a variable set of response arguments (attribute-
value pairs) that can restrict or modify the clients actions. value pairs) that can restrict or modify the client's actions.
5.1. The Authorization REQUEST Packet Body 5.1. The Authorization REQUEST Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| authen_method | priv_lvl | authen_type | authen_service | | authen_method | priv_lvl | authen_type | authen_service |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user_len | port_len | rem_addr_len | arg_cnt | | user_len | port_len | rem_addr_len | arg_cnt |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg_1_len | arg_2_len | ... | arg_N_len | | arg_1_len | arg_2_len | ... | arg_N_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
skipping to change at page 24, line 26 skipping to change at page 24, line 26
priv_lvl priv_lvl
This field is used in the same way as the priv_lvl field in This field is used in the same way as the priv_lvl field in
authentication request and is described in the Privilege Level authentication request and is described in the Privilege Level
section (Section 8) below. It indicates the users current privilege section (Section 8) below. It indicates the users current privilege
level. level.
authen_type authen_type
This field corrsponds to the authen_type field in the authentication This field coresponds to the authen_type field in the authentication
section (Section 4) above. It indicates the type of authentication section (Section 4) above. It indicates the type of authentication
that was performed. If this information is not available, then the that was performed. If this information is not available, then the
client will set authen_type to: TAC_PLUS_AUTHEN_TYPE_NOT_SET := 0x00. client will set authen_type to: TAC_PLUS_AUTHEN_TYPE_NOT_SET := 0x00.
This value is valid only in authorization and accounting requests. This value is valid only in authorization and accounting requests.
authen_service authen_service
This field is the same as the authen_service field in the This field is the same as the authen_service field in the
authentication section (Section 4) above. It indicates the service authentication section (Section 4) above. It indicates the service
through which the user authenticated. through which the user authenticated.
skipping to change at page 25, line 43 skipping to change at page 25, line 43
Optional arguments are ones that may be disregarded by either client Optional arguments are ones that may be disregarded by either client
or server. Mandatory arguments require that the receiving side can or server. Mandatory arguments require that the receiving side can
handle the attribute, that is: its implementation and configuration handle the attribute, that is: its implementation and configuration
includes the details of how to act on it. If the client receives a includes the details of how to act on it. If the client receives a
mandatory argument that it cannot handle, it MUST consider the mandatory argument that it cannot handle, it MUST consider the
authorization to have failed. It is legal to send an attribute-value authorization to have failed. It is legal to send an attribute-value
pair with a zero length value. pair with a zero length value.
Attribute-value strings are not NULL terminated, rather their length Attribute-value strings are not NULL terminated, rather their length
value indicates their end. The maximum length of an attribute-value value indicates their end. The maximum length of an attribute-value
string is 255 characters. The minimum is two characters (one name string is 255 characters. The minimum is two characters (one name-
value character and the separator) value character and the separator)
Though the attributes allow extensibility, a common core set of Though the attributes allow extensibility, a common core set of
authorization attributes SHOULD be supported by clients and servers, authorization attributes SHOULD be supported by clients and servers,
these are listed in the Authorization Attributes (Section 7.2) these are listed in the Authorization Attributes (Section 7.2)
section below. section below.
5.2. The Authorization REPLY Packet Body 5.2. The Authorization REPLY Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
skipping to change at page 30, line 31 skipping to change at page 30, line 31
| 0 | 1 | 1 | 6 | INVALID | | 0 | 1 | 1 | 6 | INVALID |
| 1 | 0 | 0 | 8 | Watchdog, no update | | 1 | 0 | 0 | 8 | Watchdog, no update |
| 1 | 0 | 1 | A | Watchdog, with update | | 1 | 0 | 1 | A | Watchdog, with update |
| 1 | 1 | 0 | C | INVALID | | 1 | 1 | 0 | C | INVALID |
| 1 | 1 | 1 | E | INVALID | | 1 | 1 | 1 | E | INVALID |
+----------+-------+-------+-------------+-------------------------+ +----------+-------+-------+-------------+-------------------------+
The START and STOP flags are mutually exclusive. The START and STOP flags are mutually exclusive.
The WATCHDOG flag is used by the client to communicate ongoing status The WATCHDOG flag is used by the client to communicate ongoing status
of a long running task. Update records are sent at the client's of a long-running task. Update records are sent at the client's
discretion. The frequency of the update depends upon the intended discretion. The frequency of the update depends upon the intended
application: A watchdog to provide progress indication will require application: A watchdog to provide progress indication will require
higher frequency than a daily keep-alive. When the WATCHDOG flag is higher frequency than a daily keep-alive. When the WATCHDOG flag is
set along with the START flag, it indicates that the update record set along with the START flag, it indicates that the update record
provides additional or updated arguments from the original START provides additional or updated arguments from the original START
record. If the START flag is not set, then this indicates only that record. If the START flag is not set, then this indicates only that
task is still running, and no new information is provided (servers task is still running, and no new information is provided (servers
MUST ignore any arguments). The STOP flag MUST NOT be set in MUST ignore any arguments). The STOP flag MUST NOT be set in
conjunction with the WATCHDOG flag. conjunction with the WATCHDOG flag.
skipping to change at page 33, line 44 skipping to change at page 33, line 44
authorization. authorization.
noescape (Boolean) noescape (Boolean)
Prevents user from using an escape character. Applicable only to Prevents user from using an escape character. Applicable only to
session-based shell authorization. session-based shell authorization.
nohangup (Boolean) nohangup (Boolean)
Boolean. Do not disconnect after an automatic command. Applicable Boolean. Do not disconnect after an automatic command. Applicable
only to session-based shell authorization.y. only to session-based shell authorization.
priv-lvl (Numeric) priv-lvl (Numeric)
privilege level to be assigned. Please refer to the Privilege Level privilege level to be assigned. Please refer to the Privilege Level
section (Section 8) below. section (Section 8) below.
remote_user (String) remote_user (String)
remote userid (authen_method must have the value remote userid (authen_method must have the value
TAC_PLUS_AUTHEN_METH_RCMD). In the case of rcmd authorizations, the TAC_PLUS_AUTHEN_METH_RCMD). In the case of rcmd authorizations, the
authen_method will be set to TAC_PLUS_AUTHEN_METH_RCMD and the authen_method will be set to TAC_PLUS_AUTHEN_METH_RCMD and the
skipping to change at page 34, line 50 skipping to change at page 34, line 50
The elapsed time in seconds for the action. The elapsed time in seconds for the action.
timezone (String) timezone (String)
The timezone abbreviation for all timestamps included in this packet. The timezone abbreviation for all timestamps included in this packet.
event (String) event (String)
Used only when "service=system". Current values are "net_acct", Used only when "service=system". Current values are "net_acct",
"cmd_acct", "conn_acct", "shell_acct" "sys_acct" and "clock_change". "cmd_acct", "conn_acct", "shell_acct" "sys_acct" and "clock_change".
These indicate system level changes. The flags field SHOULD indicate These indicate system-level changes. The flags field SHOULD indicate
whether the service started or stopped. whether the service started or stopped.
reason (String) reason (String)
Accompanies an event attribute. It describes why the event occurred. Accompanies an event attribute. It describes why the event occurred.
bytes (Numeric) bytes (Numeric)
The number of bytes transferred by this action The number of bytes transferred by this action
skipping to change at page 35, line 46 skipping to change at page 35, line 46
err_msg (String) err_msg (String)
A printable US-ASCII string describing the status of the action. A printable US-ASCII string describing the status of the action.
8. Privilege Levels 8. Privilege Levels
The TACACS+ Protocol supports flexible authorization schemes through The TACACS+ Protocol supports flexible authorization schemes through
the extensible attributes. the extensible attributes.
One scheme is built in to the protocol and has been extensively used One scheme is built into the protocol and has been extensively used
for Session-based shell authorization: Privilege Levels. Privilege for Session-based shell authorization: Privilege Levels. Privilege
Levels are ordered values from 0 to 15 with each level being a Levels are ordered values from 0 to 15 with each level being a
superset of the next lower value. Configuration and implementation superset of the next lower value. Configuration and implementation
of the client will map actions ()such as the permission to execute of of the client will map actions (such as the permission to execute of
specific commands) to different privilege levels. Pre-defined values specific commands) to different privilege levels. Pre-defined values
are: are:
TAC_PLUS_PRIV_LVL_MAX := 0x0f TAC_PLUS_PRIV_LVL_MAX := 0x0f
TAC_PLUS_PRIV_LVL_ROOT := 0x0f TAC_PLUS_PRIV_LVL_ROOT := 0x0f
TAC_PLUS_PRIV_LVL_USER := 0x01 TAC_PLUS_PRIV_LVL_USER := 0x01
TAC_PLUS_PRIV_LVL_MIN := 0x00 TAC_PLUS_PRIV_LVL_MIN := 0x00
A Privilege level can be assigned to a shell (EXEC) session when it A Privilege level can be assigned to a shell (EXEC) session when it
starts starts (for example, TAC_PLUS_PRIV_LVL_USER). The client will starts (for example, TAC_PLUS_PRIV_LVL_USER). The client will permit
permit the actions associated with this level to be executed. This the actions associated with this level to be executed. This
privilege level is returned by the Server in a session-based shell privilege level is returned by the Server in a session-based shell
authorization (when "service" equals "shell" and "cmd" is empty). authorization (when "service" equals "shell" and "cmd" is empty).
When a user required to perform actions that are mapped to a higher When a user required to perform actions that are mapped to a higher
privilege level, then an ENABLE type reuthentication can be initiated privilege level, then an ENABLE type reauthentication can be
by the client, in a way similar to su in unix. The client will initiated by the client. The client will insert the required
insert the required privilege level into the authentication header privilege level into the authentication header for enable
for enable authentication request. authentication request.
The use of Privilege levels to determine session-based access to The use of Privilege levels to determine session-based access to
commands and resources is not mandatory for clients. Although the commands and resources is not mandatory for clients. Although the
privilege level scheme is widely supported, its lack of flexibility privilege level scheme is widely supported, its lack of flexibility
in requiring a single monotonic hierarchy of permissions means that in requiring a single monotonic hierarchy of permissions means that
other session-based command authorization schemes have evolved, and other session-based command authorization schemes have evolved, and
so it is no longer mandatory for clients to use it. However, it is so it is no longer mandatory for clients to use it. However, it is
still common enough that it SHOULD be supported by servers. still common enough that it SHOULD be supported by servers.
9. TACACS+ Security Considerations 9. TACACS+ Security Considerations
skipping to change at page 36, line 51 skipping to change at page 36, line 51
Multiple implementations of the protocol described in the draft[1] Multiple implementations of the protocol described in the draft[1]
have been deployed. As the protocol was never standardised, current have been deployed. As the protocol was never standardised, current
implementations may be incompatible in non-obvious ways, giving rise implementations may be incompatible in non-obvious ways, giving rise
to additional security risks about which authors might not be aware to additional security risks about which authors might not be aware
of. This section does not claim to enumerate all possible security of. This section does not claim to enumerate all possible security
vulnerabilities. vulnerabilities.
9.1. General Security of The Protocol 9.1. General Security of The Protocol
TACACS+ protocol does not include a security mechanism that would TACACS+ protocol does not include a security mechanism that would
meet modern day requirements. Support for MD5-based crypto pad meet modern-day requirements. Support for MD5-based crypto pad
encryption fails to provide any kind of transport integrity, which encryption fails to provide any kind of transport integrity, which
presents at least the following risks: presents at least the following risks:
Accounting information may be modified by the man-in-the-middle Accounting information may be modified by the man-in-the-middle
attacker, making such logs unsuitable and untrustable for auditing attacker, making such logs unsuitable and untrustable for auditing
purposes. purposes.
Only the body of the request is encrypted which leaves all header Only the body of the request is encrypted which leaves all header
fields open to trivial modification by the man-in-the-middle fields open to trivial modification by the man-in-the-middle
attacker. attacker.
skipping to change at page 37, line 46 skipping to change at page 37, line 46
information is available that it is best referred to as "obfuscation" information is available that it is best referred to as "obfuscation"
and not "encryption". and not "encryption".
For example, a "session_id" can be replaced by an alternate one, For example, a "session_id" can be replaced by an alternate one,
which could allow an unprivileged administrator to "steal" the which could allow an unprivileged administrator to "steal" the
authorization from a session for a privileged administrator. An authorization from a session for a privileged administrator. An
attacker could also update the "flags" field to indicate that one or attacker could also update the "flags" field to indicate that one or
the other end of a connection requires TAC_PLUS_UNENCRYPTED_FLAG, the other end of a connection requires TAC_PLUS_UNENCRYPTED_FLAG,
which would subvert the obfuscation mechanism. which would subvert the obfuscation mechanism.
For this reasons, users deploying TACACS+ protocol in their For these reasons, users deploying TACACS+ protocol in their
environments MUST limit access to known clients and MUST control the environments MUST limit access to known clients and MUST control the
security of the entire transmission path. Attacks who can guess the security of the entire transmission path. Attacks who can guess the
key or otherwise break the obfuscation will gain unrestricted and key or otherwise break the obfuscation will gain unrestricted and
undetected access to all TACACS+ traffic. The security risk of such undetected access to all TACACS+ traffic. The security risk of such
attack succeeding against a centralised AAA system like TACACS+ attack succeeding against a centralised AAA system like TACACS+
cannot be overstated. cannot be overstated.
The following parts of this section enumerate only the session- The following parts of this section enumerate only the session-
specific risks which are in addition to general risk associated with specific risks which are in addition to general risk associated with
bare obfuscation and lack of integrity checking. bare obfuscation and lack of integrity checking.
9.2. Security of Authentication Sessions 9.2. Security of Authentication Sessions
Authentication sessions SHOULD NOT be used via unsecure transport as Authentication sessions SHOULD NOT be used via insecure transport as
the man-in-the-middle attack may completely subvert them. Even CHAP, the man-in-the-middle attack may completely subvert them. Even CHAP,
which may me considered resistant to password interception, is unsafe which may be considered resistant to password interception, is unsafe
as it does not protect the username from a trivial man-in-the-middle as it does not protect the username from a trivial man-in-the-middle
attack. attack.
Section 4.4.3 permits the redirection of a session to another server Section 4.4.3 permits the redirection of a session to another server
via the TAC_PLUS_AUTHEN_STATUS_FOLLOW mechanism. As part of this via the TAC_PLUS_AUTHEN_STATUS_FOLLOW mechanism. As part of this
process, the secret key for a new server can be sent to the client. process, the secret key for a new server can be sent to the client.
This public exchange of secret keys means that once one session is This public exchange of secret keys means that once one session is
broken, it may be possible to leverage that key to attacking broken, it may be possible to leverage that key to attacking
connections to other servers. This option MUST NOT be used outside a connections to other servers. This option MUST NOT be used outside a
secured deployment of protocol clients or outside of secure secured deployment of protocol clients or outside of secure
skipping to change at page 40, line 4 skipping to change at page 40, line 4
unknown clients. unknown clients.
Due to the security deficiencies of the protocol, it is critical that Due to the security deficiencies of the protocol, it is critical that
it be deployed in a secure manner. The following recommendations are it be deployed in a secure manner. The following recommendations are
made for those deploying and configuring TACACS+ as a solution for made for those deploying and configuring TACACS+ as a solution for
device administration: device administration:
Secure the Deployment: TACACS+ MUST BE deployed over networks Secure the Deployment: TACACS+ MUST BE deployed over networks
which ensure an appropriate privacy and integrity of the which ensure an appropriate privacy and integrity of the
communication. Definition of an appropriate level of privacy and communication. Definition of an appropriate level of privacy and
integrity is organisation-dependent What is apropriate level of integrity is organisation-dependent What is appropriate level of
The way this is ensured will depend upon the organisational means: The way this is ensured will depend upon the organisational means:
a dedicated and secure management network where available in a dedicated and secure management network where available in
enterprise deployments, or IPsec where dedicated networks are not enterprise deployments, or IPsec where dedicated networks are not
available. available.
Always set a secret key (recommended minimum 14 characters) on the Always set a secret key (recommended minimum 14 characters) on the
client and server when configuring the connection between them. client and server when configuring the connection between them.
Servers MUST be configured with a list of known clients. Servers Servers MUST be configured with a list of known clients. Servers
MUST be configured to reject requests from clients not on the MUST be configured to reject requests from clients not on the
skipping to change at page 40, line 31 skipping to change at page 40, line 31
Restrict to TAC_PLUS_AUTHEN_TYPE_CHAP for authen_type where Restrict to TAC_PLUS_AUTHEN_TYPE_CHAP for authen_type where
possible. Use other options only when unavoidable due to possible. Use other options only when unavoidable due to
requirements of identity/password systems. requirements of identity/password systems.
Servers SHOULD be restricted to requiring TACACS+ authentication Servers SHOULD be restricted to requiring TACACS+ authentication
for authorization requests (i.e. TAC_PLUS_AUTHEN_METH_TACACSPLUS for authorization requests (i.e. TAC_PLUS_AUTHEN_METH_TACACSPLUS
is used). is used).
Avoid the use of the redirection mechanism. Avoid the use of the redirection mechanism.
TAC_PLUS_AUTHEN_STATUS_FOLLOW, specifically avoid the option to TAC_PLUS_AUTHEN_STATUS_FOLLOW, specifically avoid the option to
send send secret keys in the server list. send secret keys in the server list.
Take case when applying extensions to the dictionary of Take case when applying extensions to the dictionary of
authorization/accounting arguments. Ensure that the client and authorization/accounting arguments. Ensure that the client and
server use of new argument names are consistent. server use of new argument names are consistent.
9.6. TACACS+ Client Implementation Recommendations 9.6. TACACS+ Client Implementation Recommendations
When implementing TACACS+ Clients it is recommended: When implementing TACACS+ Clients it is recommended:
Clients SHOULD not use TAC_PLUS_UNENCRYPTED_FLAG, even on networks Clients SHOULD not use TAC_PLUS_UNENCRYPTED_FLAG, even on networks
 End of changes. 38 change blocks. 
48 lines changed or deleted 50 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/