draft-ietf-opsawg-tacacs-15.txt   draft-ietf-opsawg-tacacs-16.txt 
Operations T. Dahm Operations T. Dahm
Internet-Draft A. Ota Internet-Draft A. Ota
Intended status: Informational Google Inc Intended status: Informational Google Inc
Expires: March 25, 2020 D. Medway Gash Expires: May 20, 2020 D. Medway Gash
Cisco Systems, Inc. Cisco Systems, Inc.
D. Carrel D. Carrel
vIPtela, Inc. vIPtela, Inc.
L. Grant L. Grant
September 22, 2019 November 17, 2019
The TACACS+ Protocol The TACACS+ Protocol
draft-ietf-opsawg-tacacs-15 draft-ietf-opsawg-tacacs-16
Abstract Abstract
Terminal Access Controller Access-Control System Plus (TACACS+) Terminal Access Controller Access-Control System Plus (TACACS+)
provides Device Administration for routers, network access servers provides Device Administration for routers, network access servers
and other networked computing devices via one or more centralized and other networked computing devices via one or more centralized
servers. This document describes the protocol that is used by servers. This document describes the protocol that is used by
TACACS+. TACACS+.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 25, 2020. This Internet-Draft will expire on May 20, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 37 skipping to change at page 2, line 37
3.1. Client . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Client . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Server . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Server . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.3. Packet . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.3. Packet . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.4. Connection . . . . . . . . . . . . . . . . . . . . . . . 5 3.4. Connection . . . . . . . . . . . . . . . . . . . . . . . 5
3.5. Session . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.5. Session . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.6. Treatment of Enumerated Protocol Values . . . . . . . . . 5 3.6. Treatment of Enumerated Protocol Values . . . . . . . . . 5
3.7. Treatment of Text Strings . . . . . . . . . . . . . . . . 5 3.7. Treatment of Text Strings . . . . . . . . . . . . . . . . 5
4. TACACS+ Packets and Sessions . . . . . . . . . . . . . . . . 6 4. TACACS+ Packets and Sessions . . . . . . . . . . . . . . . . 6
4.1. The TACACS+ Packet Header . . . . . . . . . . . . . . . . 6 4.1. The TACACS+ Packet Header . . . . . . . . . . . . . . . . 6
4.2. The TACACS+ Packet Body . . . . . . . . . . . . . . . . . 8 4.2. The TACACS+ Packet Body . . . . . . . . . . . . . . . . . 8
4.3. Single Connection Mode . . . . . . . . . . . . . . . . . 9 4.3. Single Connection Mode . . . . . . . . . . . . . . . . . 8
4.4. Session Completion . . . . . . . . . . . . . . . . . . . 9 4.4. Session Completion . . . . . . . . . . . . . . . . . . . 9
4.5. Data Obfuscation . . . . . . . . . . . . . . . . . . . . 11 4.5. Data Obfuscation . . . . . . . . . . . . . . . . . . . . 10
5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 12 5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 12
5.1. The Authentication START Packet Body . . . . . . . . . . 13 5.1. The Authentication START Packet Body . . . . . . . . . . 12
5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15 5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15
5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 16 5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 16
5.4. Description of Authentication Process . . . . . . . . . . 17 5.4. Description of Authentication Process . . . . . . . . . . 17
5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 18 5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 17
5.4.2. Common Authentication Flows . . . . . . . . . . . . . 19 5.4.2. Common Authentication Flows . . . . . . . . . . . . . 18
5.4.3. Aborting an Authentication Session . . . . . . . . . 22 5.4.3. Aborting an Authentication Session . . . . . . . . . 21
6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 23 6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 22
6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23
6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 27 6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 26
7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 28 7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 28
7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 29 7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 28
7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 30 7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 29
8. Attribute-Value Pairs . . . . . . . . . . . . . . . . . . . . 31 8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 31
8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 32 8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 31
8.2. Authorization Attributes . . . . . . . . . . . . . . . . 32 8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 32
8.3. Accounting Attributes . . . . . . . . . . . . . . . . . . 34 8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 34
9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 36 9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 35
10. Security Considerations . . . . . . . . . . . . . . . . . . . 37 10. Security Considerations . . . . . . . . . . . . . . . . . . . 36
10.1. General Security of the Protocol . . . . . . . . . . . . 37 10.1. General Security of the Protocol . . . . . . . . . . . . 37
10.2. Security of Authentication Sessions . . . . . . . . . . 38 10.2. Security of Authentication Sessions . . . . . . . . . . 38
10.3. Security of Authorization Sessions . . . . . . . . . . . 39 10.3. Security of Authorization Sessions . . . . . . . . . . . 38
10.4. Security of Accounting Sessions . . . . . . . . . . . . 39 10.4. Security of Accounting Sessions . . . . . . . . . . . . 39
10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 40 10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 39
10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 40 10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 39
10.5.2. Connections and Obfuscation . . . . . . . . . . . . 41 10.5.2. Connections and Obfuscation . . . . . . . . . . . . 40
10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 42 10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 41
10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 42 10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 42
10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 42 10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 42
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 43 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43
13.1. Normative References . . . . . . . . . . . . . . . . . . 43 13.1. Normative References . . . . . . . . . . . . . . . . . . 43
13.2. Informative References . . . . . . . . . . . . . . . . . 44 13.2. Informative References . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44
1. Introduction 1. Introduction
Terminal Access Controller Access-Control System Plus (TACACS+) was Terminal Access Controller Access-Control System Plus (TACACS+) was
conceived initially as a general Authentication, Authorization and conceived initially as a general Authentication, Authorization and
Accounting protocol. It's use today is mainly confined to Device Accounting protocol. It's use today is mainly confined to Device
Administration: authenticating access to network devices, providing Administration: authenticating access to network devices, providing
central authorization of operations, and audit of those operations. central authorization of operations, and audit of those operations.
A wide range of TACACS+ clients and servers are already deployed in A wide range of TACACS+ clients and servers are already deployed in
the field. The TACACS+ protocol they are based on is defined in a the field. The TACACS+ protocol they are based on is defined in a
draft document that was originally intended for IETF publication, and draft document that was originally intended for IETF publication, and
is known as `The Draft' [TheDraft] . This did not address all of the is known as `The Draft' [TheDraft]. This did not address all of the
key security concerns which are considered when designing modern key security concerns which are considered when designing modern
standards. For more details please refer to security section standards. Deployment must therefore be executed with care. These
(Section 10) . concerns are addressed in the security section (Section 10).
This is intended to document the TACACS+ protocol as it is currently This is intended to document the TACACS+ protocol as it is currently
deployed. It is intended that all implementations which conform to deployed. It is intended that all implementations which conform to
this document will conform to `The Draft'. However, attention is this document will conform to `The Draft'. However, attention is
drawn to the following specific adjustments of the protocol drawn to the following specific adjustments of the protocol
specification from 'The Draft': specification from 'The Draft':
This document officially removes SENDPASS for security reasons. This document officially removes SENDPASS for security reasons.
The normative description of Legacy features such as ARAP and The normative description of Legacy features such as ARAP and
outbound authentication has been removed. outbound authentication has been removed.
The Support for forwarding to an alternative daemon The Support for forwarding to an alternative daemon
(TAC_PLUS_AUTHEN_STATUS_FOLLOW) has been deprecated. (TAC_PLUS_AUTHEN_STATUS_FOLLOW) has been deprecated.
The TACACS+ protocol separates the functions of Authentication, The TACACS+ protocol allows for arbitrary length and content
Authorization and Accounting. It allows for arbitrary length and authentication exchanges, to support alternative authentication
content authentication exchanges, to support future authentication
mechanisms. It is extensible to provide for site customization and mechanisms. It is extensible to provide for site customization and
future development features, and it uses TCP to ensure reliable future development features, and it uses TCP to ensure reliable
delivery. The protocol allows the TACACS+ client to request very delivery. The protocol allows the TACACS+ client to request fine-
fine-grained access control and allows the server to respond to each grained access control and allows the server to respond to each
component of that request. component of that request.
The separation of authentication, authorization and accounting was a The separation of authentication, authorization and accounting is a
key element of the design of TACACS+ protocol. Essentially it makes key element of the design of TACACS+ protocol. Essentially it makes
TACACS+ a suite of three protocols. This document will address each TACACS+ a suite of three protocols. This document will address each
one in separate sections. Although TACACS+ defines all three, an one in separate sections. Although TACACS+ defines all three, an
implementation or configuration is not required to employ all three. implementation or deployment is not required to employ all three.
Separating the elements is useful for Device Administration use case, Separating the elements is useful for Device Administration use case,
specifically, for authorization of individual commands in a session. specifically, for authorization of individual commands in a session.
Note that there is no provision made at the protocol level for Note that there is no provision made at the protocol level for
association of an authentication to each authorization request. association of an authentication to authorization requests.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Technical Definitions 3. Technical Definitions
skipping to change at page 6, line 7 skipping to change at page 6, line 7
returned to indicate an error. returned to indicate an error.
3.7. Treatment of Text Strings 3.7. Treatment of Text Strings
The TACACS+ protocol makes extensive use of text strings. The The TACACS+ protocol makes extensive use of text strings. The
original draft intended that these strings would be treated as byte original draft intended that these strings would be treated as byte
arrays where each byte would represent a US-ASCII character. arrays where each byte would represent a US-ASCII character.
More recently, server implementations have been extended to interwork More recently, server implementations have been extended to interwork
with external identity services, and so a more nuanced approach is with external identity services, and so a more nuanced approach is
needed. Text Strings in the TACACS+ protocol MUST be handled in the needed. Usernames MUST be encoded and handled using the
following way: UsernameCasePreserved Profile specified in RFC 8265 [RFC8265]. The
security considerations in Section 8 of that RFC apply.
Usernames
Usernames MUST be encoded and handled using the UsernameCasePreserved
Profile specified in RFC 8265 [RFC8265]. The security considerations
in Section 8 of that RFC apply.
Passwords
Passwords MUST be handled and processed using the OpaqueString
Profile specified in RFC 8265 [RFC8265]. The security considerations
in Section 8 of that RFC apply.
Binary Data Strings
Where specifically mentioned, data fields contain arrays of arbitrary Where specifically mentioned, data fields contain arrays of arbitrary
bytes as required for protocol processing. These are not intended to bytes as required for protocol processing. These are not intended to
be made visible through user interface to users. be made visible through user interface to users.
Printable Text String
All other text fields in TACACS+ MUST be treated as printable byte All other text fields in TACACS+ MUST be treated as printable byte
arrays of US-ASCII as defined by RFC 20 [RFC0020]. The term arrays of US-ASCII as defined by RFC 20 [RFC0020]. The term
"printable" used here means the fields MUST exclude the "Control "printable" used here means the fields MUST exclude the "Control
Characters" defined in section 5.2 of RFC 20 [RFC0020]. Characters" defined in section 5.2 of RFC 20 [RFC0020].
4. TACACS+ Packets and Sessions 4. TACACS+ Packets and Sessions
4.1. The TACACS+ Packet Header 4.1. The TACACS+ Packet Header
All TACACS+ packets begin with the following 12-byte header. The All TACACS+ packets begin with the following 12-byte header. The
skipping to change at page 7, line 44 skipping to change at page 7, line 30
TAC_PLUS_AUTHEN := 0x01 (Authentication) TAC_PLUS_AUTHEN := 0x01 (Authentication)
TAC_PLUS_AUTHOR := 0x02 (Authorization) TAC_PLUS_AUTHOR := 0x02 (Authorization)
TAC_PLUS_ACCT := 0x03 (Accounting) TAC_PLUS_ACCT := 0x03 (Accounting)
seq_no seq_no
This is the sequence number of the current packet. The first packet This is the sequence number of the current packet. The first packet
in a session MUST have the sequence number 1 and each subsequent in a session MUST have the sequence number 1 and each subsequent
packet will increment the sequence number by one. Clients only send packet will increment the sequence number by one. TACACS+ Clients
packets containing odd sequence numbers, and TACACS+ servers only only send packets containing odd sequence numbers, and TACACS+
send packets containing even sequence numbers. servers only send packets containing even sequence numbers.
The sequence number must never wrap i.e. if the sequence number 2^8-1 The sequence number must never wrap i.e. if the sequence number 2^8-1
is ever reached, that session must terminate and be restarted with a is ever reached, that session must terminate and be restarted with a
sequence number of 1. sequence number of 1.
flags flags
This field contains various bitmapped flags. This field contains various bitmapped flags.
The flag bit: The flag bit:
TAC_PLUS_UNENCRYPTED_FLAG := 0x01 TAC_PLUS_UNENCRYPTED_FLAG := 0x01
This flag indicates that the sender did not obfuscate the body of the This flag indicates that the sender did not obfuscate the body of the
packet. The application of this flag will be covered in the security packet. The application of this flag will be covered in the security
section (Section 10) . section (Section 10).
This flag SHOULD be clear in all deployments. Modern network traffic This flag SHOULD be clear in all deployments. Modern network traffic
tools support encrypted traffic when configured with the shared tools support encrypted traffic when configured with the shared
secret (see section below), so obfuscated mode can and SHOULD be used secret (see section below), so obfuscated mode can and SHOULD be used
even during test. even during test.
The single-connection flag: The single-connection flag:
TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04 TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04
This flag is used to allow a client and server to negotiate Single This flag is used to allow a client and server to negotiate Single
Connection Mode. Connection Mode (Section 4.3).
All other bits MUST be ignored when reading, and SHOULD be set to All other bits MUST be ignored when reading, and SHOULD be set to
zero when writing. zero when writing.
session_id session_id
The Id for this TACACS+ session. This field does not change for the The Id for this TACACS+ session. This field does not change for the
duration of the TACACS+ session. This number MUST be generated by a duration of the TACACS+ session. This number MUST be generated by a
cryptographically strong random number generation method. Failure to cryptographically strong random number generation method. Failure to
do so will compromise security of the session. For more details do so will compromise security of the session. For more details
refer to RFC 4086 [RFC4086] refer to RFC 4086 [RFC4086].
length length
The total length of the packet body (not including the header). The total length of the packet body (not including the header).
4.2. The TACACS+ Packet Body 4.2. The TACACS+ Packet Body
The TACACS+ body types are defined in the packet header. The next The TACACS+ body types are defined in the packet header. The next
sections of this document will address the contents of the different sections of this document will address the contents of the different
TACACS+ bodies. TACACS+ bodies.
skipping to change at page 10, line 29 skipping to change at page 10, line 13
Sessions for details on handling additional status options. Sessions for details on handling additional status options.
When the session is complete, then the TCP connection should be When the session is complete, then the TCP connection should be
handled as follows, according to whether Single Connection Mode was handled as follows, according to whether Single Connection Mode was
negotiated: negotiated:
If Single Connection Mode was not negotiated, then the connection If Single Connection Mode was not negotiated, then the connection
should be closed should be closed
If Single Connection Mode was enabled, then the connection SHOULD be If Single Connection Mode was enabled, then the connection SHOULD be
left open (see section (Section 4.3) ), but may still be closed after left open (see section (Section 4.3)), but may still be closed after
a timeout period to preserve deployment resources. a timeout period to preserve deployment resources.
If Single Connection Mode was enabled, but an ERROR occurred due to If Single Connection Mode was enabled, but an ERROR occurred due to
connection issues (such as an incorrect secret, see section connection issues (such as an incorrect secret, see section
(Section 4.5) ), then any further new sessions MUST NOT be accepted (Section 4.5)), then any further new sessions MUST NOT be accepted on
on the connection. If there are any sessions that have already been the connection. If there are any sessions that have already been
established then they MAY be completed. Once all active sessions are established then they MAY be completed. Once all active sessions are
completed then the connection MUST be closed. completed then the connection MUST be closed.
It is recommended that client implementations provide robust schemes It is recommended that client implementations provide robust schemes
for dealing with servers which cannot be connected to. Options for dealing with servers which cannot be connected to. Options
include providing a list of servers for redundancy, and an option for include providing a list of servers for redundancy, and an option for
a local fallback configuration if no servers can be reached. Details a local fallback configuration if no servers can be reached. Details
will be implementation specific. will be implementation specific.
The client should manage connections and handle the case of a server The client should manage connections and handle the case of a server
skipping to change at page 11, line 39 skipping to change at page 11, line 18
The packet body can then be de-obfuscated by XOR-ing it byte-wise The packet body can then be de-obfuscated by XOR-ing it byte-wise
with a pseudo random pad. with a pseudo random pad.
data = ENCRYPTED {data} ^ pseudo_pad data = ENCRYPTED {data} ^ pseudo_pad
The pad is generated by concatenating a series of MD5 hashes (each 16 The pad is generated by concatenating a series of MD5 hashes (each 16
bytes long) and truncating it to the length of the input data. bytes long) and truncating it to the length of the input data.
Whenever used in this document, MD5 refers to the "RSA Data Security, Whenever used in this document, MD5 refers to the "RSA Data Security,
Inc. MD5 Message-Digest Algorithm" as specified in RFC 1321 [RFC1321] Inc. MD5 Message-Digest Algorithm" as specified in RFC 1321
. [RFC1321].
pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data) pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data)
The first MD5 hash is generated by concatenating the session_id, the The first MD5 hash is generated by concatenating the session_id, the
secret key, the version number and the sequence number and then secret key, the version number and the sequence number and then
running MD5 over that stream. All of those input values are running MD5 over that stream. All of those input values are
available in the packet header, except for the secret key which is a available in the packet header, except for the secret key which is a
shared secret between the TACACS+ client and server. shared secret between the TACACS+ client and server.
The version number and session_id are extracted from the header The version number and session_id are extracted from the header
skipping to change at page 12, line 4 skipping to change at page 11, line 30
pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data) pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data)
The first MD5 hash is generated by concatenating the session_id, the The first MD5 hash is generated by concatenating the session_id, the
secret key, the version number and the sequence number and then secret key, the version number and the sequence number and then
running MD5 over that stream. All of those input values are running MD5 over that stream. All of those input values are
available in the packet header, except for the secret key which is a available in the packet header, except for the secret key which is a
shared secret between the TACACS+ client and server. shared secret between the TACACS+ client and server.
The version number and session_id are extracted from the header The version number and session_id are extracted from the header
Subsequent hashes are generated by using the same input stream, but Subsequent hashes are generated by using the same input stream, but
concatenating the previous hash value at the end of the input stream. concatenating the previous hash value at the end of the input stream.
MD5_1 = MD5{session_id, key, version, seq_no} MD5_2 = MD5{session_id, MD5_1 = MD5{session_id, key, version, seq_no} MD5_2 = MD5{session_id,
key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key, key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key,
version, seq_no, MD5_n-1} version, seq_no, MD5_n-1}
When a server detects that the secret(s) it has configured for the When a server detects that the secret(s) it has configured for the
device mismatch, it MUST return ERROR. For details of TCP connection device mismatch, it MUST return ERROR. For details of TCP connection
handling on ERROR, refer to section (Section 4.4) . handling on ERROR, refer to section (Section 4.4).
TAC_PLUS_UNENCRYPTED_FLAG == 0x1 TAC_PLUS_UNENCRYPTED_FLAG == 0x1
In this case, the entire packet body is in cleartext. Obfuscation In this case, the entire packet body is in cleartext. Obfuscation
and de-obfuscation are null operations. This method should be and de-obfuscation are null operations. This method should be
avoided unless absolutely required for debug purposes, when tooling avoided unless absolutely required for debug purposes, when tooling
does not permit de-obfuscation. does not permit de-obfuscation.
If deployment is configured for obfuscating a connection then the If deployment is configured for obfuscating a connection then the
request MUST be dropped if TAC_PLUS_UNENCRYPTED_FLAG is set to true. request MUST be dropped if TAC_PLUS_UNENCRYPTED_FLAG is set to true.
After a packet body is de-obfuscated, the lengths of the component After a packet body is de-obfuscated, the lengths of the component
values in the packet are summed. If the sum is not identical to the values in the packet are summed. If the sum is not identical to the
cleartext datalength value from the header, the packet MUST be cleartext datalength value from the header, the packet MUST be
discarded, and an ERROR signaled. For details of TCP connection discarded, and an ERROR signaled. For details of TCP connection
handling on ERROR, refer to section (Section 4.4) . handling on ERROR, refer to section (Section 4.4).
Commonly such failures are seen when the keys are mismatched between Commonly such failures are seen when the keys are mismatched between
the client and the TACACS+ server. the client and the TACACS+ server.
5. Authentication 5. Authentication
Authentication is the action of determining who a user (or entity) Authentication is the action of determining who a user (or entity)
is. Authentication can take many forms. Traditional authentication is. Authentication can take many forms. Traditional authentication
employs a name and a fixed password. However, fixed passwords are employs a name and a fixed password. However, fixed passwords are
vulnerable security, so many modern authentication mechanisms utilize vulnerable security, so many modern authentication mechanisms utilize
skipping to change at page 13, line 43 skipping to change at page 13, line 21
TAC_PLUS_AUTHEN_SENDAUTH := 0x04 TAC_PLUS_AUTHEN_SENDAUTH := 0x04
priv_lvl priv_lvl
This indicates the privilege level that the user is authenticating This indicates the privilege level that the user is authenticating
as. Please refer to the Privilege Level section (Section 9) below. as. Please refer to the Privilege Level section (Section 9) below.
authen_type authen_type
The type of authentication. Please see section Common Authentication The type of authentication. Please see section Common Authentication
Flows (Section 5.4.2) . Valid values are: Flows (Section 5.4.2). Valid values are:
TAC_PLUS_AUTHEN_TYPE_ASCII := 0x01 TAC_PLUS_AUTHEN_TYPE_ASCII := 0x01
TAC_PLUS_AUTHEN_TYPE_PAP := 0x02 TAC_PLUS_AUTHEN_TYPE_PAP := 0x02
TAC_PLUS_AUTHEN_TYPE_CHAP := 0x03 TAC_PLUS_AUTHEN_TYPE_CHAP := 0x03
TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05 TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05
TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 := 0x06 TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 := 0x06
authen_service authen_service
This is the service that is requesting the authentication. Valid This is the service that is requesting the authentication. Valid
values are: values are:
TAC_PLUS_AUTHEN_SVC_NONE := 0x00 TAC_PLUS_AUTHEN_SVC_NONE := 0x00
TAC_PLUS_AUTHEN_SVC_LOGIN := 0x01 TAC_PLUS_AUTHEN_SVC_LOGIN := 0x01
skipping to change at page 15, line 4 skipping to change at page 14, line 30
used when none of the other authen_service values are appropriate. used when none of the other authen_service values are appropriate.
ENABLE may be requested independently, no requirements for previous ENABLE may be requested independently, no requirements for previous
authentications or authorizations are imposed by the protocol. authentications or authorizations are imposed by the protocol.
Other options are included for legacy/backwards compatibility. Other options are included for legacy/backwards compatibility.
user, user_len user, user_len
The username is optional in this packet, depending upon the class of The username is optional in this packet, depending upon the class of
authentication. If it is absent, the client MUST set user_len to 0. authentication. If it is absent, the client MUST set user_len to 0.
If included, the user_len indicates the length of the user field, in If included, the user_len indicates the length of the user field, in
bytes. bytes.
port, port_len port, port_len
The name of the client port on which the authentication is taking The name of the client port on which the authentication is taking
place, and its length in bytes. The value of this field is client place. The value of this field is free format text and is client
specific. The port_len indicates the length of the port field, in specific. Examples of this this argument include "tty10" to denote
bytes. For details of text encoding, see (Section 3.7) . the tenth tty line and "async10" to denote the tenth async interface.
The client documentation SHOULD define the values and their meanings
for this field. For details of text encoding, see (Section 3.7).
port_len indicates the length of the port field, in bytes.
rem_addr, rem_addr_len rem_addr, rem_addr_len
A string indicating the remote location from which the user has A string indicating the remote location from which the user has
connected to the client. For details of text encoding, see connected to the client. For details of text encoding, see
(Section 3.7) . (Section 3.7).
When TACACS+ was used for dial-up services, this value contained the When TACACS+ was used for dial-up services, this value contained the
caller ID caller ID
When TACACS+ is used for Device Administration, the user is normally When TACACS+ is used for Device Administration, the user is normally
connected via a network, and in this case the value is intended to connected via a network, and in this case the value is intended to
hold a network address, IPv4 or IPv6. For IPv6 address text hold a network address, IPv4 or IPv6. For IPv6 address text
representation defined please see RFC 5952 [RFC5952] . representation defined please see RFC 5952 [RFC5952].
This field is optional (since the information may not be available). This field is optional (since the information may not be available).
The rem_addr_len indicates the length of the user field, in bytes. The rem_addr_len indicates the length of the user field, in bytes.
data, data_len data, data_len
This field is used to send data appropriate for the action and This field is used to send data appropriate for the action and
authen_type. It is described in more detail in the section Common authen_type. It is described in more detail in the section Common
Authentication flows (Section 5.4.2) . The data_len indicates the Authentication flows (Section 5.4.2). The data_len indicates the
length of the data field, in bytes. length of the data field, in bytes.
5.2. The Authentication REPLY Packet Body 5.2. The Authentication REPLY Packet Body
The TACACS+ server sends only one type of authentication packet (a The TACACS+ server sends only one type of authentication packet (a
REPLY packet) to the client. REPLY packet) to the client.
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| status | flags | server_msg_len | | status | flags | server_msg_len |
skipping to change at page 16, line 35 skipping to change at page 16, line 16
Bitmapped flags that modify the action to be taken. The following Bitmapped flags that modify the action to be taken. The following
values are defined: values are defined:
TAC_PLUS_REPLY_FLAG_NOECHO := 0x01 TAC_PLUS_REPLY_FLAG_NOECHO := 0x01
server_msg, server_msg_len server_msg, server_msg_len
A message to be displayed to the user. This field is optional. The A message to be displayed to the user. This field is optional. The
server_msg_len indicates the length of the server_msg field, in server_msg_len indicates the length of the server_msg field, in
bytes. For details of text encoding, see (Section 3.7) . bytes. For details of text encoding, see (Section 3.7).
data, data_len data, data_len
This field holds data that is a part of the authentication exchange This field holds data that is a part of the authentication exchange
and is intended for client processing, not the user. It is not a and is intended for client processing, not the user. It is not a
printable text encoding. Examples of its use are shown in the printable text encoding. Examples of its use are shown in the
section Common Authentication flows (Section 5.4.2) . The data_len section Common Authentication flows (Section 5.4.2). The data_len
indicates the length of the data field, in bytes. indicates the length of the data field, in bytes.
5.3. The Authentication CONTINUE Packet Body 5.3. The Authentication CONTINUE Packet Body
This packet is sent from the client to the server following the This packet is sent from the client to the server following the
receipt of a REPLY packet. receipt of a REPLY packet.
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user_msg len | data_len | | user_msg len | data_len |
skipping to change at page 20, line 15 skipping to change at page 19, line 37
The entire exchange MUST consist of a single START packet and a The entire exchange MUST consist of a single START packet and a
single REPLY. The START packet MUST contain the username in the user single REPLY. The START packet MUST contain the username in the user
field and the data field is a concatenation of the PPP id, the field and the data field is a concatenation of the PPP id, the
challenge and the response. challenge and the response.
The length of the challenge value can be determined from the length The length of the challenge value can be determined from the length
of the data field minus the length of the id (always 1 octet) and the of the data field minus the length of the id (always 1 octet) and the
length of the response field (always 16 octets). length of the response field (always 16 octets).
To perform the authentication, the server calculates the PPP hash as To perform the authentication, the server calculates the PPP hash as
defined in the PPP Authentication RFC RFC 1334 [RFC1334] and then defined in the PPP Authentication RFC 1334 [RFC1334] and then
compares that value with the response. The MD5 algorithm option is compares that value with the response. The MD5 algorithm option is
always used. The REPLY from the server MUST be a PASS, FAIL or always used. The REPLY from the server MUST be a PASS, FAIL or
ERROR. ERROR.
The selection of the challenge and its length are not an aspect of The selection of the challenge and its length are not an aspect of
the TACACS+ protocol. However, it is strongly recommended that the the TACACS+ protocol. However, it is strongly recommended that the
client/endstation interaction is configured with a secure challenge. client/endstation interaction is configured with a secure challenge.
The TACACS+ server can help by rejecting authentications where the The TACACS+ server can help by rejecting authentications where the
challenge is below a minimum length (Minimum recommended is 8 bytes). challenge is below a minimum length (Minimum recommended is 8 bytes).
skipping to change at page 20, line 46 skipping to change at page 20, line 25
The length of the challenge value can be determined from the length The length of the challenge value can be determined from the length
of the data field minus the length of the id (always 1 octet) and the of the data field minus the length of the id (always 1 octet) and the
length of the response field (always 49 octets). length of the response field (always 49 octets).
To perform the authentication, the server will use a combination of To perform the authentication, the server will use a combination of
MD4 and DES on the user's secret and the challenge, as defined in RFC MD4 and DES on the user's secret and the challenge, as defined in RFC
2433 [RFC2433] and then compare the resulting value with the 2433 [RFC2433] and then compare the resulting value with the
response. The REPLY from the server MUST be a PASS or FAIL. response. The REPLY from the server MUST be a PASS or FAIL.
For best practices, please refer to RFC 2433 [RFC2433] . The TACACS+ For best practices, please refer to RFC 2433 [RFC2433]. The TACACS+
server MUST reject authentications where the challenge deviates from server MUST reject authentications where the challenge deviates from
8 bytes as defined in the RFC. 8 bytes as defined in the RFC.
5.4.2.5. MS-CHAP v2 login 5.4.2.5. MS-CHAP v2 login
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAPV2
minor_version = 0x1 minor_version = 0x1
The entire exchange MUST consist of a single START packet and a The entire exchange MUST consist of a single START packet and a
skipping to change at page 21, line 25 skipping to change at page 21, line 5
The length of the challenge value can be determined from the length The length of the challenge value can be determined from the length
of the data field minus the length of the id (always 1 octet) and the of the data field minus the length of the id (always 1 octet) and the
length of the response field (always 49 octets). length of the response field (always 49 octets).
To perform the authentication, the server will use the algorithm To perform the authentication, the server will use the algorithm
specified RFC 2759 [RFC2759] on the user's secret and challenge and specified RFC 2759 [RFC2759] on the user's secret and challenge and
then compare the resulting value with the response. The REPLY from then compare the resulting value with the response. The REPLY from
the server MUST be a PASS or FAIL. the server MUST be a PASS or FAIL.
For best practices for MS-CHAP v2, please refer to RFC2759 [RFC2759] For best practices for MS-CHAP v2, please refer to RFC2759 [RFC2759].
. The TACACS+ server MUST reject authentications where the challenge The TACACS+ server MUST reject authentications where the challenge
deviates from 16 bytes as defined in the RFC. deviates from 16 bytes as defined in the RFC.
5.4.2.6. Enable Requests 5.4.2.6. Enable Requests
action = TAC_PLUS_AUTHEN_LOGIN action = TAC_PLUS_AUTHEN_LOGIN
priv_lvl = implementation dependent priv_lvl = implementation dependent
authen_type = not used authen_type = not used
service = TAC_PLUS_AUTHEN_SVC_ENABLE service = TAC_PLUS_AUTHEN_SVC_ENABLE
This is an ENABLE request, used to change the current running This is an ENABLE request, used to change the current running
privilege level of a user. The exchange MAY consist of multiple privilege level of a user. The exchange MAY consist of multiple
messages while the server collects the information it requires in messages while the server collects the information it requires in
order to allow changing the principal's privilege level. This order to allow changing the principal's privilege level. This
exchange is very similar to an ASCII login (Section 5.4.2.1) . exchange is very similar to an ASCII login (Section 5.4.2.1).
In order to readily distinguish enable requests from other types of In order to readily distinguish enable requests from other types of
request, the value of the authen_service field MUST be set to request, the value of the authen_service field MUST be set to
TAC_PLUS_AUTHEN_SVC_ENABLE when requesting an ENABLE. It MUST NOT be TAC_PLUS_AUTHEN_SVC_ENABLE when requesting an ENABLE. It MUST NOT be
set to this value when requesting any other operation. set to this value when requesting any other operation.
5.4.2.7. ASCII change password request 5.4.2.7. ASCII change password request
action = TAC_PLUS_AUTHEN_CHPASS action = TAC_PLUS_AUTHEN_CHPASS
authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII
skipping to change at page 22, line 22 skipping to change at page 21, line 44
It is very similar to an ASCII login. The status value It is very similar to an ASCII login. The status value
TAC_PLUS_AUTHEN_STATUS_GETPASS MUST only be used when requesting the TAC_PLUS_AUTHEN_STATUS_GETPASS MUST only be used when requesting the
"new" password. It MAY be sent multiple times. When requesting the "new" password. It MAY be sent multiple times. When requesting the
"old" password, the status value MUST be set to "old" password, the status value MUST be set to
TAC_PLUS_AUTHEN_STATUS_GETDATA. TAC_PLUS_AUTHEN_STATUS_GETDATA.
5.4.3. Aborting an Authentication Session 5.4.3. Aborting an Authentication Session
The client may prematurely terminate a session by setting the The client may prematurely terminate a session by setting the
TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this
flag is set, the data portion of the message may contain an message flag is set, the data portion of the message may contain a message
explaining the reason for the abort. For details of text encoding, explaining the reason for the abort. For details of text encoding,
see (Section 3.7) . This information will be handled by the server see (Section 3.7). This information will be handled by the server
according to the requirements of the deployment. The session is according to the requirements of the deployment. The session is
terminated, for more details about session termination, refer to terminated, for more details about session termination, refer to
section (Section 4.4) . section (Section 4.4).
In cases of PASS, FAIL or ERROR, the server can insert a message into In cases of PASS, FAIL or ERROR, the server can insert a message into
server_msg to be displayed to the user. server_msg to be displayed to the user.
The Draft `The Draft' [TheDraft] defined a mechanism to direct The Draft `The Draft' [TheDraft] defined a mechanism to direct
authentication requests to an alternative server. This mechanism is authentication requests to an alternative server. This mechanism is
regarded as insecure, is deprecated, and not covered here. The regarded as insecure, is deprecated, and not covered here. The
client should treat TAC_PLUS_AUTHEN_STATUS_FOLLOW as client should treat TAC_PLUS_AUTHEN_STATUS_FOLLOW as
TAC_PLUS_AUTHEN_STATUS_FAIL TAC_PLUS_AUTHEN_STATUS_FAIL
skipping to change at page 23, line 25 skipping to change at page 22, line 47
authorization request may indicate that the user is not authenticated authorization request may indicate that the user is not authenticated
(we don't know who they are). In this case it is up to the server to (we don't know who they are). In this case it is up to the server to
determine, according to its configuration, if an unauthenticated user determine, according to its configuration, if an unauthenticated user
is allowed the services in question. is allowed the services in question.
Authorization does not merely provide yes or no answers, but it may Authorization does not merely provide yes or no answers, but it may
also customize the service for the particular user. A common use of also customize the service for the particular user. A common use of
authorization is to provision a shell session when a user first logs authorization is to provision a shell session when a user first logs
into a device to administer it. The TACACS+ server might respond to into a device to administer it. The TACACS+ server might respond to
the request by allowing the service, but placing a time restriction the request by allowing the service, but placing a time restriction
on the login shell. For a list of common attributes used in on the login shell. For a list of common arguments used in
authorization, see the Authorization Attributes section (Section 8.2) authorization, see the Authorization Arguments section (Section 8.2).
.
In the TACACS+ protocol an authorization is always a single pair of In the TACACS+ protocol an authorization is always a single pair of
messages: a REQUEST from the client followed by a REPLY from the messages: a REQUEST from the client followed by a REPLY from the
server. server.
The authorization REQUEST message contains a fixed set of fields that The authorization REQUEST message contains a fixed set of fields that
indicate how the user was authenticated and a variable set of indicate how the user was authenticated and a variable set of
arguments that describe the services and options for which arguments that describe the services and options for which
authorization is requested. authorization is requested.
The REPLY contains a variable set of response arguments (attribute- The REPLY contains a variable set of response arguments (argument-
value pairs) that can restrict or modify the client's actions. value pairs) that can restrict or modify the client's actions.
6.1. The Authorization REQUEST Packet Body 6.1. The Authorization REQUEST Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| authen_method | priv_lvl | authen_type | authen_service | | authen_method | priv_lvl | authen_type | authen_service |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user_len | port_len | rem_addr_len | arg_cnt | | user_len | port_len | rem_addr_len | arg_cnt |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg_1_len | arg_2_len | ... | arg_N_len | | arg_1_len | arg_2_len | ... | arg_N_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| user ... | user ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
skipping to change at page 26, line 22 skipping to change at page 25, line 31
arg_1 ... arg_N, arg_1_len .... arg_N_len arg_1 ... arg_N, arg_1_len .... arg_N_len
The arguments are the primary elements of the authorization The arguments are the primary elements of the authorization
interaction. In the request packet, they describe the specifics of interaction. In the request packet, they describe the specifics of
the authorization that is being requested. Each argument is encoded the authorization that is being requested. Each argument is encoded
in the packet as a single arg field (arg_1... arg_N) with a in the packet as a single arg field (arg_1... arg_N) with a
corresponding length fields (which indicates the length of each corresponding length fields (which indicates the length of each
argument in bytes). argument in bytes).
The authorization arguments in both the REQUEST and the REPLY are The authorization arguments in both the REQUEST and the REPLY are
attribute-value pairs. The attribute and the value are in a single argument-value pairs. The argument and the value are in a single
string and are separated by either a "=" (0X3D) or a "*" (0X2A). The string and are separated by either a "=" (0X3D) or a "*" (0X2A). The
equals sign indicates a mandatory argument. The asterisk indicates equals sign indicates a mandatory argument. The asterisk indicates
an optional one. For details of text encoding, see (Section 3.7) . an optional one. For details of text encoding, see (Section 3.7).
An attribute name MUST NOT contain either of the separators. An An argument name MUST NOT contain either of the separators. An
attribute value MAY contain the separators. This means that the argument value MAY contain the separators. This means that the
arguments must be parsed until the first separator is encountered, arguments must be parsed until the first separator is encountered,
all characters in the argument, after this separator, are interpreted all characters in the argument, after this separator, are interpreted
as the argument value. as the argument value.
Optional arguments are ones that may be disregarded by either client Optional arguments are ones that may be disregarded by either client
or server. Mandatory arguments require that the receiving side can or server. Mandatory arguments require that the receiving side can
handle the attribute, that is: its implementation and configuration handle the argument, that is: its implementation and configuration
includes the details of how to act on it. If the client receives a includes the details of how to act on it. If the client receives a
mandatory argument that it cannot handle, it MUST consider the mandatory argument that it cannot handle, it MUST consider the
authorization to have failed. The value part of an attribute-value authorization to have failed. The value part of an argument-value
pair may be empty, that is: the length of the value may be zero. pair may be empty, that is: the length of the value may be zero.
Attribute-value strings are not NULL terminated, rather their length Argument-value strings are not NULL terminated, rather their length
value indicates their end. The maximum length of an attribute-value value indicates their end. The maximum length of an argument-value
string is 255 characters. The minimum is two characters (one name- string is 255 characters. The minimum is two characters (one name-
value character and the separator) value character and the separator)
Though the attributes allow extensibility, a common core set of Though the arguments allow extensibility, a common core set of
authorization attributes SHOULD be supported by clients and servers, authorization arguments SHOULD be supported by clients and servers,
these are listed in the Authorization Attributes (Section 8.2) these are listed in the Authorization Arguments (Section 8.2) section
section below. below.
6.2. The Authorization REPLY Packet Body 6.2. The Authorization REPLY Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| status | arg_cnt | server_msg len | | status | arg_cnt | server_msg len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
+ data_len | arg_1_len | arg_2_len | + data_len | arg_1_len | arg_2_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| ... | arg_N_len | server_msg ... | ... | arg_N_len | server_msg ...
skipping to change at page 27, line 42 skipping to change at page 26, line 49
TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10 TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11 TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11
TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21 TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21
server_msg, server_msg_len server_msg, server_msg_len
This is a string that may be presented to the user. The This is a string that may be presented to the user. The
server_msg_len indicates the length of the server_msg field, in server_msg_len indicates the length of the server_msg field, in
bytes. For details of text encoding, see (Section 3.7) . bytes. For details of text encoding, see (Section 3.7).
data, data_len data, data_len
This is a string that may be presented on an administrative display, This is a string that may be presented on an administrative display,
console or log. The decision to present this message is client console or log. The decision to present this message is client
specific. The data_len indicates the length of the data field, in specific. The data_len indicates the length of the data field, in
bytes. For details of text encoding, see (Section 3.7) . bytes. For details of text encoding, see (Section 3.7).
arg_cnt arg_cnt
The number of authorization arguments to follow. The number of authorization arguments to follow.
arg_1 ... arg_N, arg_1_len .... arg_N_len arg_1 ... arg_N, arg_1_len .... arg_N_len
The arguments describe the specifics of the authorization that is The arguments describe the specifics of the authorization that is
being requested. For details of the content of the args, refer to: being requested. For details of the content of the args, refer to:
Authorization Attributes (Section 8.2) section below. Each argument Authorization Arguments (Section 8.2) section below. Each argument
is encoded in the packet as a single arg field (arg_1... arg_N) with is encoded in the packet as a single arg field (arg_1... arg_N) with
a corresponding length fields (which indicates the length of each a corresponding length fields (which indicates the length of each
argument in bytes). argument in bytes).
If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the requested If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the requested
authorization MUST be denied. authorization MUST be denied.
If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the
arguments specified in the request are authorized and the arguments arguments specified in the request are authorized and the arguments
in the response MUST be applied according to the rules described in the response MUST be applied according to the rules described
above. above.
If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the client If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the client
MUST use the authorization attribute-value pairs (if any) in the MUST use the authorization argument-value pairs (if any) in the
response, instead of the authorization attribute-value pairs from the response, instead of the authorization argument-value pairs from the
request. request.
To approve the authorization with no modifications, the server sets To approve the authorization with no modifications, the server sets
the status to TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt to 0. the status to TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt to 0.
A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred
on the server. For the differences between ERROR and FAIL, refer to on the server. For the differences between ERROR and FAIL, refer to
section Session Completion (Section 4.4) . None of the arg values section Session Completion (Section 4.4). None of the arg values
have any relevance if an ERROR is set, and must be ignored. have any relevance if an ERROR is set, and must be ignored.
When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the
arg_cnt MUST be 0. In that case, the actions to be taken and the arg_cnt MUST be 0. In that case, the actions to be taken and the
contents of the data field are identical to the contents of the data field are identical to the
TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication.
7. Accounting 7. Accounting
Accounting is typically the third action after authentication and Accounting is typically the third action after authentication and
skipping to change at page 29, line 9 skipping to change at page 28, line 21
purposes: It may be used as an auditing tool for security services. purposes: It may be used as an auditing tool for security services.
It may also be used to account for services used, such as in a It may also be used to account for services used, such as in a
billing environment. To this end, TACACS+ supports three types of billing environment. To this end, TACACS+ supports three types of
accounting records. Start records indicate that a service is about accounting records. Start records indicate that a service is about
to begin. Stop records indicate that a service has just terminated, to begin. Stop records indicate that a service has just terminated,
and Update records are intermediate notices that indicate that a and Update records are intermediate notices that indicate that a
service is still being performed. TACACS+ accounting records contain service is still being performed. TACACS+ accounting records contain
all the information used in the authorization records, and also all the information used in the authorization records, and also
contain accounting specific information such as start and stop times contain accounting specific information such as start and stop times
(when appropriate) and resource usage information. A list of (when appropriate) and resource usage information. A list of
accounting attributes is defined in the accounting section accounting arguments is defined in the accounting section
(Section 7) . (Section 7).
7.1. The Account REQUEST Packet Body 7.1. The Account REQUEST Packet Body
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| flags | authen_method | priv_lvl | authen_type | | flags | authen_method | priv_lvl | authen_type |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| authen_service | user_len | port_len | rem_addr_len | | authen_service | user_len | port_len | rem_addr_len |
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg_cnt | arg_1_len | arg_2_len | ... | | arg_cnt | arg_1_len | arg_2_len | ... |
skipping to change at page 30, line 5 skipping to change at page 29, line 16
TAC_PLUS_ACCT_FLAG_STOP := 0x04 TAC_PLUS_ACCT_FLAG_STOP := 0x04
TAC_PLUS_ACCT_FLAG_WATCHDOG := 0x08 TAC_PLUS_ACCT_FLAG_WATCHDOG := 0x08
All other fields are defined in the authorization and authentication All other fields are defined in the authorization and authentication
sections above and have the same semantics. They provide details for sections above and have the same semantics. They provide details for
the conditions on the client, and authentication context, so that the conditions on the client, and authentication context, so that
these details may be logged for accounting purposes. these details may be logged for accounting purposes.
See section 12 Accounting Attribute-value Pairs for the dictionary of See the Accounting Arguments section (Section 8.3) for the dictionary
attributes relevant to accounting. of arguments relevant to accounting.
7.2. The Accounting REPLY Packet Body 7.2. The Accounting REPLY Packet Body
The purpose of accounting is to record the action that has occurred The purpose of accounting is to record the action that has occurred
on the client. The server MUST reply with success only when the on the client. The server MUST reply with success only when the
accounting request has been recorded. If the server did not record accounting request has been recorded. If the server did not record
the accounting request then it MUST reply with ERROR. the accounting request then it MUST reply with ERROR.
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
skipping to change at page 30, line 38 skipping to change at page 29, line 49
TAC_PLUS_ACCT_STATUS_SUCCESS := 0x01 TAC_PLUS_ACCT_STATUS_SUCCESS := 0x01
TAC_PLUS_ACCT_STATUS_ERROR := 0x02 TAC_PLUS_ACCT_STATUS_ERROR := 0x02
TAC_PLUS_ACCT_STATUS_FOLLOW := 0x21 TAC_PLUS_ACCT_STATUS_FOLLOW := 0x21
server_msg, server_msg_len server_msg, server_msg_len
This is a string that may be presented to the user. The This is a string that may be presented to the user. The
server_msg_len indicates the length of the server_msg field, in server_msg_len indicates the length of the server_msg field, in
bytes. For details of text encoding, see (Section 3.7) . bytes. For details of text encoding, see (Section 3.7).
data, data_len data, data_len
This is a string that may be presented on an administrative display, This is a string that may be presented on an administrative display,
console or log. The decision to present this message is client console or log. The decision to present this message is client
specific. The data_len indicates the length of the data field, in specific. The data_len indicates the length of the data field, in
bytes. For details of text encoding, see (Section 3.7) . bytes. For details of text encoding, see (Section 3.7).
When the status equals TAC_PLUS_ACCT_STATUS_FOLLOW, then the actions When the status equals TAC_PLUS_ACCT_STATUS_FOLLOW, then the actions
to be taken and the contents of the data field are identical to the to be taken and the contents of the data field are identical to the
TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication.
TACACS+ accounting is intended to record various types of events on TACACS+ accounting is intended to record various types of events on
clients, for example: login sessions, command entry, and others as clients, for example: login sessions, command entry, and others as
required by the client implementation. These events are collectively required by the client implementation. These events are collectively
referred to in `The Draft' [TheDraft] as "tasks". referred to in `The Draft' [TheDraft] as "tasks".
skipping to change at page 31, line 45 skipping to change at page 31, line 8
set along with the START flag, it indicates that the update record set along with the START flag, it indicates that the update record
provides additional or updated arguments from the original START provides additional or updated arguments from the original START
record. If the START flag is not set, then this indicates only that record. If the START flag is not set, then this indicates only that
task is still running, and no new information is provided (servers task is still running, and no new information is provided (servers
MUST ignore any arguments). The STOP flag MUST NOT be set in MUST ignore any arguments). The STOP flag MUST NOT be set in
conjunction with the WATCHDOG flag. conjunction with the WATCHDOG flag.
The Server MUST respond with TAC_PLUS_ACCT_STATUS_ERROR if the client The Server MUST respond with TAC_PLUS_ACCT_STATUS_ERROR if the client
requests an INVALID option. requests an INVALID option.
8. Attribute-Value Pairs 8. Argument-Value Pairs
TACACS+ is intended to be an extensible protocol. The attributes TACACS+ is intended to be an extensible protocol. The arguments used
used in Authorization and Accounting are not limited by this in Authorization and Accounting are not limited by this document.
document. Some attributes are defined below for common use cases, Some arguments are defined below for common use cases, clients MUST
clients MUST use these attributes when supporting the corresponding use these arguments when supporting the corresponding use cases.
use cases.
8.1. Value Encoding 8.1. Value Encoding
All attribute values are encoded as strings. For details of text All argument values are encoded as strings. For details of text
encoding, see (Section 3.7) . The following type representations encoding, see (Section 3.7). The following type representations
SHOULD be followed SHOULD be followed
Numeric Numeric
All numeric values in an attribute-value string are provided as All numeric values in an argument-value string are provided as
decimal numbers, unless otherwise stated. decimal numbers, unless otherwise stated. All arguments include a
length field, and TACACS+ implementations MUST verify that they can
accommodate the lengths of numeric arguments before attempting to
process them. If the length cannot be accommodated then the argument
MUST be regarded as not handled and the logic in authorization
section (Section 6.1) regarding the processing of arguments MUST be
applied.
Boolean Boolean
All Boolean attributes are encoded with values "true" or "false". All Boolean arguments are encoded with values "true" or "false".
IP-Address IP-Address
It is recommended that hosts be specified as a IP address so as to It is recommended that hosts be specified as a IP address so as to
avoid any ambiguities. For details of text encoding, see avoid any ambiguities. For details of text encoding, see
(Section 3.7) . IPv4 address are specified as octet numerics (Section 3.7). IPv4 address are specified as octet numerics
separated by dots ('.'), IPv6 address text representation defined in separated by dots ('.'), IPv6 address text representation defined in
RFC 5952 [RFC5952] . RFC 5952 [RFC5952].
Date Time Date Time
Absolute date/times are specified in seconds since the epoch, 12:00am Absolute date/times are specified in seconds since the epoch, 12:00am
Jan 1 1970. The timezone MUST be UTC unless a timezone attribute is Jan 1 1970. The timezone MUST be UTC unless a timezone argument is
specified. specified.
String String
Many values have no specific type representation and so are Many values have no specific type representation and so are
interpreted as plain strings. interpreted as plain strings.
Empty Values Empty Values
Attributes may be submitted with no value, in which case they consist Arguments may be submitted with no value, in which case they consist
of the name and the mandatory or optional separator. For example, of the name and the mandatory or optional separator. For example,
the attribute "cmd" which has no value is transmitted as a string of the argument "cmd" which has no value is transmitted as a string of
four characters "cmd=" four characters "cmd="
8.2. Authorization Attributes 8.2. Authorization Arguments
service (String) service (String)
The primary service. Specifying a service attribute indicates that The primary service. Specifying a service argument indicates that
this is a request for authorization or accounting of that service. this is a request for authorization or accounting of that service.
For example: "shell", "tty-server", "connection", "system" and For example: "shell", "tty-server", "connection", "system" and
"firewall", others may be chosen for the required application. This "firewall", others may be chosen for the required application. This
attribute MUST always be included. argument MUST always be included.
protocol (String) protocol (String)
the protocol field may be used to indicate a subset of a service. the protocol field may be used to indicate a subset of a service.
cmd (String) cmd (String)
a shell (exec) command. This indicates the command name of the a shell (exec) command. This indicates the command name of the
command that is to be run. The "cmd" attribute MUST be specified if command that is to be run. The "cmd" argument MUST be specified if
service equals "shell". service equals "shell".
Authorization of shell commands is a common use-case for the TACACS+ Authorization of shell commands is a common use-case for the TACACS+
protocol. Command Authorization generally takes one of two forms: protocol. Command Authorization generally takes one of two forms:
session-based and command-based. session-based and command-based.
For session-based shell authorization, the "cmd" argument will have For session-based shell authorization, the "cmd" argument will have
an empty value. The client determines which commands are allowed in an empty value. The client determines which commands are allowed in
a session according to the arguments present in the authorization. a session according to the arguments present in the authorization.
In command-based authorization, the client requests that the server In command-based authorization, the client requests that the server
determine whether a command is allowed by making an authorization determine whether a command is allowed by making an authorization
request for each command. The "cmd" argument will have the command request for each command. The "cmd" argument will have the command
name as its value. name as its value.
cmd-arg (String) cmd-arg (String)
an argument to a shell (exec) command. This indicates an argument an argument to a shell (exec) command. This indicates an argument
for the shell command that is to be run. Multiple cmd-arg attributes for the shell command that is to be run. Multiple cmd-arg arguments
may be specified, and they are order dependent. may be specified, and they are order dependent.
acl (Numeric) acl (Numeric)
a number representing a connection access list. Applicable only to a number representing a connection access list. Applicable only to
session-based shell authorization. For details of text encoding, see session-based shell authorization. For details of text encoding, see
(Section 3.7) . (Section 3.7).
inacl (String) inacl (String)
identifier (name) of an interface input access list. For details of identifier (name) of an interface input access list. For details of
text encoding, see (Section 3.7) . text encoding, see (Section 3.7).
outacl (String) outacl (String)
identifier (name) of an interface output access list. For details of identifier (name) of an interface output access list. For details of
text encoding, see (Section 3.7) . text encoding, see (Section 3.7).
addr (IP-Address) addr (IP-Address)
a network address a network address
addr-pool (String) addr-pool (String)
The identifier of an address pool from which the client can assign an The identifier of an address pool from which the client can assign an
address. address.
skipping to change at page 34, line 35 skipping to change at page 34, line 4
an auto-command to run. Applicable only to session-based shell an auto-command to run. Applicable only to session-based shell
authorization. authorization.
noescape (Boolean) noescape (Boolean)
Prevents user from using an escape character. Applicable only to Prevents user from using an escape character. Applicable only to
session-based shell authorization. session-based shell authorization.
nohangup (Boolean) nohangup (Boolean)
Boolean. Do not disconnect after an automatic command. Applicable Boolean. Do not disconnect after an automatic command. Applicable
only to session-based shell authorization. only to session-based shell authorization.
priv-lvl (Numeric) priv-lvl (Numeric)
privilege level to be assigned. Please refer to the Privilege Level privilege level to be assigned. Please refer to the Privilege Level
section (Section 9) below. section (Section 9) below.
8.3. Accounting Attributes 8.3. Accounting Arguments
The following attributes are defined for TACACS+ accounting only. The following arguments are defined for TACACS+ accounting only.
They MUST precede any attribute-value pairs that are defined in the They MUST precede any argument-value pairs that are defined in the
authorization section (Section 6) above. authorization section (Section 6) above.
task_id (String) task_id (String)
Start and stop records for the same event MUST have matching task_id Start and stop records for the same event MUST have matching task_id
attribute values. The client MUST ensure that active task_ids are argument values. The client MUST ensure that active task_ids are not
not duplicated: a client MUST NOT reuse a task_id a start record duplicated: a client MUST NOT reuse a task_id a start record until it
until it has sent a stop record for that task_id. Servers MUST NOT has sent a stop record for that task_id. Servers MUST NOT make
make assumptions about the format of a task_id. assumptions about the format of a task_id.
start_time (Date Time) start_time (Date Time)
The time the action started (in seconds since the epoch.). The time the action started (in seconds since the epoch.).
stop_time (Date Time) stop_time (Date Time)
The time the action stopped (in seconds since the epoch.) The time the action stopped (in seconds since the epoch.)
elapsed_time (Numeric) elapsed_time (Numeric)
The elapsed time in seconds for the action. The elapsed time in seconds for the action.
timezone (String) timezone (String)
The timezone abbreviation for all timestamps included in this packet. The timezone abbreviation for all timestamps included in this packet.
A database of timezones is maintained here: TZDB [TZDB] . A database of timezones is maintained here: TZDB [TZDB].
event (String) event (String)
Used only when "service=system". Current values are "net_acct", Used only when "service=system". Current values are "net_acct",
"cmd_acct", "conn_acct", "shell_acct" "sys_acct" and "clock_change". "cmd_acct", "conn_acct", "shell_acct" "sys_acct" and "clock_change".
These indicate system-level changes. The flags field SHOULD indicate These indicate system-level changes. The flags field SHOULD indicate
whether the service started or stopped. whether the service started or stopped.
reason (String) reason (String)
Accompanies an event argument. It describes why the event occurred.
Accompanies an event attribute. It describes why the event occurred.
bytes (Numeric) bytes (Numeric)
The number of bytes transferred by this action The number of bytes transferred by this action
bytes_in (Numeric) bytes_in (Numeric)
The number of bytes transferred by this action from the endstation to The number of bytes transferred by this action from the endstation to
the client port the client port
skipping to change at page 36, line 21 skipping to change at page 35, line 37
endstation to the client port. endstation to the client port.
paks_out (Numeric) paks_out (Numeric)
The number of output packets transferred by this action from the The number of output packets transferred by this action from the
client port to the endstation. client port to the endstation.
err_msg (String) err_msg (String)
string describing the status of the action. For details of text string describing the status of the action. For details of text
encoding, see (Section 3.7) . encoding, see (Section 3.7).
9. Privilege Levels 9. Privilege Levels
The TACACS+ Protocol supports flexible authorization schemes through The TACACS+ Protocol supports flexible authorization schemes through
the extensible attributes. the extensible arguments.
One scheme is built into the protocol and has been extensively used One scheme is built into the protocol and has been extensively used
for Session-based shell authorization: Privilege Levels. Privilege for Session-based shell authorization: Privilege Levels. Privilege
Levels are ordered values from 0 to 15 with each level being a Levels are ordered values from 0 to 15 with each level being a
superset of the next lower value. Configuration and implementation superset of the next lower value. Configuration and implementation
of the client will map actions (such as the permission to execute of of the client will map actions (such as the permission to execute of
specific commands) to different privilege levels. The allocation of specific commands) to different privilege levels. The allocation of
commands to privilege levels is highly dependent upon the deployment. commands to privilege levels is highly dependent upon the deployment.
Common allocations are as follows: Common allocations are as follows:
skipping to change at page 38, line 41 skipping to change at page 38, line 12
transport is essential to managing the security risk of such an transport is essential to managing the security risk of such an
attack. attack.
The following parts of this section enumerate only the session- The following parts of this section enumerate only the session-
specific risks which are in addition to general risk associated with specific risks which are in addition to general risk associated with
bare obfuscation and lack of integrity checking. bare obfuscation and lack of integrity checking.
10.2. Security of Authentication Sessions 10.2. Security of Authentication Sessions
Authentication sessions SHOULD be used via a secure transport (see Authentication sessions SHOULD be used via a secure transport (see
Best Practices section (Section 10.5) ) as the man-in-the-middle Best Practices section (Section 10.5)) as the man-in-the-middle
attack may completely subvert them. Even CHAP, which may be attack may completely subvert them. Even CHAP, which may be
considered resistant to password interception, is unsafe as it does considered resistant to password interception, is unsafe as it does
not protect the username from a trivial man-in-the-middle attack. not protect the username from a trivial man-in-the-middle attack.
This document deprecates the redirection mechanism using the This document deprecates the redirection mechanism using the
TAC_PLUS_AUTHEN_STATUS_FOLLOW option which was included in the TAC_PLUS_AUTHEN_STATUS_FOLLOW option which was included in the
original draft. As part of this process, the secret key for a new original draft. As part of this process, the secret key for a new
server was sent to the client. This public exchange of secret keys server was sent to the client. This public exchange of secret keys
means that once one session is broken, it may be possible to leverage means that once one session is broken, it may be possible to leverage
that key to attacking connections to other servers. This mechanism that key to attacking connections to other servers. This mechanism
MUST NOT be used in modern deployments. It MUST NOT be used outside MUST NOT be used in modern deployments. It MUST NOT be used outside
a secured deployment. a secured deployment.
10.3. Security of Authorization Sessions 10.3. Security of Authorization Sessions
Authorization sessions SHOULD be used via a secure transport (see Authorization sessions SHOULD be used via a secure transport (see
Best Practices section (Section 10.5) ) as it's trivial to execute a Best Practices section (Section 10.5)) as it's trivial to execute a
successful man-in-the-middle attacks that changes well-known successful man-in-the-middle attacks that changes well-known
plaintext in either requests or responses. plaintext in either requests or responses.
As an example, take the field "authen_method". It's not unusual in As an example, take the field "authen_method". It's not unusual in
actual deployments to authorize all commands received via the device actual deployments to authorize all commands received via the device
local serial port (a console port) as that one is usually considered local serial port (a console port) as that one is usually considered
secure by virtue of the device located in a physically secure secure by virtue of the device located in a physically secure
location. If an administrator would configure the authorization location. If an administrator would configure the authorization
system to allow all commands entered by the user on a local console system to allow all commands entered by the user on a local console
to aid in troubleshooting, that would give all access to all commands to aid in troubleshooting, that would give all access to all commands
skipping to change at page 40, line 16 skipping to change at page 39, line 35
implementations pass different fidelity of accounting data. Some implementations pass different fidelity of accounting data. Some
vendors have been observed in the wild that pass sensitive data like vendors have been observed in the wild that pass sensitive data like
passwords, encryption keys and similar as part of the accounting log. passwords, encryption keys and similar as part of the accounting log.
Due to lack of strong encryption with perfect forward secrecy, this Due to lack of strong encryption with perfect forward secrecy, this
data may be revealed in future, leading to a security incident. data may be revealed in future, leading to a security incident.
10.5. TACACS+ Best Practices 10.5. TACACS+ Best Practices
With respect to the observations about the security issues described With respect to the observations about the security issues described
above, a network administrator MUST NOT rely on the obfuscation of above, a network administrator MUST NOT rely on the obfuscation of
the TACACS+ protocol and TACACS+ MUST be deployed over networks which the TACACS+ protocol. TACACS+ MUST be used within a secure
ensure privacy and integrity of the communication. TACACS+ MUST be deployment: TACACS+ MUST be deployed over networks which ensure
used within a secure deployment. Failure to do so will impact privacy and integrity of the communication, and MUST be deployed over
overall network security. a network which is separated from other traffic. Failure to do so
will impact overall network security.
TACACS+ SHOULD be deployed over a network which is separated from
other traffic.
The following recommendations impose restrictions on how the protocol The following recommendations impose restrictions on how the protocol
is applied. These restrictions were not imposed in the original is applied. These restrictions were not imposed in the original
draft. New implementations, and upgrades of current implementations, draft. New implementations, and upgrades of current implementations,
MUST implement these recommendations. Vendors SHOULD provide MUST implement these recommendations. Vendors SHOULD provide
mechanisms to assist the administrator to achieve these best mechanisms to assist the administrator to achieve these best
practices. practices.
10.5.1. Shared Secrets 10.5.1. Shared Secrets
TACACS+ servers and clients MUST treat shared secrets as sensitive TACACS+ servers and clients MUST treat shared secrets as sensitive
data to be managed securely, as would be expected for other sensitive data to be managed securely, as would be expected for other sensitive
data such as identity credential information. TACACS+ servers MUST data such as identity credential information. TACACS+ servers MUST
NOT leak sensitive data. For example, TACACS+ servers MUST NOT NOT leak sensitive data. For example, TACACS+ servers MUST NOT
expose shared secrets in logs. expose shared secrets in logs.
TACACS+ servers MUST allow a dedicated secret key to be defined for TACACS+ servers MUST allow a dedicated secret key to be defined for
each client. each client.
TACACS+ server management systems MUST provide a mechanism to track
secret key lifetimes and notify administrators to update them
periodically. TACACS+ server administrators SHOULD change secret
keys at regular intervals.
TACACS+ servers SHOULD warn administrators if secret keys are not TACACS+ servers SHOULD warn administrators if secret keys are not
unique per client. unique per client.
TACACS+ server administrators SHOULD always define a secret for each TACACS+ server administrators SHOULD always define a secret for each
client. client.
TACACS+ servers and clients MUST support shared keys that are at TACACS+ servers and clients MUST support shared keys that are at
least 32 characters long. least 32 characters long.
TACACS+ servers MUST support policy to define minimum complexity for TACACS+ servers MUST support policy to define minimum complexity for
shared keys. shared keys.
TACACS+ clients SHOULD NOT allow servers to be configured without TACACS+ clients SHOULD NOT allow servers to be configured without
shared secret key, or shared key that is less than 16 characters shared secret key, or shared key that is less than 16 characters
long. long.
TACACS+ server administrators SHOULD configure secret keys of minimum TACACS+ server administrators SHOULD configure secret keys of minimum
16 characters length. 16 characters length.
TACACS+ server administrators SHOULD change secret keys at regular
intervals.
10.5.2. Connections and Obfuscation 10.5.2. Connections and Obfuscation
TACACS+ servers MUST allow the definition of individual clients. The TACACS+ servers MUST allow the definition of individual clients. The
servers MUST only accept network connection attempts from these servers MUST only accept network connection attempts from these
defined, known clients. defined, known clients.
TACACS+ servers MUST reject connections with TACACS+ servers MUST reject connections with
TAC_PLUS_UNENCRYPTED_FLAG set, when there is a shared secret set on TAC_PLUS_UNENCRYPTED_FLAG set, when there is a shared secret set on
the server for the client requesting the connection. the server for the client requesting the connection.
skipping to change at page 42, line 38 skipping to change at page 42, line 10
security implications. TACACS+ servers SHOULD NOT implement them. security implications. TACACS+ servers SHOULD NOT implement them.
If they must be implemented, the servers MUST default to the options If they must be implemented, the servers MUST default to the options
being disabled and MUST warn the administrator that these options are being disabled and MUST warn the administrator that these options are
not secure. not secure.
10.5.4. Authorization 10.5.4. Authorization
The authorization and accounting features are intended to provide The authorization and accounting features are intended to provide
extensibility and flexibility. There is a base dictionary defined in extensibility and flexibility. There is a base dictionary defined in
this document, but it may be extended in deployments by using new this document, but it may be extended in deployments by using new
attribute names. The cost of the flexibility is that administrators argument names. The cost of the flexibility is that administrators
and implementors MUST ensure that the attribute and value pairs and implementors MUST ensure that the argument and value pairs shared
shared between the clients and servers have consistent between the clients and servers have consistent interpretation.
interpretation.
TACACS+ clients that receive an unrecognized mandatory attribute MUST TACACS+ clients that receive an unrecognized mandatory argument MUST
evaluate server response as if they received evaluate server response as if they received
TAC_PLUS_AUTHOR_STATUS_FAIL. TAC_PLUS_AUTHOR_STATUS_FAIL.
10.5.5. Redirection Mechanism 10.5.5. Redirection Mechanism
The original draft described a redirection mechanism The original draft described a redirection mechanism
(TAC_PLUS_AUTHEN_STATUS_FOLLOW). This feature is difficult to (TAC_PLUS_AUTHEN_STATUS_FOLLOW). This feature is difficult to
secure. The option to send secret keys in the server list is secure. The option to send secret keys in the server list is
particularly insecure, as it can reveal client shared secrets. particularly insecure, as it can reveal client shared secrets.
skipping to change at page 43, line 25 skipping to change at page 42, line 45
11. IANA Considerations 11. IANA Considerations
This informational document describes TACACS+ protocol and its common This informational document describes TACACS+ protocol and its common
deployments. There is no further consideration required from IANA. deployments. There is no further consideration required from IANA.
12. Acknowledgements 12. Acknowledgements
The authors would like to thank the following reviewers whose The authors would like to thank the following reviewers whose
comments and contributions made considerable improvements to the comments and contributions made considerable improvements to the
document: Alan DeKok, Alexander Clouter, Chris Janicki, Tom Petch, document: Alan DeKok, Alexander Clouter, Chris Janicki, Tom Petch,
Robert Drake, among many others. Robert Drake, John Heasley, among many others.
The authors would particularly like to thank Alan DeKok, who provided The authors would particularly like to thank Alan DeKok, who provided
significant insights and recommendations on all aspects of the significant insights and recommendations on all aspects of the
document and the protocol. Alan DeKok has dedicated considerable document and the protocol. Alan DeKok has dedicated considerable
time and effort to help improve the document, identifying weaknesses time and effort to help improve the document, identifying weaknesses
and providing remediation. and providing remediation.
The authors would also like to thank the support from the OPSAWG The authors would also like to thank the support from the OPSAWG
Chairs and advisors. Chairs and advisors, especially Joe Clarke.
13. References 13. References
13.1. Normative References 13.1. Normative References
[RFC0020] Cerf, V., "ASCII format for network interchange", STD 80, [RFC0020] Cerf, V., "ASCII format for network interchange", STD 80,
RFC 20, DOI 10.17487/RFC0020, October 1969, RFC 20, DOI 10.17487/RFC0020, October 1969,
<https://www.rfc-editor.org/info/rfc20>. <https://www.rfc-editor.org/info/rfc20>.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
 End of changes. 108 change blocks. 
175 lines changed or deleted 163 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/