draft-ietf-opsawg-tacacs-17.txt   draft-ietf-opsawg-tacacs-18.txt 
Operations T. Dahm Operations T. Dahm
Internet-Draft A. Ota Internet-Draft A. Ota
Intended status: Informational Google Inc Intended status: Informational Google Inc
Expires: July 30, 2020 D. Medway Gash Expires: September 21, 2020 D. Medway Gash
Cisco Systems, Inc. Cisco Systems, Inc.
D. Carrel D. Carrel
vIPtela, Inc. vIPtela, Inc.
L. Grant L. Grant
January 27, 2020 March 20, 2020
The TACACS+ Protocol The TACACS+ Protocol
draft-ietf-opsawg-tacacs-17 draft-ietf-opsawg-tacacs-18
Abstract Abstract
This document describes the Terminal Access Controller Access-Control This document describes the Terminal Access Controller Access-Control
System Plus (TACACS+) protocol which is widely deployed today to System Plus (TACACS+) protocol which is widely deployed today to
provide Device Administration for routers, network access servers and provide Device Administration for routers, network access servers and
other networked computing devices via one or more centralized other networked computing devices via one or more centralized
servers. servers.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 30, 2020. This Internet-Draft will expire on September 21, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 51 skipping to change at page 2, line 51
5.1. The Authentication START Packet Body . . . . . . . . . . 13 5.1. The Authentication START Packet Body . . . . . . . . . . 13
5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15 5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15
5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 17 5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 17
5.4. Description of Authentication Process . . . . . . . . . . 17 5.4. Description of Authentication Process . . . . . . . . . . 17
5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 18 5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 18
5.4.2. Common Authentication Flows . . . . . . . . . . . . . 19 5.4.2. Common Authentication Flows . . . . . . . . . . . . . 19
5.4.3. Aborting an Authentication Session . . . . . . . . . 22 5.4.3. Aborting an Authentication Session . . . . . . . . . 22
6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 23 6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 23
6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23
6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 27 6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 27
7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 28 7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 29 7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 29
7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 30 7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 30
8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 31 8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 32
8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 32 8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 32
8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 33 8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 33
8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 35 8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 35
9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 36 9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 36
10. Security Considerations . . . . . . . . . . . . . . . . . . . 37 10. Security Considerations . . . . . . . . . . . . . . . . . . . 37
10.1. General Security of the Protocol . . . . . . . . . . . . 37 10.1. General Security of the Protocol . . . . . . . . . . . . 38
10.2. Security of Authentication Sessions . . . . . . . . . . 38 10.2. Security of Authentication Sessions . . . . . . . . . . 39
10.3. Security of Authorization Sessions . . . . . . . . . . . 39 10.3. Security of Authorization Sessions . . . . . . . . . . . 39
10.4. Security of Accounting Sessions . . . . . . . . . . . . 39 10.4. Security of Accounting Sessions . . . . . . . . . . . . 40
10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 40 10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 40
10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 40 10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 40
10.5.2. Connections and Obfuscation . . . . . . . . . . . . 41 10.5.2. Connections and Obfuscation . . . . . . . . . . . . 41
10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 42 10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 42
10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 42 10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 43
10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 43 10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 43
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 43 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 43
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
13.1. Normative References . . . . . . . . . . . . . . . . . . 43 13.1. Normative References . . . . . . . . . . . . . . . . . . 44
13.2. Informative References . . . . . . . . . . . . . . . . . 44 13.2. Informative References . . . . . . . . . . . . . . . . . 45
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45
1. Introduction 1. Introduction
This document describes the Terminal Access Controller Access-Control This document describes the Terminal Access Controller Access-Control
System Plus (TACACS+) protocol. It was conceived initially as a System Plus (TACACS+) protocol. It was conceived initially as a
general Authentication, Authorization and Accounting (AAA) protocol. general Authentication, Authorization and Accounting (AAA) protocol.
It is widely deployed today but is mainly confined for a specific It is widely deployed today but is mainly confined for a specific
subset of AAA: Device Administration, that is: authenticating access subset of AAA: Device Administration, that is: authenticating access
to network devices, providing central authorization of operations, to network devices, providing central authorization of operations,
skipping to change at page 24, line 29 skipping to change at page 24, line 29
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg_2 ... | arg_2 ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| ... | ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
| arg_N ... | arg_N ...
+----------------+----------------+----------------+----------------+ +----------------+----------------+----------------+----------------+
authen_method authen_method
This indicates the authentication method used by the client to This filed allows the client to indicate the authentication method
acquire the user information. As this information is not always used by the acquire the user information.
subject to verification, it is recommended that this field is
ignored.
TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00
TAC_PLUS_AUTHEN_METH_NONE := 0x01 TAC_PLUS_AUTHEN_METH_NONE := 0x01
TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 TAC_PLUS_AUTHEN_METH_KRB5 := 0x02
TAC_PLUS_AUTHEN_METH_LINE := 0x03 TAC_PLUS_AUTHEN_METH_LINE := 0x03
TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 TAC_PLUS_AUTHEN_METH_ENABLE := 0x04
TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 TAC_PLUS_AUTHEN_METH_LOCAL := 0x05
TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06
TAC_PLUS_AUTHEN_METH_GUEST := 0x08 TAC_PLUS_AUTHEN_METH_GUEST := 0x08
TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 TAC_PLUS_AUTHEN_METH_RADIUS := 0x10
TAC_PLUS_AUTHEN_METH_KRB4 := 0x11
TAC_PLUS_AUTHEN_METH_KRB4 := 0x11
TAC_PLUS_AUTHEN_METH_RCMD := 0x20 TAC_PLUS_AUTHEN_METH_RCMD := 0x20
KRB5 and KRB4 are Kerberos version 5 and 4. This document does not As this information is not always subject to verification, it is
cover how the client performed the authentication, so normative recommended that this field is in policy evaluastion. LINE refers to
references will not be given . LINE refers to a fixed password a fixed password associated with the terminal line used to gain
associated with the terminal line used to gain access. LOCAL is a access. LOCAL is a client local user database. ENABLE is a command
client local user database. ENABLE is a command that authenticates that authenticates in order to grant new privileges. TACACSPLUS is,
in order to grant new privileges. TACACSPLUS is, of course, TACACS+. of course, TACACS+. GUEST is an unqualified guest authentication.
GUEST is an unqualified guest authentication. RADIUS is the Radius RADIUS is the Radius authentication protocol. RCMD refers to
authentication protocol. RCMD refers to authentication provided via authentication provided via the R-command protocols from Berkeley
the R-command protocols from Berkeley Unix. Unix. KRB5 and KRB4 are Kerberos version 5 and 4.
As mentioned above, this field is used by the client to indicate how
it performed the authentication. One of the options
(TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06) is TACACS+ itself, and so
the detail of how the client performed this option is given in
Authentication Section (Section 5). For all other options, such as
KRB and RADIUS, then TACACS+ protocol did not play any part in the
authentication phase; as those interactions were not conducted using
the TACACS+ protocol they will not be documented here. For
implementers of clients who need details of the other protocols,
please refer to the respective Kerberos [RFC4120] and RADIUS
[RFC3579] RFCs.
priv_lvl priv_lvl
This field is used in the same way as the priv_lvl field in This field is used in the same way as the priv_lvl field in
authentication request and is described in the Privilege Level authentication request and is described in the Privilege Level
section (Section 9) below. It indicates the users current privilege section (Section 9) below. It indicates the users current privilege
level. level.
authen_type authen_type
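Review bot: the rewritten sentence in the right column under authen_method, "it is recommended that this field is in policy evaluastion", is missing a word and misspells "evaluation", which leaves the guidance ambiguous on a security-relevant point; the left column said the field should be ignored because it is not subject to verification, so the right column should read "it is recommended that this field is not used in policy evaluation" (or a normative "MUST NOT be used in policy evaluation"), so that a server never grants authorization on the strength of a client-asserted method value. Also in the right column: "This filed allows the client to indicate the authentication method used by the acquire the user information" should be "This field allows the client to indicate the authentication method used to acquire the user information", and "then TACACS+ protocol did not play any part in the authentication phase" should be "the TACACS+ protocol did not play any part in the authentication phase". The unchanged priv_lvl text "the users current privilege level" should be "the user's current privilege level".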
skipping to change at page 44, line 22 skipping to change at page 44, line 36
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions",
RFC 2433, DOI 10.17487/RFC2433, October 1998, RFC 2433, DOI 10.17487/RFC2433, October 1998,
<http://www.rfc-editor.org/info/rfc2433>. <http://www.rfc-editor.org/info/rfc2433>.
[RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2",
RFC 2759, DOI 10.17487/RFC2759, January 2000, RFC 2759, DOI 10.17487/RFC2759, January 2000,
<http://www.rfc-editor.org/info/rfc2759>. <http://www.rfc-editor.org/info/rfc2759>.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579,
DOI 10.17487/RFC3579, September 2003,
<https://www.rfc-editor.org/info/rfc3579>.
[RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller, [RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller,
"Randomness Requirements for Security", RFC 4086, "Randomness Requirements for Security", RFC 4086,
DOI 10.17487/RFC4086, June 2005, DOI 10.17487/RFC4086, June 2005,
<http://www.rfc-editor.org/info/rfc4086>. <http://www.rfc-editor.org/info/rfc4086>.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
DOI 10.17487/RFC4120, July 2005,
<https://www.rfc-editor.org/info/rfc4120>.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation", RFC 5952, Address Text Representation", RFC 5952,
DOI 10.17487/RFC5952, August 2010, DOI 10.17487/RFC5952, August 2010,
<https://www.rfc-editor.org/info/rfc5952>. <https://www.rfc-editor.org/info/rfc5952>.
[RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation,
Enforcement, and Comparison of Internationalized Strings Enforcement, and Comparison of Internationalized Strings
Representing Usernames and Passwords", RFC 8265, Representing Usernames and Passwords", RFC 8265,
DOI 10.17487/RFC8265, October 2017, DOI 10.17487/RFC8265, October 2017,
<https://www.rfc-editor.org/info/rfc8265>. <https://www.rfc-editor.org/info/rfc8265>.
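Review bot: the two new entries [RFC3579] and [RFC4120] are inserted at page 44 among the Normative References (section 13.1 per the table of contents), yet the authen_method text that cites them says those exchanges "were not conducted using the TACACS+ protocol" and are given only for "implementers of clients who need details of the other protocols"; a reference that an implementation does not need in order to conform to this document belongs in 13.2 Informative References. Separately, RFC 3579 is the RADIUS support for EAP document, as its title in the new entry shows; if the citation is meant to point at the RADIUS protocol itself, the base RADIUS specification (RFC 2865) would be the more direct reference.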
 End of changes. 16 change blocks. 
27 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/