| draft-ietf-opsawg-tacacs-17.txt | draft-ietf-opsawg-tacacs-18.txt | |||
|---|---|---|---|---|
| Operations T. Dahm | Operations T. Dahm | |||
| Internet-Draft A. Ota | Internet-Draft A. Ota | |||
| Intended status: Informational Google Inc | Intended status: Informational Google Inc | |||
| Expires: July 30, 2020 D. Medway Gash | Expires: September 21, 2020 D. Medway Gash | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| D. Carrel | D. Carrel | |||
| vIPtela, Inc. | vIPtela, Inc. | |||
| L. Grant | L. Grant | |||
| January 27, 2020 | March 20, 2020 | |||
| The TACACS+ Protocol | The TACACS+ Protocol | |||
| draft-ietf-opsawg-tacacs-17 | draft-ietf-opsawg-tacacs-18 | |||
| Abstract | Abstract | |||
| This document describes the Terminal Access Controller Access-Control | This document describes the Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) protocol which is widely deployed today to | System Plus (TACACS+) protocol which is widely deployed today to | |||
| provide Device Administration for routers, network access servers and | provide Device Administration for routers, network access servers and | |||
| other networked computing devices via one or more centralized | other networked computing devices via one or more centralized | |||
| servers. | servers. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 30, 2020. | This Internet-Draft will expire on September 21, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 51 ¶ | skipping to change at page 2, line 51 ¶ | |||
| 5.1. The Authentication START Packet Body . . . . . . . . . . 13 | 5.1. The Authentication START Packet Body . . . . . . . . . . 13 | |||
| 5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15 | 5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15 | |||
| 5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 17 | 5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 17 | |||
| 5.4. Description of Authentication Process . . . . . . . . . . 17 | 5.4. Description of Authentication Process . . . . . . . . . . 17 | |||
| 5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 18 | 5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 18 | |||
| 5.4.2. Common Authentication Flows . . . . . . . . . . . . . 19 | 5.4.2. Common Authentication Flows . . . . . . . . . . . . . 19 | |||
| 5.4.3. Aborting an Authentication Session . . . . . . . . . 22 | 5.4.3. Aborting an Authentication Session . . . . . . . . . 22 | |||
| 6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 23 | 6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 | 6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 | |||
| 6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 27 | 6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 27 | |||
| 7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 28 | 7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 29 | 7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 29 | |||
| 7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 30 | 7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 30 | |||
| 8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 31 | 8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 32 | |||
| 8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 32 | 8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 33 | 8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 33 | |||
| 8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 35 | 8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 35 | |||
| 9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 36 | 9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 10. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | |||
| 10.1. General Security of the Protocol . . . . . . . . . . . . 37 | 10.1. General Security of the Protocol . . . . . . . . . . . . 38 | |||
| 10.2. Security of Authentication Sessions . . . . . . . . . . 38 | 10.2. Security of Authentication Sessions . . . . . . . . . . 39 | |||
| 10.3. Security of Authorization Sessions . . . . . . . . . . . 39 | 10.3. Security of Authorization Sessions . . . . . . . . . . . 39 | |||
| 10.4. Security of Accounting Sessions . . . . . . . . . . . . 39 | 10.4. Security of Accounting Sessions . . . . . . . . . . . . 40 | |||
| 10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 40 | 10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 40 | |||
| 10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 40 | 10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 40 | |||
| 10.5.2. Connections and Obfuscation . . . . . . . . . . . . 41 | 10.5.2. Connections and Obfuscation . . . . . . . . . . . . 41 | |||
| 10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 42 | 10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 42 | |||
| 10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 42 | 10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 43 | |||
| 10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 43 | 10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 43 | |||
| 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 | 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 | |||
| 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 43 | 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 43 | |||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 43 | 13.1. Normative References . . . . . . . . . . . . . . . . . . 44 | |||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 44 | 13.2. Informative References . . . . . . . . . . . . . . . . . 45 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 1. Introduction | 1. Introduction | |||
| This document describes the Terminal Access Controller Access-Control | This document describes the Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) protocol. It was conceived initially as a | System Plus (TACACS+) protocol. It was conceived initially as a | |||
| general Authentication, Authorization and Accounting (AAA) protocol. | general Authentication, Authorization and Accounting (AAA) protocol. | |||
| It is widely deployed today but is mainly confined for a specific | It is widely deployed today but is mainly confined for a specific | |||
| subset of AAA: Device Administration, that is: authenticating access | subset of AAA: Device Administration, that is: authenticating access | |||
| to network devices, providing central authorization of operations, | to network devices, providing central authorization of operations, | |||
| skipping to change at page 24, line 29 ¶ | skipping to change at page 24, line 29 ¶ | |||
| +----------------+----------------+----------------+----------------+ | +----------------+----------------+----------------+----------------+ | |||
| | arg_2 ... | | arg_2 ... | |||
| +----------------+----------------+----------------+----------------+ | +----------------+----------------+----------------+----------------+ | |||
| | ... | | ... | |||
| +----------------+----------------+----------------+----------------+ | +----------------+----------------+----------------+----------------+ | |||
| | arg_N ... | | arg_N ... | |||
| +----------------+----------------+----------------+----------------+ | +----------------+----------------+----------------+----------------+ | |||
| authen_method | authen_method | |||
| This indicates the authentication method used by the client to | This filed allows the client to indicate the authentication method | |||
| acquire the user information. As this information is not always | used by the acquire the user information. | |||
| subject to verification, it is recommended that this field is | ||||
| ignored. | ||||
| TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 | TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 | |||
| TAC_PLUS_AUTHEN_METH_NONE := 0x01 | TAC_PLUS_AUTHEN_METH_NONE := 0x01 | |||
| TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 | TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 | |||
| TAC_PLUS_AUTHEN_METH_LINE := 0x03 | TAC_PLUS_AUTHEN_METH_LINE := 0x03 | |||
| TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 | TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 | |||
| TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 | TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 | |||
| TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 | TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 | |||
| TAC_PLUS_AUTHEN_METH_GUEST := 0x08 | TAC_PLUS_AUTHEN_METH_GUEST := 0x08 | |||
| TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 | TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 | |||
| TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 | ||||
| TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 | ||||
| TAC_PLUS_AUTHEN_METH_RCMD := 0x20 | TAC_PLUS_AUTHEN_METH_RCMD := 0x20 | |||
| KRB5 and KRB4 are Kerberos version 5 and 4. This document does not | As this information is not always subject to verification, it is | |||
| cover how the client performed the authentication, so normative | recommended that this field is in policy evaluastion. LINE refers to | |||
| references will not be given . LINE refers to a fixed password | a fixed password associated with the terminal line used to gain | |||
| associated with the terminal line used to gain access. LOCAL is a | access. LOCAL is a client local user database. ENABLE is a command | |||
| client local user database. ENABLE is a command that authenticates | that authenticates in order to grant new privileges. TACACSPLUS is, | |||
| in order to grant new privileges. TACACSPLUS is, of course, TACACS+. | of course, TACACS+. GUEST is an unqualified guest authentication. | |||
| GUEST is an unqualified guest authentication. RADIUS is the Radius | RADIUS is the Radius authentication protocol. RCMD refers to | |||
| authentication protocol. RCMD refers to authentication provided via | authentication provided via the R-command protocols from Berkeley | |||
| the R-command protocols from Berkeley Unix. | Unix. KRB5 and KRB4 are Kerberos version 5 and 4. | |||
| As mentioned above, this field is used by the client to indicate how | ||||
| it performed the authentication. One of the options | ||||
| (TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06) is TACACS+ itself, and so | ||||
| the detail of how the client performed this option is given in | ||||
| Authentication Section (Section 5). For all other options, such as | ||||
| KRB and RADIUS, then TACACS+ protocol did not play any part in the | ||||
| authentication phase; as those interactions were not conducted using | ||||
| the TACACS+ protocol they will not be documented here. For | ||||
| implementers of clients who need details of the other protocols, | ||||
| please refer to the respective Kerberos [RFC4120] and RADIUS | ||||
| [RFC3579] RFCs. | ||||
| priv_lvl | priv_lvl | |||
| This field is used in the same way as the priv_lvl field in | This field is used in the same way as the priv_lvl field in | |||
| authentication request and is described in the Privilege Level | authentication request and is described in the Privilege Level | |||
| section (Section 9) below. It indicates the users current privilege | section (Section 9) below. It indicates the users current privilege | |||
| level. | level. | |||
| authen_type | authen_type | |||
| skipping to change at page 44, line 22 ¶ | skipping to change at page 44, line 36 ¶ | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", | [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", | |||
| RFC 2433, DOI 10.17487/RFC2433, October 1998, | RFC 2433, DOI 10.17487/RFC2433, October 1998, | |||
| <http://www.rfc-editor.org/info/rfc2433>. | <http://www.rfc-editor.org/info/rfc2433>. | |||
| [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", | [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", | |||
| RFC 2759, DOI 10.17487/RFC2759, January 2000, | RFC 2759, DOI 10.17487/RFC2759, January 2000, | |||
| <http://www.rfc-editor.org/info/rfc2759>. | <http://www.rfc-editor.org/info/rfc2759>. | |||
| [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication | ||||
| Dial In User Service) Support For Extensible | ||||
| Authentication Protocol (EAP)", RFC 3579, | ||||
| DOI 10.17487/RFC3579, September 2003, | ||||
| <https://www.rfc-editor.org/info/rfc3579>. | ||||
| [RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller, | [RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller, | |||
| "Randomness Requirements for Security", RFC 4086, | "Randomness Requirements for Security", RFC 4086, | |||
| DOI 10.17487/RFC4086, June 2005, | DOI 10.17487/RFC4086, June 2005, | |||
| <http://www.rfc-editor.org/info/rfc4086>. | <http://www.rfc-editor.org/info/rfc4086>. | |||
| [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The | ||||
| Kerberos Network Authentication Service (V5)", RFC 4120, | ||||
| DOI 10.17487/RFC4120, July 2005, | ||||
| <https://www.rfc-editor.org/info/rfc4120>. | ||||
| [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 | [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 | |||
| Address Text Representation", RFC 5952, | Address Text Representation", RFC 5952, | |||
| DOI 10.17487/RFC5952, August 2010, | DOI 10.17487/RFC5952, August 2010, | |||
| <https://www.rfc-editor.org/info/rfc5952>. | <https://www.rfc-editor.org/info/rfc5952>. | |||
| [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, | [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, | |||
| Enforcement, and Comparison of Internationalized Strings | Enforcement, and Comparison of Internationalized Strings | |||
| Representing Usernames and Passwords", RFC 8265, | Representing Usernames and Passwords", RFC 8265, | |||
| DOI 10.17487/RFC8265, October 2017, | DOI 10.17487/RFC8265, October 2017, | |||
| <https://www.rfc-editor.org/info/rfc8265>. | <https://www.rfc-editor.org/info/rfc8265>. | |||
| End of changes. 16 change blocks. | ||||
| 27 lines changed or deleted | 48 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||