draft-ietf-opsawg-tacacs-17.txt | draft-ietf-opsawg-tacacs-18.txt | |||
---|---|---|---|---|
Operations T. Dahm | Operations T. Dahm | |||
Internet-Draft A. Ota | Internet-Draft A. Ota | |||
Intended status: Informational Google Inc | Intended status: Informational Google Inc | |||
Expires: July 30, 2020 D. Medway Gash | Expires: September 21, 2020 D. Medway Gash | |||
Cisco Systems, Inc. | Cisco Systems, Inc. | |||
D. Carrel | D. Carrel | |||
vIPtela, Inc. | vIPtela, Inc. | |||
L. Grant | L. Grant | |||
January 27, 2020 | March 20, 2020 | |||
The TACACS+ Protocol | The TACACS+ Protocol | |||
draft-ietf-opsawg-tacacs-17 | draft-ietf-opsawg-tacacs-18 | |||
Abstract | Abstract | |||
This document describes the Terminal Access Controller Access-Control | This document describes the Terminal Access Controller Access-Control | |||
System Plus (TACACS+) protocol which is widely deployed today to | System Plus (TACACS+) protocol which is widely deployed today to | |||
provide Device Administration for routers, network access servers and | provide Device Administration for routers, network access servers and | |||
other networked computing devices via one or more centralized | other networked computing devices via one or more centralized | |||
servers. | servers. | |||
Status of This Memo | Status of This Memo | |||
skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on July 30, 2020. | This Internet-Draft will expire on September 21, 2020. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 51 ¶ | skipping to change at page 2, line 51 ¶ | |||
5.1. The Authentication START Packet Body . . . . . . . . . . 13 | 5.1. The Authentication START Packet Body . . . . . . . . . . 13 | |||
5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15 | 5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15 | |||
5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 17 | 5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 17 | |||
5.4. Description of Authentication Process . . . . . . . . . . 17 | 5.4. Description of Authentication Process . . . . . . . . . . 17 | |||
5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 18 | 5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 18 | |||
5.4.2. Common Authentication Flows . . . . . . . . . . . . . 19 | 5.4.2. Common Authentication Flows . . . . . . . . . . . . . 19 | |||
5.4.3. Aborting an Authentication Session . . . . . . . . . 22 | 5.4.3. Aborting an Authentication Session . . . . . . . . . 22 | |||
6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 23 | 6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 | 6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 | |||
6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 27 | 6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 27 | |||
7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 28 | 7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 29 | 7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 29 | |||
7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 30 | 7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 30 | |||
8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 31 | 8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 32 | |||
8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 32 | 8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 32 | |||
8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 33 | 8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 33 | |||
8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 35 | 8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 35 | |||
9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 36 | 9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 36 | |||
10. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | |||
10.1. General Security of the Protocol . . . . . . . . . . . . 37 | 10.1. General Security of the Protocol . . . . . . . . . . . . 38 | |||
10.2. Security of Authentication Sessions . . . . . . . . . . 38 | 10.2. Security of Authentication Sessions . . . . . . . . . . 39 | |||
10.3. Security of Authorization Sessions . . . . . . . . . . . 39 | 10.3. Security of Authorization Sessions . . . . . . . . . . . 39 | |||
10.4. Security of Accounting Sessions . . . . . . . . . . . . 39 | 10.4. Security of Accounting Sessions . . . . . . . . . . . . 40 | |||
10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 40 | 10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 40 | |||
10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 40 | 10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 40 | |||
10.5.2. Connections and Obfuscation . . . . . . . . . . . . 41 | 10.5.2. Connections and Obfuscation . . . . . . . . . . . . 41 | |||
10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 42 | 10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 42 | |||
10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 42 | 10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 43 | |||
10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 43 | 10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 43 | |||
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 | 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 | |||
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 43 | 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 43 | |||
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
13.1. Normative References . . . . . . . . . . . . . . . . . . 43 | 13.1. Normative References . . . . . . . . . . . . . . . . . . 44 | |||
13.2. Informative References . . . . . . . . . . . . . . . . . 44 | 13.2. Informative References . . . . . . . . . . . . . . . . . 45 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
1. Introduction | 1. Introduction | |||
This document describes the Terminal Access Controller Access-Control | This document describes the Terminal Access Controller Access-Control | |||
System Plus (TACACS+) protocol. It was conceived initially as a | System Plus (TACACS+) protocol. It was conceived initially as a | |||
general Authentication, Authorization and Accounting (AAA) protocol. | general Authentication, Authorization and Accounting (AAA) protocol. | |||
It is widely deployed today but is mainly confined for a specific | It is widely deployed today but is mainly confined for a specific | |||
subset of AAA: Device Administration, that is: authenticating access | subset of AAA: Device Administration, that is: authenticating access | |||
to network devices, providing central authorization of operations, | to network devices, providing central authorization of operations, | |||
skipping to change at page 24, line 29 ¶ | skipping to change at page 24, line 29 ¶ | |||
+----------------+----------------+----------------+----------------+ | +----------------+----------------+----------------+----------------+ | |||
| arg_2 ... | | arg_2 ... | |||
+----------------+----------------+----------------+----------------+ | +----------------+----------------+----------------+----------------+ | |||
| ... | | ... | |||
+----------------+----------------+----------------+----------------+ | +----------------+----------------+----------------+----------------+ | |||
| arg_N ... | | arg_N ... | |||
+----------------+----------------+----------------+----------------+ | +----------------+----------------+----------------+----------------+ | |||
authen_method | authen_method | |||
This indicates the authentication method used by the client to | This filed allows the client to indicate the authentication method | |||
acquire the user information. As this information is not always | used by the acquire the user information. | |||
subject to verification, it is recommended that this field is | ||||
ignored. | ||||
TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 | TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 | |||
TAC_PLUS_AUTHEN_METH_NONE := 0x01 | TAC_PLUS_AUTHEN_METH_NONE := 0x01 | |||
TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 | TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 | |||
TAC_PLUS_AUTHEN_METH_LINE := 0x03 | TAC_PLUS_AUTHEN_METH_LINE := 0x03 | |||
TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 | TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 | |||
TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 | TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 | |||
TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 | TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 | |||
TAC_PLUS_AUTHEN_METH_GUEST := 0x08 | TAC_PLUS_AUTHEN_METH_GUEST := 0x08 | |||
TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 | TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 | |||
TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 | ||||
TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 | ||||
TAC_PLUS_AUTHEN_METH_RCMD := 0x20 | TAC_PLUS_AUTHEN_METH_RCMD := 0x20 | |||
KRB5 and KRB4 are Kerberos version 5 and 4. This document does not | As this information is not always subject to verification, it is | |||
cover how the client performed the authentication, so normative | recommended that this field is in policy evaluastion. LINE refers to | |||
references will not be given . LINE refers to a fixed password | a fixed password associated with the terminal line used to gain | |||
associated with the terminal line used to gain access. LOCAL is a | access. LOCAL is a client local user database. ENABLE is a command | |||
client local user database. ENABLE is a command that authenticates | that authenticates in order to grant new privileges. TACACSPLUS is, | |||
in order to grant new privileges. TACACSPLUS is, of course, TACACS+. | of course, TACACS+. GUEST is an unqualified guest authentication. | |||
GUEST is an unqualified guest authentication. RADIUS is the Radius | RADIUS is the Radius authentication protocol. RCMD refers to | |||
authentication protocol. RCMD refers to authentication provided via | authentication provided via the R-command protocols from Berkeley | |||
the R-command protocols from Berkeley Unix. | Unix. KRB5 and KRB4 are Kerberos version 5 and 4. | |||
As mentioned above, this field is used by the client to indicate how | ||||
it performed the authentication. One of the options | ||||
(TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06) is TACACS+ itself, and so | ||||
the detail of how the client performed this option is given in | ||||
Authentication Section (Section 5). For all other options, such as | ||||
KRB and RADIUS, then TACACS+ protocol did not play any part in the | ||||
authentication phase; as those interactions were not conducted using | ||||
the TACACS+ protocol they will not be documented here. For | ||||
implementers of clients who need details of the other protocols, | ||||
please refer to the respective Kerberos [RFC4120] and RADIUS | ||||
[RFC3579] RFCs. | ||||
priv_lvl | priv_lvl | |||
This field is used in the same way as the priv_lvl field in | This field is used in the same way as the priv_lvl field in | |||
authentication request and is described in the Privilege Level | authentication request and is described in the Privilege Level | |||
section (Section 9) below. It indicates the users current privilege | section (Section 9) below. It indicates the users current privilege | |||
level. | level. | |||
authen_type | authen_type | |||
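Review bot: the rewritten recommendation in the new column (the rows beginning "As this information is not always subject to verification, it is" / "recommended that this field is in policy evaluastion") has lost its verb and its negation, so it now reads as if the field should be used in policy evaluation, the opposite of the -17 wording "it is recommended that this field is ignored". Because authen_method is asserted by the client and, as the text itself says, not subject to verification, a server that keys authorization decisions on it is trusting an unverified claim; suggest "it is recommended that this field is not used in policy evaluation" (which also fixes "evaluastion"). In the same hunk, the new column's opening sentence "This filed allows the client to indicate the authentication method used by the acquire the user information" should read "This field allows the client to indicate the authentication method it used to acquire the user information". The enumeration shows "TAC_PLUS_AUTHEN_METH_KRB4 := 0x11" on two consecutive rows; if that is not a rendering artifact of the side-by-side view, one copy should be removed. In the added explanatory paragraph, "then TACACS+ protocol did not play any part" should be "the TACACS+ protocol did not play any part", and its first sentence ("As mentioned above, this field is used by the client to indicate how it performed the authentication") restates the field description immediately above it and can be dropped.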
skipping to change at page 44, line 22 ¶ | skipping to change at page 44, line 36 ¶ | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", | [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", | |||
RFC 2433, DOI 10.17487/RFC2433, October 1998, | RFC 2433, DOI 10.17487/RFC2433, October 1998, | |||
<http://www.rfc-editor.org/info/rfc2433>. | <http://www.rfc-editor.org/info/rfc2433>. | |||
[RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", | [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", | |||
RFC 2759, DOI 10.17487/RFC2759, January 2000, | RFC 2759, DOI 10.17487/RFC2759, January 2000, | |||
<http://www.rfc-editor.org/info/rfc2759>. | <http://www.rfc-editor.org/info/rfc2759>. | |||
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication | ||||
Dial In User Service) Support For Extensible | ||||
Authentication Protocol (EAP)", RFC 3579, | ||||
DOI 10.17487/RFC3579, September 2003, | ||||
<https://www.rfc-editor.org/info/rfc3579>. | ||||
[RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller, | [RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller, | |||
"Randomness Requirements for Security", RFC 4086, | "Randomness Requirements for Security", RFC 4086, | |||
DOI 10.17487/RFC4086, June 2005, | DOI 10.17487/RFC4086, June 2005, | |||
<http://www.rfc-editor.org/info/rfc4086>. | <http://www.rfc-editor.org/info/rfc4086>. | |||
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The | ||||
Kerberos Network Authentication Service (V5)", RFC 4120, | ||||
DOI 10.17487/RFC4120, July 2005, | ||||
<https://www.rfc-editor.org/info/rfc4120>. | ||||
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 | [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 | |||
Address Text Representation", RFC 5952, | Address Text Representation", RFC 5952, | |||
DOI 10.17487/RFC5952, August 2010, | DOI 10.17487/RFC5952, August 2010, | |||
<https://www.rfc-editor.org/info/rfc5952>. | <https://www.rfc-editor.org/info/rfc5952>. | |||
[RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, | [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, | |||
Enforcement, and Comparison of Internationalized Strings | Enforcement, and Comparison of Internationalized Strings | |||
Representing Usernames and Passwords", RFC 8265, | Representing Usernames and Passwords", RFC 8265, | |||
DOI 10.17487/RFC8265, October 2017, | DOI 10.17487/RFC8265, October 2017, | |||
<https://www.rfc-editor.org/info/rfc8265>. | <https://www.rfc-editor.org/info/rfc8265>. | |||
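Review bot: the two entries added in this hunk, [RFC3579] and [RFC4120], are placed among the Normative References (this hunk is on page 44 alongside [RFC2119], which the -18 table of contents lists under 13.1 Normative References), yet the authen_method text that cites them is explicitly informative: -17 stated that "normative references will not be given" for the non-TACACS+ methods, and -18 only tells implementers to "refer to the respective Kerberos [RFC4120] and RADIUS [RFC3579] RFCs". They belong in 13.2 Informative References. Separately, the added entry's own title shows RFC 3579 is "RADIUS ... Support For Extensible Authentication Protocol (EAP)", i.e. the RADIUS/EAP extension, whereas the prose cites it for "the Radius authentication protocol" in general; the base RADIUS specification (RFC 2865) is likely the intended reference.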
End of changes. 16 change blocks. | ||||
27 lines changed or deleted | 48 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |