--- 1/draft-ietf-opsawg-tacacs-17.txt 2020-03-20 05:13:19.741194176 -0700 +++ 2/draft-ietf-opsawg-tacacs-18.txt 2020-03-20 05:13:19.825196317 -0700 @@ -1,23 +1,23 @@ Operations T. Dahm Internet-Draft A. Ota Intended status: Informational Google Inc -Expires: July 30, 2020 D. Medway Gash +Expires: September 21, 2020 D. Medway Gash Cisco Systems, Inc. D. Carrel vIPtela, Inc. L. Grant - January 27, 2020 + March 20, 2020 The TACACS+ Protocol - draft-ietf-opsawg-tacacs-17 + draft-ietf-opsawg-tacacs-18 Abstract This document describes the Terminal Access Controller Access-Control System Plus (TACACS+) protocol which is widely deployed today to provide Device Administration for routers, network access servers and other networked computing devices via one or more centralized servers. Status of This Memo @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on July 30, 2020. + This Internet-Draft will expire on September 21, 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -86,44 +86,44 @@ 5.1. The Authentication START Packet Body . . . . . . . . . . 13 5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15 5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 17 5.4. Description of Authentication Process . . . . . . . . . . 17 5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 18 5.4.2. Common Authentication Flows . . . . . . . . . . . . . 19 5.4.3. Aborting an Authentication Session . . . . . . . . . 22 6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 23 6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 27 - 7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 28 + 7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 29 7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 29 7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 30 - 8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 31 + 8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 32 8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 32 8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 33 8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 35 9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 36 10. Security Considerations . . . . . . . . . . . . . . . . . . . 37 - 10.1. General Security of the Protocol . . . . . . . . . . . . 37 - 10.2. Security of Authentication Sessions . . . . . . . . . . 38 + 10.1. General Security of the Protocol . . . . . . . . . . . . 38 + 10.2. Security of Authentication Sessions . . . . . . . . . . 39 10.3. Security of Authorization Sessions . . . . . . . . . . . 39 - 10.4. Security of Accounting Sessions . . . . . . . . . . . . 39 + 10.4. Security of Accounting Sessions . . . . . . . . . . . . 40 10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 40 10.5.1. Shared Secrets . . . . . . . . . . . . . . . 
. . . . 40 10.5.2. Connections and Obfuscation . . . . . . . . . . . . 41 10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 42 - 10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 42 + 10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 43 10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 43 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 43 - 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 - 13.1. Normative References . . . . . . . . . . . . . . . . . . 43 - 13.2. Informative References . . . . . . . . . . . . . . . . . 44 + 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 + 13.1. Normative References . . . . . . . . . . . . . . . . . . 44 + 13.2. Informative References . . . . . . . . . . . . . . . . . 45 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 1. Introduction This document describes the Terminal Access Controller Access-Control System Plus (TACACS+) protocol. It was conceived initially as a general Authentication, Authorization and Accounting (AAA) protocol. It is widely deployed today but is mainly confined for a specific subset of AAA: Device Administration, that is: authenticating access to network devices, providing central authorization of operations, 
@@ -1085,55 +1085,65 @@ +----------------+----------------+----------------+----------------+ | arg_2 ... +----------------+----------------+----------------+----------------+ | ... +----------------+----------------+----------------+----------------+ | arg_N ... +----------------+----------------+----------------+----------------+ authen_method - This indicates the authentication method used by the client to - acquire the user information. As this information is not always - subject to verification, it is recommended that this field is - ignored. + This filed allows the client to indicate the authentication method + used by the acquire the user information. TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 TAC_PLUS_AUTHEN_METH_NONE := 0x01 TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 TAC_PLUS_AUTHEN_METH_LINE := 0x03 TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 TAC_PLUS_AUTHEN_METH_GUEST := 0x08 TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 - TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 + TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 TAC_PLUS_AUTHEN_METH_RCMD := 0x20 - KRB5 and KRB4 are Kerberos version 5 and 4. This document does not - cover how the client performed the authentication, so normative - references will not be given . LINE refers to a fixed password - associated with the terminal line used to gain access. LOCAL is a - client local user database. ENABLE is a command that authenticates - in order to grant new privileges. TACACSPLUS is, of course, TACACS+. - GUEST is an unqualified guest authentication. RADIUS is the Radius - authentication protocol. RCMD refers to authentication provided via - the R-command protocols from Berkeley Unix. + As this information is not always subject to verification, it is + recommended that this field is in policy evaluastion. LINE refers to + a fixed password associated with the terminal line used to gain + access. LOCAL is a client local user database. 
ENABLE is a command + that authenticates in order to grant new privileges. TACACSPLUS is, + of course, TACACS+. GUEST is an unqualified guest authentication. + RADIUS is the Radius authentication protocol. RCMD refers to + authentication provided via the R-command protocols from Berkeley + Unix. KRB5 and KRB4 are Kerberos version 5 and 4. + + As mentioned above, this field is used by the client to indicate how + it performed the authentication. One of the options + (TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06) is TACACS+ itself, and so + the detail of how the client performed this option is given in + Authentication Section (Section 5). For all other options, such as + KRB and RADIUS, then TACACS+ protocol did not play any part in the + authentication phase; as those interactions were not conducted using + the TACACS+ protocol they will not be documented here. For + implementers of clients who need details of the other protocols, + please refer to the respective Kerberos [RFC4120] and RADIUS + [RFC3579] RFCs. priv_lvl This field is used in the same way as the priv_lvl field in authentication request and is described in the Privilege Level section (Section 9) below. It indicates the users current privilege level. authen_type 
@@ -2027,25 +2037,36 @@ . [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2433, DOI 10.17487/RFC2433, October 1998, . [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", RFC 2759, DOI 10.17487/RFC2759, January 2000, . + [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication + Dial In User Service) Support For Extensible + Authentication Protocol (EAP)", RFC 3579, + DOI 10.17487/RFC3579, September 2003, + . + [RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller, "Randomness Requirements for Security", RFC 4086, DOI 10.17487/RFC4086, June 2005, . + [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The + Kerberos Network Authentication Service (V5)", RFC 4120, + DOI 10.17487/RFC4120, July 2005, + . + [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, DOI 10.17487/RFC5952, August 2010, . [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords", RFC 8265, DOI 10.17487/RFC8265, October 2017, .
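Review bot: In the authen_method hunk (@@ -1085,55 +1085,65 @@), the new description sentence has a typo and a missing word: "This filed allows the client to indicate the authentication method used by the acquire the user information." should read "This field allows the client to indicate the authentication method used by the client to acquire the user information." More importantly, the replacement for the old "it is recommended that this field is ignored" guidance has lost its verb and misspells the last word: "it is recommended that this field is in policy evaluastion" no longer says whether the field should or should not be used, and a reader could take it as recommending use. Since the same sentence states that the value is not always subject to verification, the safe reading from the original text is that servers should not base policy on it; suggest "it is recommended that this field is not used in policy evaluation" (or keep the original "ignored" wording). In the added paragraph, "then TACACS+ protocol did not play any part" should be "the TACACS+ protocol did not play any part". The KRB4 line appears in the hunk as both removed and re-added with identical visible content, so it looks like a whitespace-only change; fine to keep, but worth confirming no trailing whitespace was introduced elsewhere in the block.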
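Review bot: In the references hunk, the added [RFC3579] entry is titled "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", which is the EAP-over-RADIUS specification rather than the base RADIUS protocol. The authen_method text in the earlier hunk cites it as the RADIUS reference for "implementers of clients who need details of the other protocols", that is, for how a client performed RADIUS authentication in general; the base RADIUS specification (RFC 2865) seems the intended citation, so please confirm which RFC the authors meant before this lands. The [RFC4120] Kerberos V5 entry matches the text's use of KRB5, though the text also lists KRB4 and gives no reference for it; if that is deliberate (the removed sentence said normative references would not be given), a short note to that effect in the authen_method paragraph would avoid the asymmetry. Both new entries follow the surrounding entry format (authors, title, RFC number, DOI, date).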