GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc1492

Network Working Group C. Finseth Request for Comments: 1492 University of Minnesota

                                                             July 1993
        An Access Control Protocol, Sometimes Called TACACS

Status of this Memo

 This memo provides information for the Internet community.  It does
 not specify an Internet standard.  Distribution of this memo is
 unlimited.

Background

 There used to be a network called ARPANET.  This network consisted of
 end nodes (hosts), routing nodes (IMPs) and links.  There were (at
 least) two types of IMPs: those that connected dedicated lines only
 and those that could accept dial up lines.  The latter were called
 "TIPs."
 People being what they were, there was a desire to control who could
 use the dial up lines.  Someone invented a protocol, called "TACACS"
 (Terminal Access Controller Access Control System?), which allowed a
 TIP to accept a username and password and send a query to a TACACS
 authentication server, sometimes called a TACACS daemon or simply
 TACACSD.  This server was normally a program running on a host. The
 host would determine whether to accept or deny the request and sent a
 response back.  The TIP would then allow access or not, based upon
 the response.
 While TIPs are -- shall we say? -- no longer a major presence on the
 Internet, terminal servers are.  Cisco Systems terminal servers
 implement an extended version of this TACACS protocol.  Thus, the
 access control decision is delegated to a host.  In this way, the
 process of making the decision is "opened up" and the algorithms and
 data used to make the decision are under the complete control of
 whoever is running the TACACS daemon.  For example, "anyone with a
 first name of Joe can only login after 10:00 PM Mon-Fri, unless his
 last name is Smith or there is a Susan already logged in."
 The extensions to the protocol provide for more types of
 authentication requests and more types of response codes than were in
 the original specification.
 The original TACACS protocol specification does exist.  However, due
 to copyright issues, I was not able to obtain a copy of this document

Finseth [Page 1] RFC 1492 TACACS July 1993

 and this lack of access is the main reason for the writing of this
 document.  This version of the specification was developed with the
 assistance of Cisco Systems, who has an implementation of the TACACS
 protocol that is believed to be compatible with the original
 specification.  To be precise, the Cisco Systems implementation
 supports both the simple (non-extended) and extended versions.  It is
 the simple version that would be compatible with the original.
 Please keep in mind that this is an informational RFC and does not
 specify a standard, and that more information may be uncovered in the
 future (i.e., the original specification may become available) that
 could cause parts of this document to be known to be incorrect.
 This RFC documents the extended TACACS protocol use by the Cisco
 Systems terminal servers.  This same protocol is used by the
 University of Minnesota's distributed authentication system.

1. Protocol Semantics

 This section will describe the requests and responses.  The following
 two sections will describe two different ways of encoding the
 protocol.
 A request/response pair is the basic unit of interaction.  In this
 pair, the client sends a request and the server replies with a
 response.  All requests must be acknowledged with a response.  This
 requirement implies that all requests can be denied, although it is
 probably futile to attempt to deny a "logout" request.

1.1 Connections

 In some cases, a string of request/response pairs forms a larger
 unit, called a "connection."
 There are three types of connections:
 1) Authenticate only, no connection:
         client:  sends an AUTH packet
         server:  responds with a REPLY

Finseth [Page 2] RFC 1492 TACACS July 1993

 2) Login connection:
         client:  sends a LOGIN packet
         server:  responds with a REPLY
         repeat zero or more times:
                 client:  sends a CONNECT packet
                 server:  responds with a REPLY
         client:  sends a LOGOUT packet
         server:  responds with a REPLY
 3) SLIP connection:
         client:  sends a LOGIN packet
         server:  responds with a REPLY
         repeat zero or more times:
                 client:  sends a CONNECT packet
                 server:  responds with a REPLY
         client:  sends a SLIPADDR packet
         server:  responds with a REPLY
         repeat zero or more times:
                 client:  sends a CONNECT packet
                 server:  responds with a REPLY
         client:  sends a SLIPON packet
         server:  responds with a REPLY
         client:  sends a LOGOUT packet (immediate)
         server:  responds with a REPLY
         client:  sends a SLIPOFF packet
         server:  responds with a REPLY

1.2 Requests

 This section lists the requests supported by the protocol.  The
 responses are described in the later encodings sections.
 AUTH(username, password, line, style)
    This request asks for an authentication.  The parameters are:

Finseth [Page 3] RFC 1492 TACACS July 1993

  1. the username
  2. the password
  3. an indication of which line the request is for, and
  4. a style of authentication
    The username is a string that identifies the user.  In principle,
    it can be of any length and contain any characters.  In practice,
    it should be no longer than 128 characters and should contain only
    the ASCII characters "!" (33 decimal) through "~" (126 decimal),
    inclusive.
    The password is a string that is used to authenticate the user
    identified by the username.  In principle, it can be of any length
    and contain any characters.  In practice, it should be no longer
    than 128 characters and should contain only the ASCII characters
    "!" (33 decimal) through "~" (126 decimal), inclusive.
    The line is a non-negative decimal integer.  If the client
    supports multiple physical access channels, this value identifies
    the particular channel.  By convention, lines are numbered
    starting from one, although this should be taken with a grain of
    salt.  For example, Cisco Systems' implementation uses zero to
    designate the console port, then continues with one for the "main"
    serial lines. Clients that support only one channel should use
    line zero.
    The authentication style is a possibly empty string.  It
    identifies the particular style of authentication to be performed.
    Its syntax and semantics are local.
    Example:
            AUTH("fin@unet.umn.edu", "fake-password", 0, "staff")
    This specifies a username of "fin@unet.umn.edu" (which happens to
    be my e-mail address), a password, an indication that no line is
    associated with this request, and a style of "staff".  The
    semantics for this style might be that I am required to be a staff
    member (in addition, of course, to supplying a valid username and
    password).  The server would presumably consult an external
    database to verify the staff status.
    As a local option, the implementation may choose to encode the
    style information by using alternate port numbers.  E.g. port 4001
    would mean style 1, 4002 would be style 2, etc.
    Note that the AUTH request type cannot be sent using the UDP
    encoding.

Finseth [Page 4] RFC 1492 TACACS July 1993

 LOGIN(username, password, line) returns (result1, result2, result3)
    This request asks for an authentication and signals that -- if the
    authentication succeeds -- a login connection is starting.  The
    parameters are:
  1. the username
  2. the password
  3. an indication of which line the request is for
    The meanings of the input fields are the same as the AUTH request.
    If the request is successful, this request returns three result
    values in addition to the success status.  The result values are
    non-negative integers.  Their interpretation is local.  For
    example, Cisco Systems terminal servers interpret result3 to be
    the identifier of a local access list to use for additional
    validation.
 CONNECT(username, password, line, destinationIP, destinationPort)
 returns (result1, result2, result3)
    This request can only be issued when the username and line specify
    an already-existing connection.  As such, no authentication is
    required and the password will in general be the empty string. It
    asks, in the context of that connection, whether a TCP connection
    can be opened to the specified destination IP address and port.
    The return values are as for LOGIN.
 SUPERUSER(username, password, line)
    This request can only be issued when the username and line specify
    an already-existing connection.  As such, no authentication is
    required and the password will in general be the empty string.  It
    asks, in the context of that connection, whether the user can go
    into "super-user" or "enable" mode on the terminal server.
    As an example of the flexibility inherint in this whole scheme,
    the TACACSD supplied by Cisco Systems ignores the username part
    and instead checks wether the password matches that of the special
    user "$enable$".
 LOGOUT(username, password, line, reason)
    This request can only be issued when the username and line specify
    an already-existing connection.  As such, no authentication is
    required and the password will in general be the empty string.  It
    indicates that the connection should be terminated (but see

Finseth [Page 5] RFC 1492 TACACS July 1993

    SLIPON).  It must be acknowledged, but the success/fail status of
    the acknowledgment is irrelevant.  The reason value indicates why
    the connection is terminating.  A null reason value is supplied
    when the connection is going into SLIP mode.
 SLIPON(username, password, line, SLIPaddress) returns (result1,
 result2, result3)
    This request can only be issued when the username and line specify
    an already-existing connection.  As such, no authentication is
    required and the password will in general be the empty string.  It
    asks, in the context of that connection, whether the specified
    SLIPaddress can be used for the remote end of the connection.
    If the server replies with a success, the client can proceed to a
    SLIPON request.  (It need not do so right away, however.)
    Note that semantics of "username" can get hairy.  For example, the
    Cisco Systems implementation encodes information in this way:
  1. If the user just requested the default address be assigned, this

field holds the username in lower case.

  1. If the user requested a specific IP address or host name for the

SLIP connection, this field contains the requested host name in

    UPPER case.
    If the server replies with a success, the client will immediately
    send a LOGOUT request.  However, the connection will remain
    established until a SLIPOFF request is sent.  No other
    authentication requests will be sent for that connection.
    SLIPaddress specifies the IP address used by the remote host.  If
    a SLIPADDR request has been made, it will be that address.
    Otherwise, it will be the default address assigned by the client
    (e.g., Cisco terminal server).
    The return values are as for LOGIN.
 SLIPOFF(username, password, line, reason)
    This request can only be issued when the username and line specify
    an already-existing connection that is in "SLIP" mode.  As such,
    no authentication is required and the password will in general be
    the empty string.  It indicates that the connection should be
    terminated.  It must be acknowledged, but the success/fail status
    of the acknowledgment is irrelevant.  The reason value indicates
    why the connection is terminating.

Finseth [Page 6] RFC 1492 TACACS July 1993

2.0 UDP Encoding: TACACS

 This section describes the UDP encoding of the requests that have
 just been described.  It also describes the responses.  This UDP
 encoding forms the basis of the historical TACACS protocol.
 This protocol uses port 49.  This assignment continues to be
 confirmed by the IANA in the Assigned Numbers RFCs.  (I can't say
 that it was assigned by the IANA as the assignment preceded the
 organization.)
 The basic packet format is shown here.  All multi-bytes values are in
 network byte order.  Unless otherwise specified, all values given are
 in decimal.  Unused fields should be set to zero, but the recipient
 should not depend on that setting.
 As was mentioned earlier, there are both simple and extended forms,
 of which the simple form is a proper subset of the extended form.  A
 server should support both.  I will describe both forms in parallel.
 Simple Form
 The fields are:
    offset       length  field
    0    1       version
    1    1       type
    2    2       nonce value
    4    1       username length (to server) / response (to client)
    5    1       password length (to server) / reason (to client)
 in the usual packet layout format:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 :    Version    :     Type      :             Nonce             :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 : User len/Resp : PW len/Reason :            data...            :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Finseth [Page 7] RFC 1492 TACACS July 1993

 Extended Form
 The fields are:
         offset  length  field
         0       1       version
         1       1       type
         2       2       nonce value
         4       1       username length
         5       1       password length
         6       1       response
         7       1       reason
         8       4       result1
         12      4       destination host, IP address
         16      2       destination port
         18      2       line
         20      4       result2
         24      2       result3
         26      varies  data: username + password
 in the usual packet layout format:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 :    Version    :     Type      :             Nonce             :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 :   User len    : Password len  :   Response    :    Reason     :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 :                           Result 1                            :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 :                      Destination Address                      :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 :           Dest Port           :             Line              :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 :                           Result 2                            :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 :           Result 3            :            data...            :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2.1 Fields

 The VERSION field specifies the version number.  It must be zero for
 simple or 128 (80 hexadecimal) for extended.

Finseth [Page 8] RFC 1492 TACACS July 1993

 The TYPE field encodes the request type.  Values are:
         LOGIN           1
         RESPONSE        2       (server to client only)
         CHANGE          3
         FOLLOW          4
         CONNECT         5
         SUPERUSER       6
         LOGOUT          7
         RELOAD          8
         SLIPON          9
         SLIPOFF         10
         SLIPADDR        11
 Other values below 128 are reserved for future use.  Values from 128
 to 255 are reserved for local use.
 Note that the semantics of the CHANGE, FOLLOW, RELOAD requests have
 not been determined.
 The NONCE field is set by the client to an arbitrary value.  Its
 purpose is to allow clients that may have multiple outstanding
 requests to determine which request a response is for. The server
 must copy this value to the reply unaltered.
 The USERNAME LENGTH field is set by the client to the length of the
 username in characters.  Legal values are 0 to 255, inclusive. The
 server must copy this value to the reply unaltered.
 The PASSWORD LENGTH is set by the client to the length of the
 password in characters. Legal values are 0 to 255, inclusive. The
 server must copy this value to the reply unaltered.
 The RESPONSE field should be set by the client to zero.  The server
 sets the value to one of:
         value   meaning
         1       accepted
         2       rejected
 Other values below 128 are reserved for future use.  Values from 128
 to 255 are reserved for local use.

Finseth [Page 9] RFC 1492 TACACS July 1993

 The REASON field should be set by the client to zero, except for
 LOGOUT and SLIPOFF requests, which may use values of 4, 5, or 6.  The
 server sets the value to one of:
         value   meaning         notes
         0       none            used for ACCEPTED or if the server
                                 is ornery
         1       expiring
         2       password
         3       denied
         4       quit            user quit normally
         5       idle            idle timeout
         6       drop            carrier dropped
         7       bad             too many bad passwords
 The values from 4 to 6 will only be used for reasons for LOGOUT or
 SLIPOFF requests: they will not be returned by the server.  Other
 values below 128 are reserved for future use.  Values from 128 to 255
 are reserved for local use.
 The RESULT1 field should be set by the client to zero.  For LOGIN or
 CONNECT requests, it is set by the server as specified in the request
 description.  For all other requests, it should be set by the server
 to zero.
 The DESTINATION HOST field is set by the client.  On CONNECT, SLIPON,
 and SLIPOFF requests it specifies an IP address.  It should be set to
 zero on all other requests.  For SLIPON and SLIPOFF request, this
 value should be the IP address assigned to the line.  For CONNECT
 requests, this value is the IP address of the host that the user is
 attempting to connect to.  The server copies this value to the reply.
 The DESTINATION PORT field is set by the client.  On CONNECT requests
 it specifies the port number that the user is attempting to connect
 to.  It should be set to zero on all other requests. The server
 copies this value to the reply.
 The LINE field is set by the client to the line number that the
 request is for.  The server copies this value to the reply.
 The RESULT2 field should be set by the client to zero.  For LOGIN or
 CONNECT requests, it is set by the server as specified in the request
 description.  For all other requests, it should be set by the server
 to zero.
 The RESULT3 field should be set by the client to zero.  For LOGIN or
 CONNECT requests, it is set by the server as specified in the request

Finseth [Page 10] RFC 1492 TACACS July 1993

 description.  For all other requests, it should be set by the server
 to zero.
 The DATA field contains just the text of the username and password,
 with no separator characters (you use username length and password
 length to sort them out).  The server does not copy the values to the
 reply. (However, the server does copy the username length and
 password length fields to the reply.) The username data may be in
 upper case: comparisons should be case-insensitive.

2.2 What a Client Does

 The client must format and send a UDP request to port 49.  It
 constructs the request by following these steps:
  1. set the version to 128
  2. set the type to that of the request
  3. set the nonce to a unique value that is different from all

outstanding requests

  1. set the username length
  2. set the password length
  3. set the response to zero
  4. set the reason to zero (except for LOGOUT and SLIPOFF)
  5. set the result1 to zero
  6. if CONNECT, SLIPON, or SLIPOFF, set the destination address

to the IP address, otherwise set it to zero

  1. if CONNECT, set the destination port to the port, otherwise

set it to zero

  1. set the line
  2. set the result2 to zero
  3. set the result3 to zero
  4. copy the username to the location just after result3
  5. copy the password to the location just after the end of the

username

 Send the request.  Wait for a reasonable (and hopefully configurable)
 period of time.  If no response has been received, retry a reasonable
 (and hopefully configurable) number of times.  Reasonable default
 wait times are 5 seconds and retries are 2.
 If a response has been received, use the nonce value (and as many
 other fields as you like) to match it to an outstanding request.  If
 there is no matching outstanding request, take appropriate (and
 hopefully configurable) action such as discarding and/or logging the
 packet.
 If the response matches an outstanding request, examine the response
 and reason codes and take whatever action you deem correct.  For

Finseth [Page 11] RFC 1492 TACACS July 1993

 responses to LOGIN and CONNECT requests, also incorporate the
 result1, result2, and result3 values as you deem correct.

2.3 What a Server Does

 Upon receipt of a UDP format request, the server examines the data in
 the request packet and determines its response.  It constructs the
 reply by following these steps:
  1. set the version to 128
  2. set the type to RESPONSE (2)
  3. copy the nonce value
  4. copy the username length value
  5. copy the password length value
  6. set the response value to the desired response
  7. set the reason value to the desired reason
  8. if LOGIN or CONNECT, set the result1 else zero the result1
  9. copy the destination host value
  10. copy the destination port value
  11. copy the line value
  12. if LOGIN or CONNECT, set the result2 else zero the result2
  13. if LOGIN or CONNECT, set the result3 else zero the result3
  14. do NOT copy the username or password data
 (As always, be liberal in what you expect and conservative in what
 you send.) Send the response.  Do not attempt to retry, as you have
 no basis for determining whether a retry is required.  Any retries
 are up to the client.  This, of course, implies that requests are
 idempotent.  They aren't, of course, so the retries must be
 considered when trying to assemble requests into connections.

3.0 TCP Encoding

 This section describes the TCP encoding of the requests and
 responses.  This encoding is not compatible with the historical
 TACACS protocol.  However, it is somewhat more "modern" in that it
 has been updated to provide for current feature needs.
 This protocol does not use a reserved port.  Instead, it must be
 possible to configure the ports used by both the the client and
 server.
 The basic request format is shown here.  The request consists of four
 lines of ASCII text.  All numeric values are expressed in ASCII as
 decimal integers.

Finseth [Page 12] RFC 1492 TACACS July 1993

         <version> <type> <parameters>
         <username>
         <password>
         <line>
 Each line in the example corresponds to one line of text.  That is,
 the lines are separated with <CR>/<LF> (13/10 decimal) pairs.  In no
 event may "bare" <CR> or <LF> characters appear within a field.  In
 addition, <NUL> (0 decimal) characters may not be sent.
 The <version> and <type> fields are separated with one or more
 <SPACE> (32 decimal) or <TAB> (9 decimal) characters.
 The <parameters> field is optional.  If present, it is separated from
 the <type> field and internal parameters separated from each other by
 or more <SPACE> or <TAB> characters.  Any trailing <SPACE> or <TAB>
 characters present on this line should be ignored by the server: they
 should not be taken to imply a trailing empty field.
 In theory there are no line length limits.  In practice, lines should
 not exceed 255 characters (counting the <CR> and <LF>) and probably
 should be 80 characters or less.

3.1 Fields

 The VERSION field specifies the version number.  It must be 1.  Other
 values below 128 are reserved for future use.  Values from 128 to 255
 are reserved for local use.
 The TYPE field encodes the request type.  Values are:
         AUTH
         LOGIN
         CONNECT
         SUPERUSER
         LOGOUT
         SLIPON
         SLIPOFF
 I.e., the keyword simply encodes itself.  It must be in upper case.
 Keywords that begin with the letter "X" are reserved for local use.
 The USERNAME field contains the text of the username.  Leading and
 trailing <SPACE> or <TAB> characters are considered significant.  The
 username data may be in upper case: comparisons should be case-
 insensitive.
 The PASSWORD field contains the text of the password.  Leading and

Finseth [Page 13] RFC 1492 TACACS July 1993

 trailing <SPACE> or <TAB> characters are considered significant.
 The LINE field is set by the client to the line number that the
 request is for.

3.2 Responses

 Appendix E of STD 10, RFC 821 describes the general theory of reply
 codes.  The this protocol follows the format described in that
 document.  In a nutshell, replies are of the form:
         <number> <text>
 Where <number> is a three-digit decimal value and <text> is an
 arbitrary text string, presumably containing only printing text
 characters (<SP> (32 decimal) through "~" (126 decimal)).  At least
 one <SP> (32 decimal) character separates the number from the text.
 A <CR>/<LF> sequence follows the text.
 The three digit codes completely determine the response.  The text
 should be considered an explanatory comment for human understanding.
 However, even without knowing all values, the first digit can be used
 to determine the overall nature of the response.  The encodings are:
         1       Positive Preliminary: the request is acceptable,
                 but no action will be taken until an additional
                 request is made (not used in this version of the
                 protocol)
         2       Positive Completion
         3       Positive Intermediate: the request is acceptable
                 so far, but has not been completely transferred
                 (not used in this version of the protocol)
         4       Transient Negative: the request is not acceptable
                 for now.  It is acceptable to retry, as another
                 instance may have a different result.
         5       Permanent Negative: the request is not acceptable
 The text portion is optional (i.e., may be the empty string) and it
 describes the meaning of the message in human readable form.

Finseth [Page 14] RFC 1492 TACACS July 1993

 While different server implementations will result in different
 messages, the following are suggested:
         201 accepted: # # #
         202 accepted, password is expiring: # # #
         401 no response; retry
         501 invalid format
         502 access denied
 The ": # # #" in the first two messages is the suggested way of
 returning the three result codes for LOGIN and CONNECT requests.

3.3 What a Client Does

 The client opens a TCP connection to the locally-configured address
 and port.  It sends the request by sending:
  1. the character "1"
  2. one or more <SPACE> or <TAB> characters
  3. the request type as an ASCII string
  4. if an AUTH, send one or more <SPACE> or <TAB> characters

and the authentication style

  1. if a CONNECT, SLIPON, or SLIPOFF, send one or more <SPACE>

or <TAB> characters and the IP address in dotted decimal

           notation
         - if a CONNECT, send one or more <SPACE> or <TAB> characters
           and the port number in decimal
         - a <CR>/<LF>
         - the username (or hostname for SLIPADDR)
         - a <CR>/<LF>
         - the password
         - a <CR>/<LF>
         - the line
         - a <CR>/<LF>
 Then read one line from the connection and close the connection.
 This encoding lets TCP take care of waiting, retries, and matching up
 requests and responses.
 Examine the response line and take whatever action you deem correct.

3.4 What the Server Does

 The server waits on the locally-specified port for requests.  When
 one is made, it reads four lines of input.
 It examines the first line for a valid version number and request.
 It also records any optional parameters.

Finseth [Page 15] RFC 1492 TACACS July 1993

 It uses the username, password, and line number along with any other
 information it deems fit to determine its response.
 It then sends exactly one line of response, terminated by a
 <CR>/<LF>, and closes the connection.

4.0 Pros and Cons

 Advantages to using the UDP format:
  1. lower overhead
  2. compatible with historical standard
  3. some existing equipment supports it
 Advantages to using the TCP format:
  1. easier to implement, especially on machines with no or

poor UDP support

  1. simpler, cleaner syntax
  2. potentially wider range of error codes, and support for

temporary and negotiated authentication sequences

5.0 Security Notes

 While the protocol itself has been described, there are a number of
 other considerations worth mentioning.
 First, the protocol carries the username and password in clear text
 in either a single UDP packet or a TCP stream.  As such, if an
 attacker is capable of monitoring that data, the attacker could
 capture username/password pairs.  Implementations can take several
 steps to minimize this danger:
  1. Use point-to-point links where possible.
  1. Physically secure the transmission medium.
  1. If packets must traverse multiple network segments, use a secure

routing subsystem. This implies:

  1. Tight control over router configurations.
  2. Tight control over routing protocols.
  3. Avoid use of bridges, as they can be silently fooled into

duplicating packets.

 Second, this protocol potentially opens up a new way of probing
 usernames and passwords.  Thus, implementations may wish to have

Finseth [Page 16] RFC 1492 TACACS July 1993

 servers:
  1. limit responses to a controlled list of clients,
  2. throttle the rate of responding to requests,
  3. log all failures (and possibly successes, too).
 Third, this protocol essentially allows clients to offload
 accept/reject decisions to servers.  While an obvious implementation
 would simply use the server's native login mechanism to make the
 determination, there is no reason to limit implementations to that
 mechanism. Servers could:
  1. use alternate lists of accounts (e.g., password files),
  2. use alternate mechanisms for accessing the accounts (e.g.,

a database, NIS),

  1. use alternate algorithms (e.g., SecureID cards),
  2. translate the request to another protocol and use that

protocol to make the determination (e.g., Kerberos).

 Fourth, the use of a "fanout" server (described in the next section)
 allows for:
  1. centralized logging of usage for attack analysis
  2. centralized policy:
  1. ability to block selected specific users
  2. ability to block selected user names (e.g., don't

allow "root" or "guest")

  1. ability to block poor passwords (e.g., none or weak)

6.0 Case Study

 This section presents the basic steps used by the implementation at
 the University of Minnesota.  Two examples will be used.  The first
 is a basic terminal login.  The second is a database access
 verification.
 Usernames are in one of three forms:
         First.M.Last-#@umn.edu
         First.M.Last-#
         user@host
 A name in the first form is converted to one in the second.
 A name in the second form is looked up in the University-wide
 directory system.  If found, the associated electronic mail address
 is treated as if the third form was entered.

Finseth [Page 17] RFC 1492 TACACS July 1993

 The third form specifics the name of a computer whose manager has
 agreed to perform validations and the name of an account on that
 computer.
 The system that we use allows for many requesting clients (typically
 modem pools).  Further, each client can support multiple distinct
 pools of users.  For example, lines 1-20 could be general access, but
 lines 21-25 could be 800-numbers with a restricted set of valid
 users.  The system supports this distinction by specifying which
 validation computers are legal for each modem pool.

6.1 Terminal Login

 On the Cisco Terminal Server:
  1. accept a connection
  2. request a username and password
  3. pack the request into a UDP TACACS packet and send to the central

fanout

 Central Fanout:
  1. accept a request
  2. if the request is not in a valid format, return "nope"
  3. log the request
  4. if the source IP address is not in a list of valid clients,

status = "nope"

  1. else if the username contains invalid characters, status = "nope"
  2. else

if the username is of the form First.M.Last-#@umn.edu,

                 convert to First.M.Last-#
         if the username is of the form First.M.Last-#,
                 look up the name in the directory
                 if the name is not found, status = "nope"
                 otherwise, use the e-mail address as the username
         if the user is on a special "blocked" list, status = "nope"
                 and send mail warning that access to a blocked
                 account was attempted
         split the username into user and host parts
         if the host is not on a list of known servers,
                 status = "nope"
         else if the host is not allowed to validate this type of
                 request for this pool, status = "nope"
         now format a request for validation of the user and send it
         to the specified host

Finseth [Page 18] RFC 1492 TACACS July 1993

         if no response, status = "nope"
         otherwise set the status to the returned status
  1. log what response is going to be returned
  2. return the response
 Validation Host:
 This machine can run a "stripped down" version of the central fanout.
 It need perform no special validation or logging, with one exception.
  1. accept a request
  2. if the request is not in a valid format, return "nope"
  3. if the request is not from the central fanout, return "nope"
  4. figure the return status
  5. return the response

6.2 Database Access Verification

 In this example, assume that a database is only to be accessed by
 faculty and staff.
 Mainframe:
  1. the user is on the mainframe and makes a request
  2. the program requests username and password
  3. the program packs the request into a UDP TACACS packet and send to

the central fanout

 Central Fanout:
  1. accept a request
  2. if the request is not in a valid format, return "nope"
  3. log the request
  4. if the source IP address is not in a list of valid clients,

status = "nope"

  1. else if the username contains invalid characters, status = "nope"
  2. else

if the username is of the form First.M.Last-#@umn.edu,

                 convert to First.M.Last-#
         if the username is of the form First.M.Last-#,
                 look up the name in the directory
                 if the name is not found, status = "nope"
                 otherwise, use the e-mail address as the username
                    and obtain the staff status from the directory
         if the user is on a special "blocked" list, status = "nope"
                 and send mail warning that access to a blocked
                 account was attempted

Finseth [Page 19] RFC 1492 TACACS July 1993

         split the username into user and host parts
         if the host is not on a list of known servers,
                 status = "nope"
         else if the host is not allowed to validate this type of
                 request for this pool, status = "nope"
         now format a request for validation of the user and send it
         to the specified host
         if no response or status is "nope", status = "nope"
         else if the user originally gave a user@host mail address,
                 do a directory lookup and obtain the staff status
         set the status to the staff status
 - log what response is going to be returned
 - return the response
 Note that the validation host is unchanged.

References

 [RFC821] Postel, J. "Simple Mail Transfer Protocol", STD 10, RFC 821,
 USC/Information Sciences Institute, August 1982.
 [RFC1340] Reynolds, J. and J. Postel, "Assigned Numbers," STD 2, RFC
 1340, USC/Information Sciences Institute, July 1992.
 Anderson, Brian; Ruth, Greg; Ditmars, Peter; Eisner, Sharon;
 Delsignore, John (1985) TAC Access Control System Protocols, Second
 Edition: August 16 1985. BBN Tech Memo CC-0045.
 Cisco Systems, Inc. (September 1992) Communications Server
 Configuration and Reference.  Menlo Park, California.

Finseth [Page 20] RFC 1492 TACACS July 1993

Security Considerations

 Security issues are the main topic of this memo.

Author's Address

 Craig A. Finseth
 Networking Services
 Computer and Information Services
 University of Minnesota
 130 Lind Hall
 207 Church St SE
 Minneapolis MN 55455-0134
 Phone: +1 612 624 3375
 Fax:   +1 612 626 1002
 EMail: Craig.A.Finseth-1@umn.edu, or
        fin@unet.umn.edu

Finseth [Page 21]

/data/webs/external/dokuwiki/data/pages/rfc/rfc1492.txt · Last modified: 1993/07/21 22:05 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki