tacacs/draft-1

Last-modified: 2010-11-04 (木) 12:35:35 
                         The TACACS+ Protocol
                             Version 1.78

Status of This Memo

  This memo provides information for the Internet community.  This memo
  does not specify an Internet standard of any kind.  Distribution of
  this memo is unlimited.
  This document is an Internet-Draft.  Internet-Drafts are working
  documents of the Internet Engineering Task Force (IETF), its areas,
  and its working groups.  Note that other groups may also distribute
  working documents as Internet-Drafts.
  Internet-Drafts are draft documents valid for a maximum of six months
  and may be updated, replaced, or obsoleted by other documents at any
  time.  It is inappropriate to use Internet- Drafts as reference
  material or to cite them other than as ``work in progress.''
  To learn the current status of any Internet-Draft, please check the
  ``1id-abstracts.txt'' listing contained in the Internet- Drafts
  Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
  munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
  ftp.isi.edu (US West Coast).

Abstract

  TACACS+ provides access control for routers, network access servers
  and other networked computing devices via one or more centralized
  servers.  TACACS+ provides separate authentication, authorization and
  accounting services.  This document describes the protocol that is
  used by TACACS+.
  1.  Introduction
  The TACACS+ protocol is the latest generation of TACACS. TACACS is a
  simple UDP based access control protocol originally developed by BBN
  for the MILNET. Cisco has enhanced (extended) TACACS several times,
  and Cisco's implementation, based on the original TACACS, is referred
  to as XTACACS. The TACACS protocol is described in [].
  TACACS+ improves on TACACS and XTACACS by separating the functions of
  Authentication, Authorization and Accounting and by encrypting all
  traffic between the NAS and the daemon.  It allows for arbitrary
  length and content authentication exchanges which will allow any
  authentication mechanism to be utilized with TACACS+ clients.  It is
  extensible to provide for site customization and future development
  features, and it uses TCP to ensure reliable delivery. The protocol
  allows the TACACS+ client to request very fine grained access control
  and allows the daemon to respond to each component of that request.
  The separation of authentication, authorization and accounting is a
  fundamental component of the design of TACACS+. The distinction
  between them is very important so this document will address each one
  separately. It is important to note that TACACS+ provides for all
  three, but an implementation or configuration is not required to
  employ all three. Each one serves a unique purpose that alone is use-
  ful, and together can be quite powerful. A very important benefit to
  separating authentication from authorization is that authorization
  (and per-user profiles) can be a dynamic process. Instead of a one-
  shot user profile, TACACS+ can be integrated with other negotiations,
  such as a PPP negotiation, for far greater flexibility. The account-
  ing portion can serve to provide security auditing or accounting/
  billing services.
  TACACS+ uses TCP for its transport. The daemon should listen at port
  49 which is the "LOGIN" port assigned for the TACACS protocol. This
  port is reserved in the assigned numbers RFC for both UDP and TCP.
  Current TACACS and extended TACACS implementations use port 49.
  2.  Technical Definitions
  This section provides a few basic definitions that are applicable to
  this document.

Authentication

  Authentication is the action of determining who a user (or entity)
  is. Authentication can take many forms. Traditional authentication
  utilizes a name and a fixed password. Most computers work this way,
  and TACACS+ can also work this way. However, fixed passwords have
  limitations, mainly in the area of security. Many modern authentica-
  tion mechanisms utilize "one-time" passwords or a challenge-response
  query. TACACS+ is designed to support all of these, and should be
  powerful enough to handle any future mechanisms. Authentication gen-
  erally takes place when the user first logs in to a machine or
  requests a service of it.
  Authentication is not mandatory, it is a site configured option. Some
  sites do not require it. Others require it only for certain services
  (see authorization below). Authentication may also take place when a
  user attempts to gain extra privileges, and must identify themselves
  as someone who possesses the required information (passwords, etc.)
  for those privileges.

Authorization

  It is important to distinguish Authorization from Authentication.
  Authorization is the action of determining what a user is allowed to
  do. Generally authentication precedes authorization, but again, this
  is not required. An authorization request may indicate that the user
  is not authenticated (we don't know who they are). In this case it is
  up to the authorization agent to determine if an unauthenticated user
  is allowed the services in question.
  In TACACS+, authorization does not merely provide yes or no answers,
  but it may also customize the service for the particular user. Exam-
  ples of when authorization would be performed are: When a user first
  logs in and wants to start a shell, or when a user starts PPP and
  wants to use IP over PPP with a particular IP address. The TACACS+
  daemon might respond to these requests by allowing the service, but
  placing a time restriction on the login shell, or by requiring IP
  access lists on the PPP connection. For a list of authorization
  attributes, see the authorization section below.

Accounting

  Accounting is typically the third action after authentication and
  authorization. But again, neither authentication nor authorization
  are required. Accounting is the action of recording what a user is
  doing, and/or has done. Accounting in TACACS+ can serve two purposes:
  It may be used to account for services used, such as in a billing
  environment. It may also be used as an auditing tool for security
  services. To this end, TACACS+ supports three types of accounting
  records. Start records indicate that a service is about to begin.
  Stop records indicate that a service has just terminated, and Update
  records are intermediate notices that indicate that a service is
  still being performed. TACACS+ accounting records contain all the
  information used in the authorization records, and also contain
  accounting specific information such as start and stop times (when
  appropriate) and resource usage information. A list of accounting
  attributes is defined in the accounting section.

Session

  The concept of a session is used throughout this document. A TACACS+
  session is a single authentication sequence, a single authorization
  exchange, or a single accounting exchange.
  The session concept is important because a session identifier is used
  as a part of the encryption, and it is used by both ends to distin-
  guish between packets belonging to multiple sessions.
  Multiple sessions may be supported simultaneously and/or consecu-
  tively on a single TCP connection if both the daemon and client sup-
  port this.  If multiple sessions are not being multiplexed over a
  single tcp connection, a new connection should be opened for each
  TACACS+ session and closed at the end of that session. For accounting
  and authorization, this implies just a single pair of packets
  exchanged over the connection (the request and its reply). For
  authentication, a single session may involve an arbitrary number of
  packets being exchanged.
  The session is an operational concept that is maintained between the
  TACACS+ client and daemon. It does not necessarily correspond to a
  given user or user action.

NAS

  A NAS is a Network Access Server. This is any device that provides
  access services. Nowadays, a NAS is typically more than just a termi-
  nal server. Terminal servers usually provide a character mode front
  end and then allow the user to telnet or rlogin to another host. A
  NAS may also support protocol based access services and may support
  PPP, ARAP, LAT, XREMOTE, and others.

MUST

  This word means that the definition is an absolute requirement of the
  specification.

MUST NOT

  This phrase means that the definition is an absolute prohibition of
  the specification.

SHOULD

  This word, or the adjective "recommended", means that there may exist
  valid reasons in particular circumstances to ignore this item, but
  the full implications should be understood and carefully weighed
  before choosing a different course.

MAY

  This word, or the adjective "optional", means that this item is one
  of an allowed set of alternatives. An implementation which does not
  include this option MUST be prepared to interoperate with another
  implementation which does include the option.