idnits 2.17.1 draft-grant-tacacs-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-25) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. (A line matching the expected section header was found, but with an unexpected indentation: ' 1. Introduction' ) ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack an Authors' Addresses Section. ** There are 86 instances of too long lines in the document, the longest one being 5 characters in excess of 72. ** The abstract seems to contain references ([2], [3], [4], [5], [6], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 204: '...lude this option MUST be prepared to i...' RFC 2119 keyword, line 265: '...ket in a session MUST have the sequenc...' RFC 2119 keyword, line 333: '...ds which are unused MUST have a length...' RFC 2119 keyword, line 336: '...ed length fields SHOULD have values of...' RFC 2119 keyword, line 338: '...s in a TACACS+ packet MUST NOT be null...' (44 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 209 has weird spacing: '...2 byte heade...' == Line 210 has weird spacing: '... The header...' == Line 526 has weird spacing: '...hat the user ...' == Line 528 has weird spacing: '... of the next ...' == Line 556 has weird spacing: '...ce that is r...' == (5 more instances...) == Unrecognized Status in 'Category: DRAFT', assuming Proposed Standard (Expected one of 'Standards Track', 'Full Standard', 'Draft Standard', 'Proposed Standard', 'Best Current Practice', 'Informational', 'Experimental', 'Informational', 'Historic'.) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? '2' on line 1681 looks like a reference -- Missing reference section? '6' on line 1694 looks like a reference -- Missing reference section? '3' on line 1684 looks like a reference -- Missing reference section? '4' on line 1687 looks like a reference -- Missing reference section? '5' on line 1690 looks like a reference -- Missing reference section? '1' on line 1679 looks like a reference Summary: 13 errors (**), 0 flaws (~~), 7 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group D. Carrel, Lol Grant 3 INTERNET-DRAFT Cisco Systems, 4 draft-grant-tacacs-00.txt October, 1996 6 Category: DRAFT 8 The TACACS+ Protocol 9 Version 1.75 11 Status of This Memo 13 This memo provides information for the Internet community. This memo 14 does not specify an Internet standard of any kind. Distribution of 15 this memo is unlimited. 17 This document is an Internet-Draft. Internet-Drafts are working 18 documents of the Internet Engineering Task Force (IETF), its areas, 19 and its working groups. Note that other groups may also distribute 20 working documents as Internet-Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet- Drafts as reference 25 material or to cite them other than as ``work in progress.'' 27 To learn the current status of any Internet-Draft, please check the 28 ``1id-abstracts.txt'' listing contained in the Internet- Drafts 29 Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), 30 munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or 31 ftp.isi.edu (US West Coast). 33 Abstract 35 TACACS+ provides access control for routers, network access servers 36 and other networked computing devices via one or more centralized 37 servers. TACACS+ provides separate authentication, authorization and 38 accounting services. This document describes the protocol that is 39 used by TACACS+. 41 1. Introduction 43 The TACACS+ protocol is the latest generation of TACACS. TACACS is a 44 simple UDP based access control protocol originally developed by BBN 45 for the MILNET. Cisco has enhanced (extended) TACACS several times, 46 and Cisco's implementation, based on the original TACACS, is referred 48 DRAFT expires April 1997 October 1996 50 to as XTACACS. The TACACS protocol is described in [2]. 52 TACACS+ improves on TACACS and XTACACS by separating the functions of 53 Authentication, Authorization and Accounting and by encrypting all 54 traffic between the NAS and the daemon. It allows for arbitrary 55 length and content authentication exchanges which will allow any 56 authentication mechanism to be utilized with TACACS+ clients. It is 57 extensible to provide for site customization and future development 58 features, and it uses TCP to ensure reliable delivery. The protocol 59 allows the TACACS+ client to request very fine grained access control 60 and allows the daemon to respond to each component of that request. 62 The separation of authentication, authorization and accounting is a 63 fundamental component of the design of TACACS+. The distinction 64 between them is very important so this document will address each one 65 separately. It is important to note that TACACS+ provides for all 66 three, but an implementation or configuration is not required to 67 employ all three. Each one serves a unique purpose that alone is use- 68 ful, and together can be quite powerful. A very important benefit to 69 separating authentication from authorization is that authorization 70 (and per-user profiles) can be a dynamic process. Instead of a one- 71 shot user profile, TACACS+ can be integrated with other negotiations, 72 such as a PPP negotiation, for far greater flexibility. The account- 73 ing portion can serve to provide security auditing or accounting/ 74 billing services. 76 TACACS+ uses TCP for its transport. The daemon should listen at port 77 49 which is the "LOGIN" port assigned for the TACACS protocol. This 78 port is reserved in the assigned numbers RFC for both UDP and TCP. 79 Current TACACS and extended TACACS implementations use port 49. 81 2. Technical Definitions 83 This section provides a few basic definitions that are applicable to 84 this document. 86 Authentication 88 Authentication is the action of determining who a user (or entity) 89 is. Authentication can take many forms. Traditional authentication 90 utilizes a name and a fixed password. Most computers work this way, 91 and TACACS+ can also work this way. However, fixed passwords have 92 limitations, mainly in the area of security. Many modern authentica- 93 tion mechanisms utilize "one-time" passwords or a challenge-response 94 query. TACACS+ is designed to support all of these, and should be 95 powerful enough to handle any future mechanisms. Authentication gen- 96 erally takes place when the user first logs in to a machine or 97 requests a service of it. 99 DRAFT expires April 1997 October 1996 101 Authentication is not mandatory, it is a site configured option. Some 102 sites do not require it. Others require it only for certain services 103 (see authorization below). Authentication may also take place when a 104 user attempts to gain extra privileges, and must identify themselves 105 as someone who possesses the required information (passwords, etc., 107 Authorization 109 It is important to distinguish Authorization from Authentication. 110 Authorization is the action of determining what a user is allowed to 111 do. Generally authentication precedes authorization, but again, this 112 is not required. An authorization request may indicate that the user 113 is not authenticated (we don't know who they are). In this case it is 114 up to the authorization agent to determine if an unauthenticated user 115 is allowed the services in question. 117 In TACACS+, authorization does not merely provide yes or no answers, 118 but it may also customize the service for the particular user. Exam- 119 ples of when authorization would be performed are: When a user first 120 logs in and wants to start a shell, or when a user starts PPP and 121 wants to use IP over PPP with a particular IP address. The TACACS+ 122 daemon might respond to these requests by allowing the service, but 123 placing a time restriction on the login shell, or by requiring IP 124 access lists on the PPP connection. For a list of authorization 125 attributes, see the authorization section below. 127 Accounting 129 Accounting is typically the third action after authentication and 130 authorization. But again, neither authentication or authorization are 131 required. Accounting is the action of recording what a user is doing, 132 and/or has done. Accounting in TACACS+ can serve two purposes: It may 133 be used to account for services used, such as in a billing environ- 134 ment. It may also be used as an auditing tool for security services. 135 To this end, TACACS+ supports three types of accounting records. 136 Start records indicate that a service is about to begin. Stop records 137 indicate that a service has just terminated, and Update records are 138 intermediate notices that indicate that a service is still being per- 139 formed. TACACS+ accounting records contain all the information used 140 in the authorization records, and also contain accounting specific 141 information such as start and stop times (when appropriate) and 142 resource usage information. A list of accounting attributes is 143 defined in the accounting section. 145 Session 147 The concept of a session is used throughout this document. A TACACS+ 148 session is a single authentication sequence, a single authorization 150 DRAFT expires April 1997 October 1996 152 exchange, or a stream of consecutive accounting messages. 154 The session concept is important because a session identifier is used 155 as a part of the encryption, and it is used by both ends to distin- 156 guish between packets belonging to multiple sessions. 158 Multiple sessions may be supported simultaneously and/or consecu- 159 tively on a single TCP connection if both the daemon and client sup- 160 port this. If multiple sessions are not being multiplexed over a 161 single tcp connection, a new connection should be opened for each 162 TACACS+ session and closed at the end of that session. For accounting 163 and authorization, this implies just a single pair of packets 164 exchanged over the connection (the request and its reply). For 165 authentication, a single session may involve an arbitrary number of 166 packets being exchanged. 168 The session is an operational concept that is maintained between the 169 TACACS+ client and daemon. It does not necessarily correspond to a 170 given user or user action. 172 NAS 174 A NAS is a Network Access Server. This is any device that provides 175 access services. Nowadays, a NAS is typically more than just a termi- 176 nal server. Terminal servers usually provide a character mode front 177 end and then allow the user to telnet or rlogin to another host. A 178 NAS may also support protocol based access services and may support 179 PPP, ARAP, LAT, XREMOTE, and others. 181 MUST 183 This word means that the definition is an absolute requirement of the 184 specification. 186 MUST NOT 188 This phrase means that the definition is an absolute prohibition of 189 the specification. 191 SHOULD 193 This word, or the adjective "recommended", means that there may exist 194 valid reasons in particular circumstances to ignore this item, but 195 the full implications should be understood and carefully weighed 196 before choosing a different course. 198 DRAFT expires April 1997 October 1996 200 MAY 202 This word, or the adjective "optional", means that this item is one 203 of an allowed set of alternatives. An implementation which does not 204 include this option MUST be prepared to interoperate with another 205 implementation which does include the option. 207 3. The TACACS+ packet header 209 All TACACS+ packets always begin with the following 12 byte header. 210 The header is always cleartext and describes the remainder of the 211 packet: 213 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 215 +----------------+----------------+----------------+----------------+ 216 |major | minor | | | | 217 |version| version| type | seq_no | flags | 218 +----------------+----------------+----------------+----------------+ 219 | | 220 | session_id | 221 +----------------+----------------+----------------+----------------+ 222 | | 223 | length | 224 +----------------+----------------+----------------+----------------+ 226 major_version 228 This is the major TACACS+ version number. 230 TAC_PLUS_MAJOR_VER := 0xc 232 minor_version 234 The minor TACACS+ version number. This is intended to allow revisions 235 to the TACACS+ protocol while maintaining backwards compatibility. 237 Minor version 1 is currently defined for some commands. It may only 238 be used for commands that explicitly call for it in this document. 239 All other requests must use the default value. 241 TAC_PLUS_MINOR_VER_DEFAULT := 0x0 243 TAC_PLUS_MINOR_VER_ONE := 0x1 245 See the compatibility section at the end of the document. 247 DRAFT expires April 1997 October 1996 249 When a daemon receives a packet with a minor_version that it does not 250 support, it should return an ERROR status with the minor_version set 251 to the closest supported value. 253 type 254 This is the packet type. Legal values are: 256 TAC_PLUS_AUTHEN := 0x01 (Authentication) 258 TAC_PLUS_AUTHOR := 0x02 (Authorization) 260 TAC_PLUS_ACCT := 0x03 (Accounting) 262 seq_no 264 This is the sequence number of the current packet for the current 265 session. The first TACACS+ packet in a session MUST have the sequence 266 number 1 and each subsequent packet will increment the sequence 267 number by one. Thus clients only send packets containing odd sequence 268 numbers, and TACACS+ daemons only send packets containing even 269 sequence numbers. 271 The sequence number must never wrap i.e. if the sequence number 2^8-1 272 is ever reached, that session must terminate and be restarted with a 273 sequence number of 1. 275 flags 277 This field contains various bitmapped flags. 279 The encryption flag bit says whether encryption is being used on the 280 body of the TACACS+ packet (the entire portion after the header). 282 TAC_PLUS_ENCRYPTED_FLAG := 0x01 284 If this flag is set, the packet is not encrypted. If this flag is 285 cleared, the packet is encrypted. 287 Unencrypted packets are intended for testing, and are not recommended 288 for normal use. 290 The single-connection flag: 292 TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04 294 If a NAS sets this flag, this indicates that it supports multiplexing 296 DRAFT expires April 1997 October 1996 298 TACACS+ sessions over a single tcp connection. The flag need only be 299 examined on the first two packets for any given connection since the 300 single-connect status of a connection, once established, should not 301 be changed. The connection must instead be closed and a new connec- 302 tion opened, if required. 304 If the daemon sets this flag in the first reply packet in response to 305 the first packet from a NAS, this indicates its willingness to sup- 306 port single-connection over the current connection. The daemon may 307 set this flag even if the NAS does not set it, but the NAS is under 308 no obligation to honor it. 310 session_id 312 The Id for this TACACS+ session. The session id should be randomly 313 chosen. This field does not change for the duration of the TACACS+ 314 session. (If this value is not random, it will compromise the 315 protocol's security. [6]) 317 length 319 The total length of the TACACS+ packet body (not including the 320 header). This value is in network byte order. Packets are never pad- 321 ded beyond this length. 323 4. The TACACS+ packet body 325 The TACACS+ body types are defined in the packet header. The 326 remainder of this document will address the contents of the different 327 TACACS+ bodies. The following general rules apply to all TACACS+ body 328 types: 330 - The entire body is protected by the encryption mechanism indicated 331 in the header. 333 - Any variable length data fields which are unused MUST have a length 334 value equal to zero. 336 - Unused fixed length fields SHOULD have values of zero. 338 - All data and message fields in a TACACS+ packet MUST NOT be null 339 terminated. 341 - All length values are unsigned and in network byte order. 343 - There should be no padding in any of the fields or at the end of a 344 packet. 346 DRAFT expires April 1997 October 1996 348 5. Body Encryption 350 The body of TACACS+ packets may be encrypted. The following sections 351 describe the encryption mechanisms that are supported. Only one 352 encryption mechanism SHOULD be used within a single session. 354 When the encryption mechanism relies on a secret key, it is referring 355 to a shared secret value that is known to both the client and the 356 daemon. This document does not discuss the management and storage of 357 those keys. It is an implementation detail of the daemon and client, 358 as to whether they will maintain only one key, or a different key for 359 each client or daemon with which they communicate. For security rea- 360 sons, the latter options should be available, but it is a site depen- 361 dent decision as to whether the use of separate keys is appropriate. 363 The encrypted flag field may be set as follows: 365 TAC_PLUS_ENCRYPTED_FLAG == 0x1 367 In this case, the packet body is encrypted by XOR-ing it byte-wise 368 with a pseudo random pad. 370 ENCRYPTED {data} == data ^ pseudo_pad 372 The pad is generated by concatenating a series of MD5 hashes (each 16 373 bytes long) and truncating it to the length of the input data. 375 Whenever used in this document, MD5 refers to the "RSA Data Security, 376 Inc. MD5 Message-Digest Algorithm" as specified in [3]. 378 pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data) 380 The first MD5 hash is generated by concatenating the session_id, the 381 secret key, the version number and the sequence number and then run- 382 ning MD5 over that stream. All of those input values are available in 383 the packet header, except for the secret key which is a shared secret 384 between the TACACS+ client and daemon. 386 The version number is the one byte combination of the major and minor 387 version numbers. 389 The session id is used in the byte order in which it appears in the 390 TACACS+ header. (i.e. in network byte order, not host byte order). 392 DRAFT expires April 1997 October 1996 394 Subsequent hashes are generated by using the same input stream, but 395 concatenating the previous hash value at the end of the input stream. 397 MD5_1 = MD5{session_id, key, version, seq_no} 399 MD5_2 = MD5{session_id, key, version, seq_no, MD5_1} 401 .... 403 MD5_n = MD5{session_id, key, version, seq_no, MD5_n-1} 405 TAC_PLUS_ENCRYPTED_FLAG == 0x0 407 In this case, the entire packet body is in cleartext. Encryption and 408 decryption are null operations. This method should only be used for 409 debugging. It does not provide data protection or authentication and 410 is highly susceptible to packet spoofing. Implementing this encryp- 411 tion method is optional. 413 NOTE: implementations should take care not to skip decryption simply 414 because an incoming packet indicates that it is not encrypted. 416 After a packet body is decrypted, the lengths of the component values 417 in the packet should be summed and checked against the cleartext 418 datalength value from the header. Any packets which fail this check 419 should be discarded and an error signalled. Commonly such failures 420 may be expected to be seen when there are mismatched keys between the 421 NAS and the TACACS+ server. 423 If an error must be declared but the type of the incoming packet can- 424 not be determined, a packet with the identical cleartext header but 425 with a sequence number incremented by one and the length set to zero 426 may be returned to indicate an error. 428 6. Body types 430 All further discussions of TACACS+ packet bodies assumes that any 431 encryption/decryption has already been performed. From here on, we 432 are only concerned with the cleartext data. 434 There are several constant fields in many of the following bodies. A 435 few merit mention here as they apply to most packet bodies. 437 The user is the username or user id that is authenticated or being 438 authenticated. 440 DRAFT expires April 1997 October 1996 442 The port is an ascii description of the port on which the user is 443 connected. 445 The rem_addr is a "best effort" description of the remote location 446 from which the user has connected to the client. In many cases, the 447 remote address will not be available or will be unreliable at best, 448 but it may be useful when included. 450 The user_msg is always the ASCII input from the user. 452 The server_msg is always used to hold a message that is intended to 453 be presented to the user. In some contexts it may be optional as to 454 whether to actually present it. 456 The data field has several uses but is not used in all packets. 458 6.1. Authentication 460 TACACS+ authentication has three packet types: START, CONTINUE and 461 REPLY. START and CONTINUE are always sent by the client and REPLY is 462 always sent by the daemon. 464 Authentication begins with the client sending a START message to the 465 daemon. The START message describes the type of authentication to be 466 performed, and may contain the username and some authentication data. 467 The START packet is only ever sent as the first message in a TACACS+ 468 authentication session, or as the packet immediately following a res- 469 tart. (A restart may be requested by the daemon in a REPLY packet). A 470 START packet always has seq_no equal to 1. 472 In response to a START packet, the daemon sends a REPLY. The REPLY 473 message indicates whether the authentication is finished, or whether 474 it should continue. If the REPLY indicates that authentication should 475 continue, then it will also indicate what new information is 476 requested. The client will get that information and return it in a 477 CONTINUE message. 479 The daemon MUST always send a REPLY to both the START and the CON- 480 TINUE messages, the only exception being if the client indicates an 481 abort in the CONTINUE, in which case the session is immediately 482 aborted. 484 Thus, there are zero or more pairs of packets where the client sends 485 a CONTINUE and the daemon sends a REPLY. 487 DRAFT expires April 1997 October 1996 489 The authentication START packet body 491 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 493 +----------------+----------------+----------------+----------------+ 494 | action | priv_lvl | authen_type | service | 495 +----------------+----------------+----------------+----------------+ 496 | user len | port len | rem_addr len | data len | 497 +----------------+----------------+----------------+----------------+ 498 | user ... 499 +----------------+----------------+----------------+----------------+ 500 | port ... 501 +----------------+----------------+----------------+----------------+ 502 | rem_addr ... 503 +----------------+----------------+----------------+----------------+ 504 | data... 505 +----------------+----------------+----------------+----------------+ 507 Packet fields are as follows: 509 action 511 This describes the authentication action to be performed. Legal 512 values are: 514 TAC_PLUS_AUTHEN_LOGIN := 0x01 516 TAC_PLUS_AUTHEN_CHPASS := 0x02 518 TAC_PLUS_AUTHEN_SENDPASS := 0x03 (deprecated) 520 TAC_PLUS_AUTHEN_SENDAUTH := 0x04 522 DRAFT expires April 1997 October 1996 524 priv_lvl 526 This indicates the privilege level that the user is authenticating 527 as. Privilege levels are ordered values from 0 to 15 with each level 528 representing a privilege level that is a superset of the next lower 529 value. If a NAS client uses a different privilege level scheme, then 530 mapping must be provided. Pre-defined values are: 532 TAC_PLUS_PRIV_LVL_MAX := 0x0f 534 TAC_PLUS_PRIV_LVL_ROOT := 0x0f 536 TAC_PLUS_PRIV_LVL_USER := 0x01 538 TAC_PLUS_PRIV_LVL_MIN := 0x00 540 authen_type 542 The type of authentication that is being performed. Legal values are: 544 TAC_PLUS_AUTHEN_TYPE_ASCII := 0x01 546 TAC_PLUS_AUTHEN_TYPE_PAP := 0x02 548 TAC_PLUS_AUTHEN_TYPE_CHAP := 0x03 550 TAC_PLUS_AUTHEN_TYPE_ARAP := 0x04 552 DRAFT expires April 1997 October 1996 554 service 556 This is the service that is requesting the authentication. Legal 557 values are: 559 TAC_PLUS_AUTHEN_SVC_NONE := 0x00 561 TAC_PLUS_AUTHEN_SVC_LOGIN := 0x01 563 TAC_PLUS_AUTHEN_SVC_ENABLE := 0x02 565 TAC_PLUS_AUTHEN_SVC_PPP := 0x03 567 TAC_PLUS_AUTHEN_SVC_ARAP := 0x04 569 TAC_PLUS_AUTHEN_SVC_RCMD := 0x06 571 TAC_PLUS_AUTHEN_SVC_X25 := 0x07 573 TAC_PLUS_AUTHEN_SVC_NASI := 0x08 575 TAC_PLUS_AUTHEN_SVC_FWPROXY := 0x09 577 The ENABLE service refers to a service requesting authentication in order 578 to grant the user different privileges. This is comparable to the Unix 579 "su(1)" command. A service value of NONE should only be used when none of 580 the other service values are appropriate. 582 user 584 The username. It is optional in this packet. 586 port 588 The ASCII name of the client port on which the authentication is tak- 589 ing place. The value of this field is client specific. (For example, 590 Cisco uses "tty10" to denote the tenth tty line and "Async10" to 591 denote the tenth async interface). 593 rem_addr 595 An ASCII string that describes the user's remote location. This field 596 is optional (since the information may not be available). It is 597 intended to hold a network address if the user is connected via a 598 network, a caller ID is the user is connected via ISDN or a POTS, or 599 any other remote location information that is available. This field 601 DRAFT expires April 1997 October 1996 603 value is client specified. 605 data 607 This field is used to send data appropriate for the action and 608 authen_type. It is described in more detail below. 610 7. The authentication REPLY packet body 612 The TACACS+ daemon sends only one type of authentication packet (a 613 REPLY packet) to the client. The REPLY packet body looks as follows: 615 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 617 +----------------+----------------+----------------+----------------+ 618 | status | flags | server_msg len | 619 +----------------+----------------+----------------+----------------+ 620 | data len | server_msg ... 621 +----------------+----------------+----------------+----------------+ 622 | data ... 623 +----------------+----------------+ 625 status 627 The current status of the authentication. Legal values are: 629 TAC_PLUS_AUTHEN_STATUS_PASS := 0x01 631 TAC_PLUS_AUTHEN_STATUS_FAIL := 0x02 633 TAC_PLUS_AUTHEN_STATUS_GETDATA := 0x03 635 TAC_PLUS_AUTHEN_STATUS_GETUSER := 0x04 637 TAC_PLUS_AUTHEN_STATUS_GETPASS := 0x05 639 TAC_PLUS_AUTHEN_STATUS_RESTART := 0x06 641 TAC_PLUS_AUTHEN_STATUS_ERROR := 0x07 643 TAC_PLUS_AUTHEN_STATUS_FOLLOW := 0x21 645 flags 647 Bitmapped flags that modify the action to be taken. The following 648 values are defined: 650 DRAFT expires April 1997 October 1996 652 TAC_PLUS_REPLY_FLAG_NOECHO := 0x01 654 server_msg 656 A message to be displayed to the user. This field is optional. If it 657 exists, it is intended to be presented to the user. 659 data 661 This field holds data that is a part of the authentication exchange 662 and is intended for the NAS, not the user. Valid uses of this field 663 are described below. 665 8. The authentication CONTINUE packet body 667 This packet is sent from the NAS to the daemon following the receipt 668 of a REPLY packet. 670 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 672 +----------------+----------------+----------------+----------------+ 673 | user_msg len | data len | 674 +----------------+----------------+----------------+----------------+ 675 | flags | user_msg ... 676 +----------------+----------------+----------------+----------------+ 677 | data ... 678 +----------------+ 680 user_msg 682 This field is the string that the user entered, or the NAS provided 683 on behalf of the user, in response to the server_msg from a REPLY 684 packet. 686 data 688 This field carries information that is specific to the action and the 689 authen_type for this session. Valid uses of this field are described 690 below. 692 DRAFT expires April 1997 October 1996 694 flags 696 This holds the bitmapped flags that modify the action to be taken. 697 The following values are defined: 699 TAC_PLUS_CONTINUE_FLAG_ABORT := 0x01 701 9. The authentication process 703 The flavor of the authentication is determined by the action and the 704 authen_type fields in the START packet. First we should discuss some 705 general fields that apply to all flavors of authentication exchanges. 706 The user and data fields in the START packet are defined below for 707 each flavor. 709 The priv_lvl, service, port and rem_addr in the START packet are all 710 provided to help identify the conditions on the NAS. In the CONTINUE 711 packet, the user_msg and data fields are defined below for each fla- 712 vor. For all REPLY packets, the server_msg may contain a message to 713 be displayed to the user, but the data field usage varies and is 714 described below. 716 The descriptions below first describe "normal" authentication where, 717 in response to a START packet, the daemon either sends a request for 718 more information (GETDATA, GETUSER or GETPASS) or a termination (PASS 719 or FAIL). The actions and meanings when the daemon sends a RESTART, 720 ERROR or FOLLOW are common and are described further below. 722 When the REPLY status equals TAC_PLUS_AUTHEN_STATUS_GETDATA, 723 TAC_PLUS_AUTHEN_STATUS_GETUSER or TAC_PLUS_AUTHEN_STATUS_GETPASS, 724 then authentication continues and the server_msg may be used by the 725 client to prompt the user for more information. The client MUST then 726 return a CONTINUE packet containing the requested information in the 727 user_msg field. 729 TAC_PLUS_AUTHEN_STATUS_GETDATA is the generic request for more infor- 730 mation. All three cause the same action to be performed, but in the 731 case of TAC_PLUS_AUTHEN_STATUS_GETUSER, the client can know that the 732 information that the user responds with is a username, and for 733 TAC_PLUS_AUTHEN_STATUS_GETPASS, that the user response represents a 734 password. 736 If the TAC_PLUS_REPLY_FLAG_NOECHO flag is set in the REPLY, then the 737 user response should not be echoed as it is entered. The data field 738 is only used in the REPLY where explicitly defined below. 740 DRAFT expires April 1997 October 1996 742 9.0.1. Enable Requests 744 action = TAC_PLUS_AUTHEN_LOGIN 746 priv_lvl = implementation dependent 748 authen_type = not used 750 service = TAC_PLUS_AUTHEN_SVC_ENABLE 752 This is an ENABLE request, used to change the current running 753 privilege level of a principal. The exchange MAY consist of multiple 754 messages while the daemon collects the information it requires in 755 order to allow changing the principal's privilege level. This 756 exchange is very similar to an ASCII login (which see). 758 In order to readily distinguish enable requests from other types of 759 request, the value of the service field MUST be set to 760 TAC_PLUS_AUTHEN_SVC_ENABLE when requesting an ENABLE. It MUST NOT be 761 set to this value when requesting any other operation. 763 9.0.2. Inbound ASCII Login 765 action = TAC_PLUS_AUTHEN_LOGIN 767 authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII 769 This is a standard ASCII authentication. The START packet may contain 770 the username, but need not do so. The data fields in both the START 771 and CONTINUE packets are not used for ASCII logins. There is a single 772 START followed by zero or more pairs of REPLYs and CONTINUEs, fol- 773 lowed by a terminating REPLY (PASS or FAIL). 775 9.0.3. Inbound PAP Login 777 action = TAC_PLUS_AUTHEN_LOGIN 779 authen_type = TAC_PLUS_AUTHEN_TYPE_PAP 781 minor_version = 0x1 783 The entire exchange MUST consist of a single START packet and a 785 DRAFT expires April 1997 October 1996 787 single REPLY. The START packet MUST contain a username and the data 788 field MUST contain the PAP ASCII password. A PAP authentication only 789 consists of a username and password [4]. The REPLY from the daemon 790 MUST be either a PASS or FAIL. 792 9.0.4. Inbound CHAP login 794 action = TAC_PLUS_AUTHEN_LOGIN 796 authen_type = TAC_PLUS_AUTHEN_TYPE_CHAP 798 minor_version = 0x1 800 The entire exchange MUST consist of a single START packet and a sin- 801 gle REPLY. The START packet MUST contain the username in the user 802 field and the data field will be a concatenation of the PPP id, the 803 challenge and the response. 805 The length of the challenge value can be determined from the length 806 of the data field minus the length of the id (always 1 octet) and the 807 length of the response field (always 16 octets). 809 To perform the authentication, the daemon will run MD5 over the id, 810 the user's secret and the challenge, as defined in the PPP Authenti- 811 cation RFC [4] and then compare that value with the response. The 812 REPLY from the daemon MUST be a PASS or FAIL. 814 9.0.5. Inbound ARAP login 816 action = TAC_PLUS_AUTHEN_LOGIN 818 authen_type = TAC_PLUS_AUTHEN_TYPE_ARAP 820 minor_version = 0x1 822 The entire exchange MUST consist of a single START packet and a sin- 823 gle REPLY. The START packet MUST contain the username in the user 824 field and the data field will be a concatenation of the NAS's chal- 825 lenge to the remote peer (8 octets) the remote peer's challenge to 826 the NAS (8 octets) and the remote peer's response to the NAS's chal- 827 lenge (8 octets). 829 The daemon must run DES encryption over both the challenges using the 831 DRAFT expires April 1997 October 1996 833 user's secret as the DES key, as described in the ARAP specification 834 [5]. For a successful authentication, the encrypted NAS challenge 835 MUST be identical to the peer's response. The REPLY from the daemon 836 MUST be a PASS or FAIL. The encrypted peer challenge (8 octets) is 837 returned in the data field of a REPLY packet if the status is set to 838 PASS. 840 9.0.6. Outbound PAP request 842 action = TAC_PLUS_AUTHEN_SENDAUTH 844 authen_type = TAC_PLUS_AUTHEN_TYPE_PAP 846 minor_version = 0x1 848 This is used when the NAS needs to provide PAP authentication creden- 849 tials to the remote PPP peer. The entire exchange MUST consist of a 850 single START packet and a single REPLY. The START packet contains a 851 username in the user field. A REPLY with status set to PASS MUST con- 852 tain a cleartext password in the data field. Caution is urged when 853 using this. By sending a cleartext password to the NAS, that password 854 will then be passed to the remote PPP peer. It should be ensured that 855 the provided password can never be used to authenticate back to the 856 NAS. Use of this is discouraged, but supported for complete intero- 857 perability with the PPP protocol. 859 9.0.7. Outbound CHAP request 861 action = TAC_PLUS_AUTHEN_SENDAUTH 863 authen_type = TAC_PLUS_AUTHEN_TYPE_CHAP 865 minor_version = 0x1 867 This is used when the NAS needs to provide CHAP authentication 868 credentials to the remote PPP peer. The entire exchange MUST consist 869 of a single START packet and a single REPLY. The START packet MUST 870 contain the username in the user field and the data field will be a 871 concatenation of the PPP id and the challenge. 873 The length of the challenge value can be determined from the length 874 of the data field minus the length of the id (always 1 octet). The 875 daemon will run MD5 over the id, the user's secret and the challenge, 877 DRAFT expires April 1997 October 1996 879 as defined in the PPP Authentication RFC [4]. 881 The REPLY from the daemon MUST be a PASS or FAIL. If the status is 882 PASS, then the data field MUST contain the 16 octet MD5 output 884 9.0.8. Outbound ASCII and ARAP request 886 action = TAC_PLUS_AUTHEN_SENDAUTH 888 authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII 890 authen_type = TAC_PLUS_AUTHEN_TYPE_ARAP 892 This is an error. This action is not supported for ASCII logins and 893 in not needed for ARAP since ARAP authentication is already a two way 894 protocol. 896 9.0.9. ASCII change password request 898 action = TAC_PLUS_AUTHEN_CHPASS 900 authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII 902 This exchange consists of multiple messages while the daemon collects 903 the information it requires in order to change the user's password. 904 It is very similar to an ASCII login. The status value 905 TAC_PLUS_AUTHEN_STATUS_GETPASS MUST only be used when requesting the 906 "new" password. It MAY be sent multiple times. When requesting the 907 "old" password, the status value MUST be set to 908 TAC_PLUS_AUTHEN_STATUS_GETDATA. 910 9.0.10. PPP change password request 912 action = TAC_PLUS_AUTHEN_CHPASS 914 authen_type = TAC_PLUS_AUTHEN_TYPE_PAP 916 authen_type = TAC_PLUS_AUTHEN_TYPE_CHAP 918 This is never valid. The PPP protocol does not support password 920 DRAFT expires April 1997 October 1996 922 changing. 924 9.0.11. ARAP change password request 926 action = TAC_PLUS_AUTHEN_CHPASS 928 authen_type = TAC_PLUS_AUTHEN_TYPE_ARAP 930 This exchange consists of a single START packet and a single REPLY. 931 The START packet MUST contain the username and the data field con- 932 tains both the old and the new passwords encrypted (**FORMAT NOT 933 KNOWN AT THIS TIME **). The reply is a PASS or FAIL and the data 934 field is unused. 936 10. Aborting a session 938 The client may prematurely terminate a session by setting the 939 TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this 940 flag is set, the data portion of the message may contain an ASCII 941 message explaining the reason for the abort. The session is ter- 942 minated and no REPLY message is sent. 944 There are three other possible return status values that can be used 945 in a REPLY packet. These can be sent regardless of the action or 946 authen_type. Each of these indicates that the TACACS+ authentication 947 session should be terminated. In each case, the server_msg may con- 948 tain a message to be displayed to the user. 950 When the status equals TAC_PLUS_AUTHEN_STATUS_FOLLOW the packet indi- 951 cates that the TACACS+ daemon requests that authentication should be 952 performed with an alternate daemon. The data field MUST contain ASCII 953 text describing one or more daemons. A daemon description appears 954 like this: 956 [@@][@] 958 The protocol and key are optional. The protocol can describe an 959 alternate way of performing the authentication, other than TACACS+. 960 If the protocol is not present, then TACACS+ is assumed. 962 Protocols are ASCII numbers corresponding to the methods listed in 963 the authen_method field of authorization packets (defined below). The 964 host is specified as either a fully qualified domain name, or an 965 ASCII numeric IP address specified as octets separated by dots (`.'). 967 DRAFT expires April 1997 October 1996 969 If a key is supplied, the client MAY use the key in order to authen- 970 ticate to that host. If more than one host is specified, they MUST be 971 separated by an ASCII (0x0D). 973 Use of the hosts in a TAC_PLUS_AUTHEN_STATUS_FOLLOW packet is at the 974 discretion of the TACACS+ client. It may choose to use any one, all 975 or none of these hosts. If it chooses to use none, then it MUST treat 976 the authentication as if the return status was 977 TAC_PLUS_AUTHEN_STATUS_FAIL. 979 While the order of hosts in this packet indicates a preference, but 980 the client is not obliged to use that ordering. 982 If the status equals TAC_PLUS_AUTHEN_STATUS_ERROR, then the host is 983 indicating that it is experiencing an unrecoverable error and the 984 authentication should proceed as if that host could not be contacted. 985 The data field may contain a message to be printed on an administra- 986 tive console or log. 988 If the status equals TAC_PLUS_AUTHEN_STATUS_RESTART, then the authen- 989 tication sequence should be restarted with a new START packet from 990 the client. This REPLY packet indicates that the current authen_type 991 value (as specified in the START packet) is not acceptable for this 992 session, but that others may be. 994 The TAC_PLUS_AUTHEN_STATUS_RESTART REPLY packet may contain a list of 995 valid authen_type values in the data portion of the packet. The 996 authen_type values are a single byte in length so the data_len value 997 indicates the number of authen_type values included. This packet is 998 only currently intended for PPP authentication when multiple authen- 999 tication mechanisms are available and can be negotiated between the 1000 client and the remote peer. This also requires future PPP authentica- 1001 tion extensions which have not yet been passed through the IETF. If a 1002 client chooses not to accept the TAC_PLUS_AUTHEN_STATUS_RESTART 1003 packet, then it should be TREATED as if the status was 1004 TAC_PLUS_AUTHEN_STATUS_FAIL. 1006 11. Authorization 1008 TACACS+ authorization is an extensible way of providing remote 1009 authorization services. An authorization session is defined as a 1010 single pair of messages, a REQUEST followed by a RESPONSE. 1012 The authorization REQUEST message contains a fixed set of fields that 1013 describe the authenticity of the user or process, and a variable set 1014 of arguments that describes the services and options for which 1015 authorization is requested. 1017 DRAFT expires April 1997 October 1996 1019 The RESPONSE contains a variable set of response arguments 1020 (attribute-value pairs) which can restrict or modify the clients 1021 actions. 1023 The arguments in both a REQUEST and a RESPONSE can be specified as 1024 either mandatory or optional. An optional argument is one that may or 1025 may not be used, modified or even understood by the recipient. 1027 A mandatory argument MUST be both understood and used. This allows 1028 for extending the attribute list while providing secure backwards 1029 compatibility. 1031 11.1. The authorization REQUEST packet body 1033 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1035 +----------------+----------------+----------------+----------------+ 1036 | authen_method | priv_lvl | authen_type | authen_service | 1037 +----------------+----------------+----------------+----------------+ 1038 | user len | port len | rem_addr len | arg_cnt | 1039 +----------------+----------------+----------------+----------------+ 1040 | arg 1 len | arg 2 len | ... | arg N len | 1041 +----------------+----------------+----------------+----------------+ 1042 | user ... 1043 +----------------+----------------+----------------+----------------+ 1044 | port ... 1045 +----------------+----------------+----------------+----------------+ 1046 | rem_addr ... 1047 +----------------+----------------+----------------+----------------+ 1048 | arg 1 ... 1049 +----------------+----------------+----------------+----------------+ 1050 | arg 2 ... 1051 +----------------+----------------+----------------+----------------+ 1052 | ... 1053 +----------------+----------------+----------------+----------------+ 1054 | arg N ... 1055 +----------------+----------------+----------------+----------------+ 1057 authen_method 1059 This indicates the authentication method used by the client to 1060 acquire the user information. 1062 TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 1064 DRAFT expires April 1997 October 1996 1066 TAC_PLUS_AUTHEN_METH_NONE := 0x01 1068 TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 1070 TAC_PLUS_AUTHEN_METH_LINE := 0x03 1072 TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 1074 TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 1076 TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 1078 TAC_PLUS_AUTHEN_METH_GUEST := 0x08 1080 TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 1082 TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 1084 TAC_PLUS_AUTHEN_METH_RCMD := 0x20 1086 KRB5 and KRB4 are kerberos version 5 and 4. LINE refers to a fixed 1087 password associated with the line used to gain access. LOCAL is a NAS 1088 local user database. ENABLE is a command that authenticates in order 1089 to grant new privileges. TACACSPLUS is, of course, TACACS+. GUEST is 1090 an unqualified guest authentication, such as an ARAP guest login. 1091 RADIUS is the Radius authentication protocol. RCMD refers to authen- 1092 tication provided via the R-command protocols from Berkeley Unix. 1093 (One should be aware of the security limitations to R-command authen- 1094 tication.) 1096 priv_lvl 1098 This field matches the priv_lvl field in the authentication section 1099 above. It indicates the users current privilege level. 1101 authen_type 1103 This field matches the authen_type field in the authentication sec- 1104 tion above. It indicates the type of authentication that was per- 1105 formed. 1107 authen_service 1109 This field matches the service field in the authentication section 1110 above. It indicates the service through which the user authenticated. 1112 DRAFT expires April 1997 October 1996 1114 user 1116 This field contains the user's account name. 1118 port 1120 This field matches the port field in the authentication section 1121 above. 1123 rem_addr 1125 This field matches the rem_addr field in the authentication section 1126 above. 1128 arg_cnt 1130 The number of authorization arguments to follow 1132 arg 1134 An attribute-value pair that describes the command to be performed. 1135 (see below) 1137 The authorization arguments in both the REQUEST and the RESPONSE are 1138 attribute-value pairs. The attribute and the value are in a single 1139 ascii string and are separated by either a "=" (0X3D) or a "*" 1140 (0X2A). The equals sign indicates a mandatory argument. The asterisk 1141 indicates an optional one. 1143 Optional arguments are ones that may be disregarded by either client 1144 or daemon. Mandatory arguments require that the receiving side under- 1145 stands the attribute and will act on it. If the client receives a 1146 mandatory argument that it cannot oblige or does not understand, it 1147 MUST consider the authorization to have failed. It is legal to send 1148 an attribute-value pair with a NULL (zero length) value. 1150 Attribute-value strings are not NULL terminated, rather their length 1151 value indicates their end. The maximum length of an attribute-value 1152 string is 255 characters. The following attributes are defined: 1154 12. Table 1: Attribute-value Pairs 1156 DRAFT expires April 1997 October 1996 1158 service 1160 The primary service. Specifying a service attribute indicates that 1161 this is a request for authorization or accounting of that service. 1162 Current values are "slip", "ppp", "arap", "shell", "tty-daemon", 1163 "connection", "system" and "firewall". This attribute MUST always be 1164 included. 1166 protocol 1168 a protocol that is a subset of a service. An example would be any PPP 1169 NCP. Currently known values are "lcp", "ip", "ipx", "atalk", "vines", 1170 "lat", "xremote", "tn3270", "telnet", "rlogin", "pad", "vpdn", "ftp", 1171 "http", "deccp", "osicp" and "unknown". 1173 cmd 1175 a shell (exec) command. This indicates the command name for a shell 1176 command that is to be run. This attribute MUST be specified if ser- 1177 vice equals "shell". A NULL value indicates that the shell itself is 1178 being referred to. 1180 cmd-arg 1182 an argument to a shell (exec) command. This indicates an argument for 1183 the shell command that is to be run. Multiple cmd-arg attributes may 1184 be specified, and they are order dependent. 1186 acl 1188 ASCII number representing a connection access list. Used only when 1189 service=shell and cmd=NULL 1191 inacl 1193 ASCII identifier for an interface input access list. 1195 outacl 1197 ASCII identifier for an interface output access list. 1199 zonelist 1201 A numeric zonelist value. (Applicable to AppleTalk only). 1203 DRAFT expires April 1997 October 1996 1205 addr 1207 a network address 1209 addr-pool 1211 The identifier of an address pool from which the NAS should assign an 1212 address. 1214 routing 1216 A boolean. Specifies whether routing information is to be propagated 1217 to, and accepted from this interface. 1219 route 1221 Indicates a route that is to be applied to this interface. Values 1222 MUST be of the form " []". If a 1223 is not specified, the resulting route should be via 1224 the requesting peer. 1226 timeout 1228 an absolute timer for the connection (in minutes). A value of zero 1229 indicates no timeout. 1231 idletime 1233 an idle-timeout for the connection (in minutes). A value of zero 1234 indicates no timeout. 1236 autocmd 1238 an auto-command to run. Used only when service=shell and cmd=NULL 1240 noescape 1242 Boolean. Prevents user from using an escape character. Used only when 1243 service=shell and cmd=NULL 1245 nohangup 1247 Boolean. Do no disconnect after an automatic command. Used only when 1248 service=shell and cmd=NULL 1250 DRAFT expires April 1997 October 1996 1252 priv_lvl 1254 privilege level to be assigned. 1256 remote_user 1258 remote userid (authen_method must have the value 1259 TAC_PLUS_AUTHEN_METH_RCMD) 1261 remote_host 1263 remote host (authen_method must have the value 1264 TAC_PLUS_AUTHEN_METH_RCMD) 1266 callback-dialstring 1268 Indicates that callback should be done. Value is NULL, or a dial- 1269 string. A NULL value indicates that the service MAY choose to get the 1270 dialstring through other means. 1272 callback-line 1274 The line number to use for a callback. 1276 callback-rotary 1278 The rotary number to use for a callback. 1280 nocallback-verify 1282 Do not require authentication after callback. 1284 For all boolean attributes, valid values are "true" or "false". A 1286 value of NULL means an attribute with a zero length string for its value 1287 i.e. cmd=NULL is actually transmitted as the string of 4 characters 1288 "cmd=". 1290 If a host is specified in a cmd-arg or addr, it is recommended that it 1291 be specified as a numeric address so as to avoid any ambiguities. 1293 In the case of rcmd authorizations, the authen_method will be set to 1294 TAC_PLUS_AUTHEN_METH_RCMD and the remote_user and remote_host attributes 1295 will provide the remote user and host information to enable rhost style 1296 authorization. The response may request that a privilege level be set 1297 for the user. 1299 DRAFT expires April 1997 October 1996 1301 The protocol attribute is intended for use with PPP. When service equals 1302 "ppp" and protocol equals "lcp", the message describes the PPP link 1303 layer service. For other values of protocol, this describes a PPP NCP 1304 (network layer service). A single PPP session can support multiple NCPs. 1306 The attributes addr, inacl, outacl, route and routing may be used for 1307 all network protocol types that are supported. Their format and meaning 1308 is determined by the values of the service or protocol attributes. Not 1309 all are necessarily implemented for any given network protocol. 1311 12.1. The authorization RESPONSE packet body 1313 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1315 +----------------+----------------+----------------+----------------+ 1316 | status | arg_cnt | server_msg len | 1317 +----------------+----------------+----------------+----------------+ 1318 + data len | arg 1 len | arg 2 len | 1319 +----------------+----------------+----------------+----------------+ 1320 | ... | arg N len | server_msg ... 1321 +----------------+----------------+----------------+----------------+ 1322 | data ... 1323 +----------------+----------------+----------------+----------------+ 1324 | arg 1 ... 1325 +----------------+----------------+----------------+----------------+ 1326 | arg 2 ... 1327 +----------------+----------------+----------------+----------------+ 1328 | ... 1329 +----------------+----------------+----------------+----------------+ 1330 | arg N ... 1331 +----------------+----------------+----------------+----------------+ 1333 status 1334 This field indicates the authorization status 1336 TAC_PLUS_AUTHOR_STATUS_PASS_ADD := 0x01 1338 TAC_PLUS_AUTHOR_STATUS_PASS_REPL := 0x02 1340 TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10 1342 TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11 1344 DRAFT expires April 1997 October 1996 1346 TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21 1348 server_msg 1350 This is an ASCII string that may be presented to the user. The decision 1351 to present this message is client specific. 1353 data 1355 This is an ASCII string that may be presented on an administrative 1356 display, console or log. The decision to present this message is client 1357 specific. 1359 arg_cnt 1361 The number of authorization arguments to follow. 1363 arg 1365 An attribute-value pair that describes the command to be performed. (see 1366 below) 1368 If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the appropriate 1369 action is to deny the user action. 1371 If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the 1372 arguments specified in the request are authorized and the arguments in 1373 the response are to be used IN ADDITION to those arguments. 1375 If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the 1376 arguments in the request are to be completely replaced by the 1377 arguments in the response. 1379 If the intended action is to approve the authorization with no 1380 modifications, then the status should be set to 1381 TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt should be set to 1382 0. 1384 A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred 1385 on the daemon. 1387 When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the arg_cnt 1388 MUST be 0. In that case, the actions to be taken and the contents of 1389 the data field are identical to the TAC_PLUS_AUTHEN_STATUS_FOLLOW 1390 status for Authentication. 1392 None of the arg values have any relevance if an ERROR is set. 1394 DRAFT expires April 1997 October 1996 1396 13. Accounting 1398 TACACS+ accounting is very similar to authorization. The packet for- 1399 mat is also similar. There is a fixed portion and an extensible por- 1400 tion. The extensible portion uses all the same attribute-value pairs 1401 that authorization uses, and adds several more. 1403 13.1. The account REQUEST packet body 1405 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1407 +----------------+----------------+----------------+----------------+ 1408 | flags | authen_method | priv_lvl | authen_type | 1409 +----------------+----------------+----------------+----------------+ 1410 | authen_service | user len | port len | rem_addr len | 1411 +----------------+----------------+----------------+----------------+ 1412 | arg_cnt | arg 1 len | arg 2 len | ... | 1413 +----------------+----------------+----------------+----------------+ 1414 | arg N len | user ... 1415 +----------------+----------------+----------------+----------------+ 1416 | port ... 1417 +----------------+----------------+----------------+----------------+ 1418 | rem_addr ... 1419 +----------------+----------------+----------------+----------------+ 1420 | arg 1 ... 1421 +----------------+----------------+----------------+----------------+ 1422 | arg 2 ... 1423 +----------------+----------------+----------------+----------------+ 1424 | ... 1425 +----------------+----------------+----------------+----------------+ 1426 | arg N ... 1427 +----------------+----------------+----------------+----------------+ 1429 flags 1431 This holds bitmapped flags. 1433 TAC_PLUS_ACCT_FLAG_MORE := 0x01 (deprecated) 1435 TAC_PLUS_ACCT_FLAG_START := 0x02 1437 TAC_PLUS_ACCT_FLAG_STOP := 0x04 1439 TAC_PLUS_ACCT_FLAG_WATCHDOG := 0x08 1441 All other fields are defined in the authorization and authentication 1443 DRAFT expires April 1997 October 1996 1445 sections above and have the same semantics. 1447 The following new attributes are defined for TACACS+ accounting only. 1448 When these attribute-value pairs are included in the argument list, 1449 they should precede any attribute-value pairs that are defined in the 1450 authorization section above. 1452 Table 2: Accounting Attribute-value Pairs 1454 task_id 1456 Start and stop records for the same event MUST have matching (unique) 1457 task_id's 1459 start_time 1461 The time the action started (in seconds since the epoch, 12:00am Jan 1462 1 1970). 1464 stop_time 1466 The time the action stopped (in seconds since the epoch.) 1468 elapsed_time 1470 The elapsed time in seconds for the action. Useful when the device 1471 does not keep real time. 1473 timezone 1475 The timezone abbreviation for all timestamps included in this packet. 1477 event 1479 Used only when "service=system". Current values are "net_acct", 1480 "cmd_acct", "conn_acct", "shell_acct" "sys_acct" and "clock_change". 1481 These indicate system level changes. The flags field SHOULD indicate 1482 whether the service started or stopped. 1484 reason 1486 Accompanies an event attribute. It describes why the event occurred. 1488 DRAFT expires April 1997 October 1996 1490 bytes 1492 The number of bytes transferred by this action 1494 bytes_in 1496 The number of input bytes transferred by this action 1498 bytes_out 1500 The number of output bytes transferred by this action 1502 paks 1504 The number of packets transferred by this action. 1506 paks_in 1508 The number of input packets transferred by this action. 1510 paks_out 1512 The number of output packets transferred by this action. 1514 status 1516 The numeric status value associated with the action. This is a signed 1517 four (4) byte word in network byte order. 0 is defined as success. 1518 Negative numbers indicate errors. Positive numbers indicate non-error 1519 failures. The exact status values may be defined by the client. 1521 err_msg 1523 An ascii string describing the status of the action. 1525 NOTE: All numeric values in an attribute-value string are provided as 1526 decimal ASCII numbers. 1528 DRAFT expires April 1997 October 1996 1530 13.2. The accounting REPLY packet body 1532 The response to an accounting message is used to indicate that the 1533 accounting function on the daemon has completed and securely commit- 1534 ted the record. This provides the client the best possible guarantee 1535 that the data is indeed logged. 1537 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1539 +----------------+----------------+----------------+----------------+ 1540 | server_msg len | data len | 1541 +----------------+----------------+----------------+----------------+ 1542 | status | server_msg ... 1543 +----------------+----------------+----------------+----------------+ 1544 | data ... 1545 +----------------+ 1547 status 1549 This is the return status. Values are: 1550 TAC_PLUS_ACCT_STATUS_SUCCESS := 0x01 1552 TAC_PLUS_ACCT_STATUS_ERROR := 0x02 1554 TAC_PLUS_ACCT_STATUS_FOLLOW := 0x21 1556 server_msg 1558 This is an ASCII string that may be presented to the user. The deci- 1559 sion to present this message is client specific. 1561 data 1563 This is an ASCII string that may be presented on an administrative 1564 display, console or log. The decision to present this message is 1565 client specific. 1567 When the status equals TAC_PLUS_ACCT_STATUS_FOLLOW, then the actions 1568 to be taken and the contents of the data field are identical to the 1570 DRAFT expires April 1997 October 1996 1572 TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. 1574 The daemon MUST terminate the session after sending a REPLY. 1576 The TAC_PLUS_ACCT_FLAG_START flag indicates that this is a start 1577 accounting message. Start messages should only be sent once when a 1578 task is started. The TAC_PLUS_ACCT_FLAG_STOP indicates that this is a 1579 stop record and that the task has terminated. The 1580 TAC_PLUS_ACCT_FLAG_WATCHDOG flag means that this is an update record. 1581 Update records are sent at the client's discretion when the task is 1582 still running. 1584 The START and STOP flags are mutually exclusive. When the WATCHDOG 1585 flag is set along with the START flag, it indicates that the update 1586 record is a duplicate of the original START record. If the START flag 1587 is not set, then this indicates a minimal record indicating only that 1588 task is still running. The STOP flag MUST NOT be set in conjunction 1589 with the WATCHDOG flag. 1591 14. Compatibility between Minor Versions 0 and 1 1593 Whenever a TACACS+ daemon receives a packet with a minor_version that 1594 it does not support, it should return an ERROR status with the 1595 minor_version set to the supported value closest to the requested 1596 value. 1598 The changes between minor_version 0 and 1 all deal with the way that 1599 CHAP, ARAP and PAP authentications are handled. 1601 In minor_version 0, CHAP, ARAP and outbound PAP authentications were 1602 performed by the NAS sending a SENDPASS packet to the daemon. The 1603 SENDPASS requested a copy of the user's plaintext password so that 1604 the NAS could complete the authentication. The CHAP hashing and ARAP 1605 encryption were all performed on the NAS. Inbound PAP performed a 1606 normal LOGIN, sending the username in the START packet and then wait- 1607 ing for a GETPASS and sending the password in a CONTINUE packet. 1609 In minor_version 1, CHAP, ARAP and inbound PAP use LOGIN to perform 1610 inbound authentication and the exchanges use the data field so that 1611 the NAS only sends a single START packet and expects to receive a 1612 PASS or FAIL. SENDPASS has been deprecated and SENDAUTH introduced, 1613 so that the NAS can request authentication credentials for authenti- 1614 cating to a remote peer. SENDAUTH is only used for PPP when perform- 1615 ing outbound authentication. 1617 NOTE: Only those requests which have changed from their minor_version 1618 0 implementation (i.e. ARAP, CHAP and PAP) should use the new 1620 DRAFT expires April 1997 October 1996 1622 minor_version number of 1. All other requests (whose implementation 1623 has not changed) MUST continue to use the same minor_version number 1624 of 0 that they have always used. 1626 If a daemon or NAS implementation desires to provide support for 1627 minor_number 0 TACACS+ hosts, it MUST pay attention to the 1628 minor_version in the TACACS+ header (as it should anyway) and be 1629 prepared to support the SENDPASS operation. 1631 The removal of SENDPASS was prompted by security concerns, and imple- 1632 mentors should think very carefully about how they wish to provide 1633 this service. On a NAS, the minor_version 0 compatibility can be lay- 1634 ered such that higher layers only need to understand the 1635 minor_version 1 methodology, with the compatibility layer translating 1636 requests appropriately when contacting an older daemon. 1638 On a TACACS+ server, when detecting minor_number 0, the daemon should 1639 allow for PAP authentications that do not send the password in the 1640 data field, but instead expect to read the PAP password from a subse- 1641 quent CONTINUE packet. 1643 If the daemon supports SENDPASS, then it should be prepared to handle 1644 such requests for CHAP and ARAP and even PAP, when outbound authenti- 1645 cation takes place. 1647 15. Notes to Implementors 1649 For those interested in integrating one-time password support into 1650 TACACS+ daemons, there are some subtleties to consider. TACACS+ is 1651 designed to make this straightforward, but two cases require some 1652 extra care. 1654 One-time password support with ARAP and PPP's CHAP authentication 1655 protocols is NOT straightforward, but there are work arounds. The 1656 problem lies in the nature of ARAP and CHAP authentication. Both 1657 employ a challenge-response protocol that requires a copy of the 1658 cleartext password to be stored at both ends. Unfortunately, due to 1659 their cryptographic nature, one-time password systems can rarely pro- 1660 vide the cleartext version of the next password. 1662 A simple workaround is to have the user enter their username as a 1663 combination of the username and the one-time password, separated by a 1664 special character, and a fixed password can be used in the password 1665 field. The fixed password can be assigned on a per user basis or as a 1666 single site-wide password. 1668 For the separator character, Cisco Systems has been using the `*' 1670 DRAFT expires April 1997 October 1996 1672 (asterisk) character. After some deliberation, it was decided that it 1673 was the least likely character to be found in a username. 1675 DRAFT expires April 1997 October 1996 1677 16. References 1679 [1] D. Carrel, L. Grant, "The TACACS+ API Definition" 1681 [2] C. Finseth, RFC 1492, "An Access Control Protocol, Sometimes 1682 Called TACACS", July 1993. 1684 [3] R. Rivest, RFC 1321, "The MD5 Message-Digest Algorithm", April 1685 1992. 1687 [4] B. Lloyd, W. Simpson, RFC 1334, "PPP Authentication Protocols", 1688 October 1992. 1690 [5] Apple Computer Corp. AppleTalk Remote Access Protocol (ARAP) 1691 Version 2.0 External Reference Specification. Preliminary docu- 1692 ment (no date available). 1694 [6] D. Eastlake, S. Crocker, J. Schiller, RFC 1750, "Randomness 1695 Recommendations for Security", December 1994. 1697 DRAFT expires April 1997 October 1996 1699 Table of Contents 1701 Introduction ................................................... 1 1703 Technical Definitions .......................................... 2 1705 The TACACS+ packet header ...................................... 5 1707 The TACACS+ packet body ........................................ 7 1709 Body Encryption ................................................ 8 1711 Body types ..................................................... 9 1713 Authentication ................................................. 10 1715 Enable Requests ................................................ 17 1717 Inbound ASCII Login ............................................ 17 1719 Inbound PAP Login .............................................. 17 1721 Inbound CHAP login ............................................. 18 1723 Inbound ARAP login ............................................. 18 1725 Outbound PAP request ........................................... 19 1727 Outbound CHAP request .......................................... 19 1729 Outbound ASCII and ARAP request ................................ 20 1731 ASCII change password request .................................. 20 1733 PPP change password request .................................... 20 1735 ARAP change password request ................................... 21 1737 Authorization .................................................. 22 1739 The authorization REQUEST packet body .......................... 23 1741 DRAFT expires April 1997 October 1996 1743 Table 1: Attribute-value Pairs ................................. 25 1745 The authorization RESPONSE packet body ......................... 29 1747 Accounting ..................................................... 31 1749 The account REQUEST packet body ................................ 31 1751 The accounting REPLY packet body ............................... 33 1753 Compatibility between Minor Versions 0 and 1 ................... 35 1755 Notes to Implementors .......................................... 36 1757 References ..................................................... 38