idnits 2.17.1 draft-ietf-opsawg-tacacs-16.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 17, 2019) is 1621 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'RFC8174' is mentioned on line 177, but not defined ** Obsolete normative reference: RFC 1334 (Obsoleted by RFC 1994) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Operations T. Dahm 3 Internet-Draft A. Ota 4 Intended status: Informational Google Inc 5 Expires: May 20, 2020 D. Medway Gash 6 Cisco Systems, Inc. 7 D. Carrel 8 vIPtela, Inc. 9 L. Grant 10 November 17, 2019 12 The TACACS+ Protocol 13 draft-ietf-opsawg-tacacs-16 15 Abstract 17 Terminal Access Controller Access-Control System Plus (TACACS+) 18 provides Device Administration for routers, network access servers 19 and other networked computing devices via one or more centralized 20 servers. This document describes the protocol that is used by 21 TACACS+. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on May 20, 2020. 40 Copyright Notice 42 Copyright (c) 2019 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 This document may contain material from IETF Documents or IETF 56 Contributions published or made publicly available before November 57 10, 2008. The person(s) controlling the copyright in some of this 58 material may not have granted the IETF Trust the right to allow 59 modifications of such material outside the IETF Standards Process. 60 Without obtaining an adequate license from the person(s) controlling 61 the copyright in such materials, this document may not be modified 62 outside the IETF Standards Process, and derivative works of it may 63 not be created outside the IETF Standards Process, except to format 64 it for publication as an RFC or to translate it into languages other 65 than English. 67 Table of Contents 69 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 70 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 71 3. Technical Definitions . . . . . . . . . . . . . . . . . . . . 4 72 3.1. Client . . . . . . . . . . . . . . . . . . . . . . . . . 4 73 3.2. Server . . . . . . . . . . . . . . . . . . . . . . . . . 4 74 3.3. Packet . . . . . . . . . . . . . . . . . . . . . . . . . 5 75 3.4. Connection . . . . . . . . . . . . . . . . . . . . . . . 5 76 3.5. Session . . . . . . . . . . . . . . . . . . . . . . . . . 5 77 3.6. Treatment of Enumerated Protocol Values . . . . . . . . . 5 78 3.7. Treatment of Text Strings . . . . . . . . . . . . . . . . 5 79 4. TACACS+ Packets and Sessions . . . . . . . . . . . . . . . . 6 80 4.1. The TACACS+ Packet Header . . . . . . . . . . . . . . . . 6 81 4.2. The TACACS+ Packet Body . . . . . . . . . . . . . . . . . 8 82 4.3. Single Connection Mode . . . . . . . . . . . . . . . . . 8 83 4.4. Session Completion . . . . . . . . . . . . . . . . . . . 9 84 4.5. Data Obfuscation . . . . . . . . . . . . . . . . . . . . 10 85 5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 12 86 5.1. The Authentication START Packet Body . . . . . . . . . . 12 87 5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15 88 5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 16 89 5.4. Description of Authentication Process . . . . . . . . . . 17 90 5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 17 91 5.4.2. Common Authentication Flows . . . . . . . . . . . . . 18 92 5.4.3. Aborting an Authentication Session . . . . . . . . . 21 93 6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 22 94 6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 95 6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 26 96 7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 28 97 7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 28 98 7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 29 99 8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 31 100 8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 31 101 8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 32 102 8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 34 103 9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 35 104 10. Security Considerations . . . . . . . . . . . . . . . . . . . 36 105 10.1. General Security of the Protocol . . . . . . . . . . . . 37 106 10.2. Security of Authentication Sessions . . . . . . . . . . 38 107 10.3. Security of Authorization Sessions . . . . . . . . . . . 38 108 10.4. Security of Accounting Sessions . . . . . . . . . . . . 39 109 10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 39 110 10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 39 111 10.5.2. Connections and Obfuscation . . . . . . . . . . . . 40 112 10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 41 113 10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 42 114 10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 42 115 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 116 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42 117 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 118 13.1. Normative References . . . . . . . . . . . . . . . . . . 43 119 13.2. Informative References . . . . . . . . . . . . . . . . . 44 120 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 122 1. Introduction 124 Terminal Access Controller Access-Control System Plus (TACACS+) was 125 conceived initially as a general Authentication, Authorization and 126 Accounting protocol. It's use today is mainly confined to Device 127 Administration: authenticating access to network devices, providing 128 central authorization of operations, and audit of those operations. 130 A wide range of TACACS+ clients and servers are already deployed in 131 the field. The TACACS+ protocol they are based on is defined in a 132 draft document that was originally intended for IETF publication, and 133 is known as `The Draft' [TheDraft]. This did not address all of the 134 key security concerns which are considered when designing modern 135 standards. Deployment must therefore be executed with care. These 136 concerns are addressed in the security section (Section 10). 138 This is intended to document the TACACS+ protocol as it is currently 139 deployed. It is intended that all implementations which conform to 140 this document will conform to `The Draft'. However, attention is 141 drawn to the following specific adjustments of the protocol 142 specification from 'The Draft': 144 This document officially removes SENDPASS for security reasons. 146 The normative description of Legacy features such as ARAP and 147 outbound authentication has been removed. 149 The Support for forwarding to an alternative daemon 150 (TAC_PLUS_AUTHEN_STATUS_FOLLOW) has been deprecated. 152 The TACACS+ protocol allows for arbitrary length and content 153 authentication exchanges, to support alternative authentication 154 mechanisms. It is extensible to provide for site customization and 155 future development features, and it uses TCP to ensure reliable 156 delivery. The protocol allows the TACACS+ client to request fine- 157 grained access control and allows the server to respond to each 158 component of that request. 160 The separation of authentication, authorization and accounting is a 161 key element of the design of TACACS+ protocol. Essentially it makes 162 TACACS+ a suite of three protocols. This document will address each 163 one in separate sections. Although TACACS+ defines all three, an 164 implementation or deployment is not required to employ all three. 165 Separating the elements is useful for Device Administration use case, 166 specifically, for authorization of individual commands in a session. 167 Note that there is no provision made at the protocol level for 168 association of an authentication to authorization requests. 170 2. Conventions 172 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 173 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 174 "OPTIONAL" in this document are to be interpreted as described in BCP 175 14 [RFC2119] [RFC8174] when, and only when, they appear in all 176 capitals, as shown here. 178 3. Technical Definitions 180 This section provides a few basic definitions that are applicable to 181 this document 183 3.1. Client 185 The client is any device which initiates TACACS+ protocol requests to 186 mediate access, mainly for the Device Administration use case. 188 3.2. Server 190 The server receives TACACS+ protocol requests, and replies according 191 to its business model, in accordance with the flows defined in this 192 document. 194 3.3. Packet 196 All uses of the word packet in this document refer to TACACS+ 197 protocol data units unless explicitly noted otherwise. The informal 198 term "Packet" has become an established part of the definition. 200 3.4. Connection 202 TACACS+ uses TCP for its transport. TCP Server port 49 is allocated 203 by IANA for TACACS+ traffic. 205 3.5. Session 207 The concept of a session is used throughout this document. A TACACS+ 208 session is a single authentication sequence, a single authorization 209 exchange, or a single accounting exchange. 211 An accounting and authorization session will consist of a single pair 212 of packets (the request and its reply). An authentication session 213 may involve an arbitrary number of packets being exchanged. The 214 session is an operational concept that is maintained between the 215 TACACS+ client and server. It does not necessarily correspond to a 216 given user or user action. 218 3.6. Treatment of Enumerated Protocol Values 220 This document describes various enumerated values in the packet 221 header and the headers for specific packet types. For example, in 222 the Authentication start packet type, this document defines the 223 action field with three values TAC_PLUS_AUTHEN_LOGIN, 224 TAC_PLUS_AUTHEN_CHPASS and TAC_PLUS_AUTHEN_SENDAUTH. 226 If the server does not implement one of the defined options in a 227 packet that it receives, or it encounters an option that is not 228 listed in this document for a header field, then it should respond 229 with an ERROR and terminate the session. This will allow the client 230 to try a different option. 232 If an error occurs but the type of the incoming packet cannot be 233 determined, a packet with the identical cleartext header but with a 234 sequence number incremented by one and the length set to zero MUST be 235 returned to indicate an error. 237 3.7. Treatment of Text Strings 239 The TACACS+ protocol makes extensive use of text strings. The 240 original draft intended that these strings would be treated as byte 241 arrays where each byte would represent a US-ASCII character. 243 More recently, server implementations have been extended to interwork 244 with external identity services, and so a more nuanced approach is 245 needed. Usernames MUST be encoded and handled using the 246 UsernameCasePreserved Profile specified in RFC 8265 [RFC8265]. The 247 security considerations in Section 8 of that RFC apply. 249 Where specifically mentioned, data fields contain arrays of arbitrary 250 bytes as required for protocol processing. These are not intended to 251 be made visible through user interface to users. 253 All other text fields in TACACS+ MUST be treated as printable byte 254 arrays of US-ASCII as defined by RFC 20 [RFC0020]. The term 255 "printable" used here means the fields MUST exclude the "Control 256 Characters" defined in section 5.2 of RFC 20 [RFC0020]. 258 4. TACACS+ Packets and Sessions 260 4.1. The TACACS+ Packet Header 262 All TACACS+ packets begin with the following 12-byte header. The 263 header describes the remainder of the packet: 265 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 266 +----------------+----------------+----------------+----------------+ 267 |major | minor | | | | 268 |version| version| type | seq_no | flags | 269 +----------------+----------------+----------------+----------------+ 270 | | 271 | session_id | 272 +----------------+----------------+----------------+----------------+ 273 | | 274 | length | 275 +----------------+----------------+----------------+----------------+ 277 The following general rules apply to all TACACS+ packet types: 279 - To signal that any variable length data fields are unused, their 280 length value is set to zero. Such fields MUST be ignored, and 281 treated as if not present. 283 - the lengths of data and message fields in a packet are specified 284 by their corresponding length fields, (and are not null 285 terminated.) 287 - All length values are unsigned and in network byte order. 289 major_version 290 This is the major TACACS+ version number. 292 TAC_PLUS_MAJOR_VER := 0xc 294 minor_version 296 The minor TACACS+ version number. 298 TAC_PLUS_MINOR_VER_DEFAULT := 0x0 300 TAC_PLUS_MINOR_VER_ONE := 0x1 302 type 304 This is the packet type. Options are: 306 TAC_PLUS_AUTHEN := 0x01 (Authentication) 308 TAC_PLUS_AUTHOR := 0x02 (Authorization) 310 TAC_PLUS_ACCT := 0x03 (Accounting) 312 seq_no 314 This is the sequence number of the current packet. The first packet 315 in a session MUST have the sequence number 1 and each subsequent 316 packet will increment the sequence number by one. TACACS+ Clients 317 only send packets containing odd sequence numbers, and TACACS+ 318 servers only send packets containing even sequence numbers. 320 The sequence number must never wrap i.e. if the sequence number 2^8-1 321 is ever reached, that session must terminate and be restarted with a 322 sequence number of 1. 324 flags 326 This field contains various bitmapped flags. 328 The flag bit: 330 TAC_PLUS_UNENCRYPTED_FLAG := 0x01 332 This flag indicates that the sender did not obfuscate the body of the 333 packet. The application of this flag will be covered in the security 334 section (Section 10). 336 This flag SHOULD be clear in all deployments. Modern network traffic 337 tools support encrypted traffic when configured with the shared 338 secret (see section below), so obfuscated mode can and SHOULD be used 339 even during test. 341 The single-connection flag: 343 TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04 345 This flag is used to allow a client and server to negotiate Single 346 Connection Mode (Section 4.3). 348 All other bits MUST be ignored when reading, and SHOULD be set to 349 zero when writing. 351 session_id 353 The Id for this TACACS+ session. This field does not change for the 354 duration of the TACACS+ session. This number MUST be generated by a 355 cryptographically strong random number generation method. Failure to 356 do so will compromise security of the session. For more details 357 refer to RFC 4086 [RFC4086]. 359 length 361 The total length of the packet body (not including the header). 363 4.2. The TACACS+ Packet Body 365 The TACACS+ body types are defined in the packet header. The next 366 sections of this document will address the contents of the different 367 TACACS+ bodies. 369 4.3. Single Connection Mode 371 Single Connection Mode is intended to improve performance by allowing 372 a client to multiplex multiple session on a single TCP connection. 374 The packet header contains the TAC_PLUS_SINGLE_CONNECT_FLAG used by 375 the client and server to negotiate the use of Single Connect Mode. 377 The client sets this flag, to indicate that it supports multiplexing 378 TACACS+ sessions over a single TCP connection. The client MUST NOT 379 send a second packet on a connection until single-connect status has 380 been established. 382 To indicate it will support Single Connection Mode, the server sets 383 this flag in the first reply packet in response to the first request 384 from a client. The server may set this flag even if the client does 385 not set it, but the client may ignore the flag and close the 386 connection after the session completes. 388 The flag is only relevant for the first two packets on a connection, 389 to allow the client and server to establish Single Connection Mode. 390 No provision is made for changing Single Connection Mode after the 391 first two packets: the client and server MUST ignore the flag after 392 the second packet on a connection. 394 If single Connection Mode has not been established in the first two 395 packets of a TCP connection, then both the client and the server 396 close the connection at the end of the first session. 398 The client negotiates Single Connection Mode to improve efficiency. 399 The server may refuse to allow Single Connection Mode for the client. 400 For example, it may not be appropriate to allocate a long-lasting TCP 401 connection to a specific client in some deployments. Even if the 402 server is configured to permit single Connection Mode for a specific 403 client, the server may close the connection. For example: a server 404 may be configured to time out a Single Connection Mode TCP Connection 405 after a specific period of inactivity to preserve its resources. The 406 client MUST accommodate such closures on a TCP session even after 407 Single Connection Mode has been established. 409 4.4. Session Completion 411 The REPLY packets defined for the packets types in the sections below 412 (Authentication, Authorization and Accounting) contain a status 413 field. The complete set of options for this field depend upon the 414 packet type, but all three REPLY packet types define values 415 representing PASS, ERROR and FAIL, which indicate the last packet of 416 a regular session (one which is not aborted). 418 The server responds with a PASS or a FAIL to indicate that the 419 processing of the request completed and the client can apply the 420 result (PASS or FAIL) to control the execution of the action which 421 prompted the request to be sent to the server. 423 The server responds with an ERROR to indicate that the processing of 424 the request did not complete. The client can not apply the result 425 and it MUST behave as if the server could not be connected to. For 426 example, the client tries alternative methods, if they are available, 427 such as sending the request to a backup server, or using local 428 configuration to determine whether the action which prompted the 429 request should be executed. 431 Refer to the section (Section 5.4.3) on Aborting Authentication 432 Sessions for details on handling additional status options. 434 When the session is complete, then the TCP connection should be 435 handled as follows, according to whether Single Connection Mode was 436 negotiated: 438 If Single Connection Mode was not negotiated, then the connection 439 should be closed 441 If Single Connection Mode was enabled, then the connection SHOULD be 442 left open (see section (Section 4.3)), but may still be closed after 443 a timeout period to preserve deployment resources. 445 If Single Connection Mode was enabled, but an ERROR occurred due to 446 connection issues (such as an incorrect secret, see section 447 (Section 4.5)), then any further new sessions MUST NOT be accepted on 448 the connection. If there are any sessions that have already been 449 established then they MAY be completed. Once all active sessions are 450 completed then the connection MUST be closed. 452 It is recommended that client implementations provide robust schemes 453 for dealing with servers which cannot be connected to. Options 454 include providing a list of servers for redundancy, and an option for 455 a local fallback configuration if no servers can be reached. Details 456 will be implementation specific. 458 The client should manage connections and handle the case of a server 459 which establishes a connection, but does not respond. The exact 460 behavior is implementation specific. It is recommended that the 461 client should close the connection after a configurable timeout. 463 4.5. Data Obfuscation 465 The body of packets may be obfuscated. The following sections 466 describe the obfuscation method that is supported in the protocol. 467 In 'The Draft' this process was actually referred to as Encryption, 468 but the algorithm would not meet modern standards, and so will not be 469 termed as encryption in this document. 471 The obfuscation mechanism relies on a secret key, a shared secret 472 value that is known to both the client and the server. The secret 473 keys MUST remain secret. 475 Server implementations MUST allow a unique secret key to be 476 associated with each client. It is a site-dependent decision as to 477 whether the use of separate keys is appropriate. 479 The flag field may be set as follows: 481 TAC_PLUS_UNENCRYPTED_FLAG = 0x0 482 In this case, the packet body is obfuscated by XOR-ing it byte-wise 483 with a pseudo-random pad. 485 ENCRYPTED {data} = data ^ pseudo_pad 487 The packet body can then be de-obfuscated by XOR-ing it byte-wise 488 with a pseudo random pad. 490 data = ENCRYPTED {data} ^ pseudo_pad 492 The pad is generated by concatenating a series of MD5 hashes (each 16 493 bytes long) and truncating it to the length of the input data. 495 Whenever used in this document, MD5 refers to the "RSA Data Security, 496 Inc. MD5 Message-Digest Algorithm" as specified in RFC 1321 497 [RFC1321]. 499 pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data) 501 The first MD5 hash is generated by concatenating the session_id, the 502 secret key, the version number and the sequence number and then 503 running MD5 over that stream. All of those input values are 504 available in the packet header, except for the secret key which is a 505 shared secret between the TACACS+ client and server. 507 The version number and session_id are extracted from the header 509 Subsequent hashes are generated by using the same input stream, but 510 concatenating the previous hash value at the end of the input stream. 512 MD5_1 = MD5{session_id, key, version, seq_no} MD5_2 = MD5{session_id, 513 key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key, 514 version, seq_no, MD5_n-1} 516 When a server detects that the secret(s) it has configured for the 517 device mismatch, it MUST return ERROR. For details of TCP connection 518 handling on ERROR, refer to section (Section 4.4). 520 TAC_PLUS_UNENCRYPTED_FLAG == 0x1 522 In this case, the entire packet body is in cleartext. Obfuscation 523 and de-obfuscation are null operations. This method should be 524 avoided unless absolutely required for debug purposes, when tooling 525 does not permit de-obfuscation. 527 If deployment is configured for obfuscating a connection then the 528 request MUST be dropped if TAC_PLUS_UNENCRYPTED_FLAG is set to true. 530 After a packet body is de-obfuscated, the lengths of the component 531 values in the packet are summed. If the sum is not identical to the 532 cleartext datalength value from the header, the packet MUST be 533 discarded, and an ERROR signaled. For details of TCP connection 534 handling on ERROR, refer to section (Section 4.4). 536 Commonly such failures are seen when the keys are mismatched between 537 the client and the TACACS+ server. 539 5. Authentication 541 Authentication is the action of determining who a user (or entity) 542 is. Authentication can take many forms. Traditional authentication 543 employs a name and a fixed password. However, fixed passwords are 544 vulnerable security, so many modern authentication mechanisms utilize 545 "one-time" passwords or a challenge-response query. TACACS+ is 546 designed to support all of these, and be flexible enough to handle 547 any future mechanisms. Authentication generally takes place when the 548 user first logs in to a machine or requests a service of it. 550 Authentication is not mandatory; it is a site-configured option. 551 Some sites do not require it. Others require it only for certain 552 services (see authorization below). Authentication may also take 553 place when a user attempts to gain extra privileges, and must 554 identify himself or herself as someone who possesses the required 555 information (passwords, etc.) for those privileges. 557 5.1. The Authentication START Packet Body 559 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 560 +----------------+----------------+----------------+----------------+ 561 | action | priv_lvl | authen_type | authen_service | 562 +----------------+----------------+----------------+----------------+ 563 | user_len | port_len | rem_addr_len | data_len | 564 +----------------+----------------+----------------+----------------+ 565 | user ... 566 +----------------+----------------+----------------+----------------+ 567 | port ... 568 +----------------+----------------+----------------+----------------+ 569 | rem_addr ... 570 +----------------+----------------+----------------+----------------+ 571 | data... 572 +----------------+----------------+----------------+----------------+ 574 Packet fields are as follows: 576 action 577 This indicates the authentication action. Valid values are listed 578 below. 580 TAC_PLUS_AUTHEN_LOGIN := 0x01 582 TAC_PLUS_AUTHEN_CHPASS := 0x02 584 TAC_PLUS_AUTHEN_SENDAUTH := 0x04 586 priv_lvl 588 This indicates the privilege level that the user is authenticating 589 as. Please refer to the Privilege Level section (Section 9) below. 591 authen_type 593 The type of authentication. Please see section Common Authentication 594 Flows (Section 5.4.2). Valid values are: 596 TAC_PLUS_AUTHEN_TYPE_ASCII := 0x01 598 TAC_PLUS_AUTHEN_TYPE_PAP := 0x02 600 TAC_PLUS_AUTHEN_TYPE_CHAP := 0x03 602 TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05 604 TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 := 0x06 606 authen_service 608 This is the service that is requesting the authentication. Valid 609 values are: 611 TAC_PLUS_AUTHEN_SVC_NONE := 0x00 613 TAC_PLUS_AUTHEN_SVC_LOGIN := 0x01 615 TAC_PLUS_AUTHEN_SVC_ENABLE := 0x02 617 TAC_PLUS_AUTHEN_SVC_PPP := 0x03 619 TAC_PLUS_AUTHEN_SVC_PT := 0x05 621 TAC_PLUS_AUTHEN_SVC_RCMD := 0x06 623 TAC_PLUS_AUTHEN_SVC_X25 := 0x07 624 TAC_PLUS_AUTHEN_SVC_NASI := 0x08 626 TAC_PLUS_AUTHEN_SVC_FWPROXY := 0x09 628 The TAC_PLUS_AUTHEN_SVC_NONE option is intended for the authorization 629 application of this field that indicates that no authentication was 630 performed by the device. 632 The TAC_PLUS_AUTHEN_SVC_LOGIN option indicates regular login (as 633 opposed to ENABLE) to a client device. 635 The TAC_PLUS_AUTHEN_SVC_ENABLE option identifies the ENABLE 636 authen_service, which refers to a service requesting authentication 637 in order to grant the user different privileges. This is comparable 638 to the Unix "su(1)" command, which substitutes the current user's 639 identity with another. An authen_service value of NONE is only to be 640 used when none of the other authen_service values are appropriate. 641 ENABLE may be requested independently, no requirements for previous 642 authentications or authorizations are imposed by the protocol. 644 Other options are included for legacy/backwards compatibility. 646 user, user_len 648 The username is optional in this packet, depending upon the class of 649 authentication. If it is absent, the client MUST set user_len to 0. 650 If included, the user_len indicates the length of the user field, in 651 bytes. 653 port, port_len 655 The name of the client port on which the authentication is taking 656 place. The value of this field is free format text and is client 657 specific. Examples of this this argument include "tty10" to denote 658 the tenth tty line and "async10" to denote the tenth async interface. 659 The client documentation SHOULD define the values and their meanings 660 for this field. For details of text encoding, see (Section 3.7). 661 port_len indicates the length of the port field, in bytes. 663 rem_addr, rem_addr_len 665 A string indicating the remote location from which the user has 666 connected to the client. For details of text encoding, see 667 (Section 3.7). 669 When TACACS+ was used for dial-up services, this value contained the 670 caller ID 671 When TACACS+ is used for Device Administration, the user is normally 672 connected via a network, and in this case the value is intended to 673 hold a network address, IPv4 or IPv6. For IPv6 address text 674 representation defined please see RFC 5952 [RFC5952]. 676 This field is optional (since the information may not be available). 677 The rem_addr_len indicates the length of the user field, in bytes. 679 data, data_len 681 This field is used to send data appropriate for the action and 682 authen_type. It is described in more detail in the section Common 683 Authentication flows (Section 5.4.2). The data_len indicates the 684 length of the data field, in bytes. 686 5.2. The Authentication REPLY Packet Body 688 The TACACS+ server sends only one type of authentication packet (a 689 REPLY packet) to the client. 691 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 692 +----------------+----------------+----------------+----------------+ 693 | status | flags | server_msg_len | 694 +----------------+----------------+----------------+----------------+ 695 | data_len | server_msg ... 696 +----------------+----------------+----------------+----------------+ 697 | data ... 698 +----------------+----------------+ 700 status 702 The current status of the authentication. Valid values are: 704 TAC_PLUS_AUTHEN_STATUS_PASS := 0x01 706 TAC_PLUS_AUTHEN_STATUS_FAIL := 0x02 708 TAC_PLUS_AUTHEN_STATUS_GETDATA := 0x03 710 TAC_PLUS_AUTHEN_STATUS_GETUSER := 0x04 712 TAC_PLUS_AUTHEN_STATUS_GETPASS := 0x05 714 TAC_PLUS_AUTHEN_STATUS_RESTART := 0x06 716 TAC_PLUS_AUTHEN_STATUS_ERROR := 0x07 718 TAC_PLUS_AUTHEN_STATUS_FOLLOW := 0x21 720 flags 722 Bitmapped flags that modify the action to be taken. The following 723 values are defined: 725 TAC_PLUS_REPLY_FLAG_NOECHO := 0x01 727 server_msg, server_msg_len 729 A message to be displayed to the user. This field is optional. The 730 server_msg_len indicates the length of the server_msg field, in 731 bytes. For details of text encoding, see (Section 3.7). 733 data, data_len 735 This field holds data that is a part of the authentication exchange 736 and is intended for client processing, not the user. It is not a 737 printable text encoding. Examples of its use are shown in the 738 section Common Authentication flows (Section 5.4.2). The data_len 739 indicates the length of the data field, in bytes. 741 5.3. The Authentication CONTINUE Packet Body 743 This packet is sent from the client to the server following the 744 receipt of a REPLY packet. 746 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 747 +----------------+----------------+----------------+----------------+ 748 | user_msg len | data_len | 749 +----------------+----------------+----------------+----------------+ 750 | flags | user_msg ... 751 +----------------+----------------+----------------+----------------+ 752 | data ... 753 +----------------+ 755 user_msg, user_msg_len 757 This field is the string that the user entered, or the client 758 provided on behalf of the user, in response to the server_msg from a 759 REPLY packet. The user_len indicates the length of the user field, 760 in bytes. 762 data, data_len 764 This field carries information that is specific to the action and the 765 authen_type for this session. Valid uses of this field are described 766 below. It is not a printable text encoding. The data_len indicates 767 the length of the data field, in bytes. 769 flags 771 This holds the bitmapped flags that modify the action to be taken. 772 The following values are defined: 774 TAC_PLUS_CONTINUE_FLAG_ABORT := 0x01 776 5.4. Description of Authentication Process 778 The action, authen_type and authen_service fields (described above) 779 combine to indicate what kind of authentication is to be performed. 780 Every authentication START, REPLY and CONTINUE packet includes a data 781 field. The use of this field is dependent upon the kind of the 782 Authentication. 784 This document defines a core set of authentication flows to be 785 supported by TACACS+. Each authentication flow consists of a START 786 packet. The server responds either with a request for more 787 information (GETDATA, GETUSER or GETPASS) or a termination PASS, 788 FAIL, ERROR or RESTART. The actions and meanings when the server 789 sends a RESTART or ERROR are common and are described further below. 791 When the REPLY status equals TAC_PLUS_AUTHEN_STATUS_GETDATA, 792 TAC_PLUS_AUTHEN_STATUS_GETUSER or TAC_PLUS_AUTHEN_STATUS_GETPASS, 793 then authentication continues and the server SHOULD provide 794 server_msg content for the client to prompt the user for more 795 information. The client MUST then return a CONTINUE packet 796 containing the requested information in the user_msg field. 798 The client should interpret TAC_PLUS_AUTHEN_STATUS_GETUSER as a 799 request for username and TAC_PLUS_AUTHEN_STATUS_GETPASS as a request 800 for password. The TAC_PLUS_AUTHEN_STATUS_GETDATA is the generic 801 request for more information to flexibly support future requirements. 803 If the information being requested by the server form the client is 804 sensitive, then the server should set the TAC_PLUS_REPLY_FLAG_NOECHO 805 flag. When the client queries the user for the information, the 806 response MUST NOT be reflected in the user interface as it is 807 entered. 809 The data field is only used in the REPLY where explicitly defined 810 below. 812 5.4.1. Version Behavior 814 The TACACS+ protocol is versioned to allow revisions while 815 maintaining backwards compatibility. The version number is in every 816 packet header. The changes between minor_version 0 and 1 apply only 817 to the authentication process, and all deal with the way that CHAP 818 and PAP authentications are handled. minor_version 1 may only be used 819 for authentication kinds that explicitly call for it in the table 820 below: 822 LOGIN CHPASS SENDAUTH 823 ASCII v0 v0 - 824 PAP v1 - v1 825 CHAP v1 - v1 826 MS-CHAPv1/2 v1 - v1 828 The '-' symbol represents that the option is not valid. 830 All authorization and accounting and ASCII authentication use 831 minor_version number of 0. 833 PAP, CHAP and MS-CHAP login use minor_version 1. The normal exchange 834 is a single START packet from the client and a single REPLY from the 835 server. 837 The removal of SENDPASS was prompted by security concerns, and is no 838 longer considered part of the TACACS+ protocol. 840 5.4.2. Common Authentication Flows 842 This section describes common authentication flows. If the server 843 does not implement an option, it MUST respond with 844 TAC_PLUS_AUTHEN_STATUS_FAIL. 846 5.4.2.1. ASCII Login 848 action = TAC_PLUS_AUTHEN_LOGIN 849 authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII 850 minor_version = 0x0 852 This is a standard ASCII authentication. The START packet MAY 853 contain the username. If the user does not include the username then 854 the server MUST obtain it from the client with a CONTINUE 855 TAC_PLUS_AUTHEN_STATUS_GETUSER. If the user does not provide a 856 username then the server can send another 857 TAC_PLUS_AUTHEN_STATUS_GETUSER request, but the server MUST limit the 858 number of retries that are permitted, recommended limit is three 859 attempts. When the server has the username, it will obtain the 860 password using a continue with TAC_PLUS_AUTHEN_STATUS_GETPASS. ASCII 861 login uses the user_msg field for both the username and password. 862 The data fields in both the START and CONTINUE packets are not used 863 for ASCII logins, any content MUST be ignored. The session is 864 composed of a single START followed by zero or more pairs of REPLYs 865 and CONTINUEs, followed by a final REPLY indicating PASS, FAIL or 866 ERROR. 868 5.4.2.2. PAP Login 870 action = TAC_PLUS_AUTHEN_LOGIN 871 authen_type = TAC_PLUS_AUTHEN_TYPE_PAP 872 minor_version = 0x1 874 The entire exchange MUST consist of a single START packet and a 875 single REPLY. The START packet MUST contain a username and the data 876 field MUST contain the PAP ASCII password. A PAP authentication only 877 consists of a username and password RFC 1334 [RFC1334] (Obsolete). 878 The REPLY from the server MUST be either a PASS, FAIL or ERROR. 880 5.4.2.3. CHAP login 882 action = TAC_PLUS_AUTHEN_LOGIN 883 authen_type = TAC_PLUS_AUTHEN_TYPE_CHAP 884 minor_version = 0x1 886 The entire exchange MUST consist of a single START packet and a 887 single REPLY. The START packet MUST contain the username in the user 888 field and the data field is a concatenation of the PPP id, the 889 challenge and the response. 891 The length of the challenge value can be determined from the length 892 of the data field minus the length of the id (always 1 octet) and the 893 length of the response field (always 16 octets). 895 To perform the authentication, the server calculates the PPP hash as 896 defined in the PPP Authentication RFC 1334 [RFC1334] and then 897 compares that value with the response. The MD5 algorithm option is 898 always used. The REPLY from the server MUST be a PASS, FAIL or 899 ERROR. 901 The selection of the challenge and its length are not an aspect of 902 the TACACS+ protocol. However, it is strongly recommended that the 903 client/endstation interaction is configured with a secure challenge. 904 The TACACS+ server can help by rejecting authentications where the 905 challenge is below a minimum length (Minimum recommended is 8 bytes). 907 5.4.2.4. MS-CHAP v1 login 909 action = TAC_PLUS_AUTHEN_LOGIN 910 authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAP 911 minor_version = 0x1 913 The entire exchange MUST consist of a single START packet and a 914 single REPLY. The START packet MUST contain the username in the user 915 field and the data field will be a concatenation of the PPP id, the 916 MS-CHAP challenge and the MS-CHAP response. 918 The length of the challenge value can be determined from the length 919 of the data field minus the length of the id (always 1 octet) and the 920 length of the response field (always 49 octets). 922 To perform the authentication, the server will use a combination of 923 MD4 and DES on the user's secret and the challenge, as defined in RFC 924 2433 [RFC2433] and then compare the resulting value with the 925 response. The REPLY from the server MUST be a PASS or FAIL. 927 For best practices, please refer to RFC 2433 [RFC2433]. The TACACS+ 928 server MUST reject authentications where the challenge deviates from 929 8 bytes as defined in the RFC. 931 5.4.2.5. MS-CHAP v2 login 933 action = TAC_PLUS_AUTHEN_LOGIN 934 authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 935 minor_version = 0x1 937 The entire exchange MUST consist of a single START packet and a 938 single REPLY. The START packet MUST contain the username in the user 939 field and the data field will be a concatenation of the PPP id, the 940 MS-CHAP challenge and the MS-CHAP response. 942 The length of the challenge value can be determined from the length 943 of the data field minus the length of the id (always 1 octet) and the 944 length of the response field (always 49 octets). 946 To perform the authentication, the server will use the algorithm 947 specified RFC 2759 [RFC2759] on the user's secret and challenge and 948 then compare the resulting value with the response. The REPLY from 949 the server MUST be a PASS or FAIL. 951 For best practices for MS-CHAP v2, please refer to RFC2759 [RFC2759]. 952 The TACACS+ server MUST reject authentications where the challenge 953 deviates from 16 bytes as defined in the RFC. 955 5.4.2.6. Enable Requests 957 action = TAC_PLUS_AUTHEN_LOGIN 958 priv_lvl = implementation dependent 959 authen_type = not used 960 service = TAC_PLUS_AUTHEN_SVC_ENABLE 962 This is an ENABLE request, used to change the current running 963 privilege level of a user. The exchange MAY consist of multiple 964 messages while the server collects the information it requires in 965 order to allow changing the principal's privilege level. This 966 exchange is very similar to an ASCII login (Section 5.4.2.1). 968 In order to readily distinguish enable requests from other types of 969 request, the value of the authen_service field MUST be set to 970 TAC_PLUS_AUTHEN_SVC_ENABLE when requesting an ENABLE. It MUST NOT be 971 set to this value when requesting any other operation. 973 5.4.2.7. ASCII change password request 975 action = TAC_PLUS_AUTHEN_CHPASS 976 authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII 978 This exchange consists of multiple messages while the server collects 979 the information it requires in order to change the user's password. 980 It is very similar to an ASCII login. The status value 981 TAC_PLUS_AUTHEN_STATUS_GETPASS MUST only be used when requesting the 982 "new" password. It MAY be sent multiple times. When requesting the 983 "old" password, the status value MUST be set to 984 TAC_PLUS_AUTHEN_STATUS_GETDATA. 986 5.4.3. Aborting an Authentication Session 988 The client may prematurely terminate a session by setting the 989 TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this 990 flag is set, the data portion of the message may contain a message 991 explaining the reason for the abort. For details of text encoding, 992 see (Section 3.7). This information will be handled by the server 993 according to the requirements of the deployment. The session is 994 terminated, for more details about session termination, refer to 995 section (Section 4.4). 997 In cases of PASS, FAIL or ERROR, the server can insert a message into 998 server_msg to be displayed to the user. 1000 The Draft `The Draft' [TheDraft] defined a mechanism to direct 1001 authentication requests to an alternative server. This mechanism is 1002 regarded as insecure, is deprecated, and not covered here. The 1003 client should treat TAC_PLUS_AUTHEN_STATUS_FOLLOW as 1004 TAC_PLUS_AUTHEN_STATUS_FAIL 1006 If the status equals TAC_PLUS_AUTHEN_STATUS_ERROR, then the host is 1007 indicating that it is experiencing an unrecoverable error and the 1008 authentication will proceed as if that host could not be contacted. 1009 The data field may contain a message to be printed on an 1010 administrative console or log. 1012 If the status equals TAC_PLUS_AUTHEN_STATUS_RESTART, then the 1013 authentication sequence is restarted with a new START packet from the 1014 client, with new session Id, and seq_no set to 1. This REPLY packet 1015 indicates that the current authen_type value (as specified in the 1016 START packet) is not acceptable for this session. The client may try 1017 an alternative authen_type. 1019 If a client does not implement TAC_PLUS_AUTHEN_STATUS_RESTART option, 1020 then it MUST process the response as if the status was 1021 TAC_PLUS_AUTHEN_STATUS_FAIL. 1023 6. Authorization 1025 In the TACACS+ Protocol, authorization is the action of determining 1026 what a user is allowed to do. Generally, authentication precedes 1027 authorization, though it is not mandatory that a client use the same 1028 service for authentication that it will use for authorization. An 1029 authorization request may indicate that the user is not authenticated 1030 (we don't know who they are). In this case it is up to the server to 1031 determine, according to its configuration, if an unauthenticated user 1032 is allowed the services in question. 1034 Authorization does not merely provide yes or no answers, but it may 1035 also customize the service for the particular user. A common use of 1036 authorization is to provision a shell session when a user first logs 1037 into a device to administer it. The TACACS+ server might respond to 1038 the request by allowing the service, but placing a time restriction 1039 on the login shell. For a list of common arguments used in 1040 authorization, see the Authorization Arguments section (Section 8.2). 1042 In the TACACS+ protocol an authorization is always a single pair of 1043 messages: a REQUEST from the client followed by a REPLY from the 1044 server. 1046 The authorization REQUEST message contains a fixed set of fields that 1047 indicate how the user was authenticated and a variable set of 1048 arguments that describe the services and options for which 1049 authorization is requested. 1051 The REPLY contains a variable set of response arguments (argument- 1052 value pairs) that can restrict or modify the client's actions. 1054 6.1. The Authorization REQUEST Packet Body 1056 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1057 +----------------+----------------+----------------+----------------+ 1058 | authen_method | priv_lvl | authen_type | authen_service | 1059 +----------------+----------------+----------------+----------------+ 1060 | user_len | port_len | rem_addr_len | arg_cnt | 1061 +----------------+----------------+----------------+----------------+ 1062 | arg_1_len | arg_2_len | ... | arg_N_len | 1063 +----------------+----------------+----------------+----------------+ 1064 | user ... 1065 +----------------+----------------+----------------+----------------+ 1066 | port ... 1067 +----------------+----------------+----------------+----------------+ 1068 | rem_addr ... 1069 +----------------+----------------+----------------+----------------+ 1070 | arg_1 ... 1071 +----------------+----------------+----------------+----------------+ 1072 | arg_2 ... 1073 +----------------+----------------+----------------+----------------+ 1074 | ... 1075 +----------------+----------------+----------------+----------------+ 1076 | arg_N ... 1077 +----------------+----------------+----------------+----------------+ 1079 authen_method 1081 This indicates the authentication method used by the client to 1082 acquire the user information. As this information is not always 1083 subject to verification, it is recommended that this field is 1084 ignored. 1086 TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 1088 TAC_PLUS_AUTHEN_METH_NONE := 0x01 1090 TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 1092 TAC_PLUS_AUTHEN_METH_LINE := 0x03 1093 TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 1095 TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 1097 TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 1099 TAC_PLUS_AUTHEN_METH_GUEST := 0x08 1101 TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 1103 TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 1105 TAC_PLUS_AUTHEN_METH_RCMD := 0x20 1107 KRB5 and KRB4 are Kerberos version 5 and 4. LINE refers to a fixed 1108 password associated with the terminal line used to gain access. 1109 LOCAL is a client local user database. ENABLE is a command that 1110 authenticates in order to grant new privileges. TACACSPLUS is, of 1111 course, TACACS+. GUEST is an unqualified guest authentication. 1112 RADIUS is the Radius authentication protocol. RCMD refers to 1113 authentication provided via the R-command protocols from Berkeley 1114 Unix. 1116 priv_lvl 1118 This field is used in the same way as the priv_lvl field in 1119 authentication request and is described in the Privilege Level 1120 section (Section 9) below. It indicates the users current privilege 1121 level. 1123 authen_type 1125 This field corresponds to the authen_type field in the authentication 1126 section (Section 5) above. It indicates the type of authentication 1127 that was performed. If this information is not available, then the 1128 client will set authen_type to: TAC_PLUS_AUTHEN_TYPE_NOT_SET := 0x00. 1129 This value is valid only in authorization and accounting requests. 1131 authen_service 1133 This field is the same as the authen_service field in the 1134 authentication section (Section 5) above. It indicates the service 1135 through which the user authenticated. 1137 user, user_len 1139 This field contains the user's account name. The user_len MUST 1140 indicate the length of the user field, in bytes. 1142 port, port_len 1144 This field matches the port field in the authentication section 1145 (Section 5) above. The port_len indicates the length of the port 1146 field, in bytes. 1148 rem_addr, rem_addr_len 1150 This field matches the rem_addr field in the authentication section 1151 (Section 5) above. The rem_addr_len indicates the length of the port 1152 field, in bytes. 1154 arg_cnt 1156 The number of authorization arguments to follow 1158 arg_1 ... arg_N, arg_1_len .... arg_N_len 1160 The arguments are the primary elements of the authorization 1161 interaction. In the request packet, they describe the specifics of 1162 the authorization that is being requested. Each argument is encoded 1163 in the packet as a single arg field (arg_1... arg_N) with a 1164 corresponding length fields (which indicates the length of each 1165 argument in bytes). 1167 The authorization arguments in both the REQUEST and the REPLY are 1168 argument-value pairs. The argument and the value are in a single 1169 string and are separated by either a "=" (0X3D) or a "*" (0X2A). The 1170 equals sign indicates a mandatory argument. The asterisk indicates 1171 an optional one. For details of text encoding, see (Section 3.7). 1173 An argument name MUST NOT contain either of the separators. An 1174 argument value MAY contain the separators. This means that the 1175 arguments must be parsed until the first separator is encountered, 1176 all characters in the argument, after this separator, are interpreted 1177 as the argument value. 1179 Optional arguments are ones that may be disregarded by either client 1180 or server. Mandatory arguments require that the receiving side can 1181 handle the argument, that is: its implementation and configuration 1182 includes the details of how to act on it. If the client receives a 1183 mandatory argument that it cannot handle, it MUST consider the 1184 authorization to have failed. The value part of an argument-value 1185 pair may be empty, that is: the length of the value may be zero. 1187 Argument-value strings are not NULL terminated, rather their length 1188 value indicates their end. The maximum length of an argument-value 1189 string is 255 characters. The minimum is two characters (one name- 1190 value character and the separator) 1192 Though the arguments allow extensibility, a common core set of 1193 authorization arguments SHOULD be supported by clients and servers, 1194 these are listed in the Authorization Arguments (Section 8.2) section 1195 below. 1197 6.2. The Authorization REPLY Packet Body 1199 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1200 +----------------+----------------+----------------+----------------+ 1201 | status | arg_cnt | server_msg len | 1202 +----------------+----------------+----------------+----------------+ 1203 + data_len | arg_1_len | arg_2_len | 1204 +----------------+----------------+----------------+----------------+ 1205 | ... | arg_N_len | server_msg ... 1206 +----------------+----------------+----------------+----------------+ 1207 | data ... 1208 +----------------+----------------+----------------+----------------+ 1209 | arg_1 ... 1210 +----------------+----------------+----------------+----------------+ 1211 | arg_2 ... 1212 +----------------+----------------+----------------+----------------+ 1213 | ... 1214 +----------------+----------------+----------------+----------------+ 1215 | arg_N ... 1216 +----------------+----------------+----------------+----------------+ 1218 status This field indicates the authorization status 1220 TAC_PLUS_AUTHOR_STATUS_PASS_ADD := 0x01 1222 TAC_PLUS_AUTHOR_STATUS_PASS_REPL := 0x02 1224 TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10 1226 TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11 1228 TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21 1230 server_msg, server_msg_len 1232 This is a string that may be presented to the user. The 1233 server_msg_len indicates the length of the server_msg field, in 1234 bytes. For details of text encoding, see (Section 3.7). 1236 data, data_len 1237 This is a string that may be presented on an administrative display, 1238 console or log. The decision to present this message is client 1239 specific. The data_len indicates the length of the data field, in 1240 bytes. For details of text encoding, see (Section 3.7). 1242 arg_cnt 1244 The number of authorization arguments to follow. 1246 arg_1 ... arg_N, arg_1_len .... arg_N_len 1248 The arguments describe the specifics of the authorization that is 1249 being requested. For details of the content of the args, refer to: 1250 Authorization Arguments (Section 8.2) section below. Each argument 1251 is encoded in the packet as a single arg field (arg_1... arg_N) with 1252 a corresponding length fields (which indicates the length of each 1253 argument in bytes). 1255 If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the requested 1256 authorization MUST be denied. 1258 If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the 1259 arguments specified in the request are authorized and the arguments 1260 in the response MUST be applied according to the rules described 1261 above. 1263 If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the client 1264 MUST use the authorization argument-value pairs (if any) in the 1265 response, instead of the authorization argument-value pairs from the 1266 request. 1268 To approve the authorization with no modifications, the server sets 1269 the status to TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt to 0. 1271 A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred 1272 on the server. For the differences between ERROR and FAIL, refer to 1273 section Session Completion (Section 4.4). None of the arg values 1274 have any relevance if an ERROR is set, and must be ignored. 1276 When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the 1277 arg_cnt MUST be 0. In that case, the actions to be taken and the 1278 contents of the data field are identical to the 1279 TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. 1281 7. Accounting 1283 Accounting is typically the third action after authentication and 1284 authorization. But again, neither authentication nor authorization 1285 is required. Accounting is the action of recording what a user is 1286 doing, and/or has done. Accounting in TACACS+ can serve two 1287 purposes: It may be used as an auditing tool for security services. 1288 It may also be used to account for services used, such as in a 1289 billing environment. To this end, TACACS+ supports three types of 1290 accounting records. Start records indicate that a service is about 1291 to begin. Stop records indicate that a service has just terminated, 1292 and Update records are intermediate notices that indicate that a 1293 service is still being performed. TACACS+ accounting records contain 1294 all the information used in the authorization records, and also 1295 contain accounting specific information such as start and stop times 1296 (when appropriate) and resource usage information. A list of 1297 accounting arguments is defined in the accounting section 1298 (Section 7). 1300 7.1. The Account REQUEST Packet Body 1302 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1303 +----------------+----------------+----------------+----------------+ 1304 | flags | authen_method | priv_lvl | authen_type | 1305 +----------------+----------------+----------------+----------------+ 1306 | authen_service | user_len | port_len | rem_addr_len | 1307 +----------------+----------------+----------------+----------------+ 1308 | arg_cnt | arg_1_len | arg_2_len | ... | 1309 +----------------+----------------+----------------+----------------+ 1310 | arg_N_len | user ... 1311 +----------------+----------------+----------------+----------------+ 1312 | port ... 1313 +----------------+----------------+----------------+----------------+ 1314 | rem_addr ... 1315 +----------------+----------------+----------------+----------------+ 1316 | arg_1 ... 1317 +----------------+----------------+----------------+----------------+ 1318 | arg_2 ... 1319 +----------------+----------------+----------------+----------------+ 1320 | ... 1321 +----------------+----------------+----------------+----------------+ 1322 | arg_N ... 1323 +----------------+----------------+----------------+----------------+ 1325 flags 1327 This holds bitmapped flags. 1329 TAC_PLUS_ACCT_FLAG_START := 0x02 1331 TAC_PLUS_ACCT_FLAG_STOP := 0x04 1333 TAC_PLUS_ACCT_FLAG_WATCHDOG := 0x08 1335 All other fields are defined in the authorization and authentication 1336 sections above and have the same semantics. They provide details for 1337 the conditions on the client, and authentication context, so that 1338 these details may be logged for accounting purposes. 1340 See the Accounting Arguments section (Section 8.3) for the dictionary 1341 of arguments relevant to accounting. 1343 7.2. The Accounting REPLY Packet Body 1345 The purpose of accounting is to record the action that has occurred 1346 on the client. The server MUST reply with success only when the 1347 accounting request has been recorded. If the server did not record 1348 the accounting request then it MUST reply with ERROR. 1350 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1351 +----------------+----------------+----------------+----------------+ 1352 | server_msg len | data_len | 1353 +----------------+----------------+----------------+----------------+ 1354 | status | server_msg ... 1355 +----------------+----------------+----------------+----------------+ 1356 | data ... 1357 +----------------+ 1359 status 1361 This is the return status. Values are: 1363 TAC_PLUS_ACCT_STATUS_SUCCESS := 0x01 1365 TAC_PLUS_ACCT_STATUS_ERROR := 0x02 1367 TAC_PLUS_ACCT_STATUS_FOLLOW := 0x21 1369 server_msg, server_msg_len 1371 This is a string that may be presented to the user. The 1372 server_msg_len indicates the length of the server_msg field, in 1373 bytes. For details of text encoding, see (Section 3.7). 1375 data, data_len 1376 This is a string that may be presented on an administrative display, 1377 console or log. The decision to present this message is client 1378 specific. The data_len indicates the length of the data field, in 1379 bytes. For details of text encoding, see (Section 3.7). 1381 When the status equals TAC_PLUS_ACCT_STATUS_FOLLOW, then the actions 1382 to be taken and the contents of the data field are identical to the 1383 TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. 1385 TACACS+ accounting is intended to record various types of events on 1386 clients, for example: login sessions, command entry, and others as 1387 required by the client implementation. These events are collectively 1388 referred to in `The Draft' [TheDraft] as "tasks". 1390 The TAC_PLUS_ACCT_FLAG_START flag indicates that this is a start 1391 accounting message. Start messages will only be sent once when a 1392 task is started. The TAC_PLUS_ACCT_FLAG_STOP indicates that this is 1393 a stop record and that the task has terminated. The 1394 TAC_PLUS_ACCT_FLAG_WATCHDOG flag means that this is an update record. 1396 Summary of Accounting Packets 1398 +----------+-------+-------+-------------+-------------------------+ 1399 | Watchdog | Stop | Start | Flags & 0xE | Meaning | 1400 +----------+-------+-------+-------------+-------------------------+ 1401 | 0 | 0 | 0 | 0 | INVALID | 1402 | 0 | 0 | 1 | 2 | Start Accounting Record | 1403 | 0 | 1 | 0 | 4 | Stop Accounting Record | 1404 | 0 | 1 | 1 | 6 | INVALID | 1405 | 1 | 0 | 0 | 8 | Watchdog, no update | 1406 | 1 | 0 | 1 | A | Watchdog, with update | 1407 | 1 | 1 | 0 | C | INVALID | 1408 | 1 | 1 | 1 | E | INVALID | 1409 +----------+-------+-------+-------------+-------------------------+ 1411 The START and STOP flags are mutually exclusive. 1413 The WATCHDOG flag is used by the client to communicate ongoing status 1414 of a long-running task. Update records are sent at the client's 1415 discretion. The frequency of the update depends upon the intended 1416 application: A watchdog to provide progress indication will require 1417 higher frequency than a daily keep-alive. When the WATCHDOG flag is 1418 set along with the START flag, it indicates that the update record 1419 provides additional or updated arguments from the original START 1420 record. If the START flag is not set, then this indicates only that 1421 task is still running, and no new information is provided (servers 1422 MUST ignore any arguments). The STOP flag MUST NOT be set in 1423 conjunction with the WATCHDOG flag. 1425 The Server MUST respond with TAC_PLUS_ACCT_STATUS_ERROR if the client 1426 requests an INVALID option. 1428 8. Argument-Value Pairs 1430 TACACS+ is intended to be an extensible protocol. The arguments used 1431 in Authorization and Accounting are not limited by this document. 1432 Some arguments are defined below for common use cases, clients MUST 1433 use these arguments when supporting the corresponding use cases. 1435 8.1. Value Encoding 1437 All argument values are encoded as strings. For details of text 1438 encoding, see (Section 3.7). The following type representations 1439 SHOULD be followed 1441 Numeric 1443 All numeric values in an argument-value string are provided as 1444 decimal numbers, unless otherwise stated. All arguments include a 1445 length field, and TACACS+ implementations MUST verify that they can 1446 accommodate the lengths of numeric arguments before attempting to 1447 process them. If the length cannot be accommodated then the argument 1448 MUST be regarded as not handled and the logic in authorization 1449 section (Section 6.1) regarding the processing of arguments MUST be 1450 applied. 1452 Boolean 1454 All Boolean arguments are encoded with values "true" or "false". 1456 IP-Address 1458 It is recommended that hosts be specified as a IP address so as to 1459 avoid any ambiguities. For details of text encoding, see 1460 (Section 3.7). IPv4 address are specified as octet numerics 1461 separated by dots ('.'), IPv6 address text representation defined in 1462 RFC 5952 [RFC5952]. 1464 Date Time 1466 Absolute date/times are specified in seconds since the epoch, 12:00am 1467 Jan 1 1970. The timezone MUST be UTC unless a timezone argument is 1468 specified. 1470 String 1471 Many values have no specific type representation and so are 1472 interpreted as plain strings. 1474 Empty Values 1476 Arguments may be submitted with no value, in which case they consist 1477 of the name and the mandatory or optional separator. For example, 1478 the argument "cmd" which has no value is transmitted as a string of 1479 four characters "cmd=" 1481 8.2. Authorization Arguments 1483 service (String) 1485 The primary service. Specifying a service argument indicates that 1486 this is a request for authorization or accounting of that service. 1487 For example: "shell", "tty-server", "connection", "system" and 1488 "firewall", others may be chosen for the required application. This 1489 argument MUST always be included. 1491 protocol (String) 1493 the protocol field may be used to indicate a subset of a service. 1495 cmd (String) 1497 a shell (exec) command. This indicates the command name of the 1498 command that is to be run. The "cmd" argument MUST be specified if 1499 service equals "shell". 1501 Authorization of shell commands is a common use-case for the TACACS+ 1502 protocol. Command Authorization generally takes one of two forms: 1503 session-based and command-based. 1505 For session-based shell authorization, the "cmd" argument will have 1506 an empty value. The client determines which commands are allowed in 1507 a session according to the arguments present in the authorization. 1509 In command-based authorization, the client requests that the server 1510 determine whether a command is allowed by making an authorization 1511 request for each command. The "cmd" argument will have the command 1512 name as its value. 1514 cmd-arg (String) 1516 an argument to a shell (exec) command. This indicates an argument 1517 for the shell command that is to be run. Multiple cmd-arg arguments 1518 may be specified, and they are order dependent. 1520 acl (Numeric) 1522 a number representing a connection access list. Applicable only to 1523 session-based shell authorization. For details of text encoding, see 1524 (Section 3.7). 1526 inacl (String) 1528 identifier (name) of an interface input access list. For details of 1529 text encoding, see (Section 3.7). 1531 outacl (String) 1533 identifier (name) of an interface output access list. For details of 1534 text encoding, see (Section 3.7). 1536 addr (IP-Address) 1538 a network address 1540 addr-pool (String) 1542 The identifier of an address pool from which the client can assign an 1543 address. 1545 timeout (Numeric) 1547 an absolute timer for the connection (in minutes). A value of zero 1548 indicates no timeout. 1550 idletime (Numeric) 1552 an idle-timeout for the connection (in minutes). A value of zero 1553 indicates no timeout. 1555 autocmd (String) 1557 an auto-command to run. Applicable only to session-based shell 1558 authorization. 1560 noescape (Boolean) 1562 Prevents user from using an escape character. Applicable only to 1563 session-based shell authorization. 1565 nohangup (Boolean) 1566 Boolean. Do not disconnect after an automatic command. Applicable 1567 only to session-based shell authorization. 1569 priv-lvl (Numeric) 1571 privilege level to be assigned. Please refer to the Privilege Level 1572 section (Section 9) below. 1574 8.3. Accounting Arguments 1576 The following arguments are defined for TACACS+ accounting only. 1577 They MUST precede any argument-value pairs that are defined in the 1578 authorization section (Section 6) above. 1580 task_id (String) 1582 Start and stop records for the same event MUST have matching task_id 1583 argument values. The client MUST ensure that active task_ids are not 1584 duplicated: a client MUST NOT reuse a task_id a start record until it 1585 has sent a stop record for that task_id. Servers MUST NOT make 1586 assumptions about the format of a task_id. 1588 start_time (Date Time) 1590 The time the action started (in seconds since the epoch.). 1592 stop_time (Date Time) 1594 The time the action stopped (in seconds since the epoch.) 1596 elapsed_time (Numeric) 1598 The elapsed time in seconds for the action. 1600 timezone (String) 1602 The timezone abbreviation for all timestamps included in this packet. 1603 A database of timezones is maintained here: TZDB [TZDB]. 1605 event (String) 1607 Used only when "service=system". Current values are "net_acct", 1608 "cmd_acct", "conn_acct", "shell_acct" "sys_acct" and "clock_change". 1609 These indicate system-level changes. The flags field SHOULD indicate 1610 whether the service started or stopped. 1612 reason (String) 1613 Accompanies an event argument. It describes why the event occurred. 1615 bytes (Numeric) 1617 The number of bytes transferred by this action 1619 bytes_in (Numeric) 1621 The number of bytes transferred by this action from the endstation to 1622 the client port 1624 bytes_out (Numeric) 1626 The number of bytes transferred by this action from the client to the 1627 endstation port 1629 paks (Numeric) 1631 The number of packets transferred by this action. 1633 paks_in (Numeric) 1635 The number of input packets transferred by this action from the 1636 endstation to the client port. 1638 paks_out (Numeric) 1640 The number of output packets transferred by this action from the 1641 client port to the endstation. 1643 err_msg (String) 1645 string describing the status of the action. For details of text 1646 encoding, see (Section 3.7). 1648 9. Privilege Levels 1650 The TACACS+ Protocol supports flexible authorization schemes through 1651 the extensible arguments. 1653 One scheme is built into the protocol and has been extensively used 1654 for Session-based shell authorization: Privilege Levels. Privilege 1655 Levels are ordered values from 0 to 15 with each level being a 1656 superset of the next lower value. Configuration and implementation 1657 of the client will map actions (such as the permission to execute of 1658 specific commands) to different privilege levels. The allocation of 1659 commands to privilege levels is highly dependent upon the deployment. 1660 Common allocations are as follows: 1662 TAC_PLUS_PRIV_LVL_MIN := 0x00. The level normally allocated to an 1663 unauthenticated session. 1665 TAC_PLUS_PRIV_LVL_USER := 0x01. The level normally allocated to a 1666 regular authenticated session 1668 TAC_PLUS_PRIV_LVL_ROOT := 0x0f. The level normally allocated to a 1669 session authenticated by a highly privileged user to allow 1670 commands with significant system impact. 1672 TAC_PLUS_PRIV_LVL_MAX := 0x0f. The highest privilege level. 1674 A Privilege level can be assigned to a shell (EXEC) session when it 1675 starts. The client will permit the actions associated with this 1676 level to be executed. This privilege level is returned by the Server 1677 in a session-based shell authorization (when "service" equals "shell" 1678 and "cmd" is empty). When a user required to perform actions that 1679 are mapped to a higher privilege level, then an ENABLE type 1680 reauthentication can be initiated by the client. The client will 1681 insert the required privilege level into the authentication header 1682 for enable authentication request. 1684 The use of Privilege levels to determine session-based access to 1685 commands and resources is not mandatory for clients. Although the 1686 privilege level scheme is widely supported, its lack of flexibility 1687 in requiring a single monotonic hierarchy of permissions means that 1688 other session-based command authorization schemes have evolved, and 1689 so it is no longer mandatory for clients to use it. However, it is 1690 still common enough that it SHOULD be supported by servers. 1692 10. Security Considerations 1694 The original TACACS+ Draft `The Draft' [TheDraft] from 1998 did not 1695 address all of the key security concerns which are considered when 1696 designing modern standards. This section addresses known limitations 1697 and concerns which will impact overall security of the protocol and 1698 systems where this protocol is deployed to manage central 1699 authentication, authorization or accounting for network device 1700 administration. 1702 Multiple implementations of the protocol described in the original 1703 TACACS+ Draft `The Draft' [TheDraft] have been deployed. As the 1704 protocol was never standardized, current implementations may be 1705 incompatible in non-obvious ways, giving rise to additional security 1706 risks. This section does not claim to enumerate all possible 1707 security vulnerabilities. 1709 10.1. General Security of the Protocol 1711 TACACS+ protocol does not include a security mechanism that would 1712 meet modern-day requirements. These security mechanisms would be 1713 best referred to as "obfuscation" and not "encryption" since they 1714 provide no meaningful integrity, privacy or replay protection. An 1715 attacker with access to the data stream should be assumed to be able 1716 to read and modify all TACACS+ packets. Without mitigation, a range 1717 of risks such as the following are possible: 1719 Accounting information may be modified by the man-in-the-middle 1720 attacker, making such logs unsuitable and not trustable for 1721 auditing purposes. 1723 Invalid or misleading values may be inserted by the man-in-the- 1724 middle attacker in various fields at known offsets to try and 1725 circumvent the authentication or authorization checks even inside 1726 the obfuscated body. 1728 While the protocol provides some measure of transport privacy, it is 1729 vulnerable to at least the following attacks: 1731 Brute force attacks exploiting increased efficiency of MD5 digest 1732 computation. 1734 Known plaintext attacks which may decrease the cost of brute force 1735 attack. 1737 Chosen plaintext attacks which may decrease the cost of a brute 1738 force attack. 1740 No forward secrecy. 1742 Even though, to the best knowledge of authors, this method of 1743 encryption wasn't rigorously tested, enough information is available 1744 that it is best referred to as "obfuscation" and not "encryption". 1746 For these reasons, users deploying TACACS+ protocol in their 1747 environments MUST limit access to known clients and MUST control the 1748 security of the entire transmission path. Attackers who can guess 1749 the key or otherwise break the obfuscation will gain unrestricted and 1750 undetected access to all TACACS+ traffic. Ensuring that a 1751 centralized AAA system like TACACS+ is deployed on a secured 1752 transport is essential to managing the security risk of such an 1753 attack. 1755 The following parts of this section enumerate only the session- 1756 specific risks which are in addition to general risk associated with 1757 bare obfuscation and lack of integrity checking. 1759 10.2. Security of Authentication Sessions 1761 Authentication sessions SHOULD be used via a secure transport (see 1762 Best Practices section (Section 10.5)) as the man-in-the-middle 1763 attack may completely subvert them. Even CHAP, which may be 1764 considered resistant to password interception, is unsafe as it does 1765 not protect the username from a trivial man-in-the-middle attack. 1767 This document deprecates the redirection mechanism using the 1768 TAC_PLUS_AUTHEN_STATUS_FOLLOW option which was included in the 1769 original draft. As part of this process, the secret key for a new 1770 server was sent to the client. This public exchange of secret keys 1771 means that once one session is broken, it may be possible to leverage 1772 that key to attacking connections to other servers. This mechanism 1773 MUST NOT be used in modern deployments. It MUST NOT be used outside 1774 a secured deployment. 1776 10.3. Security of Authorization Sessions 1778 Authorization sessions SHOULD be used via a secure transport (see 1779 Best Practices section (Section 10.5)) as it's trivial to execute a 1780 successful man-in-the-middle attacks that changes well-known 1781 plaintext in either requests or responses. 1783 As an example, take the field "authen_method". It's not unusual in 1784 actual deployments to authorize all commands received via the device 1785 local serial port (a console port) as that one is usually considered 1786 secure by virtue of the device located in a physically secure 1787 location. If an administrator would configure the authorization 1788 system to allow all commands entered by the user on a local console 1789 to aid in troubleshooting, that would give all access to all commands 1790 to any attacker that would be able to change the "authen_method" from 1791 TAC_PLUS_AUTHEN_METH_TACACSPLUS to TAC_PLUS_AUTHEN_METH_LINE. In 1792 this regard, the obfuscation provided by the protocol itself wouldn't 1793 help much, because: 1795 Lack of integrity means that any byte in the payload may be 1796 changed without either side detecting the change. 1798 Known plaintext means that an attacker would know with certainty 1799 which octet is the target of the attack (in this case, 1st octet 1800 after the header). 1802 In combination with known plaintext, the attacker can determine 1803 with certainty the value of the crypto-pad octet used to obfuscate 1804 the original octet. 1806 10.4. Security of Accounting Sessions 1808 Accounting sessions SHOULD be used via a secure transport (see Best 1809 Practices section (Section 10.5). Although Accounting sessions are 1810 not directly involved in authentication or authorizing operations on 1811 the device, man-in-the-middle attacker may do any of the following: 1813 Replace accounting data with new valid or garbage which can 1814 confuse auditors or hide information related to their 1815 authentication and/or authorization attack attempts. 1817 Try and poison accounting log with entries designed to make 1818 systems behave in unintended ways (which includes TACACS+ server 1819 and any other systems that would manage accounting entries). 1821 In addition to these direct manipulations, different client 1822 implementations pass different fidelity of accounting data. Some 1823 vendors have been observed in the wild that pass sensitive data like 1824 passwords, encryption keys and similar as part of the accounting log. 1825 Due to lack of strong encryption with perfect forward secrecy, this 1826 data may be revealed in future, leading to a security incident. 1828 10.5. TACACS+ Best Practices 1830 With respect to the observations about the security issues described 1831 above, a network administrator MUST NOT rely on the obfuscation of 1832 the TACACS+ protocol. TACACS+ MUST be used within a secure 1833 deployment: TACACS+ MUST be deployed over networks which ensure 1834 privacy and integrity of the communication, and MUST be deployed over 1835 a network which is separated from other traffic. Failure to do so 1836 will impact overall network security. 1838 The following recommendations impose restrictions on how the protocol 1839 is applied. These restrictions were not imposed in the original 1840 draft. New implementations, and upgrades of current implementations, 1841 MUST implement these recommendations. Vendors SHOULD provide 1842 mechanisms to assist the administrator to achieve these best 1843 practices. 1845 10.5.1. Shared Secrets 1847 TACACS+ servers and clients MUST treat shared secrets as sensitive 1848 data to be managed securely, as would be expected for other sensitive 1849 data such as identity credential information. TACACS+ servers MUST 1850 NOT leak sensitive data. For example, TACACS+ servers MUST NOT 1851 expose shared secrets in logs. 1853 TACACS+ servers MUST allow a dedicated secret key to be defined for 1854 each client. 1856 TACACS+ server management systems MUST provide a mechanism to track 1857 secret key lifetimes and notify administrators to update them 1858 periodically. TACACS+ server administrators SHOULD change secret 1859 keys at regular intervals. 1861 TACACS+ servers SHOULD warn administrators if secret keys are not 1862 unique per client. 1864 TACACS+ server administrators SHOULD always define a secret for each 1865 client. 1867 TACACS+ servers and clients MUST support shared keys that are at 1868 least 32 characters long. 1870 TACACS+ servers MUST support policy to define minimum complexity for 1871 shared keys. 1873 TACACS+ clients SHOULD NOT allow servers to be configured without 1874 shared secret key, or shared key that is less than 16 characters 1875 long. 1877 TACACS+ server administrators SHOULD configure secret keys of minimum 1878 16 characters length. 1880 10.5.2. Connections and Obfuscation 1882 TACACS+ servers MUST allow the definition of individual clients. The 1883 servers MUST only accept network connection attempts from these 1884 defined, known clients. 1886 TACACS+ servers MUST reject connections with 1887 TAC_PLUS_UNENCRYPTED_FLAG set, when there is a shared secret set on 1888 the server for the client requesting the connection. 1890 If an invalid shared secret is detected when processing packets for a 1891 client, TACACS+ servers MUST NOT accept any new sessions on that 1892 connection. TACACS+ servers MUST terminate the connection on 1893 completion of any sessions that were previously established with a 1894 valid shared secret on that connection. 1896 TACACS+ clients MUST NOT set TAC_PLUS_UNENCRYPTED_FLAG when a secret 1897 is defined. Clients MUST be implemented in a way that requires 1898 explicit configuration to enable the use of 1899 TAC_PLUS_UNENCRYPTED_FLAG. 1901 When a TACACS+ client receives responses from servers where: 1903 the response packet was received from the server configured with 1904 shared key, but the packet has TAC_PLUS_UNENCRYPTED_FLAG set. 1906 the response packet was received from the server configured not to 1907 use obfuscation, but the packet has TAC_PLUS_UNENCRYPTED_FLAG not 1908 set. 1910 then the TACACS+ client MUST close TCP session, and process the 1911 response in the same way that a TAC_PLUS_AUTHEN_STATUS_FAIL 1912 (authentication sessions) or TAC_PLUS_AUTHOR_STATUS_FAIL 1913 (authorization sessions) was received. 1915 10.5.3. Authentication 1917 To help TACACS+ administrators select less weak authentication 1918 options, TACACS+ servers MUST allow the administrator to configure 1919 the server to only accept challenge/response options for 1920 authentication (TAC_PLUS_AUTHEN_TYPE_CHAP or 1921 TAC_PLUS_AUTHEN_TYPE_MSCHAP or TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 for 1922 authen_type). 1924 TACACS+ server administrators SHOULD enable the option mentioned in 1925 the previous paragraph. TACACS+ Server deployments SHOULD ONLY 1926 enable other options (such as TAC_PLUS_AUTHEN_TYPE_ASCII or 1927 TAC_PLUS_AUTHEN_TYPE_PAP) when unavoidable due to requirements of 1928 identity/password systems. 1930 TACACS+ server administrators SHOULD NOT allow the same credentials 1931 to be applied in challenge-based (TAC_PLUS_AUTHEN_TYPE_CHAP or 1932 TAC_PLUS_AUTHEN_TYPE_MSCHAP or TAC_PLUS_AUTHEN_TYPE_MSCHAPV2) and non 1933 challenge-based authen_type options as the insecurity of the latter 1934 will compromise the security of the former. 1936 TAC_PLUS_AUTHEN_SENDAUTH and TAC_PLUS_AUTHEN_SENDPASS options 1937 mentioned in the original draft SHOULD NOT be used, due to their 1938 security implications. TACACS+ servers SHOULD NOT implement them. 1939 If they must be implemented, the servers MUST default to the options 1940 being disabled and MUST warn the administrator that these options are 1941 not secure. 1943 10.5.4. Authorization 1945 The authorization and accounting features are intended to provide 1946 extensibility and flexibility. There is a base dictionary defined in 1947 this document, but it may be extended in deployments by using new 1948 argument names. The cost of the flexibility is that administrators 1949 and implementors MUST ensure that the argument and value pairs shared 1950 between the clients and servers have consistent interpretation. 1952 TACACS+ clients that receive an unrecognized mandatory argument MUST 1953 evaluate server response as if they received 1954 TAC_PLUS_AUTHOR_STATUS_FAIL. 1956 10.5.5. Redirection Mechanism 1958 The original draft described a redirection mechanism 1959 (TAC_PLUS_AUTHEN_STATUS_FOLLOW). This feature is difficult to 1960 secure. The option to send secret keys in the server list is 1961 particularly insecure, as it can reveal client shared secrets. 1963 TACACS+ servers MUST deprecate the redirection mechanism. 1965 If the redirection mechanism is implemented then TACACS+ servers MUST 1966 disable it by default, and MUST warn TACACS+ server administrators 1967 that it must only be enabled within a secure deployment due to the 1968 risks of revealing shared secrets. 1970 TACACS+ clients SHOULD deprecate this feature by treating 1971 TAC_PLUS_AUTHEN_STATUS_FOLLOW as TAC_PLUS_AUTHEN_STATUS_FAIL. 1973 11. IANA Considerations 1975 This informational document describes TACACS+ protocol and its common 1976 deployments. There is no further consideration required from IANA. 1978 12. Acknowledgements 1980 The authors would like to thank the following reviewers whose 1981 comments and contributions made considerable improvements to the 1982 document: Alan DeKok, Alexander Clouter, Chris Janicki, Tom Petch, 1983 Robert Drake, John Heasley, among many others. 1985 The authors would particularly like to thank Alan DeKok, who provided 1986 significant insights and recommendations on all aspects of the 1987 document and the protocol. Alan DeKok has dedicated considerable 1988 time and effort to help improve the document, identifying weaknesses 1989 and providing remediation. 1991 The authors would also like to thank the support from the OPSAWG 1992 Chairs and advisors, especially Joe Clarke. 1994 13. References 1996 13.1. Normative References 1998 [RFC0020] Cerf, V., "ASCII format for network interchange", STD 80, 1999 RFC 20, DOI 10.17487/RFC0020, October 1969, 2000 . 2002 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 2003 April 1992. 2005 [RFC1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols", 2006 RFC 1334, DOI 10.17487/RFC1334, October 1992, 2007 . 2009 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2010 Requirement Levels", BCP 14, RFC 2119, 2011 DOI 10.17487/RFC2119, March 1997, 2012 . 2014 [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", 2015 RFC 2433, DOI 10.17487/RFC2433, October 1998, 2016 . 2018 [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", 2019 RFC 2759, DOI 10.17487/RFC2759, January 2000, 2020 . 2022 [RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller, 2023 "Randomness Requirements for Security", RFC 4086, 2024 DOI 10.17487/RFC4086, June 2005, 2025 . 2027 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 2028 Address Text Representation", RFC 5952, 2029 DOI 10.17487/RFC5952, August 2010, 2030 . 2032 [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, 2033 Enforcement, and Comparison of Internationalized Strings 2034 Representing Usernames and Passwords", RFC 8265, 2035 DOI 10.17487/RFC8265, October 2017, 2036 . 2038 13.2. Informative References 2040 [TheDraft] 2041 Carrel, D. and L. Grant, "The TACACS+ Protocol Version 2042 1.78", June 1997, 2043 . 2045 [TZDB] Eggert, P. and A. Olson, "Sources for Time Zone and 2046 Daylight Saving Time Data", 1987, 2047 . 2049 Authors' Addresses 2051 Thorsten Dahm 2052 Google Inc 2053 1600 Amphitheatre Parkway 2054 Mountain View, CA 94043 2055 US 2057 EMail: thorstendlux@google.com 2059 Andrej Ota 2060 Google Inc 2061 1600 Amphitheatre Parkway 2062 Mountain View, CA 94043 2063 US 2065 EMail: andrej@ota.si 2067 Douglas C. Medway Gash 2068 Cisco Systems, Inc. 2069 170 West Tasman Dr. 2070 San Jose, CA 95134 2071 US 2073 EMail: dcmgash@cisco.com 2075 David Carrel 2076 vIPtela, Inc. 2077 1732 North First St. 2078 San Jose, CA 95112 2079 US 2081 EMail: dcarrel@viptela.com 2082 Lol Grant 2084 EMail: lol.grant@gmail.com