idnits 2.17.1 draft-ietf-opsawg-tacacs-18.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 20, 2020) is 1498 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'RFC8174' is mentioned on line 184, but not defined ** Obsolete normative reference: RFC 1334 (Obsoleted by RFC 1994) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Operations T. Dahm 3 Internet-Draft A. Ota 4 Intended status: Informational Google Inc 5 Expires: September 21, 2020 D. Medway Gash 6 Cisco Systems, Inc. 7 D. Carrel 8 vIPtela, Inc. 9 L. Grant 10 March 20, 2020 12 The TACACS+ Protocol 13 draft-ietf-opsawg-tacacs-18 15 Abstract 17 This document describes the Terminal Access Controller Access-Control 18 System Plus (TACACS+) protocol which is widely deployed today to 19 provide Device Administration for routers, network access servers and 20 other networked computing devices via one or more centralized 21 servers. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on September 21, 2020. 40 Copyright Notice 42 Copyright (c) 2020 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 This document may contain material from IETF Documents or IETF 56 Contributions published or made publicly available before November 57 10, 2008. The person(s) controlling the copyright in some of this 58 material may not have granted the IETF Trust the right to allow 59 modifications of such material outside the IETF Standards Process. 60 Without obtaining an adequate license from the person(s) controlling 61 the copyright in such materials, this document may not be modified 62 outside the IETF Standards Process, and derivative works of it may 63 not be created outside the IETF Standards Process, except to format 64 it for publication as an RFC or to translate it into languages other 65 than English. 67 Table of Contents 69 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 70 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 71 3. Technical Definitions . . . . . . . . . . . . . . . . . . . . 4 72 3.1. Client . . . . . . . . . . . . . . . . . . . . . . . . . 5 73 3.2. Server . . . . . . . . . . . . . . . . . . . . . . . . . 5 74 3.3. Packet . . . . . . . . . . . . . . . . . . . . . . . . . 5 75 3.4. Connection . . . . . . . . . . . . . . . . . . . . . . . 5 76 3.5. Session . . . . . . . . . . . . . . . . . . . . . . . . . 5 77 3.6. Treatment of Enumerated Protocol Values . . . . . . . . . 5 78 3.7. Treatment of Text Strings . . . . . . . . . . . . . . . . 6 79 4. TACACS+ Packets and Sessions . . . . . . . . . . . . . . . . 6 80 4.1. The TACACS+ Packet Header . . . . . . . . . . . . . . . . 6 81 4.2. The TACACS+ Packet Body . . . . . . . . . . . . . . . . . 8 82 4.3. Single Connection Mode . . . . . . . . . . . . . . . . . 8 83 4.4. Session Completion . . . . . . . . . . . . . . . . . . . 9 84 4.5. Data Obfuscation . . . . . . . . . . . . . . . . . . . . 11 85 5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 12 86 5.1. The Authentication START Packet Body . . . . . . . . . . 13 87 5.2. The Authentication REPLY Packet Body . . . . . . . . . . 15 88 5.3. The Authentication CONTINUE Packet Body . . . . . . . . . 17 89 5.4. Description of Authentication Process . . . . . . . . . . 17 90 5.4.1. Version Behavior . . . . . . . . . . . . . . . . . . 18 91 5.4.2. Common Authentication Flows . . . . . . . . . . . . . 19 92 5.4.3. Aborting an Authentication Session . . . . . . . . . 22 93 6. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 23 94 6.1. The Authorization REQUEST Packet Body . . . . . . . . . . 23 95 6.2. The Authorization REPLY Packet Body . . . . . . . . . . . 27 96 7. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 29 97 7.1. The Account REQUEST Packet Body . . . . . . . . . . . . . 29 98 7.2. The Accounting REPLY Packet Body . . . . . . . . . . . . 30 99 8. Argument-Value Pairs . . . . . . . . . . . . . . . . . . . . 32 100 8.1. Value Encoding . . . . . . . . . . . . . . . . . . . . . 32 101 8.2. Authorization Arguments . . . . . . . . . . . . . . . . . 33 102 8.3. Accounting Arguments . . . . . . . . . . . . . . . . . . 35 103 9. Privilege Levels . . . . . . . . . . . . . . . . . . . . . . 36 104 10. Security Considerations . . . . . . . . . . . . . . . . . . . 37 105 10.1. General Security of the Protocol . . . . . . . . . . . . 38 106 10.2. Security of Authentication Sessions . . . . . . . . . . 39 107 10.3. Security of Authorization Sessions . . . . . . . . . . . 39 108 10.4. Security of Accounting Sessions . . . . . . . . . . . . 40 109 10.5. TACACS+ Best Practices . . . . . . . . . . . . . . . . . 40 110 10.5.1. Shared Secrets . . . . . . . . . . . . . . . . . . . 40 111 10.5.2. Connections and Obfuscation . . . . . . . . . . . . 41 112 10.5.3. Authentication . . . . . . . . . . . . . . . . . . . 42 113 10.5.4. Authorization . . . . . . . . . . . . . . . . . . . 43 114 10.5.5. Redirection Mechanism . . . . . . . . . . . . . . . 43 115 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 116 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 43 117 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 118 13.1. Normative References . . . . . . . . . . . . . . . . . . 44 119 13.2. Informative References . . . . . . . . . . . . . . . . . 45 120 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 122 1. Introduction 124 This document describes the Terminal Access Controller Access-Control 125 System Plus (TACACS+) protocol. It was conceived initially as a 126 general Authentication, Authorization and Accounting (AAA) protocol. 127 It is widely deployed today but is mainly confined for a specific 128 subset of AAA: Device Administration, that is: authenticating access 129 to network devices, providing central authorization of operations, 130 and audit of those operations. 132 A wide range of TACACS+ clients and servers are already deployed in 133 the field. The TACACS+ protocol they are based on is defined in a 134 draft document that was originally intended for IETF publication, but 135 was never standardized. The draft document is known as `The Draft' 136 [TheDraft]. 138 This Draft was a product of its time, and did not address all of the 139 key security concerns which are considered when designing modern 140 standards. Deployment must therefore be executed with care. These 141 concerns are addressed in the security section (Section 10). 143 The primary intent of this informational document is to clarify the 144 subset of `The Draft' which is common to implementations supporting 145 Device Administration. It is intended that all implementations which 146 conform to this document will conform to `The Draft'. However, it is 147 not intended that all implementations which conform to 'The Draft' 148 will conform to this document. The following features from `The 149 Draft' have been removed: 151 This document officially removes SENDPASS for security reasons. 153 The normative description of Legacy features such as ARAP and 154 outbound authentication has been removed. 156 The Support for forwarding to an alternative daemon 157 (TAC_PLUS_AUTHEN_STATUS_FOLLOW) has been deprecated. 159 The TACACS+ protocol allows for arbitrary length and content 160 authentication exchanges, to support alternative authentication 161 mechanisms. It is extensible to provide for site customization and 162 future development features, and it uses TCP to ensure reliable 163 delivery. The protocol allows the TACACS+ client to request fine- 164 grained access control and allows the server to respond to each 165 component of that request. 167 The separation of authentication, authorization and accounting is a 168 key element of the design of TACACS+ protocol. Essentially it makes 169 TACACS+ a suite of three protocols. This document will address each 170 one in separate sections. Although TACACS+ defines all three, an 171 implementation or deployment is not required to employ all three. 172 Separating the elements is useful for Device Administration use case, 173 specifically, for authorization of individual commands in a session. 174 Note that there is no provision made at the protocol level for 175 association of an authentication to authorization requests. 177 2. Conventions 179 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 180 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 181 "OPTIONAL" in this document are to be interpreted as described in BCP 182 14 [RFC2119] [RFC8174] when, and only when, they appear in all 183 capitals, as shown here. 185 3. Technical Definitions 187 This section provides a few basic definitions that are applicable to 188 this document 190 3.1. Client 192 The client is any device which initiates TACACS+ protocol requests to 193 mediate access, mainly for the Device Administration use case. 195 3.2. Server 197 The server receives TACACS+ protocol requests, and replies according 198 to its business model, in accordance with the flows defined in this 199 document. 201 3.3. Packet 203 All uses of the word packet in this document refer to TACACS+ 204 protocol data units unless explicitly noted otherwise. The informal 205 term "Packet" has become an established part of the definition. 207 3.4. Connection 209 TACACS+ uses TCP for its transport. TCP Server port 49 is allocated 210 by IANA for TACACS+ traffic. 212 3.5. Session 214 The concept of a session is used throughout this document. A TACACS+ 215 session is a single authentication sequence, a single authorization 216 exchange, or a single accounting exchange. 218 An accounting and authorization session will consist of a single pair 219 of packets (the request and its reply). An authentication session 220 may involve an arbitrary number of packets being exchanged. The 221 session is an operational concept that is maintained between the 222 TACACS+ client and server. It does not necessarily correspond to a 223 given user or user action. 225 3.6. Treatment of Enumerated Protocol Values 227 This document describes various enumerated values in the packet 228 header and the headers for specific packet types. For example, in 229 the Authentication start packet type, this document defines the 230 action field with three values TAC_PLUS_AUTHEN_LOGIN, 231 TAC_PLUS_AUTHEN_CHPASS and TAC_PLUS_AUTHEN_SENDAUTH. 233 If the server does not implement one of the defined options in a 234 packet that it receives, or it encounters an option that is not 235 listed in this document for a header field, then it should respond 236 with an ERROR and terminate the session. This will allow the client 237 to try a different option. 239 If an error occurs but the type of the incoming packet cannot be 240 determined, a packet with the identical cleartext header but with a 241 sequence number incremented by one and the length set to zero MUST be 242 returned to indicate an error. 244 3.7. Treatment of Text Strings 246 The TACACS+ protocol makes extensive use of text strings. The 247 original draft intended that these strings would be treated as byte 248 arrays where each byte would represent a US-ASCII character. 250 More recently, server implementations have been extended to interwork 251 with external identity services, and so a more nuanced approach is 252 needed. Usernames MUST be encoded and handled using the 253 UsernameCasePreserved Profile specified in RFC 8265 [RFC8265]. The 254 security considerations in Section 8 of that RFC apply. 256 Where specifically mentioned, data fields contain arrays of arbitrary 257 bytes as required for protocol processing. These are not intended to 258 be made visible through user interface to users. 260 All other text fields in TACACS+ MUST be treated as printable byte 261 arrays of US-ASCII as defined by RFC 20 [RFC0020]. The term 262 "printable" used here means the fields MUST exclude the "Control 263 Characters" defined in section 5.2 of RFC 20 [RFC0020]. 265 4. TACACS+ Packets and Sessions 267 4.1. The TACACS+ Packet Header 269 All TACACS+ packets begin with the following 12-byte header. The 270 header describes the remainder of the packet: 272 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 273 +----------------+----------------+----------------+----------------+ 274 |major | minor | | | | 275 |version| version| type | seq_no | flags | 276 +----------------+----------------+----------------+----------------+ 277 | | 278 | session_id | 279 +----------------+----------------+----------------+----------------+ 280 | | 281 | length | 282 +----------------+----------------+----------------+----------------+ 284 The following general rules apply to all TACACS+ packet types: 286 - To signal that any variable length data fields are unused, the 287 corresponding length values are set to zero. Such fields MUST be 288 ignored, and treated as if not present. 290 - the lengths of data and message fields in a packet are specified 291 by their corresponding length fields, (and are not null 292 terminated.) 294 - All length values are unsigned and in network byte order. 296 major_version 298 This is the major TACACS+ version number. 300 TAC_PLUS_MAJOR_VER := 0xc 302 minor_version 304 The minor TACACS+ version number. 306 TAC_PLUS_MINOR_VER_DEFAULT := 0x0 308 TAC_PLUS_MINOR_VER_ONE := 0x1 310 type 312 This is the packet type. Options are: 314 TAC_PLUS_AUTHEN := 0x01 (Authentication) 316 TAC_PLUS_AUTHOR := 0x02 (Authorization) 318 TAC_PLUS_ACCT := 0x03 (Accounting) 320 seq_no 322 This is the sequence number of the current packet. The first packet 323 in a session MUST have the sequence number 1 and each subsequent 324 packet will increment the sequence number by one. TACACS+ Clients 325 only send packets containing odd sequence numbers, and TACACS+ 326 servers only send packets containing even sequence numbers. 328 The sequence number must never wrap i.e. if the sequence number 2^8-1 329 is ever reached, that session must terminate and be restarted with a 330 sequence number of 1. 332 flags 333 This field contains various bitmapped flags. 335 The flag bit: 337 TAC_PLUS_UNENCRYPTED_FLAG := 0x01 339 This flag indicates that the sender did not obfuscate the body of the 340 packet. This option MUST NOT be used in production. The application 341 of this flag will be covered in the security section (Section 10). 343 This flag SHOULD be clear in all deployments. Modern network traffic 344 tools support encrypted traffic when configured with the shared 345 secret (see section below), so obfuscated mode can and SHOULD be used 346 even during test. 348 The single-connection flag: 350 TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04 352 This flag is used to allow a client and server to negotiate Single 353 Connection Mode (Section 4.3). 355 All other bits MUST be ignored when reading, and SHOULD be set to 356 zero when writing. 358 session_id 360 The Id for this TACACS+ session. This field does not change for the 361 duration of the TACACS+ session. This number MUST be generated by a 362 cryptographically strong random number generation method. Failure to 363 do so will compromise security of the session. For more details 364 refer to RFC 4086 [RFC4086]. 366 length 368 The total length of the packet body (not including the header). 370 4.2. The TACACS+ Packet Body 372 The TACACS+ body types are defined in the packet header. The next 373 sections of this document will address the contents of the different 374 TACACS+ bodies. 376 4.3. Single Connection Mode 378 Single Connection Mode is intended to improve performance where there 379 is a lot of traffic between a client and a server by allowing the 380 client to multiplex multiple session on a single TCP connection. 382 The packet header contains the TAC_PLUS_SINGLE_CONNECT_FLAG used by 383 the client and server to negotiate the use of Single Connect Mode. 385 The client sets this flag, to indicate that it supports multiplexing 386 TACACS+ sessions over a single TCP connection. The client MUST NOT 387 send a second packet on a connection until single-connect status has 388 been established. 390 To indicate it will support Single Connection Mode, the server sets 391 this flag in the first reply packet in response to the first request 392 from a client. The server may set this flag even if the client does 393 not set it, but the client may ignore the flag and close the 394 connection after the session completes. 396 The flag is only relevant for the first two packets on a connection, 397 to allow the client and server to establish Single Connection Mode. 398 No provision is made for changing Single Connection Mode after the 399 first two packets: the client and server MUST ignore the flag after 400 the second packet on a connection. 402 If single Connection Mode has not been established in the first two 403 packets of a TCP connection, then both the client and the server 404 close the connection at the end of the first session. 406 The client negotiates Single Connection Mode to improve efficiency. 407 The server may refuse to allow Single Connection Mode for the client. 408 For example, it may not be appropriate to allocate a long-lasting TCP 409 connection to a specific client in some deployments. Even if the 410 server is configured to permit single Connection Mode for a specific 411 client, the server may close the connection. For example: a server 412 MUST be configured to time out a Single Connection Mode TCP 413 Connection after a specific period of inactivity to preserve its 414 resources. The client MUST accommodate such closures on a TCP 415 session even after Single Connection Mode has been established. 417 The TCP connection underlying the Single Connection Mode will close 418 eventually, either because of the timeout from the server or from an 419 intermediate link. If a session is in progress when the client 420 detects disconnect then the client should handle it as described in 421 Section 4.4. If a session is not in progress, then the client will 422 need to detect this, and restart the single connection mode when the 423 it initiates the next session. 425 4.4. Session Completion 427 The REPLY packets defined for the packets types in the sections below 428 (Authentication, Authorization and Accounting) contain a status 429 field. The complete set of options for this field depend upon the 430 packet type, but all three REPLY packet types define values 431 representing PASS, ERROR and FAIL, which indicate the last packet of 432 a regular session (one which is not aborted). 434 The server responds with a PASS or a FAIL to indicate that the 435 processing of the request completed and the client can apply the 436 result (PASS or FAIL) to control the execution of the action which 437 prompted the request to be sent to the server. 439 The server responds with an ERROR to indicate that the processing of 440 the request did not complete. The client cannot apply the result and 441 it MUST behave as if the server could not be connected to. For 442 example, the client tries alternative methods, if they are available, 443 such as sending the request to a backup server, or using local 444 configuration to determine whether the action which prompted the 445 request should be executed. 447 Refer to Section 5.4.3 on Aborting Authentication Sessions for 448 details on handling additional status options. 450 When the session is complete, then the TCP connection should be 451 handled as follows, according to whether Single Connection Mode was 452 negotiated: 454 If Single Connection Mode was not negotiated, then the connection 455 should be closed 457 If Single Connection Mode was enabled, then the connection SHOULD be 458 left open (see Section 4.3), but may still be closed after a timeout 459 period to preserve deployment resources. 461 If Single Connection Mode was enabled, but an ERROR occurred due to 462 connection issues (such as an incorrect secret, see Section 4.5), 463 then any further new sessions MUST NOT be accepted on the connection. 464 If there are any sessions that have already been established then 465 they MAY be completed. Once all active sessions are completed then 466 the connection MUST be closed. 468 It is recommended that client implementations provide robust schemes 469 for dealing with servers which cannot be connected to. Options 470 include providing a list of servers for redundancy, and an option for 471 a local fallback configuration if no servers can be reached. Details 472 will be implementation specific. 474 The client should manage connections and handle the case of a server 475 which establishes a connection, but does not respond. The exact 476 behavior is implementation specific. It is recommended that the 477 client should close the connection after a configurable timeout. 479 4.5. Data Obfuscation 481 The body of packets may be obfuscated. The following sections 482 describe the obfuscation method that is supported in the protocol. 483 In 'The Draft' this process was actually referred to as Encryption, 484 but the algorithm would not meet modern standards, and so will not be 485 termed as encryption in this document. 487 The obfuscation mechanism relies on a secret key, a shared secret 488 value that is known to both the client and the server. The secret 489 keys MUST remain secret. 491 Server implementations MUST allow a unique secret key to be 492 associated with each client. It is a site-dependent decision as to 493 whether the use of separate keys is appropriate. 495 The flag field MUST be configured with the following bit as follows: 497 TAC_PLUS_UNENCRYPTED_FLAG = 0x0 499 So that the packet body is obfuscated by XOR-ing it byte-wise with a 500 pseudo-random pad. 502 ENCRYPTED {data} = data ^ pseudo_pad 504 The packet body can then be de-obfuscated by XOR-ing it byte-wise 505 with a pseudo random pad. 507 data = ENCRYPTED {data} ^ pseudo_pad 509 The pad is generated by concatenating a series of MD5 hashes (each 16 510 bytes long) and truncating it to the length of the input data. 512 Whenever used in this document, MD5 refers to the "RSA Data Security, 513 Inc. MD5 Message-Digest Algorithm" as specified in RFC 1321 514 [RFC1321]. 516 pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]} truncated to len(data) 518 The first MD5 hash is generated by concatenating the session_id, the 519 secret key, the version number and the sequence number and then 520 running MD5 over that stream. All of those input values are 521 available in the packet header, except for the secret key which is a 522 shared secret between the TACACS+ client and server. 524 The version number and session_id are extracted from the header 525 Subsequent hashes are generated by using the same input stream, but 526 concatenating the previous hash value at the end of the input stream. 528 MD5_1 = MD5{session_id, key, version, seq_no} MD5_2 = MD5{session_id, 529 key, version, seq_no, MD5_1} .... MD5_n = MD5{session_id, key, 530 version, seq_no, MD5_n-1} 532 When a server detects that the secret(s) it has configured for the 533 device mismatch, it MUST return ERROR. For details of TCP connection 534 handling on ERROR, refer to Section 4.4. 536 TAC_PLUS_UNENCRYPTED_FLAG == 0x1 538 This option is deprecated and MUST NOT be used in production. In 539 this case, the entire packet body is in cleartext. A request MUST be 540 dropped if TAC_PLUS_UNENCRYPTED_FLAG is set to true. 542 After a packet body is de-obfuscated, the lengths of the component 543 values in the packet are summed. If the sum is not identical to the 544 cleartext datalength value from the header, the packet MUST be 545 discarded, and an ERROR signaled. For details of TCP connection 546 handling on ERROR, refer to Section 4.4. 548 Commonly such failures are seen when the keys are mismatched between 549 the client and the TACACS+ server. 551 5. Authentication 553 Authentication is the action of determining who a user (or entity) 554 is. Authentication can take many forms. Traditional authentication 555 employs a name and a fixed password. However, fixed passwords are 556 vulnerable security, so many modern authentication mechanisms utilize 557 "one-time" passwords or a challenge-response query. TACACS+ is 558 designed to support all of these, and be flexible enough to handle 559 any future mechanisms. Authentication generally takes place when the 560 user first logs in to a machine or requests a service of it. 562 Authentication is not mandatory; it is a site-configured option. 563 Some sites do not require it. Others require it only for certain 564 services (see authorization below). Authentication may also take 565 place when a user attempts to gain extra privileges, and must 566 identify himself or herself as someone who possesses the required 567 information (passwords, etc.) for those privileges. 569 5.1. The Authentication START Packet Body 571 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 572 +----------------+----------------+----------------+----------------+ 573 | action | priv_lvl | authen_type | authen_service | 574 +----------------+----------------+----------------+----------------+ 575 | user_len | port_len | rem_addr_len | data_len | 576 +----------------+----------------+----------------+----------------+ 577 | user ... 578 +----------------+----------------+----------------+----------------+ 579 | port ... 580 +----------------+----------------+----------------+----------------+ 581 | rem_addr ... 582 +----------------+----------------+----------------+----------------+ 583 | data... 584 +----------------+----------------+----------------+----------------+ 586 Packet fields are as follows: 588 action 590 This indicates the authentication action. Valid values are listed 591 below. 593 TAC_PLUS_AUTHEN_LOGIN := 0x01 595 TAC_PLUS_AUTHEN_CHPASS := 0x02 597 TAC_PLUS_AUTHEN_SENDAUTH := 0x04 599 priv_lvl 601 This indicates the privilege level that the user is authenticating 602 as. Please refer to the Privilege Level section (Section 9) below. 604 authen_type 606 The type of authentication. Please see section Common Authentication 607 Flows (Section 5.4.2). Valid values are: 609 TAC_PLUS_AUTHEN_TYPE_ASCII := 0x01 611 TAC_PLUS_AUTHEN_TYPE_PAP := 0x02 613 TAC_PLUS_AUTHEN_TYPE_CHAP := 0x03 615 TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05 616 TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 := 0x06 618 authen_service 620 This is the service that is requesting the authentication. Valid 621 values are: 623 TAC_PLUS_AUTHEN_SVC_NONE := 0x00 625 TAC_PLUS_AUTHEN_SVC_LOGIN := 0x01 627 TAC_PLUS_AUTHEN_SVC_ENABLE := 0x02 629 TAC_PLUS_AUTHEN_SVC_PPP := 0x03 631 TAC_PLUS_AUTHEN_SVC_PT := 0x05 633 TAC_PLUS_AUTHEN_SVC_RCMD := 0x06 635 TAC_PLUS_AUTHEN_SVC_X25 := 0x07 637 TAC_PLUS_AUTHEN_SVC_NASI := 0x08 639 TAC_PLUS_AUTHEN_SVC_FWPROXY := 0x09 641 The TAC_PLUS_AUTHEN_SVC_NONE option is intended for the authorization 642 application of this field that indicates that no authentication was 643 performed by the device. 645 The TAC_PLUS_AUTHEN_SVC_LOGIN option indicates regular login (as 646 opposed to ENABLE) to a client device. 648 The TAC_PLUS_AUTHEN_SVC_ENABLE option identifies the ENABLE 649 authen_service, which refers to a service requesting authentication 650 in order to grant the user different privileges. This is comparable 651 to the Unix "su(1)" command, which substitutes the current user's 652 identity with another. An authen_service value of NONE is only to be 653 used when none of the other authen_service values are appropriate. 654 ENABLE may be requested independently, no requirements for previous 655 authentications or authorizations are imposed by the protocol. 657 Other options are included for legacy/backwards compatibility. 659 user, user_len 661 The username is optional in this packet, depending upon the class of 662 authentication. If it is absent, the client MUST set user_len to 0. 664 If included, the user_len indicates the length of the user field, in 665 bytes. 667 port, port_len 669 The name of the client port on which the authentication is taking 670 place. The value of this field is free format text and is client 671 specific. Examples of this this argument include "tty10" to denote 672 the tenth tty line and "async10" to denote the tenth async interface. 673 The client documentation SHOULD define the values and their meanings 674 for this field. For details of text encoding, see (Section 3.7). 675 port_len indicates the length of the port field, in bytes. 677 rem_addr, rem_addr_len 679 A string indicating the remote location from which the user has 680 connected to the client. For details of text encoding, see 681 (Section 3.7). 683 When TACACS+ was used for dial-up services, this value contained the 684 caller ID 686 When TACACS+ is used for Device Administration, the user is normally 687 connected via a network, and in this case the value is intended to 688 hold a network address, IPv4 or IPv6. For IPv6 address text 689 representation defined please see RFC 5952 [RFC5952]. 691 This field is optional (since the information may not be available). 692 The rem_addr_len indicates the length of the user field, in bytes. 694 data, data_len 696 This field is used to send data appropriate for the action and 697 authen_type. It is described in more detail in the section Common 698 Authentication flows (Section 5.4.2). The data_len indicates the 699 length of the data field, in bytes. 701 5.2. The Authentication REPLY Packet Body 703 The TACACS+ server sends only one type of authentication packet (a 704 REPLY packet) to the client. 706 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 707 +----------------+----------------+----------------+----------------+ 708 | status | flags | server_msg_len | 709 +----------------+----------------+----------------+----------------+ 710 | data_len | server_msg ... 711 +----------------+----------------+----------------+----------------+ 712 | data ... 713 +----------------+----------------+ 715 status 717 The current status of the authentication. Valid values are: 719 TAC_PLUS_AUTHEN_STATUS_PASS := 0x01 721 TAC_PLUS_AUTHEN_STATUS_FAIL := 0x02 723 TAC_PLUS_AUTHEN_STATUS_GETDATA := 0x03 725 TAC_PLUS_AUTHEN_STATUS_GETUSER := 0x04 727 TAC_PLUS_AUTHEN_STATUS_GETPASS := 0x05 729 TAC_PLUS_AUTHEN_STATUS_RESTART := 0x06 731 TAC_PLUS_AUTHEN_STATUS_ERROR := 0x07 733 TAC_PLUS_AUTHEN_STATUS_FOLLOW := 0x21 735 flags 737 Bitmapped flags that modify the action to be taken. The following 738 values are defined: 740 TAC_PLUS_REPLY_FLAG_NOECHO := 0x01 742 server_msg, server_msg_len 744 A message to be displayed to the user. This field is optional. The 745 server_msg_len indicates the length of the server_msg field, in 746 bytes. For details of text encoding, see (Section 3.7). 748 data, data_len 750 This field holds data that is a part of the authentication exchange 751 and is intended for client processing, not the user. It is not a 752 printable text encoding. Examples of its use are shown in the 753 section Common Authentication flows (Section 5.4.2). The data_len 754 indicates the length of the data field, in bytes. 756 5.3. The Authentication CONTINUE Packet Body 758 This packet is sent from the client to the server following the 759 receipt of a REPLY packet. 761 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 762 +----------------+----------------+----------------+----------------+ 763 | user_msg len | data_len | 764 +----------------+----------------+----------------+----------------+ 765 | flags | user_msg ... 766 +----------------+----------------+----------------+----------------+ 767 | data ... 768 +----------------+ 770 user_msg, user_msg_len 772 This field is the string that the user entered, or the client 773 provided on behalf of the user, in response to the server_msg from a 774 REPLY packet. The user_len indicates the length of the user field, 775 in bytes. 777 data, data_len 779 This field carries information that is specific to the action and the 780 authen_type for this session. Valid uses of this field are described 781 below. It is not a printable text encoding. The data_len indicates 782 the length of the data field, in bytes. 784 flags 786 This holds the bitmapped flags that modify the action to be taken. 787 The following values are defined: 789 TAC_PLUS_CONTINUE_FLAG_ABORT := 0x01 791 5.4. Description of Authentication Process 793 The action, authen_type and authen_service fields (described above) 794 combine to indicate what kind of authentication is to be performed. 795 Every authentication START, REPLY and CONTINUE packet includes a data 796 field. The use of this field is dependent upon the kind of the 797 Authentication. 799 This document defines a core set of authentication flows to be 800 supported by TACACS+. Each authentication flow consists of a START 801 packet. The server responds either with a request for more 802 information (GETDATA, GETUSER or GETPASS) or a termination PASS, 803 FAIL, ERROR or RESTART. The actions and meanings when the server 804 sends a RESTART or ERROR are common and are described further below. 806 When the REPLY status equals TAC_PLUS_AUTHEN_STATUS_GETDATA, 807 TAC_PLUS_AUTHEN_STATUS_GETUSER or TAC_PLUS_AUTHEN_STATUS_GETPASS, 808 then authentication continues and the server SHOULD provide 809 server_msg content for the client to prompt the user for more 810 information. The client MUST then return a CONTINUE packet 811 containing the requested information in the user_msg field. 813 The client should interpret TAC_PLUS_AUTHEN_STATUS_GETUSER as a 814 request for username and TAC_PLUS_AUTHEN_STATUS_GETPASS as a request 815 for password. The TAC_PLUS_AUTHEN_STATUS_GETDATA is the generic 816 request for more information to flexibly support future requirements. 818 If the information being requested by the server form the client is 819 sensitive, then the server should set the TAC_PLUS_REPLY_FLAG_NOECHO 820 flag. When the client queries the user for the information, the 821 response MUST NOT be reflected in the user interface as it is 822 entered. 824 The data field is only used in the REPLY where explicitly defined 825 below. 827 5.4.1. Version Behavior 829 The TACACS+ protocol is versioned to allow revisions while 830 maintaining backwards compatibility. The version number is in every 831 packet header. The changes between minor_version 0 and 1 apply only 832 to the authentication process, and all deal with the way that CHAP 833 and PAP authentications are handled. minor_version 1 may only be used 834 for authentication kinds that explicitly call for it in the table 835 below: 837 LOGIN CHPASS SENDAUTH 838 ASCII v0 v0 - 839 PAP v1 - v1 840 CHAP v1 - v1 841 MS-CHAPv1/2 v1 - v1 843 The '-' symbol represents that the option is not valid. 845 All authorization and accounting and ASCII authentication use 846 minor_version number of 0. 848 PAP, CHAP and MS-CHAP login use minor_version 1. The normal exchange 849 is a single START packet from the client and a single REPLY from the 850 server. 852 The removal of SENDPASS was prompted by security concerns, and is no 853 longer considered part of the TACACS+ protocol. 855 5.4.2. Common Authentication Flows 857 This section describes common authentication flows. If the server 858 does not implement an option, it MUST respond with 859 TAC_PLUS_AUTHEN_STATUS_FAIL. 861 5.4.2.1. ASCII Login 863 action = TAC_PLUS_AUTHEN_LOGIN 864 authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII 865 minor_version = 0x0 867 This is a standard ASCII authentication. The START packet MAY 868 contain the username. If the user does not include the username then 869 the server MUST obtain it from the client with a CONTINUE 870 TAC_PLUS_AUTHEN_STATUS_GETUSER. If the user does not provide a 871 username then the server can send another 872 TAC_PLUS_AUTHEN_STATUS_GETUSER request, but the server MUST limit the 873 number of retries that are permitted, recommended limit is three 874 attempts. When the server has the username, it will obtain the 875 password using a continue with TAC_PLUS_AUTHEN_STATUS_GETPASS. ASCII 876 login uses the user_msg field for both the username and password. 877 The data fields in both the START and CONTINUE packets are not used 878 for ASCII logins, any content MUST be ignored. The session is 879 composed of a single START followed by zero or more pairs of REPLYs 880 and CONTINUEs, followed by a final REPLY indicating PASS, FAIL or 881 ERROR. 883 5.4.2.2. PAP Login 885 action = TAC_PLUS_AUTHEN_LOGIN 886 authen_type = TAC_PLUS_AUTHEN_TYPE_PAP 887 minor_version = 0x1 889 The entire exchange MUST consist of a single START packet and a 890 single REPLY. The START packet MUST contain a username and the data 891 field MUST contain the PAP ASCII password. A PAP authentication only 892 consists of a username and password RFC 1334 [RFC1334] (Obsolete). 893 The REPLY from the server MUST be either a PASS, FAIL or ERROR. 895 5.4.2.3. CHAP login 897 action = TAC_PLUS_AUTHEN_LOGIN 898 authen_type = TAC_PLUS_AUTHEN_TYPE_CHAP 899 minor_version = 0x1 901 The entire exchange MUST consist of a single START packet and a 902 single REPLY. The START packet MUST contain the username in the user 903 field and the data field is a concatenation of the PPP id, the 904 challenge and the response. 906 The length of the challenge value can be determined from the length 907 of the data field minus the length of the id (always 1 octet) and the 908 length of the response field (always 16 octets). 910 To perform the authentication, the server calculates the PPP hash as 911 defined in the PPP Authentication RFC 1334 [RFC1334] and then 912 compares that value with the response. The MD5 algorithm option is 913 always used. The REPLY from the server MUST be a PASS, FAIL or 914 ERROR. 916 The selection of the challenge and its length are not an aspect of 917 the TACACS+ protocol. However, it is strongly recommended that the 918 client/endstation interaction is configured with a secure challenge. 919 The TACACS+ server can help by rejecting authentications where the 920 challenge is below a minimum length (Minimum recommended is 8 bytes). 922 5.4.2.4. MS-CHAP v1 login 924 action = TAC_PLUS_AUTHEN_LOGIN 925 authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAP 926 minor_version = 0x1 928 The entire exchange MUST consist of a single START packet and a 929 single REPLY. The START packet MUST contain the username in the user 930 field and the data field will be a concatenation of the PPP id, the 931 MS-CHAP challenge and the MS-CHAP response. 933 The length of the challenge value can be determined from the length 934 of the data field minus the length of the id (always 1 octet) and the 935 length of the response field (always 49 octets). 937 To perform the authentication, the server will use a combination of 938 MD4 and DES on the user's secret and the challenge, as defined in RFC 939 2433 [RFC2433] and then compare the resulting value with the 940 response. The REPLY from the server MUST be a PASS or FAIL. 942 For best practices, please refer to RFC 2433 [RFC2433]. The TACACS+ 943 server MUST reject authentications where the challenge deviates from 944 8 bytes as defined in the RFC. 946 5.4.2.5. MS-CHAP v2 login 948 action = TAC_PLUS_AUTHEN_LOGIN 949 authen_type = TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 950 minor_version = 0x1 952 The entire exchange MUST consist of a single START packet and a 953 single REPLY. The START packet MUST contain the username in the user 954 field and the data field will be a concatenation of the PPP id, the 955 MS-CHAP challenge and the MS-CHAP response. 957 The length of the challenge value can be determined from the length 958 of the data field minus the length of the id (always 1 octet) and the 959 length of the response field (always 49 octets). 961 To perform the authentication, the server will use the algorithm 962 specified RFC 2759 [RFC2759] on the user's secret and challenge and 963 then compare the resulting value with the response. The REPLY from 964 the server MUST be a PASS or FAIL. 966 For best practices for MS-CHAP v2, please refer to RFC2759 [RFC2759]. 967 The TACACS+ server MUST reject authentications where the challenge 968 deviates from 16 bytes as defined in the RFC. 970 5.4.2.6. Enable Requests 972 action = TAC_PLUS_AUTHEN_LOGIN 973 priv_lvl = implementation dependent 974 authen_type = not used 975 service = TAC_PLUS_AUTHEN_SVC_ENABLE 977 This is an ENABLE request, used to change the current running 978 privilege level of a user. The exchange MAY consist of multiple 979 messages while the server collects the information it requires in 980 order to allow changing the principal's privilege level. This 981 exchange is very similar to an ASCII login (Section 5.4.2.1). 983 In order to readily distinguish enable requests from other types of 984 request, the value of the authen_service field MUST be set to 985 TAC_PLUS_AUTHEN_SVC_ENABLE when requesting an ENABLE. It MUST NOT be 986 set to this value when requesting any other operation. 988 5.4.2.7. ASCII change password request 990 action = TAC_PLUS_AUTHEN_CHPASS 991 authen_type = TAC_PLUS_AUTHEN_TYPE_ASCII 993 This exchange consists of multiple messages while the server collects 994 the information it requires in order to change the user's password. 995 It is very similar to an ASCII login. The status value 996 TAC_PLUS_AUTHEN_STATUS_GETPASS MUST only be used when requesting the 997 "new" password. It MAY be sent multiple times. When requesting the 998 "old" password, the status value MUST be set to 999 TAC_PLUS_AUTHEN_STATUS_GETDATA. 1001 5.4.3. Aborting an Authentication Session 1003 The client may prematurely terminate a session by setting the 1004 TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this 1005 flag is set, the data portion of the message may contain a message 1006 explaining the reason for the abort. For details of text encoding, 1007 see (Section 3.7). This information will be handled by the server 1008 according to the requirements of the deployment. The session is 1009 terminated, for more details about session termination, refer to 1010 Section 4.4. 1012 In cases of PASS, FAIL or ERROR, the server can insert a message into 1013 server_msg to be displayed to the user. 1015 The Draft `The Draft' [TheDraft] defined a mechanism to direct 1016 authentication requests to an alternative server. This mechanism is 1017 regarded as insecure, is deprecated, and not covered here. The 1018 client should treat TAC_PLUS_AUTHEN_STATUS_FOLLOW as 1019 TAC_PLUS_AUTHEN_STATUS_FAIL 1021 If the status equals TAC_PLUS_AUTHEN_STATUS_ERROR, then the host is 1022 indicating that it is experiencing an unrecoverable error and the 1023 authentication will proceed as if that host could not be contacted. 1024 The data field may contain a message to be printed on an 1025 administrative console or log. 1027 If the status equals TAC_PLUS_AUTHEN_STATUS_RESTART, then the 1028 authentication sequence is restarted with a new START packet from the 1029 client, with new session Id, and seq_no set to 1. This REPLY packet 1030 indicates that the current authen_type value (as specified in the 1031 START packet) is not acceptable for this session. The client may try 1032 an alternative authen_type. 1034 If a client does not implement TAC_PLUS_AUTHEN_STATUS_RESTART option, 1035 then it MUST process the response as if the status was 1036 TAC_PLUS_AUTHEN_STATUS_FAIL. 1038 6. Authorization 1040 In the TACACS+ Protocol, authorization is the action of determining 1041 what a user is allowed to do. Generally, authentication precedes 1042 authorization, though it is not mandatory that a client use the same 1043 service for authentication that it will use for authorization. An 1044 authorization request may indicate that the user is not authenticated 1045 (we don't know who they are). In this case it is up to the server to 1046 determine, according to its configuration, if an unauthenticated user 1047 is allowed the services in question. 1049 Authorization does not merely provide yes or no answers, but it may 1050 also customize the service for the particular user. A common use of 1051 authorization is to provision a shell session when a user first logs 1052 into a device to administer it. The TACACS+ server might respond to 1053 the request by allowing the service, but placing a time restriction 1054 on the login shell. For a list of common arguments used in 1055 authorization, see the Authorization Arguments section (Section 8.2). 1057 In the TACACS+ protocol an authorization is always a single pair of 1058 messages: a REQUEST from the client followed by a REPLY from the 1059 server. 1061 The authorization REQUEST message contains a fixed set of fields that 1062 indicate how the user was authenticated and a variable set of 1063 arguments that describe the services and options for which 1064 authorization is requested. 1066 The REPLY contains a variable set of response arguments (argument- 1067 value pairs) that can restrict or modify the client's actions. 1069 6.1. The Authorization REQUEST Packet Body 1070 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1071 +----------------+----------------+----------------+----------------+ 1072 | authen_method | priv_lvl | authen_type | authen_service | 1073 +----------------+----------------+----------------+----------------+ 1074 | user_len | port_len | rem_addr_len | arg_cnt | 1075 +----------------+----------------+----------------+----------------+ 1076 | arg_1_len | arg_2_len | ... | arg_N_len | 1077 +----------------+----------------+----------------+----------------+ 1078 | user ... 1079 +----------------+----------------+----------------+----------------+ 1080 | port ... 1081 +----------------+----------------+----------------+----------------+ 1082 | rem_addr ... 1083 +----------------+----------------+----------------+----------------+ 1084 | arg_1 ... 1085 +----------------+----------------+----------------+----------------+ 1086 | arg_2 ... 1087 +----------------+----------------+----------------+----------------+ 1088 | ... 1089 +----------------+----------------+----------------+----------------+ 1090 | arg_N ... 1091 +----------------+----------------+----------------+----------------+ 1093 authen_method 1095 This filed allows the client to indicate the authentication method 1096 used by the acquire the user information. 1098 TAC_PLUS_AUTHEN_METH_NOT_SET := 0x00 1100 TAC_PLUS_AUTHEN_METH_NONE := 0x01 1102 TAC_PLUS_AUTHEN_METH_KRB5 := 0x02 1104 TAC_PLUS_AUTHEN_METH_LINE := 0x03 1106 TAC_PLUS_AUTHEN_METH_ENABLE := 0x04 1108 TAC_PLUS_AUTHEN_METH_LOCAL := 0x05 1110 TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06 1112 TAC_PLUS_AUTHEN_METH_GUEST := 0x08 1114 TAC_PLUS_AUTHEN_METH_RADIUS := 0x10 1116 TAC_PLUS_AUTHEN_METH_KRB4 := 0x11 1117 TAC_PLUS_AUTHEN_METH_RCMD := 0x20 1119 As this information is not always subject to verification, it is 1120 recommended that this field is in policy evaluastion. LINE refers to 1121 a fixed password associated with the terminal line used to gain 1122 access. LOCAL is a client local user database. ENABLE is a command 1123 that authenticates in order to grant new privileges. TACACSPLUS is, 1124 of course, TACACS+. GUEST is an unqualified guest authentication. 1125 RADIUS is the Radius authentication protocol. RCMD refers to 1126 authentication provided via the R-command protocols from Berkeley 1127 Unix. KRB5 and KRB4 are Kerberos version 5 and 4. 1129 As mentioned above, this field is used by the client to indicate how 1130 it performed the authentication. One of the options 1131 (TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06) is TACACS+ itself, and so 1132 the detail of how the client performed this option is given in 1133 Authentication Section (Section 5). For all other options, such as 1134 KRB and RADIUS, then TACACS+ protocol did not play any part in the 1135 authentication phase; as those interactions were not conducted using 1136 the TACACS+ protocol they will not be documented here. For 1137 implementers of clients who need details of the other protocols, 1138 please refer to the respective Kerberos [RFC4120] and RADIUS 1139 [RFC3579] RFCs. 1141 priv_lvl 1143 This field is used in the same way as the priv_lvl field in 1144 authentication request and is described in the Privilege Level 1145 section (Section 9) below. It indicates the users current privilege 1146 level. 1148 authen_type 1150 This field corresponds to the authen_type field in the authentication 1151 section (Section 5) above. It indicates the type of authentication 1152 that was performed. If this information is not available, then the 1153 client will set authen_type to: TAC_PLUS_AUTHEN_TYPE_NOT_SET := 0x00. 1154 This value is valid only in authorization and accounting requests. 1156 authen_service 1158 This field is the same as the authen_service field in the 1159 authentication section (Section 5) above. It indicates the service 1160 through which the user authenticated. 1162 user, user_len 1163 This field contains the user's account name. The user_len MUST 1164 indicate the length of the user field, in bytes. 1166 port, port_len 1168 This field matches the port field in the authentication section 1169 (Section 5) above. The port_len indicates the length of the port 1170 field, in bytes. 1172 rem_addr, rem_addr_len 1174 This field matches the rem_addr field in the authentication section 1175 (Section 5) above. The rem_addr_len indicates the length of the port 1176 field, in bytes. 1178 arg_cnt 1180 The number of authorization arguments to follow 1182 arg_1 ... arg_N, arg_1_len .... arg_N_len 1184 The arguments are the primary elements of the authorization 1185 interaction. In the request packet, they describe the specifics of 1186 the authorization that is being requested. Each argument is encoded 1187 in the packet as a single arg field (arg_1... arg_N) with a 1188 corresponding length fields (which indicates the length of each 1189 argument in bytes). 1191 The authorization arguments in both the REQUEST and the REPLY are 1192 argument-value pairs. The argument and the value are in a single 1193 string and are separated by either a "=" (0X3D) or a "*" (0X2A). The 1194 equals sign indicates a mandatory argument. The asterisk indicates 1195 an optional one. For details of text encoding, see (Section 3.7). 1197 An argument name MUST NOT contain either of the separators. An 1198 argument value MAY contain the separators. This means that the 1199 arguments must be parsed until the first separator is encountered, 1200 all characters in the argument, after this separator, are interpreted 1201 as the argument value. 1203 Optional arguments are ones that may be disregarded by either client 1204 or server. Mandatory arguments require that the receiving side can 1205 handle the argument, that is: its implementation and configuration 1206 includes the details of how to act on it. If the client receives a 1207 mandatory argument that it cannot handle, it MUST consider the 1208 authorization to have failed. The value part of an argument-value 1209 pair may be empty, that is: the length of the value may be zero. 1211 Argument-value strings are not NULL terminated, rather their length 1212 value indicates their end. The maximum length of an argument-value 1213 string is 255 characters. The minimum is two characters (one name- 1214 value character and the separator) 1216 Though the arguments allow extensibility, a common core set of 1217 authorization arguments SHOULD be supported by clients and servers, 1218 these are listed in the Authorization Arguments (Section 8.2) section 1219 below. 1221 6.2. The Authorization REPLY Packet Body 1223 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1224 +----------------+----------------+----------------+----------------+ 1225 | status | arg_cnt | server_msg len | 1226 +----------------+----------------+----------------+----------------+ 1227 + data_len | arg_1_len | arg_2_len | 1228 +----------------+----------------+----------------+----------------+ 1229 | ... | arg_N_len | server_msg ... 1230 +----------------+----------------+----------------+----------------+ 1231 | data ... 1232 +----------------+----------------+----------------+----------------+ 1233 | arg_1 ... 1234 +----------------+----------------+----------------+----------------+ 1235 | arg_2 ... 1236 +----------------+----------------+----------------+----------------+ 1237 | ... 1238 +----------------+----------------+----------------+----------------+ 1239 | arg_N ... 1240 +----------------+----------------+----------------+----------------+ 1242 status This field indicates the authorization status 1244 TAC_PLUS_AUTHOR_STATUS_PASS_ADD := 0x01 1246 TAC_PLUS_AUTHOR_STATUS_PASS_REPL := 0x02 1248 TAC_PLUS_AUTHOR_STATUS_FAIL := 0x10 1250 TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11 1252 TAC_PLUS_AUTHOR_STATUS_FOLLOW := 0x21 1254 server_msg, server_msg_len 1256 This is a string that may be presented to the user. The 1257 server_msg_len indicates the length of the server_msg field, in 1258 bytes. For details of text encoding, see (Section 3.7). 1260 data, data_len 1262 This is a string that may be presented on an administrative display, 1263 console or log. The decision to present this message is client 1264 specific. The data_len indicates the length of the data field, in 1265 bytes. For details of text encoding, see (Section 3.7). 1267 arg_cnt 1269 The number of authorization arguments to follow. 1271 arg_1 ... arg_N, arg_1_len .... arg_N_len 1273 The arguments describe the specifics of the authorization that is 1274 being requested. For details of the content of the args, refer to: 1275 Authorization Arguments (Section 8.2) section below. Each argument 1276 is encoded in the packet as a single arg field (arg_1... arg_N) with 1277 a corresponding length fields (which indicates the length of each 1278 argument in bytes). 1280 If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the requested 1281 authorization MUST be denied. 1283 If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the 1284 arguments specified in the request are authorized and the arguments 1285 in the response MUST be applied according to the rules described 1286 above. 1288 If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the client 1289 MUST use the authorization argument-value pairs (if any) in the 1290 response, instead of the authorization argument-value pairs from the 1291 request. 1293 To approve the authorization with no modifications, the server sets 1294 the status to TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt to 0. 1296 A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred 1297 on the server. For the differences between ERROR and FAIL, refer to 1298 Session Completion (Section 4.4). None of the arg values have any 1299 relevance if an ERROR is set, and must be ignored. 1301 When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the 1302 arg_cnt MUST be 0. In that case, the actions to be taken and the 1303 contents of the data field are identical to the 1304 TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. 1306 7. Accounting 1308 Accounting is typically the third action after authentication and 1309 authorization. But again, neither authentication nor authorization 1310 is required. Accounting is the action of recording what a user is 1311 doing, and/or has done. Accounting in TACACS+ can serve two 1312 purposes: It may be used as an auditing tool for security services. 1313 It may also be used to account for services used, such as in a 1314 billing environment. To this end, TACACS+ supports three types of 1315 accounting records. Start records indicate that a service is about 1316 to begin. Stop records indicate that a service has just terminated, 1317 and Update records are intermediate notices that indicate that a 1318 service is still being performed. TACACS+ accounting records contain 1319 all the information used in the authorization records, and also 1320 contain accounting specific information such as start and stop times 1321 (when appropriate) and resource usage information. A list of 1322 accounting arguments is defined in the accounting section 1323 (Section 7). 1325 7.1. The Account REQUEST Packet Body 1327 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1328 +----------------+----------------+----------------+----------------+ 1329 | flags | authen_method | priv_lvl | authen_type | 1330 +----------------+----------------+----------------+----------------+ 1331 | authen_service | user_len | port_len | rem_addr_len | 1332 +----------------+----------------+----------------+----------------+ 1333 | arg_cnt | arg_1_len | arg_2_len | ... | 1334 +----------------+----------------+----------------+----------------+ 1335 | arg_N_len | user ... 1336 +----------------+----------------+----------------+----------------+ 1337 | port ... 1338 +----------------+----------------+----------------+----------------+ 1339 | rem_addr ... 1340 +----------------+----------------+----------------+----------------+ 1341 | arg_1 ... 1342 +----------------+----------------+----------------+----------------+ 1343 | arg_2 ... 1344 +----------------+----------------+----------------+----------------+ 1345 | ... 1346 +----------------+----------------+----------------+----------------+ 1347 | arg_N ... 1348 +----------------+----------------+----------------+----------------+ 1350 flags 1352 This holds bitmapped flags. 1354 TAC_PLUS_ACCT_FLAG_START := 0x02 1356 TAC_PLUS_ACCT_FLAG_STOP := 0x04 1358 TAC_PLUS_ACCT_FLAG_WATCHDOG := 0x08 1360 All other fields are defined in the authorization and authentication 1361 sections above and have the same semantics. They provide details for 1362 the conditions on the client, and authentication context, so that 1363 these details may be logged for accounting purposes. 1365 See the Accounting Arguments section (Section 8.3) for the dictionary 1366 of arguments relevant to accounting. 1368 7.2. The Accounting REPLY Packet Body 1370 The purpose of accounting is to record the action that has occurred 1371 on the client. The server MUST reply with success only when the 1372 accounting request has been recorded. If the server did not record 1373 the accounting request then it MUST reply with ERROR. 1375 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1376 +----------------+----------------+----------------+----------------+ 1377 | server_msg len | data_len | 1378 +----------------+----------------+----------------+----------------+ 1379 | status | server_msg ... 1380 +----------------+----------------+----------------+----------------+ 1381 | data ... 1382 +----------------+ 1384 status 1386 This is the return status. Values are: 1388 TAC_PLUS_ACCT_STATUS_SUCCESS := 0x01 1390 TAC_PLUS_ACCT_STATUS_ERROR := 0x02 1392 TAC_PLUS_ACCT_STATUS_FOLLOW := 0x21 1394 server_msg, server_msg_len 1396 This is a string that may be presented to the user. The 1397 server_msg_len indicates the length of the server_msg field, in 1398 bytes. For details of text encoding, see (Section 3.7). 1400 data, data_len 1401 This is a string that may be presented on an administrative display, 1402 console or log. The decision to present this message is client 1403 specific. The data_len indicates the length of the data field, in 1404 bytes. For details of text encoding, see (Section 3.7). 1406 When the status equals TAC_PLUS_ACCT_STATUS_FOLLOW, then the actions 1407 to be taken and the contents of the data field are identical to the 1408 TAC_PLUS_AUTHEN_STATUS_FOLLOW status for Authentication. 1410 TACACS+ accounting is intended to record various types of events on 1411 clients, for example: login sessions, command entry, and others as 1412 required by the client implementation. These events are collectively 1413 referred to in `The Draft' [TheDraft] as "tasks". 1415 The TAC_PLUS_ACCT_FLAG_START flag indicates that this is a start 1416 accounting message. Start messages will only be sent once when a 1417 task is started. The TAC_PLUS_ACCT_FLAG_STOP indicates that this is 1418 a stop record and that the task has terminated. The 1419 TAC_PLUS_ACCT_FLAG_WATCHDOG flag means that this is an update record. 1421 Summary of Accounting Packets 1423 +----------+-------+-------+-------------+-------------------------+ 1424 | Watchdog | Stop | Start | Flags & 0xE | Meaning | 1425 +----------+-------+-------+-------------+-------------------------+ 1426 | 0 | 0 | 0 | 0 | INVALID | 1427 | 0 | 0 | 1 | 2 | Start Accounting Record | 1428 | 0 | 1 | 0 | 4 | Stop Accounting Record | 1429 | 0 | 1 | 1 | 6 | INVALID | 1430 | 1 | 0 | 0 | 8 | Watchdog, no update | 1431 | 1 | 0 | 1 | A | Watchdog, with update | 1432 | 1 | 1 | 0 | C | INVALID | 1433 | 1 | 1 | 1 | E | INVALID | 1434 +----------+-------+-------+-------------+-------------------------+ 1436 The START and STOP flags are mutually exclusive. 1438 The WATCHDOG flag is used by the client to communicate ongoing status 1439 of a long-running task. Update records are sent at the client's 1440 discretion. The frequency of the update depends upon the intended 1441 application: A watchdog to provide progress indication will require 1442 higher frequency than a daily keep-alive. When the WATCHDOG flag is 1443 set along with the START flag, it indicates that the update record 1444 provides additional or updated arguments from the original START 1445 record. If the START flag is not set, then this indicates only that 1446 task is still running, and no new information is provided (servers 1447 MUST ignore any arguments). The STOP flag MUST NOT be set in 1448 conjunction with the WATCHDOG flag. 1450 The Server MUST respond with TAC_PLUS_ACCT_STATUS_ERROR if the client 1451 requests an INVALID option. 1453 8. Argument-Value Pairs 1455 TACACS+ is intended to be an extensible protocol. The arguments used 1456 in Authorization and Accounting are not limited by this document. 1457 Some arguments are defined below for common use cases, clients MUST 1458 use these arguments when supporting the corresponding use cases. 1460 8.1. Value Encoding 1462 All argument values are encoded as strings. For details of text 1463 encoding, see (Section 3.7). The following type representations 1464 SHOULD be followed 1466 Numeric 1468 All numeric values in an argument-value string are provided as 1469 decimal numbers, unless otherwise stated. All arguments include a 1470 length field, and TACACS+ implementations MUST verify that they can 1471 accommodate the lengths of numeric arguments before attempting to 1472 process them. If the length cannot be accommodated then the argument 1473 MUST be regarded as not handled and the logic in authorization 1474 section (Section 6.1) regarding the processing of arguments MUST be 1475 applied. 1477 Boolean 1479 All Boolean arguments are encoded with values "true" or "false". 1481 IP-Address 1483 It is recommended that hosts be specified as a IP address so as to 1484 avoid any ambiguities. For details of text encoding, see 1485 (Section 3.7). IPv4 address are specified as octet numerics 1486 separated by dots ('.'), IPv6 address text representation defined in 1487 RFC 5952 [RFC5952]. 1489 Date Time 1491 Absolute date/times are specified in seconds since the epoch, 12:00am 1492 Jan 1 1970. The timezone MUST be UTC unless a timezone argument is 1493 specified. 1495 String 1496 Many values have no specific type representation and are interpreted 1497 as plain strings. 1499 Empty Values 1501 Arguments may be submitted with no value, in which case they consist 1502 of the name and the mandatory or optional separator. For example, 1503 the argument "cmd" which has no value is transmitted as a string of 1504 four characters "cmd=" 1506 8.2. Authorization Arguments 1508 service (String) 1510 The primary service. Specifying a service argument indicates that 1511 this is a request for authorization or accounting of that service. 1512 For example: "shell", "tty-server", "connection", "system" and 1513 "firewall", others may be chosen for the required application. This 1514 argument MUST always be included. 1516 protocol (String) 1518 the protocol field may be used to indicate a subset of a service. 1520 cmd (String) 1522 a shell (exec) command. This indicates the command name of the 1523 command that is to be run. The "cmd" argument MUST be specified if 1524 service equals "shell". 1526 Authorization of shell commands is a common use-case for the TACACS+ 1527 protocol. Command Authorization generally takes one of two forms: 1528 session-based and command-based. 1530 For session-based shell authorization, the "cmd" argument will have 1531 an empty value. The client determines which commands are allowed in 1532 a session according to the arguments present in the authorization. 1534 In command-based authorization, the client requests that the server 1535 determine whether a command is allowed by making an authorization 1536 request for each command. The "cmd" argument will have the command 1537 name as its value. 1539 cmd-arg (String) 1541 an argument to a shell (exec) command. This indicates an argument 1542 for the shell command that is to be run. Multiple cmd-arg arguments 1543 may be specified, and they are order dependent. 1545 acl (Numeric) 1547 a number representing a connection access list. Applicable only to 1548 session-based shell authorization. For details of text encoding, see 1549 (Section 3.7). 1551 inacl (String) 1553 identifier (name) of an interface input access list. For details of 1554 text encoding, see (Section 3.7). 1556 outacl (String) 1558 identifier (name) of an interface output access list. For details of 1559 text encoding, see (Section 3.7). 1561 addr (IP-Address) 1563 a network address 1565 addr-pool (String) 1567 The identifier of an address pool from which the client can assign an 1568 address. 1570 timeout (Numeric) 1572 an absolute timer for the connection (in minutes). A value of zero 1573 indicates no timeout. 1575 idletime (Numeric) 1577 an idle-timeout for the connection (in minutes). A value of zero 1578 indicates no timeout. 1580 autocmd (String) 1582 an auto-command to run. Applicable only to session-based shell 1583 authorization. 1585 noescape (Boolean) 1587 Prevents user from using an escape character. Applicable only to 1588 session-based shell authorization. 1590 nohangup (Boolean) 1591 Boolean. Do not disconnect after an automatic command. Applicable 1592 only to session-based shell authorization. 1594 priv-lvl (Numeric) 1596 privilege level to be assigned. Please refer to the Privilege Level 1597 section (Section 9) below. 1599 8.3. Accounting Arguments 1601 The following arguments are defined for TACACS+ accounting only. 1602 They MUST precede any argument-value pairs that are defined in the 1603 authorization section (Section 6) above. 1605 task_id (String) 1607 Start and stop records for the same event MUST have matching task_id 1608 argument values. The client MUST ensure that active task_ids are not 1609 duplicated: a client MUST NOT reuse a task_id a start record until it 1610 has sent a stop record for that task_id. Servers MUST NOT make 1611 assumptions about the format of a task_id. 1613 start_time (Date Time) 1615 The time the action started (in seconds since the epoch.). 1617 stop_time (Date Time) 1619 The time the action stopped (in seconds since the epoch.) 1621 elapsed_time (Numeric) 1623 The elapsed time in seconds for the action. 1625 timezone (String) 1627 The timezone abbreviation for all timestamps included in this packet. 1628 A database of timezones is maintained here: TZDB [TZDB]. 1630 event (String) 1632 Used only when "service=system". Current values are "net_acct", 1633 "cmd_acct", "conn_acct", "shell_acct" "sys_acct" and "clock_change". 1634 These indicate system-level changes. The flags field SHOULD indicate 1635 whether the service started or stopped. 1637 reason (String) 1638 Accompanies an event argument. It describes why the event occurred. 1640 bytes (Numeric) 1642 The number of bytes transferred by this action 1644 bytes_in (Numeric) 1646 The number of bytes transferred by this action from the endstation to 1647 the client port 1649 bytes_out (Numeric) 1651 The number of bytes transferred by this action from the client to the 1652 endstation port 1654 paks (Numeric) 1656 The number of packets transferred by this action. 1658 paks_in (Numeric) 1660 The number of input packets transferred by this action from the 1661 endstation to the client port. 1663 paks_out (Numeric) 1665 The number of output packets transferred by this action from the 1666 client port to the endstation. 1668 err_msg (String) 1670 string describing the status of the action. For details of text 1671 encoding, see (Section 3.7). 1673 9. Privilege Levels 1675 The TACACS+ Protocol supports flexible authorization schemes through 1676 the extensible arguments. 1678 One scheme is built into the protocol and has been extensively used 1679 for Session-based shell authorization: Privilege Levels. Privilege 1680 Levels are ordered values from 0 to 15 with each level being a 1681 superset of the next lower value. Configuration and implementation 1682 of the client will map actions (such as the permission to execute of 1683 specific commands) to different privilege levels. The allocation of 1684 commands to privilege levels is highly dependent upon the deployment. 1685 Common allocations are as follows: 1687 TAC_PLUS_PRIV_LVL_MIN := 0x00. The level normally allocated to an 1688 unauthenticated session. 1690 TAC_PLUS_PRIV_LVL_USER := 0x01. The level normally allocated to a 1691 regular authenticated session 1693 TAC_PLUS_PRIV_LVL_ROOT := 0x0f. The level normally allocated to a 1694 session authenticated by a highly privileged user to allow 1695 commands with significant system impact. 1697 TAC_PLUS_PRIV_LVL_MAX := 0x0f. The highest privilege level. 1699 A Privilege level can be assigned to a shell (EXEC) session when it 1700 starts. The client will permit the actions associated with this 1701 level to be executed. This privilege level is returned by the Server 1702 in a session-based shell authorization (when "service" equals "shell" 1703 and "cmd" is empty). When a user required to perform actions that 1704 are mapped to a higher privilege level, then an ENABLE type 1705 reauthentication can be initiated by the client. The client will 1706 insert the required privilege level into the authentication header 1707 for enable authentication request. 1709 The use of Privilege levels to determine session-based access to 1710 commands and resources is not mandatory for clients. Although the 1711 privilege level scheme is widely supported, its lack of flexibility 1712 in requiring a single monotonic hierarchy of permissions means that 1713 other session-based command authorization schemes have evolved. 1714 However, it is still common enough that it SHOULD be supported by 1715 servers. 1717 10. Security Considerations 1719 The original TACACS+ Draft `The Draft' [TheDraft] from 1998 did not 1720 address all of the key security concerns which are considered when 1721 designing modern standards. This section addresses known limitations 1722 and concerns which will impact overall security of the protocol and 1723 systems where this protocol is deployed to manage central 1724 authentication, authorization or accounting for network device 1725 administration. 1727 Multiple implementations of the protocol described in the original 1728 TACACS+ Draft `The Draft' [TheDraft] have been deployed. As the 1729 protocol was never standardized, current implementations may be 1730 incompatible in non-obvious ways, giving rise to additional security 1731 risks. This section does not claim to enumerate all possible 1732 security vulnerabilities. 1734 10.1. General Security of the Protocol 1736 TACACS+ protocol does not include a security mechanism that would 1737 meet modern-day requirements. These security mechanisms would be 1738 best referred to as "obfuscation" and not "encryption" since they 1739 provide no meaningful integrity, privacy or replay protection. An 1740 attacker with access to the data stream should be assumed to be able 1741 to read and modify all TACACS+ packets. Without mitigation, a range 1742 of risks such as the following are possible: 1744 Accounting information may be modified by the man-in-the-middle 1745 attacker, making such logs unsuitable and not trustable for 1746 auditing purposes. 1748 Invalid or misleading values may be inserted by the man-in-the- 1749 middle attacker in various fields at known offsets to try and 1750 circumvent the authentication or authorization checks even inside 1751 the obfuscated body. 1753 While the protocol provides some measure of transport privacy, it is 1754 vulnerable to at least the following attacks: 1756 Brute force attacks exploiting increased efficiency of MD5 digest 1757 computation. 1759 Known plaintext attacks which may decrease the cost of brute force 1760 attack. 1762 Chosen plaintext attacks which may decrease the cost of a brute 1763 force attack. 1765 No forward secrecy. 1767 Even though, to the best knowledge of authors, this method of 1768 encryption wasn't rigorously tested, enough information is available 1769 that it is best referred to as "obfuscation" and not "encryption". 1771 For these reasons, users deploying TACACS+ protocol in their 1772 environments MUST limit access to known clients and MUST control the 1773 security of the entire transmission path. Attackers who can guess 1774 the key or otherwise break the obfuscation will gain unrestricted and 1775 undetected access to all TACACS+ traffic. Ensuring that a 1776 centralized AAA system like TACACS+ is deployed on a secured 1777 transport is essential to managing the security risk of such an 1778 attack. 1780 The following parts of this section enumerate only the session- 1781 specific risks which are in addition to general risk associated with 1782 bare obfuscation and lack of integrity checking. 1784 10.2. Security of Authentication Sessions 1786 Authentication sessions SHOULD be used via a secure transport (see 1787 Best Practices section (Section 10.5)) as the man-in-the-middle 1788 attack may completely subvert them. Even CHAP, which may be 1789 considered resistant to password interception, is unsafe as it does 1790 not protect the username from a trivial man-in-the-middle attack. 1792 This document deprecates the redirection mechanism using the 1793 TAC_PLUS_AUTHEN_STATUS_FOLLOW option which was included in the 1794 original draft. As part of this process, the secret key for a new 1795 server was sent to the client. This public exchange of secret keys 1796 means that once one session is broken, it may be possible to leverage 1797 that key to attacking connections to other servers. This mechanism 1798 MUST NOT be used in modern deployments. It MUST NOT be used outside 1799 a secured deployment. 1801 10.3. Security of Authorization Sessions 1803 Authorization sessions SHOULD be used via a secure transport (see 1804 Best Practices section (Section 10.5)) as it's trivial to execute a 1805 successful man-in-the-middle attacks that changes well-known 1806 plaintext in either requests or responses. 1808 As an example, take the field "authen_method". It's not unusual in 1809 actual deployments to authorize all commands received via the device 1810 local serial port (a console port) as that one is usually considered 1811 secure by virtue of the device located in a physically secure 1812 location. If an administrator would configure the authorization 1813 system to allow all commands entered by the user on a local console 1814 to aid in troubleshooting, that would give all access to all commands 1815 to any attacker that would be able to change the "authen_method" from 1816 TAC_PLUS_AUTHEN_METH_TACACSPLUS to TAC_PLUS_AUTHEN_METH_LINE. In 1817 this regard, the obfuscation provided by the protocol itself wouldn't 1818 help much, because: 1820 Lack of integrity means that any byte in the payload may be 1821 changed without either side detecting the change. 1823 Known plaintext means that an attacker would know with certainty 1824 which octet is the target of the attack (in this case, 1st octet 1825 after the header). 1827 In combination with known plaintext, the attacker can determine 1828 with certainty the value of the crypto-pad octet used to obfuscate 1829 the original octet. 1831 10.4. Security of Accounting Sessions 1833 Accounting sessions SHOULD be used via a secure transport (see Best 1834 Practices section (Section 10.5). Although Accounting sessions are 1835 not directly involved in authentication or authorizing operations on 1836 the device, man-in-the-middle attacker may do any of the following: 1838 Replace accounting data with new valid or garbage which can 1839 confuse auditors or hide information related to their 1840 authentication and/or authorization attack attempts. 1842 Try and poison accounting log with entries designed to make 1843 systems behave in unintended ways (which includes TACACS+ server 1844 and any other systems that would manage accounting entries). 1846 In addition to these direct manipulations, different client 1847 implementations pass different fidelity of accounting data. Some 1848 vendors have been observed in the wild that pass sensitive data like 1849 passwords, encryption keys and similar as part of the accounting log. 1850 Due to lack of strong encryption with perfect forward secrecy, this 1851 data may be revealed in future, leading to a security incident. 1853 10.5. TACACS+ Best Practices 1855 With respect to the observations about the security issues described 1856 above, a network administrator MUST NOT rely on the obfuscation of 1857 the TACACS+ protocol. TACACS+ MUST be used within a secure 1858 deployment: TACACS+ MUST be deployed over networks which ensure 1859 privacy and integrity of the communication, and MUST be deployed over 1860 a network which is separated from other traffic. Failure to do so 1861 will impact overall network security. 1863 The following recommendations impose restrictions on how the protocol 1864 is applied. These restrictions were not imposed in the original 1865 draft. New implementations, and upgrades of current implementations, 1866 MUST implement these recommendations. Vendors SHOULD provide 1867 mechanisms to assist the administrator to achieve these best 1868 practices. 1870 10.5.1. Shared Secrets 1872 TACACS+ servers and clients MUST treat shared secrets as sensitive 1873 data to be managed securely, as would be expected for other sensitive 1874 data such as identity credential information. TACACS+ servers MUST 1875 NOT leak sensitive data. For example, TACACS+ servers MUST NOT 1876 expose shared secrets in logs. 1878 TACACS+ servers MUST allow a dedicated secret key to be defined for 1879 each client. 1881 TACACS+ server management systems MUST provide a mechanism to track 1882 secret key lifetimes and notify administrators to update them 1883 periodically. TACACS+ server administrators SHOULD change secret 1884 keys at regular intervals. 1886 TACACS+ servers SHOULD warn administrators if secret keys are not 1887 unique per client. 1889 TACACS+ server administrators SHOULD always define a secret for each 1890 client. 1892 TACACS+ servers and clients MUST support shared keys that are at 1893 least 32 characters long. 1895 TACACS+ servers MUST support policy to define minimum complexity for 1896 shared keys. 1898 TACACS+ clients SHOULD NOT allow servers to be configured without 1899 shared secret key, or shared key that is less than 16 characters 1900 long. 1902 TACACS+ server administrators SHOULD configure secret keys of minimum 1903 16 characters length. 1905 10.5.2. Connections and Obfuscation 1907 TACACS+ servers MUST allow the definition of individual clients. The 1908 servers MUST only accept network connection attempts from these 1909 defined, known clients. 1911 TACACS+ servers MUST reject connections with 1912 TAC_PLUS_UNENCRYPTED_FLAG set. There MUST always be a shared secret 1913 set on the server for the client requesting the connection. 1915 If an invalid shared secret is detected when processing packets for a 1916 client, TACACS+ servers MUST NOT accept any new sessions on that 1917 connection. TACACS+ servers MUST terminate the connection on 1918 completion of any sessions that were previously established with a 1919 valid shared secret on that connection. 1921 TACACS+ clients MUST NOT set TAC_PLUS_UNENCRYPTED_FLAG. Clients MUST 1922 be implemented in a way that requires explicit configuration to 1923 enable the use of TAC_PLUS_UNENCRYPTED_FLAG, this option MUST NOT be 1924 used when the client is in production 1926 When a TACACS+ client receives responses from servers where: 1928 the response packet was received from the server configured with 1929 shared key, but the packet has TAC_PLUS_UNENCRYPTED_FLAG set. 1931 the response packet was received from the server configured not to 1932 use obfuscation, but the packet has TAC_PLUS_UNENCRYPTED_FLAG not 1933 set. 1935 then the TACACS+ client MUST close TCP session, and process the 1936 response in the same way that a TAC_PLUS_AUTHEN_STATUS_FAIL 1937 (authentication sessions) or TAC_PLUS_AUTHOR_STATUS_FAIL 1938 (authorization sessions) was received. 1940 10.5.3. Authentication 1942 To help TACACS+ administrators select less weak authentication 1943 options, TACACS+ servers MUST allow the administrator to configure 1944 the server to only accept challenge/response options for 1945 authentication (TAC_PLUS_AUTHEN_TYPE_CHAP or 1946 TAC_PLUS_AUTHEN_TYPE_MSCHAP or TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 for 1947 authen_type). 1949 TACACS+ server administrators SHOULD enable the option mentioned in 1950 the previous paragraph. TACACS+ Server deployments SHOULD ONLY 1951 enable other options (such as TAC_PLUS_AUTHEN_TYPE_ASCII or 1952 TAC_PLUS_AUTHEN_TYPE_PAP) when unavoidable due to requirements of 1953 identity/password systems. 1955 TACACS+ server administrators SHOULD NOT allow the same credentials 1956 to be applied in challenge-based (TAC_PLUS_AUTHEN_TYPE_CHAP or 1957 TAC_PLUS_AUTHEN_TYPE_MSCHAP or TAC_PLUS_AUTHEN_TYPE_MSCHAPV2) and non 1958 challenge-based authen_type options as the insecurity of the latter 1959 will compromise the security of the former. 1961 TAC_PLUS_AUTHEN_SENDAUTH and TAC_PLUS_AUTHEN_SENDPASS options 1962 mentioned in the original draft SHOULD NOT be used, due to their 1963 security implications. TACACS+ servers SHOULD NOT implement them. 1964 If they must be implemented, the servers MUST default to the options 1965 being disabled and MUST warn the administrator that these options are 1966 not secure. 1968 10.5.4. Authorization 1970 The authorization and accounting features are intended to provide 1971 extensibility and flexibility. There is a base dictionary defined in 1972 this document, but it may be extended in deployments by using new 1973 argument names. The cost of the flexibility is that administrators 1974 and implementers MUST ensure that the argument and value pairs shared 1975 between the clients and servers have consistent interpretation. 1977 TACACS+ clients that receive an unrecognized mandatory argument MUST 1978 evaluate server response as if they received 1979 TAC_PLUS_AUTHOR_STATUS_FAIL. 1981 10.5.5. Redirection Mechanism 1983 The original draft described a redirection mechanism 1984 (TAC_PLUS_AUTHEN_STATUS_FOLLOW). This feature is difficult to 1985 secure. The option to send secret keys in the server list is 1986 particularly insecure, as it can reveal client shared secrets. 1988 TACACS+ servers MUST deprecate the redirection mechanism. 1990 If the redirection mechanism is implemented then TACACS+ servers MUST 1991 disable it by default, and MUST warn TACACS+ server administrators 1992 that it must only be enabled within a secure deployment due to the 1993 risks of revealing shared secrets. 1995 TACACS+ clients SHOULD deprecate this feature by treating 1996 TAC_PLUS_AUTHEN_STATUS_FOLLOW as TAC_PLUS_AUTHEN_STATUS_FAIL. 1998 11. IANA Considerations 2000 This informational document describes TACACS+ protocol and its common 2001 deployments. There is no further consideration required from IANA. 2003 12. Acknowledgements 2005 The authors would like to thank the following reviewers whose 2006 comments and contributions made considerable improvements to the 2007 document: Alan DeKok, Alexander Clouter, Chris Janicki, Tom Petch, 2008 Robert Drake, John Heasley, among many others. 2010 The authors would particularly like to thank Alan DeKok, who provided 2011 significant insights and recommendations on all aspects of the 2012 document and the protocol. Alan DeKok has dedicated considerable 2013 time and effort to help improve the document, identifying weaknesses 2014 and providing remediation. 2016 The authors would also like to thank the support from the OPSAWG 2017 Chairs and advisors, especially Joe Clarke. 2019 13. References 2021 13.1. Normative References 2023 [RFC0020] Cerf, V., "ASCII format for network interchange", STD 80, 2024 RFC 20, DOI 10.17487/RFC0020, October 1969, 2025 . 2027 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 2028 April 1992. 2030 [RFC1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols", 2031 RFC 1334, DOI 10.17487/RFC1334, October 1992, 2032 . 2034 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2035 Requirement Levels", BCP 14, RFC 2119, 2036 DOI 10.17487/RFC2119, March 1997, 2037 . 2039 [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", 2040 RFC 2433, DOI 10.17487/RFC2433, October 1998, 2041 . 2043 [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", 2044 RFC 2759, DOI 10.17487/RFC2759, January 2000, 2045 . 2047 [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication 2048 Dial In User Service) Support For Extensible 2049 Authentication Protocol (EAP)", RFC 3579, 2050 DOI 10.17487/RFC3579, September 2003, 2051 . 2053 [RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller, 2054 "Randomness Requirements for Security", RFC 4086, 2055 DOI 10.17487/RFC4086, June 2005, 2056 . 2058 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 2059 Kerberos Network Authentication Service (V5)", RFC 4120, 2060 DOI 10.17487/RFC4120, July 2005, 2061 . 2063 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 2064 Address Text Representation", RFC 5952, 2065 DOI 10.17487/RFC5952, August 2010, 2066 . 2068 [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, 2069 Enforcement, and Comparison of Internationalized Strings 2070 Representing Usernames and Passwords", RFC 8265, 2071 DOI 10.17487/RFC8265, October 2017, 2072 . 2074 13.2. Informative References 2076 [TheDraft] 2077 Carrel, D. and L. Grant, "The TACACS+ Protocol Version 2078 1.78", June 1997, 2079 . 2081 [TZDB] Eggert, P. and A. Olson, "Sources for Time Zone and 2082 Daylight Saving Time Data", 1987, 2083 . 2085 Authors' Addresses 2087 Thorsten Dahm 2088 Google Inc 2089 1600 Amphitheatre Parkway 2090 Mountain View, CA 94043 2091 US 2093 EMail: thorstendlux@google.com 2095 Andrej Ota 2096 Google Inc 2097 1600 Amphitheatre Parkway 2098 Mountain View, CA 94043 2099 US 2101 EMail: andrej@ota.si 2102 Douglas C. Medway Gash 2103 Cisco Systems, Inc. 2104 170 West Tasman Dr. 2105 San Jose, CA 95134 2106 US 2108 EMail: dcmgash@cisco.com 2110 David Carrel 2111 vIPtela, Inc. 2112 1732 North First St. 2113 San Jose, CA 95112 2114 US 2116 EMail: dcarrel@viptela.com 2118 Lol Grant 2120 EMail: lol.grant@gmail.com