
An Access Control Protocol, Sometimes Called TACACS (RFC1492)

IP.com Disclosure Number: IPCOM000002320D
Original Publication Date: 1993-Jul-01
Included in the Prior Art Database: 2000-Sep-12
Document File: 17 page(s) / 39K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

C. Finseth: AUTHOR

Abstract

There used to be a network called ARPANET. This network consisted of end nodes (hosts), routing nodes (IMPs) and links. There were (at least) two types of IMPs: those that connected dedicated lines only and those that could accept dial up lines. The latter were called "TIPs."

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 8% of the total text.

Network Working Group                                          C. Finseth
Request for Comments: 1492                        University of Minnesota
                                                               July 1993

An Access Control Protocol, Sometimes Called TACACS

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard. Distribution of this memo is unlimited.

Background

There used to be a network called ARPANET. This network consisted of end nodes (hosts), routing nodes (IMPs) and links. There were (at least) two types of IMPs: those that connected dedicated lines only and those that could accept dial up lines. The latter were called "TIPs."

People being what they were, there was a desire to control who could use the dial up lines. Someone invented a protocol, called "TACACS" (Terminal Access Controller Access Control System?), which allowed a TIP to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. This server was normally a program running on a host. The host would determine whether to accept or deny the request and send a response back. The TIP would then allow access or not, based upon the response.

While TIPs are -- shall we say? -- no longer a major presence on the Internet, terminal servers are. Cisco Systems terminal servers implement an extended version of this TACACS protocol. Thus, the access control decision is delegated to a host. In this way, the process of making the decision is "opened up" and the algorithms and data used to make the decision are under the complete control of whoever is running the TACACS daemon. For example, "anyone with a first name of Joe can only login after 10:00 PM Mon-Fri, unless his last name is Smith or there is a Susan already logged in."
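The delegation described above, with the RFC's own "Joe" rule implemented as the daemon's local policy, as an added example that is not code from RFC 1492 or from any TACACS implementation. The split between the terminal server (which only collects credentials and obeys the answer) and the daemon (which authenticates and then applies whatever policy its operator wrote) is the point being illustrated. The `first.last` username convention, the sample credential store, the ACCEPT/REJECT strings and the reading of "after 10:00 PM Mon-Fri" as "a weekday and 22:00 or later" are all assumptions made for this example; the abbreviated text gives no wire format, so none is modelled.

```python
"""Simulated TACACS-style delegated access control decision (added example)."""
from datetime import datetime
from hmac import compare_digest

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed sample credential store: username -> password (ASCII only, so
# compare_digest can be used on the strings directly).
CREDENTIALS = {
    "joe.adams": "pw-joe",
    "joe.smith": "pw-smith",
    "susan.lee": "pw-susan",
}


def first_last(username):
    """Assumed username convention for this example: 'first.last'."""
    first, _, last = username.partition(".")
    return first.lower(), last.lower()


class TacacsDaemon:
    """The host side: authenticates, then applies the operator's policy."""

    def __init__(self, credentials, active_sessions=None):
        self.credentials = credentials
        # Usernames currently logged in; state the daemon keeps for its policy.
        self.active_sessions = set(active_sessions or ())

    def decide(self, username, password, when):
        # Step 1: authentication. Unknown user and wrong password are rejected
        # identically, so the answer does not reveal which one failed.
        expected = self.credentials.get(username)
        if expected is None or not compare_digest(expected, password):
            return REJECT
        # Step 2: authorization by whatever rule the daemon operator chose.
        if not self.policy(username, when):
            return REJECT
        self.active_sessions.add(username)
        return ACCEPT

    def policy(self, username, when):
        """The RFC's illustrative rule: anyone with a first name of Joe can only
        log in after 10:00 PM Mon-Fri, unless his last name is Smith or there
        is a Susan already logged in."""
        first, last = first_last(username)
        if first != "joe":
            return True                      # rule only constrains Joes
        if last == "smith":
            return True                      # exemption by last name
        if any(first_last(u)[0] == "susan" for u in self.active_sessions):
            return True                      # exemption by a Susan being present
        is_weekday = when.weekday() < 5      # Monday..Friday
        return is_weekday and when.hour >= 22


class Tip:
    """The terminal-server side: it makes no decision of its own."""

    def __init__(self, daemon):
        self.daemon = daemon

    def login(self, username, password, when):
        # Forward the credentials, grant or refuse access purely on the reply.
        return self.daemon.decide(username, password, when) == ACCEPT


if __name__ == "__main__":
    tip = Tip(TacacsDaemon(CREDENTIALS))
    wed_evening = datetime(2023, 6, 14, 21, 0)   # a Wednesday, 21:00
    print("joe.adams at 21:00:", tip.login("joe.adams", "pw-joe", wed_evening))
    print("susan.lee at 21:00:", tip.login("susan.lee", "pw-susan", wed_evening))
    print("joe.adams after Susan:", tip.login("joe.adams", "pw-joe", wed_evening))
```

Because the rule lives entirely in `TacacsDaemon.policy`, changing it (or the data it consults) needs no change on the terminal server; that is what the text means by the decision being "opened up".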

The extensions to the protocol provide for more types of authentication requests and more types of response codes than were in the original specification.

The original TACACS protocol specification does exist. However, due to copyright issues, I was not able to obtain a copy of this document and this lack of access is the main reason for the writing of this document. This version of the specification was developed with the assistance of Cisco Systems, who has an implementation of the TACACS protocol that is believed to be compatible with the original specification. To be precise, the Cisco Systems implementation supports both the simple (non-extended) and extended versions. It is the simple version that would be compatible with the original.

Please keep in mind that this is an informational RFC and does not specify a standard, and that more information may be uncovered in the future (i.e., the original specification may become available) that could cause parts of this document to be known to be incorrect.

This RF...