Skip to main content

RFC 9887 - Terminal Access Controller Access-Control System Plus (TACACS+) over TLS 1.3

Document Information

  • RFC Number: 9887
  • Title: Terminal Access Controller Access-Control System Plus (TACACS+) over TLS 1.3
  • Publication Date: December 2025
  • Status: PROPOSED STANDARD
  • Authors:
    • T. Dahm
    • J. Heasley (NTT)
    • D. C. Medway Gash (Cisco Systems, Inc.)
    • A. Ota (Google Inc.)

Abstract

This document specifies the use of Transport Layer Security (TLS) version 1.3 to secure the communication channel between a Terminal Access Controller Access-Control System Plus (TACACS+) client and server. TACACS+ is a protocol used for Authentication, Authorization, and Accounting (AAA) in networked environments. The original TACACS+ protocol does not mandate the use of encryption or secure transport. This specification defines a profile for using TLS 1.3 with TACACS+, including guidance on authentication, connection establishment, and operational considerations. The goal is to enhance the confidentiality, integrity, and authenticity of TACACS+ traffic, aligning the protocol with modern security best practices.

This document updates RFC 8907.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at ````https://www.rfc-editor.org/info/rfc9887\````.

Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (````https://trustee.ietf.org/license-info\````) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

Document Overview

This RFC document defines how to use TLS 1.3 encryption to protect the TACACS+ protocol, significantly enhancing the security of network device management and administration. This specification updates RFC 8907 by:

  • Mandating TLS 1.3 as the minimum version for secure transport
  • Obsoleting MD5-based obfuscation mechanisms
  • Defining a new well-known port (300) for TLS TACACS+ traffic
  • Providing comprehensive guidance on certificate-based and PSK authentication

Key Technical Requirements

  • Mandatory TLS 1.3: Earlier TLS versions MUST NOT be used
  • Mutual Authentication: Both client and server must authenticate each other
  • Port Separation: TLS traffic (port 300) must be separate from non-TLS traffic (port 49)
  • No Fallback: Clients MUST NOT fall back to non-TLS connections
  • No 0-RTT: Early data MUST NOT be sent to prevent replay attacks

Reading Guide

For implementers and operators, the recommended reading order is:

  1. Section 1 - Introduction: Understand the motivation and scope
  2. Section 3 - TACACS+ over TLS: Core technical specifications
  3. Section 5 - Security Considerations: Critical security requirements
  4. Section 6 - Operational Considerations: Migration and deployment guidance

For a quick overview, read the Abstract and Section 1, then focus on Section 3.1 and 3.2 for connection establishment basics.

Implementation Status: This document is a Standards Track RFC and represents the consensus of the IETF community.