1. Introduction
"The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol" [RFC8907] provides device administration for routers, network access servers, and other networked computing devices via one or more centralized TACACS+ servers. The protocol provides authentication, authorization, and accounting services (AAA) for TACACS+ clients within the device administration use case.
The content of the protocol is highly sensitive and requires secure transport to safeguard a deployment. However, TACACS+ lacks effective confidentiality, integrity, and authentication of the connection and network traffic between the TACACS+ server and client. The security mechanisms as described in Section 4.5 of [RFC8907] are extremely weak.
To address these deficiencies, this document updates the TACACS+ protocol to use TLS 1.3 authentication and encryption [RFC8446], and obsoletes the use of TACACS+ obfuscation mechanisms. The maturity of TLS in version 1.3 and above makes it a suitable choice for the TACACS+ protocol.
2. Technical Definitions
The terms defined in Section 3 of [RFC8907] are fully applicable here and will not be repeated. The following terms are also used in this document.
Obfuscation: TACACS+ was originally intended to incorporate a mechanism for securing the body of its packets. The algorithm is categorized as obfuscation in Section 10.5.2 of [RFC8907]. The term is used to ensure that the algorithm is not mistaken for encryption. It should not be considered secure.
Non-TLS connection: This term refers to the connection defined in [RFC8907]. It is a connection without TLS, using the insecure TACACS+ authentication and obfuscation (or the unobfuscated option for testing). The use of well-known TCP/IP host port number 49 is specified as the default for non-TLS connections.
TLS connection: A TLS connection is a TCP/IP connection with TLS authentication and encryption used by TACACS+ for transport. A TLS connection for TACACS+ is always between one TACACS+ client and one TACACS+ server.
TLS TACACS+ server: This document describes a variant of the TACACS+ server, introduced in Section 3.2 of [RFC8907], which utilizes TLS for transport, and makes some associated protocol optimizations. Both server variants respond to TACACS+ traffic, but this document specifically defines a TACACS+ server (whether TLS or non-TLS) as being bound to a specific port number on a particular IP address or hostname. This definition is important in the context of the configuration of TACACS+ clients to ensure they direct their traffic to the correct TACACS+ servers.
Peer: The peer of a TACACS+ client (or server), in the context of a TACACS+ connection, is a TACACS+ server (or client). Together, the ends of a TACACS+ connection are referred to as peers.
2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.