TACACS
Description Glossary RFCs Publications Obsolete RFCs

Description:

Protocol suite:TCP/IP.
Type:Application layer protocol.
Port: 49 (UDP).
MAC header IP header UDP header TACACS packet

TACACS, Simple form.

0001020304050607 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Version Type Nonce
Username length / Response Password length / Reason Data :::

TACACS, Extended form.

0001020304050607 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Version Type Nonce
Username length Password length Response Reason
Result 1
Destination address
Destination port Line
Result 2
Result 3 Data :::

Version. 8 bits.
Must be set to 0 for simple form, 128 for extended form.

Type. 8 bits.

TypeDescription
0 
1 LOGIN.
2 RESPONSE (server to client only).
3 CHANGE.
4 FOLLOW.
5 CONNECT. 
6 SUPERUSER. 
7 LOGOUT.
8 RELOAD. 
9 SLIPON. 
10 SLIPOFF. 
11 SLIPADDR.
12
-
128		  
129
-
255		 Local use.

Nonce. 16 bits.
Set by the client to an arbitrary value. It allows clients that may have multiple outstanding requests to identify which request a response is for. The server must copy this value to the reply unaltered.

Username length. 8 bits, 0 to 255.
Set by the client to the length of the username in characters. The server must copy this value to the reply unaltered.

Response. 8 bits.
The server sets the value to one of the following:

ResponseDescription
0Accepted.
1 Rejected.

Password length. 8 bits, 0 to 255.
Set by the client to the length of the password in characters. The server must copy this value to the reply unaltered.

Reason. 8 bits.

ReasonDescription
0 
1 Expiring.
2 Password.
3 Denied.
4 Quit.
5 Idle.
6 Drop.
7 Bad.

Result 1. 32 bits.
Cleared by the client to zero. For LOGIN or CONNECT requests, it is set by the server as specified in the request description. For all other requests, it should be cleared by the server to zero.

Destination address. 32 bits.
Set by the client. On CONNECT, SLIPON, and SLIPOFF requests it specifies an IP address. It should be set to zero on all other requests. For SLIPON and SLIPOFF request, this value should be the IP address assigned to the line. For CONNECT requests, this value is the IP address of the host that the user is attempting to connect to. The server copies this value to the reply.

Destination port. 16 bits.
Set by the client. On CONNECT requests it specifies the port number that the user is attempting to connect to. It should be set to zero on all other requests. The server copies this value to the reply.

Line. 16 bits.
Set by the client to the line number that the request is for. The server copies this value to the reply.

Result 2. 32 bits.
Set by the client to zero. For LOGIN or CONNECT requests, it is set by the server as specified in the request description. For all other requests, it should be set by the server to zero.

Result 3. 16 bits.
Set by the client to zero. For LOGIN or CONNECT requests, it is set by the server as specified in the request description. For all other requests, it should be set by the server to zero.

Data. Variable length.
Contains just the text of the username and password, with no separator characters (you use username length and password length to sort them out). The server does not copy the values to the reply. (However, the server does copy the username length and password length fields to the reply.) The username data may be in upper case. Comparisons should be case-insensitive.

Glossary:

RFCs:

[RFC 1492] An Access Control Protocol, Sometimes Called TACACS.

Description Glossary RFCs Publications Obsolete RFCs