Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: NSI again removes services

  • From: hardie
  • Date: Tue Oct 19 15:48:48 1999

> TAC as in tacacs?

Yep.  The original TACACS specification was in a BBN technical
memo, CC-0045; RFC 1492 contains an informal specification
of the extended version that Cisco implemented.  The background
section of RFC 1492 gives a bit of the history:

Background

  There used to be a network called ARPANET.  This network consisted of
  end nodes (hosts), routing nodes (IMPs) and links.  There were (at
  least) two types of IMPs: those that connected dedicated lines only
  and those that could accept dial up lines.  The latter were called
  "TIPs."

  People being what they were, there was a desire to control who could
  use the dial up lines.  Someone invented a protocol, called "TACACS"
  (Terminal Access Controller Access Control System?), which allowed a
  TIP to accept a username and password and send a query to a TACACS
  authentication server, sometimes called a TACACS daemon or simply
  TACACSD.  This server was normally a program running on a host. The
  host would determine whether to accept or deny the request and sent a
  response back.  The TIP would then allow access or not, based upon
  the response.

  While TIPs are -- shall we say? -- no longer a major presence on the
  Internet, terminal servers are.  Cisco Systems terminal servers
  implement an extended version of this TACACS protocol.  Thus, the
  access control decision is delegated to a host.  In this way, the
  process of making the decision is "opened up" and the algorithms and
  data used to make the decision are under the complete control of
  whoever is running the TACACS daemon.  For example, "anyone with a
  first name of Joe can only login after 10:00 PM Mon-Fri, unless his
  last name is Smith or there is a Susan already logged in."

  The extensions to the protocol provide for more types of
  authentication requests and more types of response codes than were in
  the original specification.

  The original TACACS protocol specification does exist.  However, due
  to copyright issues, I was not able to obtain a copy of this document
  and this lack of access is the main reason for the writing of this
  document.  This version of the specification was developed with the
  assistance of Cisco Systems, who has an implementation of the TACACS
  protocol that is believed to be compatible with the original
  specification.  To be precise, the Cisco Systems implementation
  supports both the simple (non-extended) and extended versions.  It is
  the simple version that would be compatible with the original.

  Please keep in mind that this is an informational RFC and does not
  specify a standard, and that more information may be uncovered in the
  future (i.e., the original specification may become available) that
  could cause parts of this document to be known to be incorrect.

  This RFC documents the extended TACACS protocol use by the Cisco
  Systems terminal servers.  This same protocol is used by the
  University of Minnesota's distributed authentication system.


			regards,
				Ted Hardie





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.