

An Access Control Protocol, Sometimes Called TACACS






RFC 1492                         TACACS                        July 1993


   and this lack of access is the main reason for the writing of this
   document.  This version of the specification was developed with the
   assistance of Cisco Systems, which has an implementation of the TACACS
   protocol that is believed to be compatible with the original
   specification.  To be precise, the Cisco Systems implementation
   supports both the simple (non-extended) and extended versions.  It is
   the simple version that would be compatible with the original.

   Please keep in mind that this is an informational RFC and does not
   specify a standard, and that more information may be uncovered in the
   future (i.e., the original specification may become available) that
   could cause parts of this document to be known to be incorrect.

   This RFC documents the extended TACACS protocol used by the Cisco
   Systems terminal servers.  This same protocol is used by the
   University of Minnesota's distributed authentication system.

1. Protocol Semantics

   This section will describe the requests and responses.  The following
   two sections will describe two different ways of encoding the
   protocol.

   A request/response pair is the basic unit of interaction.  In this
   pair, the client sends a request and the server replies with a
   response.  All requests must be acknowledged with a response.  This
   requirement implies that all requests can be denied, although it is
   probably futile to attempt to deny a "logout" request.

1.1 Connections

   In some cases, a string of request/response pairs forms a larger
   unit, called a "connection."

   There are three types of connections:

   1) Authenticate only, no connection:

           client:  sends an AUTH packet
           server:  responds with a REPLY











Finseth