RFC 1492 (rfc1492) - Page 1 of 21
An Access Control Protocol, Sometimes Called TACACS
Alternative Format: Original Text Document
Network Working Group C. Finseth
Request for Comments: 1492 University of Minnesota
July 1993
An Access Control Protocol, Sometimes Called TACACS
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard. Distribution of this memo is
unlimited.
Background
There used to be a network called ARPANET. This network consisted of
end nodes (hosts), routing nodes (IMPs) and links. There were (at
least) two types of IMPs: those that connected dedicated lines only
and those that could accept dial up lines. The latter were called
"TIPs."
People being what they were, there was a desire to control who could
use the dial up lines. Someone invented a protocol, called "TACACS"
(Terminal Access Controller Access Control System?), which allowed a
TIP to accept a username and password and send a query to a TACACS
authentication server, sometimes called a TACACS daemon or simply
TACACSD. This server was normally a program running on a host. The
host would determine whether to accept or deny the request and sent a
response back. The TIP would then allow access or not, based upon
the response.
While TIPs are -- shall we say? -- no longer a major presence on the
Internet, terminal servers are. Cisco Systems terminal servers
implement an extended version of this TACACS protocol. Thus, the
access control decision is delegated to a host. In this way, the
process of making the decision is "opened up" and the algorithms and
data used to make the decision are under the complete control of
whoever is running the TACACS daemon. For example, "anyone with a
first name of Joe can only login after 10:00 PM Mon-Fri, unless his
last name is Smith or there is a Susan already logged in."
The extensions to the protocol provide for more types of
authentication requests and more types of response codes than were in
the original specification.
The original TACACS protocol specification does exist. However, due
to copyright issues, I was not able to obtain a copy of this document
Finseth
