TACACS


Description:

Protocol suite: TCP/IP.
Protocol type: Application layer protocol.
Multicast addresses:
Ports: 49 (UDP).
URI:
MIME subtype:
SNMP MIBs:
Working groups:
Links: wiki: TACACS.

Encapsulation: MAC header | IP header | UDP header | TACACS packet

TACACS, Simple form.

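 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|    Version    |     Type      |             Nonce             |
+---------------+---------------+-------------------------------+
|Username length|Password length|           Data :::
|  / Response   |   / Reason    |
+---------------+---------------+-------------------------------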

TACACS, Extended form.

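 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|    Version    |     Type      |             Nonce             |
+---------------+---------------+---------------+---------------+
|Username length|Password length|   Response    |    Reason     |
+---------------+---------------+---------------+---------------+
|                           Result 1                            |
+---------------------------------------------------------------+
|                      Destination address                      |
+-------------------------------+-------------------------------+
|       Destination port        |             Line              |
+-------------------------------+-------------------------------+
|                           Result 2                            |
+-------------------------------+-------------------------------+
|           Result 3            |           Data :::
+-------------------------------+-------------------------------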

Version. 8 bits.
Must be set to 0 for simple form, 128 for extended form.

Type. 8 bits.

Type      Description
0
1         LOGIN.
2         RESPONSE (server to client only).
3         CHANGE.
4         FOLLOW.
5         CONNECT.
6         SUPERUSER.
7         LOGOUT.
8         RELOAD.
9         SLIPON.
10        SLIPOFF.
11        SLIPADDR.
12-128
129-255   Local use.

Nonce. 16 bits.
Set by the client to an arbitrary value. It allows clients that may have multiple outstanding requests to identify which request a response is for. The server must copy this value to the reply unaltered.

Username length. 8 bits, 0 to 255.
Set by the client to the length of the username in characters. The server must copy this value to the reply unaltered.

Response. 8 bits.
The server sets the value to one of the following:

Response  Description
0         Accepted.
1         Rejected.

Password length. 8 bits, 0 to 255.
Set by the client to the length of the password in characters. The server must copy this value to the reply unaltered.

Reason. 8 bits.

Reason    Description
0
1         Expiring.
2         Password.
3         Denied.
4         Quit.
5         Idle.
6         Drop.
7         Bad.

Result 1. 32 bits.
Cleared by the client to zero. For LOGIN or CONNECT requests, it is set by the server as specified in the request description. For all other requests, it should be cleared by the server to zero.

Destination address. 32 bits.
Set by the client. On CONNECT, SLIPON, and SLIPOFF requests it specifies an IP address. It should be set to zero on all other requests. For SLIPON and SLIPOFF requests, this value should be the IP address assigned to the line. For CONNECT requests, this value is the IP address of the host that the user is attempting to connect to. The server copies this value to the reply.

Destination port. 16 bits.
Set by the client. On CONNECT requests it specifies the port number that the user is attempting to connect to. It should be set to zero on all other requests. The server copies this value to the reply.

Line. 16 bits.
Set by the client to the line number that the request is for. The server copies this value to the reply.

Result 2. 32 bits.
Set by the client to zero. For LOGIN or CONNECT requests, it is set by the server as specified in the request description. For all other requests, it should be set by the server to zero.

Result 3. 16 bits.
Set by the client to zero. For LOGIN or CONNECT requests, it is set by the server as specified in the request description. For all other requests, it should be set by the server to zero.

Data. Variable length.
Contains just the text of the username and password, with no separator characters (you use username length and password length to sort them out). The server does not copy the values to the reply. (However, the server does copy the username length and password length fields to the reply.) The username data may be in upper case. Comparisons should be case-insensitive.
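
Added example (not part of the original page or of RFC 1492): a Python decoder for both packet forms described above, which rejects packets whose length octets overrun the Data field, the only framing the username and password text have. Treating Type 2 (RESPONSE) as the reply marker in both forms and decoding the text as Latin-1 are assumptions of this example; the sample payloads are constructed.

```python
import socket
import struct

# Type codes and Version values as listed on this page.
TYPES = {1: "LOGIN", 2: "RESPONSE", 3: "CHANGE", 4: "FOLLOW", 5: "CONNECT",
         6: "SUPERUSER", 7: "LOGOUT", 8: "RELOAD", 9: "SLIPON",
         10: "SLIPOFF", 11: "SLIPADDR"}
SIMPLE, EXTENDED = 0, 128


def parse_tacacs(payload: bytes) -> dict:
    """Decode one TACACS UDP payload; raise ValueError if malformed."""
    if len(payload) < 6:
        raise ValueError("shorter than the 6-byte simple-form header")
    version, ptype, nonce, b4, b5 = struct.unpack_from("!BBHBB", payload)
    pkt = {"version": version, "type": TYPES.get(ptype, ptype), "nonce": nonce}
    is_reply = ptype == 2  # assumption: RESPONSE marks a server reply
    if version == SIMPLE:
        hdr = 6
        if is_reply:  # in simple replies these octets are Response/Reason
            pkt.update(response=b4, reason=b5)
    elif version == EXTENDED:
        hdr = 26
        if len(payload) < hdr:
            raise ValueError("shorter than the 26-byte extended-form header")
        resp, reason, r1, daddr, dport, line, r2, r3 = struct.unpack_from(
            "!BBI4sHHIH", payload, 6)
        pkt.update(response=resp, reason=reason, result1=r1,
                   dest_addr=socket.inet_ntoa(daddr), dest_port=dport,
                   line=line, result2=r2, result3=r3)
    else:
        raise ValueError(f"unknown Version {version}")
    if is_reply:  # replies echo the lengths but not the text itself
        return pkt
    # Data is username then password with no separator: check the two
    # length octets against the bytes actually present before slicing.
    data = payload[hdr:]
    if b4 + b5 > len(data):
        raise ValueError("username/password lengths exceed Data field")
    pkt["username"] = data[:b4].decode("latin-1")
    pkt["password"] = data[b4:b4 + b5].decode("latin-1")
    return pkt


# Constructed sample payloads (not captured traffic).
SIMPLE_LOGIN = struct.pack("!BBHBB", 0, 1, 0x1234, 5, 6) + b"ALICE" + b"s3cret"
SIMPLE_REPLY = struct.pack("!BBHBB", 0, 2, 0x1234, 1, 3)  # Rejected, Denied
EXT_CONNECT = struct.pack("!BBHBBBBI4sHHIH", 128, 5, 0xBEEF, 3, 2, 0, 0, 0,
                          bytes([192, 0, 2, 10]), 23, 4, 0, 0) + b"bobpw"
TRUNCATED = SIMPLE_LOGIN[:-3]  # lengths claim 11 bytes, only 8 remain
```

Calling parse_tacacs(SIMPLE_LOGIN) returns the username and password as readable text, since the Data field carries both unmodified.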


RFCs:

[RFC 1492] An Access Control Protocol, Sometimes Called TACACS.

