North American Network Operators Group


Re: NSI again removes services

  • From: Dean Anderson
  • Date: Tue Oct 19 18:57:28 1999

Hmm. I always thought the unix tip command was a reference to tip and ring of phone line pairs.  This sounds more likely...  Something for Peter Salus...


Around 12:36 PM 10/19/1999 -0700, rumor has it that [email protected] said:
>> TAC as in tacacs?
>Yep.  The original TACACS specification was in a BBN technical
>memo, CC-0045; RFC 1492 contains an informal specification
>of the extended version that Cisco implemented.  The background
>section of RFC 1492 gives a bit of the history:
>  There used to be a network called ARPANET.  This network consisted of
>  end nodes (hosts), routing nodes (IMPs) and links.  There were (at
>  least) two types of IMPs: those that connected dedicated lines only
>  and those that could accept dial up lines.  The latter were called
>  "TIPs."
>  People being what they were, there was a desire to control who could
>  use the dial up lines.  Someone invented a protocol, called "TACACS"
>  (Terminal Access Controller Access Control System?), which allowed a
>  TIP to accept a username and password and send a query to a TACACS
>  authentication server, sometimes called a TACACS daemon or simply
>  TACACSD.  This server was normally a program running on a host. The
>  host would determine whether to accept or deny the request and sent a
>  response back.  The TIP would then allow access or not, based upon
>  the response.
>  While TIPs are -- shall we say? -- no longer a major presence on the
>  Internet, terminal servers are.  Cisco Systems terminal servers
>  implement an extended version of this TACACS protocol.  Thus, the
>  access control decision is delegated to a host.  In this way, the
>  process of making the decision is "opened up" and the algorithms and
>  data used to make the decision are under the complete control of
>  whoever is running the TACACS daemon.  For example, "anyone with a
>  first name of Joe can only login after 10:00 PM Mon-Fri, unless his
>  last name is Smith or there is a Susan already logged in."
>  The extensions to the protocol provide for more types of
>  authentication requests and more types of response codes than were in
>  the original specification.
>  The original TACACS protocol specification does exist.  However, due
>  to copyright issues, I was not able to obtain a copy of this document
>  and this lack of access is the main reason for the writing of this
>  document.  This version of the specification was developed with the
>  assistance of Cisco Systems, who has an implementation of the TACACS
>  protocol that is believed to be compatible with the original
>  specification.  To be precise, the Cisco Systems implementation
>  supports both the simple (non-extended) and extended versions.  It is
>  the simple version that would be compatible with the original.
>  Please keep in mind that this is an informational RFC and does not
>  specify a standard, and that more information may be uncovered in the
>  future (i.e., the original specification may become available) that
>  could cause parts of this document to be known to be incorrect.
>  This RFC documents the extended TACACS protocol use by the Cisco
>  Systems terminal servers.  This same protocol is used by the
>  University of Minnesota's distributed authentication system.
>			regards,
>				Ted Hardie
           Plain Aviation, Inc                  [email protected]
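The delegated-decision model the quoted RFC 1492 excerpt describes, with its "Joe / Smith / Susan" rule worked through as daemon-side policy, as an added Python example that is not part of this message or of RFC 1492; the `first.last` username convention, the credential table, the `decide` function name and the timestamps are constructed for illustration.

```python
from datetime import datetime, time

# Constructed credential table: what the TACACS daemon, not the TIP, holds.
CREDENTIALS = {"joe.jones": "pw1", "joe.smith": "pw2",
               "susan.lee": "pw3", "ann.doe": "pw4"}

def first_last(username: str) -> tuple[str, str]:
    """Assumed naming convention: 'first.last', compared case-insensitively."""
    first, _, last = username.lower().partition(".")
    return first, last

def verify_password(username: str, password: str) -> bool:
    """The credential check; in a real daemon this would be a hashed compare."""
    return CREDENTIALS.get(username) == password

def policy_allows(username: str, now: datetime, active_users: set[str]) -> bool:
    """The example rule from RFC 1492's background section:
    anyone with first name Joe may only log in after 10:00 PM Mon-Fri,
    unless his last name is Smith or a Susan is already logged in.
    'After 10:00 PM' is taken here as clock time >= 22:00 (assumption)."""
    first, last = first_last(username)
    if first != "joe":
        return True
    if last == "smith":
        return True
    if any(first_last(u)[0] == "susan" for u in active_users):
        return True
    return now.weekday() < 5 and now.time() >= time(22, 0)

def decide(username: str, password: str, now: datetime,
           active_users: set[str]) -> tuple[bool, str]:
    """Daemon-side accept/deny; the TIP only relays the answer.
    Credentials are checked first so a policy reason is never leaked to a
    caller who could not authenticate."""
    if not verify_password(username, password):
        return False, "bad credentials"
    if not policy_allows(username, now, active_users):
        return False, "denied by site policy"
    return True, "accepted"

if __name__ == "__main__":
    # Constructed timestamp matching this message's posting time.
    print(decide("joe.jones", "pw1", datetime(1999, 10, 19, 18, 57), set()))
```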