The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol
RFC 8907

Document Type RFC - Informational (September 2020; No errata)
Authors Thorsten Dahm  , Andrej Ota  ,  , David Carrel  , Lol Grant 
Last updated 2020-09-30
Replaces draft-dahm-opsawg-tacacs
Stream IETF
Formats plain text html xml pdf htmlized bibtex
Stream WG state Submitted to IESG for Publication
Document shepherd Joe Clarke
Shepherd write-up Show (last changed 2019-03-27)
IESG IESG state RFC 8907 (Informational)
Consensus Boilerplate Yes
Telechat date
Responsible AD Warren Kumari
Send notices to, Joe Clarke <>
IANA IANA review state Version Changed - Review Needed
IANA action state No IANA Actions

Internet Engineering Task Force (IETF)                           T. Dahm
Request for Comments: 8907                                        A. Ota
Category: Informational                                      Google Inc.
ISSN: 2070-1721                                         D.C. Medway Gash
                                                     Cisco Systems, Inc.
                                                               D. Carrel
                                                          IPsec Research
                                                                L. Grant
                                                          September 2020

  The Terminal Access Controller Access-Control System Plus (TACACS+)


   This document describes the Terminal Access Controller Access-Control
   System Plus (TACACS+) protocol, which is widely deployed today to
   provide Device Administration for routers, network access servers,
   and other networked computing devices via one or more centralized

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are candidates for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
   2.  Conventions
   3.  Technical Definitions
     3.1.  Client
     3.2.  Server
     3.3.  Packet
     3.4.  Connection
     3.5.  Session
     3.6.  Treatment of Enumerated Protocol Values
     3.7.  Treatment of Text Strings
   4.  TACACS+ Packets and Sessions
     4.1.  The TACACS+ Packet Header
     4.2.  The TACACS+ Packet Body
     4.3.  Single Connection Mode
     4.4.  Session Completion
     4.5.  Data Obfuscation
   5.  Authentication
     5.1.  The Authentication START Packet Body
     5.2.  The Authentication REPLY Packet Body
     5.3.  The Authentication CONTINUE Packet Body
     5.4.  Description of Authentication Process
       5.4.1.  Version Behavior
       5.4.2.  Common Authentication Flows
       5.4.3.  Aborting an Authentication Session
   6.  Authorization
     6.1.  The Authorization REQUEST Packet Body
     6.2.  The Authorization REPLY Packet Body
   7.  Accounting
     7.1.  The Account REQUEST Packet Body
     7.2.  The Accounting REPLY Packet Body
   8.  Argument-Value Pairs
     8.1.  Value Encoding
     8.2.  Authorization Arguments
     8.3.  Accounting Arguments
   9.  Privilege Levels
   10. Security Considerations
     10.1.  General Security of the Protocol
     10.2.  Security of Authentication Sessions
     10.3.  Security of Authorization Sessions
     10.4.  Security of Accounting Sessions
     10.5.  TACACS+ Best Practices
       10.5.1.  Shared Secrets
       10.5.2.  Connections and Obfuscation
       10.5.3.  Authentication
       10.5.4.  Authorization
       10.5.5.  Redirection Mechanism
   11. IANA Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document describes the Terminal Access Controller Access-Control
Show full document text