NSI again removes services
Dean Anderson
dean at av8.com
Tue Oct 19 22:35:25 UTC 1999
Hmm. I always thought the unix tip command was a reference to tip and ring of phone line pairs. This sounds more likely... Something for Peter Salus...
--Dean
Around 12:36 PM 10/19/1999 -0700, rumor has it that hardie at equinix.com said:
>> TAC as in tacacs?
>
>Yep. The original TACACS specification was in a BBN technical
>memo, CC-0045; RFC 1492 contains an informal specification
>of the extended version that Cisco implemented. The background
>section of RFC 1492 gives a bit of the history:
>
>Background
>
> There used to be a network called ARPANET. This network consisted of
> end nodes (hosts), routing nodes (IMPs) and links. There were (at
> least) two types of IMPs: those that connected dedicated lines only
> and those that could accept dial up lines. The latter were called
> "TIPs."
>
> People being what they were, there was a desire to control who could
> use the dial up lines. Someone invented a protocol, called "TACACS"
> (Terminal Access Controller Access Control System?), which allowed a
> TIP to accept a username and password and send a query to a TACACS
> authentication server, sometimes called a TACACS daemon or simply
> TACACSD. This server was normally a program running on a host. The
> host would determine whether to accept or deny the request and sent a
> response back. The TIP would then allow access or not, based upon
> the response.
>
> While TIPs are -- shall we say? -- no longer a major presence on the
> Internet, terminal servers are. Cisco Systems terminal servers
> implement an extended version of this TACACS protocol. Thus, the
> access control decision is delegated to a host. In this way, the
> process of making the decision is "opened up" and the algorithms and
> data used to make the decision are under the complete control of
> whoever is running the TACACS daemon. For example, "anyone with a
> first name of Joe can only login after 10:00 PM Mon-Fri, unless his
> last name is Smith or there is a Susan already logged in."
>
> The extensions to the protocol provide for more types of
> authentication requests and more types of response codes than were in
> the original specification.
>
> The original TACACS protocol specification does exist. However, due
> to copyright issues, I was not able to obtain a copy of this document
> and this lack of access is the main reason for the writing of this
> document. This version of the specification was developed with the
> assistance of Cisco Systems, who has an implementation of the TACACS
> protocol that is believed to be compatible with the original
> specification. To be precise, the Cisco Systems implementation
> supports both the simple (non-extended) and extended versions. It is
> the simple version that would be compatible with the original.
>
> Please keep in mind that this is an informational RFC and does not
> specify a standard, and that more information may be uncovered in the
> future (i.e., the original specification may become available) that
> could cause parts of this document to be known to be incorrect.
>
> This RFC documents the extended TACACS protocol use by the Cisco
> Systems terminal servers. This same protocol is used by the
> University of Minnesota's distributed authentication system.
>
>
> regards,
> Ted Hardie
>
>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc dean at av8.com
LAN/WAN/UNIX/NT/TCPIP http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++