TACACS+ Client Test Suite Data Sheet
Test Suite: TACACS+ Client Test Suite
Direction: Client

TACACS+ provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services (AAA). Since robust AAA is vital for the smooth functioning of society, the dependability of TACACS+ implementations must be verified. This test suite can be used to test TACACS+ Client implementations for security flaws and robustness problems.

Used specifications

| Specification | Title |
| --- | --- |
| draft-grant-tacacs-02 | The TACACS+ Protocol |
| draft-ietf-opsawg-tacacs-05 | The TACACS+ Protocol |

Tool-specific information

| Tested messages | Specifications | Notes |
| --- | --- | --- |
| Authentication REPLY | draft-grant-tacacs-02 | |
| Authorization RESPONSE | draft-grant-tacacs-02 | |
| Accounting REPLY | draft-grant-tacacs-02 | |

| Supported protocol features | Specifications | Notes |
| --- | --- | --- |
| Transport over TCP | draft-grant-tacacs-02 | |
| TACACS+ encryption | draft-grant-tacacs-02 | The TACACS+ encryption scheme is based on MD5 and was already considered insecure in 2000. The 'main security feature' is a shared key and a 4-octet session ID field that may be random but is not required to be. In fact, the latest draft (draft-ietf-opsawg-tacacs-06) defines the encryption as obfuscation. |
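Added example, not part of the data sheet or the test suite: the body obfuscation as the TACACS+ drafts define it (an MD5 chain over session ID, shared key, version and sequence number), showing that two sessions with the same session ID are protected by the identical pad. The key, session IDs and message bodies are constructed sample values, and `pad_reused` is a hypothetical helper name.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0  # major version 0xc, minor version 0


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int,
               version: int = TAC_PLUS_VERSION) -> bytes:
    """MD5 chain: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call reverses the operation."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad_reused(key, sid_a, sid_b, body_a, body_b, seq_no=2) -> bool:
    """True when the two obfuscated bodies XOR to the XOR of the plaintexts,
    i.e. both sessions were protected with the identical pad."""
    c_a = obfuscate(body_a, sid_a, key, seq_no)
    c_b = obfuscate(body_b, sid_b, key, seq_no)
    return xor(c_a, c_b) == xor(body_a, body_b)


if __name__ == "__main__":
    KEY = b"constructed-shared-key"          # constructed sample values
    BODY_A = b"constructed reply body number one"
    BODY_B = b"constructed reply body number two"
    print("same session ID, pad reused:", pad_reused(KEY, 7, 7, BODY_A, BODY_B))
    print("fresh session ID, pad reused:", pad_reused(KEY, 7, 0x5EED1234, BODY_A, BODY_B))
```

With a fixed key, the pad depends only on the session ID and sequence number, so the session ID is the sole per-session input and its randomness is what keeps pads from repeating.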

Supported SafeGuard Checks

Insufficient Randomness

Test tool general features
  • Fully automated black-box negative testing
  • Ready-made test cases
  • Written in Java(tm)
  • GUI, command line and remote interface modes
  • Instrumentation (health-check) capability
  • Support and maintenance
  • Comprehensive user documentation
  • Results reporting and analysis