This document describes the current implementation of of the TACACS+ protocol. It does not change or add new functionality intended to address existing and well documented shortcomings of the protocol, especially on the security side. TACACS+ is widely deployed and is expected to stay deployed for a foreseeable future, and therefore any future extensions work would benefit from having a stable reference to the current functional specification.
Working Group Summary
The WG process was long for this document, initially resulting from the change of focus to the documentation of existing TACACS+ protocol as deployed and leaving the development of new functionality for further time. There were disagreements on whether the document should be progressed at all, what the intended status should be, and on a notable number of technical details. Eventually the consensus on what should go into the document and what the intended status should be was reached.
Multiple commercial and opensource implementations of the TACACS+ protocol exist, as well as an extensive operational experience with it. Over time there have been several detailed reviews of the document by WG members, as well as feedback from implementation experience.
Joe Clarke is the Document Shepherd for this document. Ignas Bagdonas is the Responsible Area Director.
RFC Editor Note
RFC Editor Note
Please update the following sentence in Section 6.1:
KRB5 and KRB4 are Kerberos version 5 and 4.
KRB5 [RFC4120] and KRB4  are Kerberos version 5 and 4.
And please add the following Informative References:
 Miller, S., Neuman, C., Schiller, J., and J. Saltzer, "Section
E.2.1: Kerberos Authentication and Authorization System",
M.I.T. Project Athena, Cambridge, Massachusetts, December 21,