TACACS+ Header
The TACACS+ header format is as follows.
+----+----+--------+--------+--------+
|maj |min |  type  | seq_no | flags  |
|ver |ver |        |        |        |
+----+----+--------+--------+--------+
|             session_id             |
+------------------------------------+
|               length               |
+------------------------------------+
maj ver
This 4-bit field identifies the TACACS+ major protocol version, and must contain a value of 0xC.
min ver
This 4-bit field identifies the TACACS+ minor protocol version, and must contain either a value of 0x0 (identifying TACACS+ minor version 0) or a value of 0x1 (identifying TACACS+ minor version 1). Minor versions 0 and 1 differ only in the processing of PAP and CHAP logins.
type
This 8-bit field identifies the TACACS+ AAA service as follows:
0x1 — TACACS+ Authentication
0x2 — TACACS+ Authorization
0x3 — TACACS+ Accounting
sequence-no
This 8-bit field contains the packet sequence for the current session.
The first packet of a TACACS+ session must contain the value 1; each following packet increments the sequence count by 1. As TACACS+ sessions are always initiated by the client, all client-originated packets carry an odd sequence number, and all daemon-originated packets carry an even sequence number. TACACS+ protocol strictures do not allow the sequence_no field to wrap. If the sequence count reaches 255, the session must be stopped and restarted with a new sequence number of 1.
flags
This 8-bit field contains flags as described in Section 3 of the draft RFC; flags are not under user control.
session_id
This 32-bit field contains a random number that identifies the current TACACS+ session — it is used by clients and daemons to correlate TACACS+ requests and responses.
length
This 32-bit field contains the total length of the TACACS+ message, excluding the 12-octet header — in other words, the length of the message body.
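The field rules above, applied as a header parser and validator. This is an added example, not code from the original page or from any TACACS+ implementation; the names parse_header, next_seq_no and from_client and the sample packet are constructed for illustration. It assumes the buffer holds exactly one packet and that multi-octet fields are in network byte order.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 12  # octets, per the header layout above
TYPES = {0x1: "Authentication", 0x2: "Authorization", 0x3: "Accounting"}

@dataclass
class Header:
    major: int
    minor: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

def parse_header(packet: bytes, from_client: bool) -> Header:
    """Parse and validate the header of one complete TACACS+ packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-octet header")
    # Multi-octet fields are in network byte order (from the protocol
    # specification; the page itself does not state the byte order).
    ver, ptype, seq, flags, sid, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    hdr = Header(ver >> 4, ver & 0x0F, ptype, seq, flags, sid, length)
    if hdr.major != 0xC:
        raise ValueError(f"bad major version 0x{hdr.major:X}")
    if hdr.minor not in (0x0, 0x1):
        raise ValueError(f"bad minor version 0x{hdr.minor:X}")
    if hdr.type not in TYPES:
        raise ValueError(f"unknown type 0x{hdr.type:X}")
    # Sessions start at 1; clients send odd numbers, daemons even ones.
    if seq == 0 or (seq % 2 == 1) != from_client:
        raise ValueError(f"seq_no {seq} invalid for this sender")
    # length covers the body only, never the header.
    if length != len(packet) - HEADER_LEN:
        raise ValueError("length field does not match body size")
    return hdr

def next_seq_no(seq: int) -> int:
    """Return the following sequence number; refuse to wrap past 255."""
    if seq >= 255:
        raise OverflowError("seq_no exhausted: restart the session at 1")
    return seq + 1

# Constructed sample: authentication, seq_no 1, 4-octet dummy body.
SAMPLE = bytes.fromhex("c0010100" "1a2b3c4d" "00000004") + bytes(4)
```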