CCNA 6.6: Describe device security using AAA with TACACS+ and RADIUS

Overview:

A device can be secured by using AAA with TACACS+, RADIUS or a combination of both. The use of TACACS+ and/or RADIUS allows a client to be authenticated against a remote server versus local authentication on the device.


Study Notes:

AAA

  • AAA: Authentication, Authorization, Accounting
  • Access control is the way you control who is allowed access to the network device and what services they are allowed to use once they have access
  • Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your router or access server
  • Authentication—Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption
  • Authorization—Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA (AppleTalk), and Telnet
  • Accounting—Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes
  • In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions
  • If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server


TACACS+

  • TACACS+: Terminal Access Controller Access Control Service Plus
  • TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server
  • TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation
  • You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available
  • TACACS+ provides for separate and modular authentication, authorization, and accounting facilities
  • TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently
  • Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon
  • The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service
  • The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers


RADIUS

  • RADIUS: Remote Access Dial-In User Service
  • RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market
  • RADIUS is a distributed client/server system that secures networks against unauthorized access
  • In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information
  • Cisco supports RADIUS under its AAA security paradigm
  • RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, and local username lookup
  • RADIUS is supported on all Cisco platforms, but some RADIUS-supported features run only on specified platforms


TACACS+ vs RADIUS

  • The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, whereas RADIUS combines Authentication and Authorization
  • When a RADIUS Authentication request is sent to the AAA server, the AAA client expects to receive a reply containing the Authorization result
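The arrangement described in these notes, written out as a Cisco IOS configuration (an added example, not part of the original study notes): TACACS+ is the primary method and carries authentication plus separate per-command authorization and accounting, RADIUS is a second authentication method, and the local username database is the fallback when no server answers. Server names, the 192.0.2.x addresses (documentation range) and the keys are placeholders.

```cisco
! Enable the AAA framework; without this the classic line passwords are used
aaa new-model
!
! TACACS+ server definition (name, address and key are placeholders)
tacacs server TAC-SRV-1
 address ipv4 192.0.2.10
 key EXAMPLE-TACACS-KEY
!
! RADIUS server definition (name, address and key are placeholders)
radius server RAD-SRV-1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key EXAMPLE-RADIUS-KEY
!
aaa group server tacacs+ TAC-GROUP
 server name TAC-SRV-1
!
aaa group server radius RAD-GROUP
 server name RAD-SRV-1
!
! Local fallback account, used only if every remote server is unreachable
username admin-local privilege 15 secret EXAMPLE-LOCAL-SECRET
!
! Authentication: try TACACS+, then RADIUS, then the local database
aaa authentication login ADMIN-AUTH group TAC-GROUP group RAD-GROUP local
!
! Authorization is a separate exchange, so it is sent to TACACS+ only;
! RADIUS returns its authorization inside the authentication reply and
! cannot be consulted per command
aaa authorization exec ADMIN-AUTHZ group TAC-GROUP local if-authenticated
aaa authorization commands 15 ADMIN-CMDS group TAC-GROUP local
!
! Accounting: record session start/stop and every privilege-15 command
aaa accounting exec ADMIN-ACCT start-stop group TAC-GROUP
aaa accounting commands 15 ADMIN-CMDS-ACCT start-stop group TAC-GROUP
!
! Bind the named method lists to the remote-management lines
line vty 0 4
 login authentication ADMIN-AUTH
 authorization exec ADMIN-AUTHZ
 authorization commands 15 ADMIN-CMDS
 accounting exec ADMIN-ACCT
 accounting commands 15 ADMIN-CMDS-ACCT
 transport input ssh
```

Using named method lists rather than `default` keeps the console line on its existing behaviour while the change is tested, which avoids locking yourself out if a server key is mistyped.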
