8. TACACS+ Server Flashcards
What is an Access Control Server (ACS)?
An ACS (Access Control Server) is a central database of usernames and passwords.
On an enterprise network we have hundreds or thousands of users who need to access multiple systems. Creating a separate username and password on every system can be unmanageable, so we use an ACS. The router must be told that it needs to contact the ACS for authentication and authorisation.
What are RADIUS and TACACS+?
There is always one of two protocols sitting between the client and the ACS (Access Control Server). This is either RADIUS or TACACS+.
What is AUTHENTICATION?
Authentication determines the identity of the client. It can be done with a username and password.
What is AUTHORISATION?
Authorisation occurs after authentication & involves the assignment of privileges. E.g. the resources you can access, the tasks you can perform and how long you have access.
What is ACCOUNTING?
This is the logging of user activity, what they access and when / how long for.
What is AAA?
AAA means Authentication, Authorisation and Accounting - the fundamentals of accessing a network.
What is TACACS+?
TACACS+ is Terminal Access Control System Plus. It was developed by Cisco.
It uses a client server model.
The Network Access Server (NAS) acts in the CLIENT role.
Performs AAA over a secure TCP connection on port 49.
The TACACS+ device performs server tasks.
While RADIUS combines the authentication and authorisation processes, TACACS+ separates them.
The NAS or NAD communicates with the TACACS+ server to obtain the username by using the CONTINUE message.
The NAD then contacts the TACACS+ server to obtain the password.
The TACACS+ server will respond with an ACCEPT message if the credentials are valid, or a REJECT message if they are invalid.
If the server is not working properly then an ERROR message is sent.
In terms of accounting, the client will send a REQUEST message and the TACACS+ server replies with an ACCEPT message.
What are the advantages of TACACS+ over RADIUS?
- More control than RADIUS
- All AAA packets are encrypted (rather than RADIUS, where only the password packets are encrypted)
- Uses TCP rather than UDP for communication
What are the disadvantages of TACACS+?
- It is proprietary to Cisco, so it can only be used with Cisco equipment
- Less accounting support than RADIUS
What is the only TACACS+ packet that is not encrypted?
Packets are encrypted except for the TACACS+ header.
What does the TACACS+ header contain?
The header includes:
- the version number
- the sequence number
- the session ID.