8. TACACS+ Server

Question 1

What is an Access Control Server (ACS)?

Answer 1

An ACS (Access Control Server) is a central database of usernames and passwords.

On an enterprise network we have hundreds or thousands of users who need to access multiple systems. Creating a separate user name and PW can be unmanageable., so we can use a ACS. Must inform the router that it needs to access the ACS for authentication and autherrisation.

Question 2

Whar are RADIUS and TACACS+

Answer 2

There is always one of two protocols sitting between the client and the ACS (Access Control Centre). This is either RADIUM or TACACS+

Question 3

What is AUTHENTICATION?

Answer 3

Authentication determines the identity of the client. Can be done with use of username and password.

Question 4

What is AUTHORISATION?

Answer 4

Authorisation occurs after authentication & involves the assignment of privileges. E.g. the resources you can access, the tasks you can perform and how long you have access.

Question 5

What is ACCOUNTING?

Answer 5

This is the logging of user activity, what they access and when / how long for.

Question 6

What is AAA?

Answer 6

AAA means Authentication Authorisation and Accounting - the fundementals of accessing a network

Question 7

What is TACACS+?

Answer 7

TACACS+ is Terminal Access Control System Plus. It is developed by Cisco

It uses a client server model.
The Network Access Server (NAS) acts in the CLIENT role.

Performs AAA over a secure TCP connections on Port 49.

The TACACS+ device performs server tasks.

While the RADIUS commbines the authentication and authorising oricesses, the TACACS+ seperates them.

The NAS or NAD communicates with the TACACS+ server to obtain the username by using the CONTINUE message

The NAD then contacts the TACS+ server to obtain the PW.
The TACACS will respond with an ACCEPT message if the credentials are valid, or a REJECT message if they are invalid.
If the server is not working properly then an ERROR message is sent.

In terms of accounting, the client will send a REQUEST message and the TACACS+ serverr replies with an ACCEPT message

Question 8

What are the advantages of TACACS+ over RADIUS?

Answer 8

• More control than RADIUS
• all AAA packets are encrypted (rather than RADIUS where only the PW packets are encrypted)
• Uses TCP rather than UDP for communication

Question 9

What are the disadvantages of TACACS+?

Answer 9

• It is proprietry to Cisco so can only use with Cisco equipment
• Less accounting support than RADIUS

Question 10

What is the only TACACS+ packet that is not encrypted?

Answer 10

Packets are encrypted except for the TACACS+ header

Question 11

What does the TACS header contain?

Answer 11

The header includes:
- the version number

• the sequence number
• the session ID.