Chapter 7 - AAA and ACS Server

Question 1

What does TACACS+ stand for?

Answer 1

Terminal Access Control Access Control Server

Question 2

What does RADIUS stand for?

Answer 2

Remote Authentication Dial-In User Service

Question 3

What are some key differences between the way TACACS+ and RADIUS operate in regard to AAA?

Answer 3

• TACACS separates all AAA functions into different elements. Radius combines authentication and authorization together.
• TACACS is Cisco proprietary, RADIUS is an open standard
• TACACS operates over Layer 4 via TCP, RADIUS uses UDP
• TACACS encrypts all packets between the ACS server and router. RADIUS only encrypts passwords.
• TACACS has granular control over command authorization (which commands can be executed). RADIUS does not.
• TACACS has basic accounting support, RADIUS has more extensive accounting capability.

Question 4

When setting up AAA via an ACS server, what step should you always to do avoid getting locked out of a router?

Answer 4

Be sure to always configure a local user in case the ACS server becomes unreachable or is not yet configured.

(config)# username admin privilege 15 secret cisco

Question 5

What command would tell a router to check an ACS server for authentication before trying the local database?

Answer 5

(config)# aaa authentication login AUTH_via_tacacs group tacacs+ local

• (AUTH_via_tacacs is the method list name)
• “group” indicates that authentication will try tacacs first, then the local database.

Question 6

What command configures a router to authentication / authorize with an ACS server?

Answer 6

(config)# tacacs-server host 192.168.1.251 key password123

Question 7

What is the maximum amount of ways a user can be authenticated using method list?

Answer 7

Four

Question 8

What command must be issued on a router before any ACS functions can be used?

Answer 8

(confg)# aaa new-model