RADIUS and TACACS+ Flashcards
Enterprise Access on a Network
Hundreds/Thousands of users on a network
CISCO ACS (Access Control Server) - Central database of usernames and passwords
RADIUS and TACACS+ = the 2 AAA protocols that sit between the access device (AP or NAS, which acts as the client) and the central authentication server
Security for Access Network
AAA - Authentication, Authorisation and Accounting (basic fundamentals for accessing a network)
- Authentication determines the identity of the client (achieved using a username and password)
- Authorisation involves the assignment of privileges: which resources/services you may access, which tasks you can perform and for how long you have access
- Accounting - logging user activity: what the user accesses and for how long
Authentication
WPA/WPA2 - Pre Shared Key (PSK)
WiFi Protected Setup (WPS)
-AKA WiFi simple config
-2006 - WiFi Alliance
WPA/WPA2 Enterprise
-Individual Login and Password
- RADIUS (Remote Authentication Dial In User Service) Server
Found in large orgs where many users connect to a wireless network.
No shared pre-shared key: each user is authenticated individually with his/her own username and password (EAP over 802.1X, relayed by the AP to the RADIUS server)
After a successful authentication the RADIUS server hands the AP a per-session master key (PMK), so network admins control who has access to the wireless network without distributing one key to everyone
Again, every user has different credentials, so removing a user from the network is easy: disable the account instead of changing a shared key on every device
Look up WPA Enterprise Diagram
Please explain Diagram
Remote users wishing to connect go through the Network Access Server (NAS)
Using the RADIUS protocol, the NAS sends an Access-Request (UDP/1812; accounting on UDP/1813) to the RADIUS server, which checks the remote user database and replies Access-Accept or Access-Reject: RADIUS server -> NAS -> remote user
The NAS allows connected customers to have access to the internet.
Provides the interface both to local telecom service providers (the phone company) and to the WWW
NAS = media gateway or remote access server (RAS); may include its own authentication services or use a separate authentication server
In this case there is a separate AAA authentication server (the RADIUS server); NAS and server share a secret that hides the User-Password attribute and authenticates the server's reply
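The Access-Request / Access-Accept exchange above, worked through in code. This is an added example and not part of the original flashcards: it models both sides of the RFC 2865 exchange offline, with the NAS hiding the User-Password attribute under the shared secret and the server answering with a Response Authenticator that the NAS verifies before trusting the verdict. The shared secret, the user database, the NAS address and all attribute values are constructed demo data.

```python
import hashlib
import os
import struct

# Constructed demo values (assumptions, not from the flashcards)
SHARED_SECRET = b"demo-secret"
USER_DB = {"alice": b"correct horse"}      # the "remote user database" on the RADIUS server

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4   # RFC 2865 attribute types


def _attr(atype, value):
    """Type(1) Length(1) Value: Length covers the whole attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    attrs = {}
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def hide_password(password, request_auth, secret=SHARED_SECRET):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret || previous block);
    the first 'previous block' is the 16-byte Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden, request_auth, secret=SHARED_SECRET):
    """Inverse of hide_password, run on the server; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, identifier=0, request_auth=None):
    """NAS side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), request_auth))
             + _attr(ATTR_NAS_IP, bytes([192, 0, 2, 1])))      # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def radius_server(packet, secret=SHARED_SECRET):
    """RADIUS server side: decode, check the user database, answer Accept or Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], request_auth, secret)
    code = ACCESS_ACCEPT if USER_DB.get(username) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)          # no attributes in this reply
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def nas_check_response(request, response, secret=SHARED_SECRET):
    """NAS side: verify the Response Authenticator and Identifier before trusting the verdict."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if response[4:20] != expected or identifier != request[1]:
        raise ValueError("response not from a RADIUS server holding the shared secret")
    return code


if __name__ == "__main__":
    req = build_access_request("alice", "correct horse", identifier=7)
    print("verdict:", nas_check_response(req, radius_server(req)))   # 2 == Access-Accept
```

The check in nas_check_response is the reason the shared secret matters on both ends: an Access-Accept forged by someone who can spoof the server's address, or a reply computed with the wrong secret, fails the authenticator comparison and is discarded rather than granting access.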
Explain TACACS+
Terminal Access Controller Access Control System Plus
Developed by CISCO
AAA (Authentication, Authorisation and Accounting) over a TCP connection on port 49; the packet body is obfuscated with a shared secret, the header is not.
RADIUS combines Authentication and Authorisation - TACACS+ Separates these functions
TACACS+ uses a client-server model: the network access device (NAS/NAD) acts in the client role and a device running the TACACS+ daemon performs the server tasks
TACACS+ cont’d
Network Access Device (NAD) communicates with the TACACS+ server
- NAD sends an authentication START; the server replies GETUSER (username prompt); the NAD returns the username in a CONTINUE msg; the server replies GETPASS; the NAD returns the password in another CONTINUE; the server replies PASS (accept) or FAIL (reject)
ADV:
More granular control than RADIUS (authorisation is a separate step, so per-command authorisation is possible)
AAA Packets Encrypted
TCP
DISADV:
Mostly found on Cisco equipment - the protocol was proprietary to Cisco, though it is now documented by the IETF (RFC 8907) and non-Cisco servers exist
Less accounting support than RADIUS server
Packets are encrypted except for the TACACS+ header (the body is XORed with an MD5-derived pad keyed by the shared secret, session ID, version and sequence number)
Header (12 bytes, sent in the clear)
-Version no.
-Type (authentication / authorisation / accounting)
-Sequence no. (client packets odd, server packets even)
-Flags
-Session ID
-Length of the body
TACACS+ protocol - see IETF (Internet Engineering Task Force) RFC 8907
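The ASCII login exchange (START, GETUSER, CONTINUE, GETPASS, CONTINUE, PASS/FAIL) and the header/body split above, worked through in code. This is an added example and not part of the original flashcards: it packs the 12-byte cleartext header, obfuscates the body with the RFC 8907 MD5 pseudo-pad keyed by the shared secret, and runs both the NAD side and a minimal server state machine offline. The shared key, user database, port and remote address are constructed demo data; only the fields needed for the login exchange are encoded.

```python
import hashlib
import struct

# Constructed demo values (assumptions, not from the flashcards)
KEY = b"demo-tacacs-key"
USER_DB = {"alice": "correct horse"}

VERSION = 0xC0                     # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01                 # header type: authentication
FLAG_UNENCRYPTED = 0x01            # header flag: body sent in the clear (never do this in production)
# authentication REPLY status codes from RFC 8907
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 0x01, 0x02, 0x04, 0x05


def pseudo_pad(session_id, seq_no, length, key=KEY):
    """Key stream: MD5(session_id || key || version || seq_no [|| previous digest]),
    chained until it covers the body. Only the header fields and the secret feed it."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def pack(session_id, seq_no, body, key=KEY):
    """12-byte cleartext header followed by the XOR-obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, seq_no, len(body), key)
    return header + bytes(a ^ b for a, b in zip(body, pad))


def unpack(packet, key=KEY):
    """Header is readable by anyone on the wire; the body only with the right key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, seq_no, length, key)))
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


# Body encodings (RFC 8907 authentication START / REPLY / CONTINUE)
def start_body(user="", port="tty0", rem_addr="192.0.2.10"):
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1), then 4 length bytes
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", 0x01, 1, 0x01, 0x01, len(u), len(p), len(r), 0) + u + p + r


def reply_body(status, server_msg=""):
    m = server_msg.encode()                # status(1) flags(1) server_msg_len(2) data_len(2)
    return struct.pack("!BBHH", status, 0, len(m), 0) + m


def continue_body(user_msg):
    m = user_msg.encode()                  # user_msg_len(2) data_len(2) flags(1)
    return struct.pack("!HHB", len(m), 0, 0) + m


def parse_continue(body):
    user_len = struct.unpack("!H", body[:2])[0]
    return body[5:5 + user_len].decode(errors="replace")


def tacacs_server(packet, state, key=KEY):
    """Server side of an ASCII login; `state` is a per-session dict."""
    pkt = unpack(packet, key)
    if pkt["seq_no"] % 2 == 0:
        raise ValueError("client packets carry odd sequence numbers")
    if pkt["seq_no"] == 1:                       # START: ask for the username
        status = STATUS_GETUSER
    elif "user" not in state:                    # CONTINUE carrying the username
        state["user"] = parse_continue(pkt["body"])
        status = STATUS_GETPASS
    else:                                        # CONTINUE carrying the password
        password = parse_continue(pkt["body"])
        status = STATUS_PASS if USER_DB.get(state["user"]) == password else STATUS_FAIL
    return pack(pkt["session_id"], pkt["seq_no"] + 1, reply_body(status), key)


def ascii_login(user, password, session_id=0x1234ABCD, key=KEY):
    """NAD side: START -> GETUSER -> CONTINUE(user) -> GETPASS -> CONTINUE(password) -> PASS/FAIL."""
    state = {}
    reply = tacacs_server(pack(session_id, 1, start_body(), key), state, key)
    assert unpack(reply, key)["body"][0] == STATUS_GETUSER
    reply = tacacs_server(pack(session_id, 3, continue_body(user), key), state, key)
    assert unpack(reply, key)["body"][0] == STATUS_GETPASS
    reply = tacacs_server(pack(session_id, 5, continue_body(password), key), state, key)
    return unpack(reply, key)["body"][0]          # STATUS_PASS or STATUS_FAIL


if __name__ == "__main__":
    print("login result:", ascii_login("alice", "correct horse"))   # 1 == PASS
```

Decoding a captured packet with the wrong key still yields the session ID, sequence number and type from the cleartext header, which is exactly what the "encrypted except for the header" card means; the username and password in the body only come out with the shared secret.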