TACACS Protocol
Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a
family of related protocols handling remote authentication and related services for networked access
control through a centralized server. The original TACACS protocol, which dates back to 1984, was used
for communicating with an authentication server, common in older UNIX networks; it spawned related
protocols:
Extended TACACS (XTACACS) is a proprietary extension to TACACS introduced by Cisco Systems
in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both
allow a remote access server to communicate with an authentication server in order to
determine if the user has access to the network.
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by
Cisco and released as an open standard beginning in 1993. Although derived from TACACS,
TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA)
services. TACACS+ and other flexible AAA protocols have largely replaced their predecessors.
History
TACACS was originally developed in 1984 by BBN Technologies for administering MILNET, which ran
unclassified network traffic for DARPA at the time and would later evolve into the U.S. Department of
Defense's NIPRNet. Originally designed as a means to automate authentication – allowing someone who
was already logged into one host in the network to connect to another on the same network without
needing to re-authenticate – it was first formally described by BBN's Brian Anderson in December 1984
in IETF RFC 927. Cisco Systems began supporting TACACS in its networking products in the late 1980s,
eventually adding several extensions to the protocol. In 1990, Cisco's extensions on top of TACACS
became a proprietary protocol called Extended TACACS (XTACACS). Although TACACS and XTACACS are
not open standards, Craig Finseth of the University of Minnesota, with Cisco's assistance, published a
description of the protocols in 1993 in IETF RFC 1492 for informational purposes.
Why TACACS+?
TACACS+ simplifies network administration and increases network security. It does this by centralizing
management of users on your network and enabling you to set granular access policies by users and
groups, command, location, time of day, subnet, or device type. The TACACS+ protocol also gives you a
complete log of every user's login and what commands were used. TACACS+ is recommended for
compliance with most network security standards for E-Commerce, Health Care, Finance, and
Government networks.
Figure 1 TACACS Implementation
TACACS/TACACS+ Security
You can use the security protocol Terminal Access Controller Access Control System (TACACS) or
TACACS+ to authenticate the following kinds of access to the ServerIron.
Telnet access
SSH access
Web management access
Access to the Privileged EXEC level and CONFIG levels of the CLI
How TACACS+ Differs from TACACS
TACACS
TACACS is defined in RFC 1492, and uses port 49 (either TCP or UDP) by default. TACACS allows a
client to accept a username and password and send a query to a TACACS authentication server,
sometimes called a TACACS daemon or simply TACACSD. TACACSD uses TCP and usually runs on
port 49. It determines whether to accept or deny the authentication request and sends a
response back. The TIP (the routing node accepting dial-up line connections, which the user would
normally want to log in to) then allows or denies access based upon the response. In this
way, the process of making the decision is "opened up", and the algorithms and data used to
make the decision are under the complete control of whoever is running the TACACS daemon.
TACACS+
TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or
updated networks. TACACS+ is an entirely new protocol and is not compatible with its
predecessors, TACACS and XTACACS. TACACS+ uses TCP (while RADIUS operates over UDP). Since
TACACS+ uses the authentication, authorization, and accounting (AAA) architecture, these
separate components of the protocol can be segregated and handled on separate servers.
Since TCP is a connection-oriented protocol, TACACS+ does not have to implement transmission
control. RADIUS, however, does have to detect and correct transmission errors such as packet loss
and timeouts, since it rides on UDP, which is connectionless. RADIUS encrypts only the user's
password as it travels from the RADIUS client to the RADIUS server. All other information, such as the
username, authorization, and accounting data, is transmitted in clear text, and is therefore vulnerable to
different types of attacks. TACACS+ encrypts all of the information mentioned above and therefore
does not have the vulnerabilities present in the RADIUS protocol.
TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET.
TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery.
TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by
separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all
traffic between the ServerIron and the TACACS+ server. TACACS+ allows for arbitrary length and content
authentication exchanges, which allow any authentication mechanism to be utilized with the ServerIron.
TACACS+ is extensible to provide for site customization and future development features. The protocol
allows the ServerIron to request very precise access control and allows the TACACS+ server to respond
to each component of that request.
(Note: TACACS+ provides for authentication, authorization, and accounting, but an implementation or
configuration is not required to employ all three.)
TACACS/TACACS+ Authentication, Authorization and Accounting
Figure 2 shows the interaction between a dial-in user and the TACACS+ client and server.
TACACS Authentication
When TACACS authentication takes place, the following events occur:
1. A user attempts to gain access to the ServerIron by doing one of the following:
o Logging into the device using Telnet, SSH, or the Web management interface.
o Entering the Privileged EXEC level or CONFIG level of the CLI.
2. The user is prompted for a username and password.
3. The user enters a username and password.
4. The ServerIron sends a request containing the username and password to the TACACS server.
5. The username and password are validated in the TACACS server’s database.
6. If the password is valid, the user is authenticated.
TACACS+ Authentication
When TACACS+ authentication takes place, the following events occur:
1. A user attempts to gain access to the ServerIron by doing one of the following:
o Logging into the device using Telnet, SSH, or the Web management interface.
o Entering the Privileged EXEC level or CONFIG level of the CLI.
2. The user is prompted for a username.
3. The user enters a username.
4. The ServerIron obtains a password prompt from a TACACS+ server.
5. The user is prompted for a password.
6. The user enters a password.
7. The ServerIron sends the password to the TACACS+ server.
8. The password is validated in the TACACS+ server’s database.
9. If the password is valid, the user is authenticated.
TACACS+ Authorization
ServerIrons support two kinds of TACACS+ authorization:
o Exec authorization determines a user’s privilege level when they are authenticated
o Command authorization consults a TACACS+ server to get authorization for commands entered
by the user
When TACACS+ exec authorization takes place, the following events occur:
1. A user logs into the ServerIron using Telnet, SSH, or the Web management interface
2. The user is authenticated.
3. The ServerIron consults the TACACS+ server to determine the privilege level of the user.
4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the
privilege level of the user.
5. The user is granted the specified privilege level.
When TACACS+ command authorization takes place, the following events occur:
1. A Telnet, SSH, or Web management interface user previously authenticated by a TACACS+ server
enters a command on the ServerIron.
2. The ServerIron looks at its configuration to see if the command is at a privilege level that
requires TACACS+ command authorization.
3. If the command belongs to a privilege level that requires authorization, the ServerIron consults
the TACACS+ server to see if the user is authorized to use the command.
4. If the user is authorized to use the command, the command is executed.
TACACS+ Accounting
TACACS+ accounting works as follows:
1. One of the following events occurs on the ServerIron:
o A user logs into the management interface using Telnet or SSH
o A user enters a command for which accounting has been configured
o A system event occurs, such as a reboot or reloading of the configuration file
2. The ServerIron checks its configuration to see if the event is one for which TACACS+ accounting is
required.
3. If the event requires TACACS+ accounting, the ServerIron sends a TACACS+ Accounting Start
packet to the TACACS+ accounting server, containing information about the event.
4. The TACACS+ accounting server acknowledges the Accounting Start packet.
5. The TACACS+ accounting server records information about the event.
6. When the event is concluded, the ServerIron sends an Accounting Stop packet to the TACACS+
accounting server.
7. The TACACS+ accounting server acknowledges the Accounting Stop packet.
TACACS+ Configuration Task List
To configure your router to support TACACS+, you must perform the following tasks:
Use the aaa new-model global configuration command to enable AAA. AAA must be configured if
you plan to use TACACS+. For more information about using the aaa new-model command, refer
to the chapter "AAA Overview".
Use the tacacs-server host command to specify the IP address of one or more TACACS+
daemons. Use the tacacs-server key command to specify an encryption key that will be used to
encrypt all exchanges between the network access server and the TACACS+ daemon. This same
key must also be configured on the TACACS+ daemon.
Use the aaa authentication global configuration command to define method lists that use
TACACS+ for authentication. For more information about using the aaa authentication
command, refer to the chapter "Configuring Authentication".
Use line and interface commands to apply the defined method lists to various interfaces. For
more information, refer to the chapter "Configuring Authentication".
If needed, use the aaa authorization global command to configure authorization for the network
access server. Unlike authentication, which can be configured per line or per interface,
authorization is configured globally for the entire network access server. For more information
about using the aaa authorization command, refer to the "Configuring Authorization" chapter.
If needed, use the aaa accounting command to enable accounting for TACACS+ connections. For
more information about using the aaa accounting command, refer to the "Configuring
Accounting" chapter.
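The task list above, worked through as one Cisco IOS configuration. This is an added example, not a configuration from the original document or from Cisco; the server addresses (192.0.2.10 and 192.0.2.11, from the TEST-NET range), the shared key EXAMPLE-KEY, the method-list name MGMT and the local fallback account are placeholders.

```cisco
! Added example: TACACS+ AAA on a Cisco IOS network access server.
! Placeholders: 192.0.2.10/11 (TACACS+ daemons), EXAMPLE-KEY (shared key),
! MGMT (method-list name), admin (local fallback account).
!
! Enable AAA first; the tacacs/aaa commands below depend on it.
aaa new-model
!
! Identify the TACACS+ daemons and the key used to encrypt every exchange.
! The same key must be configured on each daemon. Two hosts are listed so
! that one dead daemon does not lock administrators out.
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
tacacs-server key EXAMPLE-KEY
! Send all TACACS+ traffic from one address so the daemon can restrict clients.
ip tacacs source-interface Loopback0
!
! Authentication method lists: ask TACACS+ first, fall back to the local
! database only when no server answers (a rejection does not fall through).
username admin privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
aaa authentication login MGMT group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization (global, per the text above): exec authorization takes the
! privilege level from the server's A-V pair; command authorization checks
! each privilege-15 command, including configuration-mode commands.
aaa authorization exec MGMT group tacacs+ local
aaa authorization commands 15 MGMT group tacacs+ local
aaa authorization config-commands
!
! Accounting: Start/Stop records for sessions, privileged commands and
! system events such as reloads.
aaa accounting exec MGMT start-stop group tacacs+
aaa accounting commands 15 MGMT start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
! Apply the named method lists to the management lines.
line vty 0 4
 login authentication MGMT
 authorization exec MGMT
 authorization commands 15 MGMT
 accounting exec MGMT
 accounting commands 15 MGMT
 transport input ssh
```

Verify the result with show tacacs and debug aaa authentication on a test session before removing console access as a recovery path.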
To configure TACACS+, perform the tasks in the following sections:
Identifying the TACACS+ Server Host (Required)
Setting the TACACS+ Authentication Key (Optional)
Configuring AAA Server Groups (Optional)
Configuring AAA Server Group Selection Based on DNIS (Optional)
Specifying TACACS+ Authentication (Required)
Specifying TACACS+ Authorization (Optional)
Specifying TACACS+ Accounting (Optional)