supported in the Cisco ACS server. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.
Key TACACS+ features are as follows:
- TACACS+ separates AAA into three distinct functions (authentication, authorization, and accounting).
- TACACS+ supports router command authorization integration with advanced authentication mechanisms, such as Data Encryption Standard (DES) and One-Time Password (OTP) key.
- TACACS+ supports 16 different privilege levels (0 to 15).
- TACACS+ permits the control of services, such as Point-to-Point Protocol (PPP), shell, standard login, enable, AppleTalk Remote Access (ARA) protocol, Novell Asynchronous Services Interface (NASI), remote command (RCMD), and firewall proxy.
- TACACS+ permits the blocking of services to a specific port, such as a TTY or VTY interface on a router.
The most common services supported by TACACS+ are PPP for IP and router EXEC shell access by using console or VTY ports. The EXEC shell allows users to connect to router shells and select services (such as PPP, Telnet, TN3270) or to manage the router itself.
RADIUS
RADIUS was initially created by Livingston Enterprises and is defined by the draft standard RFC 2865, “Remote Authentication Dial In User Service (RADIUS),” and RFC 2866, “RADIUS Accounting.”
Internet service providers (ISPs) often use RADIUS with remote access servers. With RADIUS, a router or network access server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to the designated RADIUS servers and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.
A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers. In this function, the router or NAS sends RADIUS requests to the RADIUS proxy server, which in turn forwards them to another RADIUS server. The response is sent back to the NAS. Service provider wholesaling services use this method.
Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. Any user passwords are sent encrypted between the client and RADIUS server to eliminate the possibility that someone snooping on an unsecured network can determine a user's password.
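The shared-secret mechanism described above, as an added example that is not part of the original text: a minimal Python model of how RFC 2865 uses the secret to hide the User-Password attribute (section 5.2) and to authenticate the server's reply with the Response Authenticator (section 3), so that the secret itself never appears in any packet. The user name, password, secret and Request Authenticator are the inputs of the RFC 2865 section 7.1 example; the Service-Type reply attribute and the tampering check are constructed for this illustration.

```python
"""RADIUS shared-secret mechanics modelled on RFC 2865 (sections 3 and 5.2).

Added illustration, not code from the original text. Sample inputs are
the RFC 2865 section 7.1 example values; everything else is constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6

# The secret is configured on both NAS and server and is never transmitted.
# A real NAS draws a fresh random Request Authenticator (os.urandom(16))
# for every request; this fixed one is the RFC 2865 section 7.1 value.
SECRET = b"xyzzy5461"
REQUEST_AUTH = bytes.fromhex("0f403f9473978057bd83d5cb98f4227a")


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous ciphertext block); the first 'previous block'
    is the Request Authenticator, so the same password looks different in
    every request."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, XOR it back and strip the
    NUL padding (RFC 2865 accepts that trailing NULs in a password are lost)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-octet header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: the reply carries the Response Authenticator in the
    16-octet slot where the request carried the Request Authenticator."""
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, request_auth, secret) + attrs)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator with its own copy of the secret
    and the Request Authenticator it sent. A reply from a party without the
    secret, a replay against a different request, or a packet altered in
    transit all fail this check."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    req = build_access_request(0, b"nemo", b"arctangent", SECRET, REQUEST_AUTH)
    print("Access-Request :", req.hex())
    print("Recovered pw   :", reveal_password(req[28:], SECRET, REQUEST_AUTH))
    accept = build_response(ACCESS_ACCEPT, 0, attribute(ATTR_SERVICE_TYPE, b"\x00\x00\x00\x01"),
                            REQUEST_AUTH, SECRET)
    print("Accept verifies:", verify_response(accept, REQUEST_AUTH, SECRET))
    print("Wrong secret   :", verify_response(accept, REQUEST_AUTH, b"not-the-secret"))
```

The User-Password attribute built from these inputs can be compared with the hex dump in RFC 2865 section 7.1 (that example also carries NAS-IP-Address and NAS-Port attributes, so the full packet differs). Two practical consequences follow from the construction: the hiding is only as strong as the secret and MD5, which is why the text's "unsecured network" caveat matters and why transporting RADIUS over IPsec or TLS is common practice; and the request-side Request Authenticator is unauthenticated, so an Access-Request without a Message-Authenticator attribute (RFC 2869) can be altered in transit without detection.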