TACACS+ and RADIUS Compared
As a CCIE candidate, you need to know the differences between TACACS+ and RADIUS for
the exam. Table 12-4 describes the differences between these protocols.
Table 12-4  RADIUS Versus TACACS+

Transport Protocol
  RADIUS:  Newer RADIUS implementations use UDP port 1812. Earlier versions used UDP port 1645, plus 1646 for accounting.
  TACACS+: Uses TCP.

Encryption
  RADIUS:  Encrypts only the password in the access-request packet and is less secure.
  TACACS+: Encrypts the entire body of the packet and is more secure.

AAA
  RADIUS:  Combines authentication and authorization.
  TACACS+: Uses the AAA architecture, which separates authentication, authorization, and accounting.

Standard
  RADIUS:  Industry standard.
  TACACS+: Cisco proprietary.

Multiprotocol Support
  RADIUS:  Does not support AppleTalk Remote Access, NetBIOS Frame Protocol Control protocol, Novell NASI, and X.25 PAD connections.
  TACACS+: Offers multiprotocol support.

Authorization Support
  RADIUS:  Does not allow users to control which commands can be executed on a router.
  TACACS+: Provides two ways to control the authorization of router commands: on a per-user or per-group basis.
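The Encryption row of Table 12-4 is easier to see in code. The following is an added example, not from the book or from any vendor implementation: it implements the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5 (both keyed MD5 constructions) over a constructed PAP login, so you can compare what stays readable on the wire. The shared secret, request authenticator, session ID, port and remote address values are constructed sample data.

```python
import hashlib

def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password to a 16-byte multiple, XOR the first chunk
    with MD5(secret + authenticator) and each later chunk with
    MD5(secret + previous hidden chunk). Only this one attribute is hidden."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of radius_hide_password; strips the zero padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def radius_access_request_attrs(secret: bytes, authenticator: bytes, user: bytes, password: bytes) -> bytes:
    """Attribute bytes of an Access-Request (type, length, value): User-Name (1)
    travels in the clear; User-Password (2) is the only hidden field."""
    pw = radius_hide_password(secret, authenticator, password)
    return bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(pw)]) + pw

def tacacs_plus_crypt(key: bytes, session_id: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """RFC 8907 s4.5: XOR the whole body with a pseudo-pad of chained
    MD5(session_id + key + version + seq_no [+ previous digest]) blocks.
    The same call decrypts, because XOR is its own inverse."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ k for b, k in zip(body, pad))

def tacacs_plus_pap_start_body(user: bytes, password: bytes) -> bytes:
    """Authentication START body for a PAP login (RFC 8907 s5.1): eight fixed
    fields, then user, port, rem_addr and the password carried in data."""
    port, rem_addr = b"tty0", b"192.0.2.10"   # constructed sample values
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1)
    return (bytes([1, 1, 2, 1, len(user), len(port), len(rem_addr), len(password)])
            + user + port + rem_addr + password)
```

Run both builders with the same username and you will find the RADIUS username as plain bytes in the attribute list, while nothing in the TACACS+ body is readable without the key.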
Firewalls
Firewalls prevent unauthorized access to resources. Firewalls can be a single specialized device
or a group of devices that filter addresses, ports, and applications.
Demilitarized Zone (DMZ) Architecture
A firewall is a system of devices and applications that protect one network from an untrusted
network, such as the Internet. Usually, it is implemented with a three-layered design. On the
outside is a filtering router that implements access lists to permit access to only hosts in the
Isolation local-area network (LAN). In the center, the DMZ is implemented by using specialized
hosts to permit services such as web server, DNS, FTP servers, e-mail relays, and Telnet.
These hosts are usually referred to as bastion hosts. Most of the time, the DMZ resides on a
third leg (interface) of a firewall.
An inside router permits access from the internal network to the Isolation LAN. There should
be no devices communicating directly from the inside network to the outside router (no
backdoors).