TACACS + (Advanced Authentication) (Check Point)

The Terminal Access Controller Access Control System, or TACACS, is one of the Internet’s oldest AAA protocols. The initial TACACS protocol has evolved into XTACACS and TACACS+, which we use today. TACACS+ was developed and backed by Cisco Systems and was initially designed to provide dialup Point-to-Point Protocol (PPP) and terminal server access. Although efforts have been made to publish open versions of TACACS+, it is still Cisco’s proprietary AAA protocol.

VPN-1/FireWall-1 interfaces only with the authentication piece of TACACS+; the authorization and accounting features are not used. The authentication process is very straightforward. The VPN-1/FireWall-1 gateway acts as a NAS client. When the user sends his or her username and password, VPN-1/FireWall-1 relays the information, with the packet body protected by the shared secret, over TCP port 49 to the TACACS+ server. This packet is called a start packet. The TACACS+ server responds with reply or continue packets. Since VPN-1/FireWall-1 does not use the extended features of TACACS+, the response packet usually contains an "authentication-status-pass" or "authentication-status-fail" message.

TACACS+ and RADIUS are very similar protocols. The story of both protocols resembles the Beta/VHS market penetration wars in the realm of home video. RADIUS has wider support from industry, but Cisco Systems claims that TACACS+ is the better protocol. Cisco Systems’ AAA servers now support both the TACACS+ and RADIUS protocols. The differences can be summarized as follows:

■ TACACS+ runs over Transmission Control Protocol (TCP), whereas RADIUS runs over User Datagram Protocol (UDP), so TACACS+ inherits TCP’s reliable delivery.

■ RADIUS encrypts only the password in the access-request packet; TACACS+ encrypts the entire message body.

■ RADIUS has extensions for Internet Protocol Security (IPSec); TACACS+ doesn’t.

■ RADIUS is an industry standard; TACACS+ is still in the draft stage.
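The start/reply/continue exchange described above, and the whole-body protection that distinguishes TACACS+ from RADIUS, can be seen in a few dozen lines. The following is an added example written for this page; it is not code from the book, from Check Point or from Cisco. It follows the packet layout of the public TACACS+ specification (RFC 8907), plays both the NAS client and a toy server in one process (no TCP socket, so it runs offline), and uses a constructed user table. The names USERS, server_handle and client_login are this example’s own. Note what the body protection actually is: an XOR with an MD5-derived key stream seeded from the shared secret and header fields, which is why the "Suggested Uses" section later on the page recommends tunnelling firewall-to-server traffic.

```python
import hashlib
import hmac
import struct

# Header field values from the public TACACS+ specification (RFC 8907).
TAC_PLUS_MAJOR_VER_DEFAULT = 0xC0       # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # body sent in the clear; a server should refuse it
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 key stream: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; calling it again reverses it. This is not real encryption:
    the pad depends only on the shared secret and header fields visible on the wire."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(seq_no, session_id, body, key, flags=0):
    """Prepend the 12-byte header and obscure the body unless the cleartext flag is set."""
    header = HEADER.pack(TAC_PLUS_MAJOR_VER_DEFAULT, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + obfuscate(body, session_id, key, TAC_PLUS_MAJOR_VER_DEFAULT, seq_no)


def parse_packet(packet, key):
    """Return (seq_no, session_id, plaintext body); refuse malformed or cleartext packets."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("malformed TACACS+ authentication packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("cleartext TACACS+ body refused")
    return seq_no, session_id, obfuscate(body, session_id, key, version, seq_no)


def authen_start(user, port=b"tty0", rem_addr=b"", data=b""):
    """START body: action, priv_lvl, authen_type, authen_service, four lengths, then the fields."""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def authen_continue(user_msg, data=b""):
    """CONTINUE body: user_msg_len, data_len, flags, user_msg, data."""
    return struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data


def authen_reply(status, server_msg=b"", data=b""):
    """REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def reply_status(body):
    return struct.unpack("!BBHH", body[:6])[0]


# Constructed credential table standing in for the TACACS+ server's user database.
USERS = {b"alice": b"correct horse battery"}


def server_handle(packet, key, sessions):
    """Toy server: answer START with GETPASS, then check the password carried in CONTINUE."""
    seq_no, session_id, body = parse_packet(packet, key)
    if seq_no == 1:                                      # START: remember the user name
        user_len = body[4]
        sessions[session_id] = body[8:8 + user_len]
        reply = authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS, b"Password: ")
    else:                                                # CONTINUE: user_msg is the password
        msg_len = struct.unpack("!H", body[:2])[0]
        password = body[5:5 + msg_len]
        expected = USERS.get(sessions.pop(session_id, b""))
        ok = expected is not None and hmac.compare_digest(expected, password)
        reply = authen_reply(TAC_PLUS_AUTHEN_STATUS_PASS if ok else TAC_PLUS_AUTHEN_STATUS_FAIL)
    return build_packet(seq_no + 1, session_id, reply, key)


def client_login(user, password, key, session_id=0x1234ABCD):
    """Run START / REPLY / CONTINUE / REPLY as the NAS client; return the reply statuses seen."""
    sessions, statuses = {}, []
    pkt = build_packet(1, session_id, authen_start(user), key)
    statuses.append(reply_status(parse_packet(server_handle(pkt, key, sessions), key)[2]))
    if statuses[-1] == TAC_PLUS_AUTHEN_STATUS_GETPASS:
        pkt = build_packet(3, session_id, authen_continue(password), key)
        statuses.append(reply_status(parse_packet(server_handle(pkt, key, sessions), key)[2]))
    return statuses


if __name__ == "__main__":
    print(client_login(b"alice", b"correct horse battery", b"shared-secret"))
```

Sequence numbers alternate client/server (1, 2, 3, 4) and the server keys per-session state on session_id, as the specification requires. The refusal of TAC_PLUS_UNENCRYPTED_FLAG packets is the one check worth copying into any real deployment: a server that accepts cleartext bodies lets a misconfigured client send passwords unprotected.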

Setting Up the Firewall for TACACS+ Authentication

The TACACS+ protocol is included in VPN-1 and VPN-1/FireWall-1 Control Connections, but remember that in NG, Accept VPN-1 and VPN-1/FireWall-1 Control Connections only applies to VPN-1/FireWall-1 installed devices. Here are the basic steps to define TACACS authentication:

1. Define a TACACS server, as shown in Figure 3.81. From your Objects tree, select Servers | TACACS. Enter the host, description, service and the shared secret. Choose your protocol; TACACS+ is strongly recommended. The shared secret will be used for authentication on the TACACS+ server. In TACACS, you do not have an option to group servers for high-availability purposes.

Figure 3.81 TACACS Server Properties

2. You have two options for defining users. You may either define your users in the firewall’s user database and control authentication from the firewall, or you can use external user profiles. With external profiles, authentication requests are checked not on a per-user basis, but on a per-profile basis. When Match All is chosen, all unknown users will be matched against the Generic* profile, which eliminates the need to redefine each user on FireWall-1 (see Figure 3.82).

Figure 3.82 The Authentication Tab

3. Create a regular user group (see Figure 3.83) for your TACACS users, and then add the TACACS users to this group. If external user profiles are used, the profiles should be added to user groups. The Encryption tab should be configured if SecureClients will be used with IKE. Choose the related TACACS server from the Authentication tab. Allow TACACS authentication on the gateway’s Authentication tab. If a policy server is used, TACACS user groups should also be added to the policy server group in the Authentication tab of the gateway. TACACS cannot be used to authenticate SmartClient Administrator users.

Figure 3.83 Object Tree View for Users

4. For SecureClient access in a simplified policy, add the TACACS user group to participating user groups in Remote Access Community and define your Rule Base, as shown in Figure 3.84.

Figure 3.84 Rule Base for TACACS Authentication

5. On your VPN client, you will get an "Authenticated by TACACS" message if you successfully complete the settings. On SmartView Tracker, you should see the log entries shown in Figure 3.85.

Figure 3.85 SmartView Tracker Entries for TACACS Authentication

Setting Up TACACS+ for FireWall-1 Authentication

Most TACACS+ server solutions support multiple authentication protocols, including Cisco’s. To download the source code for TACACS+ and examine the latest draft from 1998, point your browser to the following FTP URL: ftp://ftp-eng.cisco.com/pub/tacacs.

We used the best-known TACACS+ server, which is the Cisco Access Control Server (ACS). Installation is straightforward. During the installation, you should create your NAS as the firewall gateway and enter the TACACS secret key, as shown in Figure 3.86. It is possible to modify these values after the configuration. ACS has a simple Web interface. You can create users from the administration interface.

Figure 3.86 CiscoSecure ACS Configuration

Tools & Traps…

How to Back Up the ACS User Database

Backing up the Cisco ACS is very simple. To facilitate backup and restoration of the CiscoSecure ACS configuration data and database, the CSUtil.exe utility is provided in the CiscoSecure ACS UTILS directory. Run it from that directory at the command prompt:

■ csutil -b: Creates a complete backup of all CiscoSecure ACS data.

■ csutil -r: Restores a CiscoSecure ACS from the backup file.

To perform a backup of the CiscoSecure ACS user and group data, execute the following commands, in this order, from the Windows NT command prompt (a DOS window):

■ net stop csauth: Stops the CSAuth authentication service so that the backup can take place.

■ csutil -d users_and_groups.txt: Backs up the user and group data to a text file called users_and_groups.txt. To back up only the group data, use the command with a -g instead of a -d switch.

■ net start csauth: Restarts the CSAuth authentication service.

The users_and_groups.txt file can then be backed up to tape and stored somewhere safe. To create a full backup file instead, use csutil -b. The command creates the following files in Utils\SysBackups\directory_name:

■ REGISTRY.DAT

■ USER.DAT

■ USER.IDX

■ VARSDB.MDB

The result is a compressed backup file named with the current date and time in the format yyyymmddhhmm.zip. This file is written to the CiscoSecure ACS\utils\dbcheckpoint directory. Each backup creates a new file that does not overwrite existing files. The data is stored in compressed format and therefore takes up very little space. The system administrator must still perform the necessary file management to maintain adequate disk space.
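Because every csutil -b run leaves a new yyyymmddhhmm.zip behind, the file management the text leaves to the administrator amounts to a retention rule: keep the newest N checkpoints, delete the rest, and never touch files that are not checkpoints. The following is an added example written for this page, not a Cisco or Check Point tool; it assumes only the file-name format stated above. The directory path is passed in as a parameter rather than guessed, and make_sample_dir builds a constructed set of files in a temporary directory so the script can be tried without an ACS installation.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# CSUtil names each checkpoint after its creation time: yyyymmddhhmm.zip (format from the text).
BACKUP_NAME = re.compile(r"^(\d{12})\.zip$")


def backup_timestamp(name):
    """Return the datetime encoded in a checkpoint file name, or None if it is not one."""
    m = BACKUP_NAME.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d%H%M")
    except ValueError:          # twelve digits that are not a real date, e.g. month 13
        return None


def list_backups(directory):
    """Well-formed checkpoint files in directory, newest first by the time in the name."""
    found = []
    for p in Path(directory).iterdir():
        ts = backup_timestamp(p.name)
        if p.is_file() and ts is not None:
            found.append((ts, p))
    found.sort(key=lambda item: item[0], reverse=True)
    return [p for _, p in found]


def prune_backups(directory, keep, dry_run=False):
    """Delete all but the newest `keep` checkpoints; return the names removed, oldest first."""
    if keep < 1:
        raise ValueError("keep at least one checkpoint so a restore point always exists")
    removed = []
    for p in reversed(list_backups(directory)[keep:]):
        if not dry_run:
            p.unlink()
        removed.append(p.name)
    return removed


def make_sample_dir():
    """Constructed sample directory: four checkpoints, one bogus name, one unrelated file."""
    d = Path(tempfile.mkdtemp())
    for name in ("200301011200.zip", "200301021200.zip", "200301031200.zip",
                 "200301041200.zip", "200313011200.zip", "users_and_groups.txt"):
        (d / name).write_bytes(b"sample")
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    print("newest first:", [p.name for p in list_backups(sample)])
    print("would remove:", prune_backups(sample, keep=2, dry_run=True))
```

Run it with dry_run=True first against the real dbcheckpoint directory to confirm the selection before anything is deleted; the name-format check is what keeps users_and_groups.txt and any other file in the directory out of the deletion set.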

Suggested Uses of TACACS+ Authentication

There are proven attacks against TACACS+’s existing encryption scheme, so it should not be used where security is an issue. TACACS+ is a viable alternative when there is an existing TACACS+ deployment. TACACS+ could be very useful when other systems’ authentication clients (such as access servers) require TACACS+ attributes. If it is possible, communication between the TACACS+ server and the firewall should be tunneled.
