If a single administrator wants to access 100 routers and the local database of the device is used for username and password (authentication) then the administrator has to make the same user account at different times. Also, if he wants to keep a different username and password for the devices then he has to manually change the authentication for the devices. Of course, it’s a hectic task.
To ease this task to some extent, Cisco ACS (Access Control Server) is used. ACS provides a centralized management system in which the database of username and password are kept. Also, authorization (means what the user is authorized to do) can be configured. But for this, we have to tell the router to refer to ACS for its decision on authentication and authorization.
Two protocols are used between the ACS server and the client to serve this purpose:
Here we will discuss TACACS+ only.
TACACS+ which stands for Terminal Access Controller Access Control Server is a security protocol used in the AAA framework to provide centralized authentication for users who want to gain access to the network.
Features – Some of the features of TACACS+ are:
- Cisco developed protocol for AAA framework i.e it can be used between the Cisco device and Cisco ACS server.
- It uses TCP as a transmission protocol.
- It uses TCP port number 49.
- If the device and ACS server are using TACACS+ then all the AAA packets exchanged between them are encrypted.
- It separates AAA into distinct elements i.e authentication, authorization, and accounting are separated.
- It provides greater granular control (than RADIUS) as the commands that are authorized to be used by the user can be specified.
- It provides accounting support but is less extensive than RADIUS.
The client of the TACACS+ is called Network Access Device (Nad) or Network Access Server (NAS). Network Access Device will contact the TACACS+ server to obtain a username prompt through CONTINUE message. The user then enters a username and the Network Access Device again contacts the TACACS+ server to obtain a password prompt (Continue message) displaying the password prompt to the user, the user enters a password, and the password is then sent to the TACACS+ server.
The server can respond with one of the following reply messages:
- If the credentials entered are valid then the TACACS+ server will respond with an ACCEPT message.
- If the credentials entered are not valid then the TACACS+ server will respond with a REJECT message.
- If the link between the TACACS+ server and NAS or TACACS+ server is not working properly then it will respond with an ERROR message.
- If TACACS+ authorization is required, the TACACS+ server is again contacted and it returns an ACCEPT or REJECT authorization response. If the ACCEPT message is returned, it contains attributes that are used to determine services that a user is allowed to do.
For accounting, the client will send a REQUEST message to the TACACS+ server for which the server responds with a RESPONSE message stating that the record is received.
- Provides greater granular control than RADIUS.TACACS+ allows a network administrator to define what commands a user may run.
- All the AAA packets are encrypted rather than just passwords (in the case of Radius).
- TACACS+ uses TCP instead of UDP. TCP guarantees communication between the client and server.
- As it is Cisco proprietary, therefore it can be used between the Cisco devices only. TACAS+ is an open standard RFC8907
- Less extensive support for accounting than RADIUS.
Share your thoughts in the comments
Please Login to comment...