TACACS+

Another security protocol that is available is Terminal Access Controller Access Control System Plus (TACACS+). This should not be confused with TACACS and XTACACS, both of which are older protocols documented in RFC 1492 and no longer used. Despite the similar names, TACACS and XTACACS are not compatible with TACACS+. TACACS+ provides a method to validate users attempting to gain access to a service through a router or NAS. Similar to RADIUS, a centralized server running TACACS+ software responds to client requests in order to perform AAA.

NOTE

Although the specification for TACACS+ was never published as a final standards document, a draft of the specification is available at ftp://ftpeng.cisco.com/pub/tacacs/tac-rfc.1.78.txt.

www.syngress.com
226 Chapter 5 • Authentication, Authorization, and Accounting

TACACS+ packets rely on TCP as the transport protocol, making the connection reliable. TACACS+ can also encrypt the body of traffic travelling between the TACACS+ server and client. Only the packet header is left unencrypted.

TACACS+ allows an administrator to separate the authentication, authorization, and accounting mechanisms, thereby providing the ability to implement each service independently. Each of the AAA mechanisms can be tied into a separate database. TACACS+ uses TCP port 49 for communication.

Figure 5.3 Authentication with TACACS+

[Figure: Client A, a remote access client with a modem, dials over the PSTN into the Network Access Server; the NAS queries the TACACS+ server, which in turn queries the database server in the server farm. Callouts:]
1. Client A dials into the NAS and is prompted for login and password.
2. The NAS queries the TACACS+ server to authenticate Client A.
3. The TACACS+ server queries the database where user account definitions are stored.
4. Credentials are validated, an ACCEPT message is sent back to the NAS, and access is granted.

Figure 5.3 illustrates the process that occurs when a user attempts to log in by authenticating to a NAS using TACACS+:

1. When the connection is established, the NAS contacts the TACACS+ server to obtain an authentication prompt, which is then displayed to the user. The user enters his or her username, and the NAS then contacts the TACACS+ server to obtain a password prompt. The NAS displays the password prompt to the user.

2. The user enters his or her password, and these credentials are then sent to the TACACS+ daemon running on a server.

3. The TACACS+ server queries the user database and compares Client A's credentials with those stored in the database server.

4. The NAS will eventually receive one of the following responses from the TACACS+ daemon:

■ ACCEPT The user is authenticated and the service can begin.

■ REJECT The user failed authentication. Depending on the TACACS+ daemon, the user may be denied further access or prompted to retry the login sequence.

■ ERROR An error occurred at some point during the authentication process. This can be either at the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the NAS will typically try to use an alternative method for authenticating the user.

■ CONTINUE The user is prompted for additional authentication information.
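The following Python is an added example, not code from this book or from any TACACS+ product. It builds the login exchange described in the steps above using the packet layout of the draft specification cited in the NOTE (the same layout RFC 8907 later documented): the 12-byte header, including the session ID and sequence number, travels in the clear, the body is XORed with a pseudo-pad derived by chaining MD5 over the shared secret, session ID, version and sequence number, and the daemon answers PASS, FAIL or ERROR (the chapter's ACCEPT, REJECT and ERROR) or prompts for more input (the chapter's CONTINUE, which the spec encodes as GETUSER/GETPASS). The shared secret, user table, session IDs, port and prompt strings are constructed for the example, and the NAS and daemon are plain function calls rather than a socket on TCP port 49, so it runs offline. One caveat a practitioner should keep in mind: the body protection is a keystream built from MD5 of the shared secret, which RFC 8907 describes as obfuscation rather than encryption, so the transport between NAS and server still needs to be a trusted network or an encrypted channel.

```python
import hashlib
import hmac
import struct

TAC_PLUS_VERSION = 0xC0            # major version 12, minor 0 (draft spec value)
TAC_PLUS_AUTHEN = 0x01             # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # flag bit: body sent in the clear (never set here)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# REPLY status codes. The chapter's ACCEPT / REJECT / ERROR map to PASS / FAIL / ERROR;
# its CONTINUE ("prompted for more information") is the GETUSER / GETPASS family.
PASS, FAIL, GETUSER, GETPASS, ERROR = 0x01, 0x02, 0x04, 0x05, 0x07
STATUS_NAME = {PASS: "PASS", FAIL: "FAIL", GETUSER: "GETUSER", GETPASS: "GETPASS", ERROR: "ERROR"}


def pseudo_pad(session_id, key, seq_no, length):
    """Keystream: chained MD5(session_id || key || version || seq_no || previous block)."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([TAC_PLUS_VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; calling it again restores the plaintext."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_packet(session_id, key, seq_no, body):
    """Clear 12-byte header followed by the obfuscated body."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet, key):
    """Return (seq_no, session_id, plaintext body); reject short, foreign or truncated packets."""
    if len(packet) < HEADER.size:
        raise ValueError("short TACACS+ packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if version != TAC_PLUS_VERSION or ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("malformed TACACS+ authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no)
    return seq_no, session_id, body


# Body layouts for authentication START, CONTINUE and REPLY (port/rem_addr are constructed).
def build_start(port=b"tty1", rem_addr=b"10.0.0.5"):
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN, then the four length octets
    return struct.pack("!8B", 1, 1, 1, 1, 0, len(port), len(rem_addr), 0) + port + rem_addr

def build_continue(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg   # user_msg_len, data_len, flags

def parse_continue(body):
    return body[5:5 + struct.unpack("!H", body[:2])[0]]

def build_reply(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


class TacacsDaemon:
    """Minimal daemon: prompts for username, then password, and checks a user table."""
    def __init__(self, key, users):
        self.key, self.users, self.sessions = key, users, {}

    def handle(self, packet):
        seq_no, session_id, body = parse_packet(packet, self.key)
        if seq_no != 1 and session_id not in self.sessions:   # CONTINUE for a session we never saw
            return build_packet(session_id, self.key, seq_no + 1, build_reply(ERROR, b"no such session"))
        state = self.sessions.setdefault(session_id, {})
        if seq_no == 1:                                          # START: ask for the username
            reply = build_reply(GETUSER, b"Username: ")
        elif "user" not in state:                                # CONTINUE carrying the username
            state["user"] = parse_continue(body)
            reply = build_reply(GETPASS, b"Password: ")
        else:                                                    # CONTINUE carrying the password
            stored = self.users.get(state["user"], b"")
            ok = bool(stored) and hmac.compare_digest(stored, parse_continue(body))
            reply = build_reply(PASS if ok else FAIL)
            del self.sessions[session_id]
        return build_packet(session_id, self.key, seq_no + 1, reply)


def nas_login(daemon, key, session_id, username, password):
    """Drive the NAS side; returns the final status name and the prompts shown to the user."""
    answers = {GETUSER: username, GETPASS: password}
    prompts, seq_no = [], 1
    reply = daemon.handle(build_packet(session_id, key, seq_no, build_start()))
    for _ in range(3):                          # START plus at most two CONTINUE round trips
        status, msg = parse_reply(parse_packet(reply, key)[2])
        if status not in answers:               # PASS, FAIL or ERROR ends the exchange
            break
        prompts.append(msg.decode(errors="replace"))
        seq_no += 2                             # client packets carry odd sequence numbers
        reply = daemon.handle(build_packet(session_id, key, seq_no, build_continue(answers[status])))
    return STATUS_NAME.get(status, "UNKNOWN"), prompts
```

A quick way to see the point about the header is to build one CONTINUE packet carrying a username and inspect it: the session ID and sequence number can be read straight out of the first 12 bytes, while the username is not visible until the body is run back through the pseudo-pad with the shared secret. Feeding the daemon a CONTINUE for a session it never saw yields the ERROR reply, which is the case in which a real NAS would fall back to another authentication method.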