Introduction to TACACS+
TACACS+ (Terminal Access Controller Access-Control System Plus) is an AAA protocol designed by Cisco. Its primary function is device administration, though it can also be used to control Internet access. TACACS+ authenticates network administrators who log in to network devices such as routers, switches, and firewalls.
AAA protocols may encrypt the entire packet or only the passwords. TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the passwords and sends the rest of the transmission in clear text. As a result, TACACS+ is more secure than RADIUS for terminal access control.
How TACACS+ Works?
The Network Access Device (NAD) uses the CONTINUE message to communicate with the TACACS+ server and obtain a username prompt. The user enters a username, and the NAD contacts the TACACS+ server again to obtain a password prompt (another CONTINUE message). The password prompt is shown to the user, and the password the user enters is then sent to the TACACS+ server.
Fig 1.1- TACACS+ Authentication
The server can respond with one of the following reply messages:
- If the credentials entered are valid, the TACACS+ server responds with an ACCEPT message.
- If the credentials entered are not valid, the TACACS+ server responds with a REJECT message.
- If the link between the NAS and the TACACS+ server, or the TACACS+ server itself, is not working properly, the server responds with an ERROR message.
- If TACACS+ authorization is required, the TACACS+ server is contacted again and returns an ACCEPT or REJECT authorization response. An ACCEPT message carries attributes that determine which services the user is allowed to use.
Features of TACACS+
- Cisco created it as a protocol for the AAA framework; it can be used between Cisco devices and the Cisco ACS server.
- It uses TCP as its transport protocol.
- It uses TCP port 49.
- If the device and the ACS server use TACACS+, all AAA packets exchanged between them are encrypted.
- It separates AAA into independent functions: authentication, authorization, and accounting.
- It provides more granular control than RADIUS by letting administrators choose which commands a user is authorized to run.
- It supports accounting, but less comprehensively than RADIUS.
Benefits of TACACS+ over RADIUS
- Provides more granular control than RADIUS. TACACS+ allows a network administrator to specify which commands a user may execute.
- Unlike RADIUS, all AAA packets are encrypted.
- TACACS+ uses TCP rather than UDP. TCP guarantees reliable, ordered delivery between the client and the server.
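The reply messages and the packet encryption described above, as an added example that is not part of the original article: a small Python encoder/decoder for a TACACS+ authentication REPLY following the RFC 8907 packet layout. It shows that the 12-byte header (including the session id) travels in clear text while the body is XORed with an MD5-derived pad keyed by the shared secret, so a NAD with the wrong secret cannot decode the ACCEPT/REJECT/ERROR status. The session id and shared secret are constructed sample values.

```python
import hashlib
import struct

# 12-byte TACACS+ header (RFC 8907): version, type, seq_no, flags, session_id, length.
# The header is always sent in cleartext; only the body is obfuscated.
HEADER = struct.Struct("!BBBBII")
VERSION = 0xC0                    # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # set only when the body is sent in the clear
REPLY_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA",
                0x04: "GETUSER", 0x05: "GETPASS", 0x07: "ERROR"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: block n = MD5(session_id | key | version | seq_no | block n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_reply(status, server_msg, session_id, key, seq_no=2):
    """Server side: encode an authentication REPLY (PASS = ACCEPT, FAIL = REJECT)."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)

def parse_reply(packet, key):
    """NAD side: decode a REPLY into (status name, server_msg).

    Returns None when the body does not decode, which is what a wrong
    shared secret looks like on the wire (the fields come out as random bytes).
    """
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 6:
        return None
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in REPLY_STATUS or 6 + msg_len + data_len != len(body):
        return None
    return REPLY_STATUS[status], body[6:6 + msg_len]

# Constructed sample: the session id and shared secret are made up for this example.
SAMPLE_PACKET = build_reply(0x01, b"Welcome", 0x12345678, b"shared-secret")
```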