What are the characteristics of TACACS+?
Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) are two common security protocols used to provide centralized access control for networks. RADIUS was designed to authenticate and log remote network users, while TACACS+ is most commonly used for administrator access to network devices such as routers and switches. Both protocols provide centralized Authentication, Authorization, and Accounting (AAA) for computers that connect to and use a network service.

  • Authentication - Who is allowed to gain access to the network? Traditionally authorized users provide a username and password to verify their identity for both RADIUS and TACACS+.

  • Authorization - What services can a user access once they are authenticated? It is unlikely that you want your finance people to have access to the developer database. Visitors may have access only to the Internet, while only IT staff can access the entire passwords database.

  • Accounting - What services did each user access, and for how long? Accounting records capture the user's identity, network address, point of attachment, and a unique session identifier; these statistics are tracked and added to the user's record. This is useful when time on the system is billed to individuals or departments.

Remote authentication lets you keep usernames and passwords in one place, on a central server. The advantage of using RADIUS or TACACS+ on that central server is that you do not have to change the configuration of each network device when a user is added or deleted, or when a user changes a password. You make one change on the server, and the devices continue to consult the server for authentication. Although authentication is the best-known function of RADIUS and TACACS+, both also provide the two other functions, authorization and accounting.

Note

Instead of using a flat database on the RADIUS server, you can refer to external sources such as SQL, Kerberos, LDAP, or Active Directory servers to verify user credentials.

Why Not Just Rely on Firewalls and Filters for Access Control?

Routers and firewalls usually control access to services using filters based on source and/or destination IP addresses and ports. This means that restrictions are applied to devices (addresses), not to individual users. For example, if you permit traffic from 10.1.0.255 to a particular web server, then anyone sitting at the machine with the address 10.1.0.255, or anyone able to spoof or borrow that address, automatically has access to that server. With RADIUS or TACACS+, the same person at 10.1.0.255 must also provide a username and password before getting access to the service, so the decision is tied to a person rather than to an address.

What About Using LDAP For Authentication?

Lightweight Directory Access Protocol (LDAP) is a client/server protocol used to access and manage directory information. It reads and edits directories over IP networks and runs directly over TCP/IP using simple string formats for data transfer. Directory servers include information about various entities on your network, such as user names, passwords, rights associated with user names, metadata associated with user names, devices connected to the network, and device configuration.

Use LDAP to obtain directory information, such as email addresses and public keys; if you want to make directory information available over the Internet, this is the way to do it. LDAP works well for captive portal authentication, where the portal simply binds to the directory with the username and password the user typed. LDAP does not implement 802.1X easily, however. 802.1X was designed with RADIUS in mind: the EAP exchange carried by 802.1X is relayed by the switch or access point to a RADIUS server, and challenge/response methods such as MSCHAPv2 (inside PEAP) require the server to hold the user's NT password hash, which a plain LDAP bind cannot provide.

Where Is RADIUS Installed on the Network?

RADIUS includes three components: an authentication server, client protocols, and an accounting server. The RADIUS server portion of the protocol is usually a background process running on a UNIX or Microsoft Windows server.

With RADIUS, the term client refers to a network access device (NAD) that provides the client part of the RADIUS service—wireless access points, a modem pool, a switch, a network firewall, or any other device that needs to authenticate users can be configured as a NAD to recognize and process connection requests from outside the network edge. When a NAD receives a user's connection request, it may perform an initial access negotiation with the user to obtain identity/password information. Then the NAD passes this information to the RADIUS server as part of an authentication/authorization request.
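The exchange described above, as an added example that is not code from the original article or from any RADIUS implementation: the NAD builds an Access-Request carrying User-Name and a hidden User-Password (RFC 2865 section 5.2), the server recovers the password and answers with an Access-Accept or Access-Reject whose Response Authenticator (RFC 2865 section 3) the NAD checks before trusting it. The shared secret `s3cr3t-shared`, the user `alice`, her password, and the identifiers 17 and 18 are constructed sample values; the user database is a plain dict standing in for the server's flat file or directory.

```python
# Added example (not from the original article): a NAD packaging a user's
# credentials into a RADIUS Access-Request, and the server's authenticated reply.
# Implements RFC 2865 section 5.2 (User-Password hiding) and section 3
# (Response Authenticator). Secret, names and passwords are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # code, identifier, total length; a 16-byte authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad with NULs to a multiple of 16 (at least 16), then XOR each
    16-byte chunk with MD5(secret + previous ciphertext chunk), seeded with the
    Request Authenticator. Only this one attribute is protected on the wire."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad_len = -len(password) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad_len
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, chained on the ciphertext chunks; NUL padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: 1-byte type, 1-byte length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, secret, username, password, request_auth):
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code, ident, reply_attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(reply_attrs)) + request_auth + reply_attrs + secret).digest()


def server_handle(packet, secret, user_db):
    """Recover the password, decide, and answer with a reply the NAD can authenticate."""
    code, ident, length = HEADER.unpack(packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    reply_attrs = b""   # a real server would append authorization attributes here
    return HEADER.pack(reply_code, ident, 20) + response_authenticator(reply_code, ident, reply_attrs, request_auth, secret) + reply_attrs


def client_verify_reply(reply, request_auth, secret) -> bool:
    """The NAD accepts a reply only if its Response Authenticator matches the shared secret."""
    code, ident, length = HEADER.unpack(reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo(request_auth=None):
    """Returns (username visible on the wire?, password visible?, reply code,
    genuine reply verifies?, forged reply verifies?)."""
    secret, user_db = b"s3cr3t-shared", {b"alice": b"Tr0ub4dor&3"}   # constructed sample data
    request_auth = request_auth or os.urandom(16)   # RFC 2865: must be unpredictable
    pkt = build_access_request(17, secret, b"alice", b"Tr0ub4dor&3", request_auth)
    reply = server_handle(pkt, secret, user_db)
    bad = server_handle(build_access_request(18, secret, b"alice", b"wrong", request_auth), secret, user_db)
    forged = bytes([ACCESS_ACCEPT]) + bad[1:]   # attacker flips a Reject to Accept without the secret
    return (b"alice" in pkt, b"Tr0ub4dor&3" in pkt, reply[0],
            client_verify_reply(reply, request_auth, secret), client_verify_reply(forged, request_auth, secret))


if __name__ == "__main__":
    print(demo())   # (True, False, 2, True, False)
```

Running it shows what a sniffer on UDP/1812 sees: the username is readable, the password is not, and a reply whose code was tampered with fails the authenticator check. The Access-Request itself carries no integrity protection in this basic form; the Message-Authenticator attribute of RFC 2869 exists to close that gap, which is why it should be enabled on both NADs and servers.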

Note

RADIUS requires that each network client device (NAD) be configured with the RADIUS server's address and the shared secret it will use with that server.

How Is TACACS+ Installed on the Network?

The TACACS+ logon authentication protocol uses software running on a central server to control access through TACACS+-aware devices on the network. Each device still has to be pointed at the server (its address, TCP port 49, and the shared key), but once that is done all user and command policy lives on the server and no per-user configuration is needed on the device. The TACACS+ protocol is supported by most enterprise and carrier-grade devices.

Install the TACACS+ service as close as possible to the user database, preferably on the same server. TACACS+ depends on the directory it authenticates against (for example your Windows domain), so network connectivity problems, DNS failures, or even clock skew between the two can cause a critical service failure. Installing TACACS+ on the same server as the user database can also improve performance.

TACACS+ servers should be deployed in a fully trusted internal network. If you keep the TACACS+ service within your trusted network, you need to open only one port, TCP 49. There should be no direct access from untrusted or semi-trusted networks. Use a distinct shared key per device or device group and rotate them: the key is the only thing protecting the packet bodies, so anyone who obtains it can decode captured sessions.

Note

RADIUS is typically deployed in a semi-trusted network because it faces end users, while TACACS+ carries internal administrative logins, so combining the two services on one server could expose administrative credentials to the less trusted zone and compromise your network security.

A Comparison of RADIUS and TACACS+

Table 1: RADIUS and TACACS+

Primary Use
  RADIUS:  Authenticate and log remote network users
  TACACS+: Provide administrator access to network devices like routers and switches

Authentication and Authorization
  RADIUS:  Authentication and authorization are bundled together. When the client device requests authentication, the server replies with both authentication and authorization attributes in the same response; the two functions cannot be performed separately.
  TACACS+: All three AAA functions (authentication, authorization, and accounting) can be used independently, so one method such as Kerberos can be used for authentication and a separate method such as TACACS+ for authorization.

Accounting
  RADIUS:  The accounting features of the RADIUS protocol can be used independently of RADIUS authentication or authorization.
  TACACS+: Independent of authentication and authorization, like the other two functions.

Protocol
  RADIUS:  UDP/IP, best-effort delivery. Authentication on port 1812 and accounting on port 1813 (the IANA-assigned ports); older deployments use 1645/1646.
  TACACS+: TCP on port 49. Also has multiprotocol support for the AppleTalk Remote Access (ARA) protocol, NetBIOS Frame Protocol Control protocol, Novell Asynchronous Services Interface (NASI), and X.25 PAD connections.

Encryption applied to
  RADIUS:  Password only. The User-Password attribute is hidden with an MD5-based XOR keyed by the shared secret; the username and all other attributes travel in clear text.
  TACACS+: The entire packet body, including username, password, and authorization attributes. RFC 8907 describes this as obfuscation with the shared key rather than true encryption, which is one reason TACACS+ belongs on a trusted network.

802.1X Security
  RADIUS:  Supported. If you want to use 802.1X port-based network access control, you have to use the RADIUS client.
  TACACS+: Not supported; the TACACS+ client does not implement this feature.

Model
  RADIUS:  client/server
  TACACS+: client/server

Recommended Environment
  RADIUS:  semi-trusted
  TACACS+: trusted

14. Access Control Administration

  • Centralized administration: one entity (a department or an individual) is responsible for overseeing access to all corporate resources.
  • This type of administration provides a consistent and uniform method of controlling users' access rights.
  • Examples: RADIUS, TACACS, and Diameter
RADIUS
  • It is a client/server authentication protocol that authenticates and authorizes remote users.
  • The access server (the NAS the user dials into) collects the user's credentials and forwards them to the RADIUS server, which houses the usernames and passwords.
  • It is an open standard protocol originally developed by Livingston Enterprises and later standardized by the IETF (RFC 2865).
TACACS
  • TACACS has been through three generations: TACACS, Extended TACACS (XTACACS), and TACACS+.
    • TACACS combines its authentication and authorization processes,
    • XTACACS separates the authentication, authorization, and auditing processes, and
    • TACACS+ is XTACACS with extended two-factor user authentication. TACACS+ is a separate protocol that is not backward compatible with the earlier two, and it is the only one still in use.
  • TACACS uses fixed passwords for authentication, while TACACS+ allows users to use dynamic (one-time) passwords, which provides more protection.
  • TACACS+ provides basically the same functionality as RADIUS with a few differences in some of its characteristics.
    • TACACS+ uses TCP as its transport protocol, while RADIUS uses UDP.
    • RADIUS encrypts only the user's password as it travels from the RADIUS client to the RADIUS server. Everything else, such as the username, accounting data, and authorized services, is passed in clear text, which invites an attacker on the path to capture session information for replay. TACACS+ encrypts the entire packet body, so that information is not exposed. The TACACS+ mechanism is an MD5-based keystream derived from the shared key (RFC 8907 calls it obfuscation rather than encryption), so anyone holding the key can decode captured sessions; this is why the protocol is meant for a trusted management network.
    • The RADIUS protocol combines the authentication and authorization functionality, whereas TACACS+ uses a true AAA architecture that separates authentication, authorization, and accounting, so each can be handled by a different method. TACACS+ also lets you define more granular user profiles that control the actual commands a user may run on a device (per-command authorization).

Note: RADIUS is the appropriate protocol when simple username/password authentication suffices and users only need an Accept or Deny for network access, as with ISPs. TACACS+ is the better choice for environments that require more sophisticated authentication steps and tighter control over complex authorization activities, such as the administration of corporate network devices.
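The TACACS+ side of the "encryption applied to" comparison (the table above and the point just made about the whole body being protected), as an added example that is not code from the original page or from any TACACS+ implementation: it builds the 12-byte header and an authentication START body carrying username, port, remote address, and a PAP password, applies the RFC 8907 section 4.5 body obfuscation with the shared key, and then decodes the packet with the right key and with a wrong one. The key `tacacs-shared-key`, the user `netops-alice`, the password, the port `vty0`, the address 10.20.30.40, and the session id are constructed sample values.

```python
# Added example (not from the original page): TACACS+ header, authentication START
# body, and the RFC 8907 section 4.5 body obfuscation, showing that the username and
# password are not readable on TCP/49 without the shared key. All values constructed.
import hashlib
import os
import struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER_DEFAULT = 0xC, 0x0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # header flag: body sent in the clear (never in production)
TAC_PLUS_AUTHEN_LOGIN = 0x01           # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02        # authen_type: password is carried in the data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01       # service
HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, body length
START = struct.Struct("!BBBBBBBB")     # action, priv_lvl, authen_type, service, user/port/rem_addr/data lengths


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_{n-1});
    concatenated until the pad covers the body. The key is the only secret input."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; XOR is its own inverse, so this also de-obfuscates."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def authen_start_body(user, port, rem_addr, password, priv_lvl=1):
    return START.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                      len(user), len(port), len(rem_addr), len(password)) + user + port + rem_addr + password


def build_packet(ptype, seq_no, session_id, body, key):
    """Client side. An empty key sets TAC_PLUS_UNENCRYPTED_FLAG, which exposes the body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def open_packet(packet, key):
    """Server side: the header is always clear text; the body needs the key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate(payload, session_id, key, version, seq_no)


def parse_authen_start(body):
    action, priv, atype, svc, ul, pl, rl, dl = START.unpack(body[:START.size])
    i, fields = START.size, []
    for n in (ul, pl, rl, dl):
        fields.append(body[i:i + n])
        i += n
    user, port, rem_addr, data = fields
    return {"user": user, "port": port, "rem_addr": rem_addr, "password": data, "priv_lvl": priv}


def demo(session_id=None):
    """Returns (credentials visible on the wire?, user the server sees, password the
    server sees, body recovered with a wrong key?)."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")   # real clients pick a fresh random id
    key = b"tacacs-shared-key"   # constructed; real keys are per device and never sent
    body = authen_start_body(b"netops-alice", b"vty0", b"10.20.30.40", b"Hunter2!")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)
    exposed = b"netops-alice" in pkt or b"Hunter2!" in pkt
    seen = parse_authen_start(open_packet(pkt, key))
    return exposed, seen["user"], seen["password"], open_packet(pkt, b"wrong-key") == body


if __name__ == "__main__":
    print(demo())   # (False, b'netops-alice', b'Hunter2!', False)
```

Compare this with the RADIUS case: here neither the username nor the password is visible in the capture, only the header (version, type, sequence number, session id, length). The protection is exactly as strong as the secrecy of the key, which is the practical reason the page insists on a trusted network and on not reusing one key everywhere.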

Diameter
  • Diameter is a protocol that was developed to build upon the functionality of RADIUS and overcome many of its limitations. Its creators called it Diameter as a play on the term RADIUS: the diameter is twice the radius.
  • Diameter is another AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but with more flexibility and capabilities, to meet the demands of today's complex and diverse networks, where wireless devices and smartphones need to authenticate to our networks and roaming protocols, Mobile IP, PPPoE, and the like are in use.
  • Diameter provides a base protocol, which defines header formats, security options, commands, and AVPs (Attribute Value Pairs). This base protocol allows for extensions (applications) that tie in other services, such as VoIP, FoIP, Mobile IP, wireless, and cell phone authentication. So Diameter can be used as an AAA protocol for all of these different uses.
  • RADIUS and TACACS+ are client/server protocols, which means that the server portion cannot send unsolicited commands to the client portion. The server portion can only speak when spoken to. Diameter is a peer-based protocol that allows either end to initiate communication.
    • This functionality allows the Diameter server to send a message to the access server requesting that the user provide another authentication credential if the user is attempting to access a secure resource.
    • This functionality also allows the Diameter server to disconnect the user if necessary for one reason or another.
  • Diameter was designed to interoperate with RADIUS (through translation gateways) and uses AVPs as RADIUS does, but it runs over TCP or SCTP rather than UDP, and it provides proxy, relay, and redirect agent support.
  • It has better error detection and correction functionality and failover properties than RADIUS, and thus provides better network resilience.
  • Diameter mandates transport protection (IPsec or TLS) of the connection between Diameter nodes, which RADIUS does not provide on its own.
  • Diameter can provide AAA for other protocols and services because it has a much larger AVP space: RADIUS has an 8-bit attribute type field (2^8 = 256 possible attributes), while Diameter has a 32-bit AVP code (2^32). More AVPs allow more functionality and services to exist and communicate between systems.
  • Diameter provides the following AAA functions:
    • Authentication
      • PAP, CHAP, EAP
      • End-to-end protection of authentication information
      • Replay attack protection
    • Authorization
      • Redirects, secure proxies, relays, and brokers
      • State reconciliation
      • Unsolicited disconnect
      • Reauthorization on demand
    • Accounting
      • Reporting, ROAMOPS accounting, event monitoring
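To make the AVP comparison above concrete (the 8-bit attribute type of RADIUS against the 32-bit AVP code of Diameter), here is an added example that is not code from the original notes or from any Diameter stack: it encodes and decodes Diameter AVPs per RFC 6733 section 4.1 (code, V/M/P flags, 24-bit length, optional Vendor-ID, padding to a 4-byte boundary), applies the mandatory-bit rule a receiver must follow (an unknown AVP with M set is rejected with DIAMETER_AVP_UNSUPPORTED, Result-Code 5001), and shows the size limit a RADIUS attribute imposes. User-Name (code 1) and Result-Code (268) are real base-protocol AVPs; the vendor-specific code 77001 and vendor id 99999 are invented sample values.

```python
# Added example (not from the original notes): Diameter AVP framing per RFC 6733
# section 4.1, receiver handling of the mandatory (M) bit, and the RADIUS attribute
# limits for comparison. Code 77001 and vendor id 99999 are made-up sample values.
import struct
from typing import Optional

AVP_FLAG_V, AVP_FLAG_M, AVP_FLAG_P = 0x80, 0x40, 0x20
DIAMETER_AVP_UNSUPPORTED = 5001          # Result-Code for an unknown AVP carrying the M bit
AVP_USER_NAME, AVP_RESULT_CODE = 1, 268


def encode_avp(code: int, data: bytes, mandatory: bool = True, vendor_id: Optional[int] = None) -> bytes:
    """AVP = 32-bit code, 8-bit flags, 24-bit length (header + data, excluding padding),
    optional 32-bit Vendor-ID when V is set, data, then zero padding to a 4-byte boundary."""
    if not 0 <= code < 2 ** 32:
        raise ValueError("AVP code is a 32-bit field")
    flags = (AVP_FLAG_M if mandatory else 0) | (AVP_FLAG_V if vendor_id is not None else 0)
    length = 8 + (4 if vendor_id is not None else 0) + len(data)
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def decode_avps(buf: bytes) -> list:
    """Returns (code, vendor_id, mandatory, data) tuples; rejects malformed lengths."""
    avps, i = [], 0
    while i < len(buf):
        if len(buf) - i < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, i)
        length = int.from_bytes(buf[i + 5:i + 8], "big")
        hdr, vendor_id = 8, None
        if flags & AVP_FLAG_V:
            if len(buf) - i < 12:
                raise ValueError("truncated AVP header")
            vendor_id, hdr = struct.unpack_from("!I", buf, i + 8)[0], 12
        if length < hdr or i + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append((code, vendor_id, bool(flags & AVP_FLAG_M), buf[i + hdr:i + length]))
        i += length + (-length % 4)   # step over the padding, which the length excludes
    return avps


def check_mandatory(avps, known_codes) -> Optional[int]:
    """A Diameter node must reject a message that contains an unrecognised AVP with M set
    (RFC 6733 s4.1); returns the Result-Code to send, or None when everything is understood."""
    for code, vendor_id, mandatory, _ in avps:
        if mandatory and (vendor_id, code) not in known_codes:
            return DIAMETER_AVP_UNSUPPORTED
    return None


def radius_attr(atype: int, value: bytes) -> bytes:
    """For comparison: the RADIUS TLV has a 1-byte type and a 1-byte length, so at most
    255 attribute types and 253 bytes of value per attribute."""
    if not 0 < atype < 256 or len(value) > 253:
        raise ValueError("does not fit a RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value


def demo():
    """Round-trips two AVPs, then shows the M-bit decision of a receiver that knows only base AVPs."""
    msg = encode_avp(AVP_USER_NAME, b"alice") + encode_avp(77001, b"\x01", vendor_id=99999)
    avps = decode_avps(msg)
    known = {(None, AVP_USER_NAME), (None, AVP_RESULT_CODE)}
    rejected = check_mandatory(avps, known)   # unknown vendor AVP with M set -> 5001
    tolerated = check_mandatory(decode_avps(encode_avp(77001, b"\x01", mandatory=False, vendor_id=99999)), known)
    try:
        radius_attr(1, b"x" * 300)
        radius_fits = True
    except ValueError:
        radius_fits = False   # a 300-byte value cannot be carried in one RADIUS attribute
    return len(avps), avps[0][3], avps[1][1], rejected, tolerated, radius_fits


if __name__ == "__main__":
    print(demo())   # (2, b'alice', 99999, 5001, None, False)
```

The M bit is the security-relevant part: it lets the sender insist that an AVP be understood, so a policy attribute cannot be silently ignored by an older peer, whereas in RADIUS an unknown attribute is simply dropped.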