A remote security database provides uniform remote-access security policies throughout the enterprise. It centrally manages all remote user profiles. Cisco network devices support the following three primary security server protocols:
■ TACACS+
■ RADIUS
■ Kerberos
NOTE A password for a vty line has to be configured for telnet access to work.
NOTE Passwords display in clear text in your configuration unless you enable the service password-encryption command.
TACACS Overview
Terminal Access Controller Access Control System (TACACS) provides a way to centrally validate all users individually before they can gain access to a router or access server. TACACS was derived from the United States Department of Defense and is described in RFC 1492. TACACS is an open protocol and can be ported to most username or password databases. Figure 6-1 shows a TACACS+
server supporting a dialup client.
Figure 6-1 TACACS+ Server Supporting a Dialup User
The Cisco IOS Software implements TACACS to allow centralized control over who can access routers and access servers. Authentication also can be provided for Cisco IOS administration tasks on the routers’ and access servers’ user interfaces. With TACACS enabled, the router and access server prompts the user for a username and a password. Then the router or access server queries a TACACS server to determine whether the user provided the correct corresponding password.
TACACS was originally designed to run on UNIX workstations but can now run on Windows too.
The three current versions of TACACS security server application are as follows:
■ TACACS—An older access protocol, incompatible with the newer TACACS+ protocol. It provides password checking and authentication and notification of user actions for security and accounting purposes.
■ XTACACS—An extension to the older TACACS protocol, supplying additional functionality to TACACS. Extended TACACS provides information about protocol translator and router use.
This information is used in UNIX auditing trails and accounting files.
■ TACACS+—An improved protocol providing detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.
The TACACS and XTACACS protocols in Cisco IOS Software are officially considered end-of-maintenance and are no longer maintained by Cisco for bug fixes or enhancement.
TACACS+ provides for separate and modular authentication, authorization, and accounting facili-ties. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide authen-tication, authorization, and accounting services independently. Each service can be tied into its own
Dial-Up Client NAS
TACACS+Server
User Request for Authentication
Authentication 107
database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The TACACS+ protocol provides authentication between the NAS and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between a NAS and a TACACS+ daemon are encrypted, typically using Message Digest 5 (MD5) algorithms. TACACS+ can forward the password types for ARA, SLIP, PAP, CHAP, and standard telnet. Therefore, clients can use the same username password for different protocols. TCP port 49 is reserved for TACACS+.
RADIUS Overview
RADIUS is a distributed client/server protocol that secures networks against unauthorized access.
RADIUS includes two pieces: an authentication server and client protocols. A NAS operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. The RADIUS servers can act as proxy clients to other kinds of authentication servers. RADIUS uses UDP as the communication protocol between the client and the server on port UDP 1645. Figure 6-2 shows a RADIUS server supporting a dialup client.
Figure 6-2 Dialup Client Supported by a RADIUS Server
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, could be captured by a third party.
The RADIUS server supports a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP, PAP, CHAP, UNIX login, and other authentication mechanisms.
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authenti-cation and authorization. RADIUS does perform accounting separately.
Dial-Up Client NAS
RADIUS Server
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:
1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
• ACCEPT—The user is authenticated.
• REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.
• CHALLENGE—A challenge is issued by the RADIUS server. The challenge col-lects additional data from the user.
• CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization Table 6-3 shows a brief comparison between TACACS+ server and RADIUS.
Table 6-3 Features of TACACS+ and RADIUS Protocols
Functionality TACACS+ RADIUS
AAA support Authentication, authorization, and accounting services are separate.
Authentication and authorization are combined, but accounting services are separate.
Transport protocol TCP port 49. UDP Port 1645—Authentication/
Authorization
UDP Port 1646—Accounting Above are the original RFC ports (still supported)
Protocol support Multiproctocol support. No NetBEUI, ARA.