TACACS Protocol - NetwaxLab


Monday, April 13, 2015

TACACS Protocol

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks; it spawned related protocols:

TACACS Implementation
  • Extended TACACS (XTACACS) is a proprietary extension to TACACS introduced by Cisco Systems in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both allow a remote access server to communicate with an authentication server in order to determine if the user has access to the network.
  • Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ and other flexible AAA protocols have largely replaced their predecessors.

History

TACACS was originally developed in 1984 by BBN Technologies for administering MILNET, which ran unclassified network traffic for DARPA at the time and would later evolve into the U.S. Department of Defense's NIPRNet. Originally designed as a means to automate authentication – allowing someone who was already logged into one host in the network to connect to another on the same network without needing to re-authenticate – it was first formally described by BBN's Brian Anderson in December 1984 in IETF RFC 927. Cisco Systems began supporting TACACS in its networking products in the late 1980s, eventually adding several extensions to the protocol. In 1990, Cisco's extensions on the top of TACACS became a proprietary protocol called Extended TACACS (XTACACS). Although TACACS and XTACACS are not open standards, Craig Finseth of the University of Minnesota, with Cisco's assistance, published a description of the protocols in 1993 in IETF RFC 1492 for informational purposes.

TACACS+ Need?

TACACS+ simplifies network administration and increases network security. It does this by centralizing management of users on your network and enabling you to set granular access policies by users and groups, command, location, time of day, subnet, or device type. The TACACS+ protocol also gives you a complete log of every user's login and what commands were used. TACACS+ is recommended for compliance with most network security standards for E-Commerce, Health Care, Finance, and Government networks.

TACACS/TACACS+ Security

You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to authenticate the following kinds of access to the ServerIron.
  • Telnet access
  • SSH access
  • Web management access
  • Access to the Privileged EXEC level and CONFIG levels of the CLI

How TACACS+ differs from TACACS

TACACS

TACACS is defined in RFC 1492 and uses port 49 (either TCP or UDP) by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. TACACSD uses TCP and usually runs on port 49. It determines whether to accept or deny the authentication request and sends a response back. The TIP (the routing node accepting dial-up line connections, which the user would normally want to log in to) then allows or denies access based on that response. In this way, the process of making the decision is "opened up": the algorithms and data used to make the decision are under the complete control of whoever is running the TACACS daemon.

TACACS+

TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and is not compatible with its predecessors, TACACS and XTACACS. TACACS+ uses TCP (while RADIUS operates over UDP). Since TACACS+ uses the authentication, authorization, and accounting (AAA) architecture, these separate components of the protocol can be segregated and handled on separate servers.

Since TCP is a connection-oriented protocol, TACACS+ does not have to implement its own transmission control. RADIUS, however, has to detect and correct transmission errors such as packet loss and timeouts itself, because it rides on UDP, which is connectionless. RADIUS encrypts only the user's password as it travels from the RADIUS client to the RADIUS server; all other information, such as the username, authorization and accounting data, is transmitted in clear text, so it is vulnerable to several types of attack. TACACS+ encrypts all of the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.

TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery.

TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all traffic between the ServerIron and the TACACS+ server. TACACS+ allows for arbitrary length and content authentication exchanges, which allow any authentication mechanism to be utilized with the ServerIron. TACACS+ is extensible to provide for site customization and future development features. The protocol allows the ServerIron to request very precise access control and allows the TACACS+ server to respond to each component of that request.

(Note: TACACS+ provides for authentication, authorization, and accounting, but an implementation or configuration is not required to employ all three.)
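To make concrete what "encrypting all traffic between the client and the TACACS+ server" means on the wire, the following is an added example, not code from this post or from any vendor. It implements the 12-byte TACACS+ header and the body obfuscation defined in RFC 8907 section 4.5: the body is XORed with a keystream built from an MD5 chain over the session id, the shared key, the version byte and the sequence number. RFC 8907 itself calls this obfuscation rather than encryption, which is why the shared key and a protected management network still matter. It also builds the authentication START body that opens the ASCII login exchange described under "TACACS+ Authentication" below, and includes a defender-side check for the header flag that turns obfuscation off. The shared key, session id, username and addresses are constructed sample values.

```python
"""Added example (not the post's or any vendor's code): TACACS+ header framing,
body obfuscation (RFC 8907 section 4.5) and an authentication START body.
All sample values (shared key, session id, user, port, address) are constructed."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC          # version byte 0xC0 = major 12, minor 0
TAC_PLUS_AUTHEN = 0x01            # packet types: authentication,
TAC_PLUS_AUTHOR = 0x02            # authorization,
TAC_PLUS_ACCT = 0x03              # accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in clear text
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_header(data):
    """Return the fixed 12-byte header as a dict of its fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def body_is_unencrypted(header):
    """Defender check: a peer that sets TAC_PLUS_UNENCRYPTED_FLAG is sending
    usernames, passwords and commands in clear text on TCP/49."""
    return bool(header["flags"] & TAC_PLUS_UNENCRYPTED_FLAG)


def keystream(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id | key | version | seq_no);
    MD5_n = MD5(session_id | key | version | seq_no | MD5_n-1); concatenate
    until the pad covers the body (RFC 8907 section 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the keystream; XOR is its own inverse, so one function
    both obfuscates and de-obfuscates."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def encode_packet(ptype, seq_no, session_id, body, key):
    """Header plus obfuscated body, ready to write to the TCP connection."""
    version = TAC_PLUS_MAJOR_VER << 4
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def decode_packet(data, key):
    """Validate the length field and recover the plaintext body."""
    header = parse_header(data)
    body = data[HEADER_LEN:]
    if len(body) != header["length"]:
        raise ValueError("header length does not match body length")
    if body_is_unencrypted(header):
        return header, body
    return header, obfuscate(body, header["session_id"], key,
                             header["version"], header["seq_no"])


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """Authentication START body for an ASCII login (RFC 8907 section 5.1):
    action=LOGIN(1), priv_lvl, authen_type=ASCII(1), authen_service=LOGIN(1),
    four length bytes, then user, port, rem_addr and (empty) data."""
    if max(len(user), len(port), len(rem_addr)) > 255:
        raise ValueError("variable fields are limited to 255 bytes")
    return (bytes([0x01, priv_lvl, 0x01, 0x01, len(user), len(port), len(rem_addr), 0])
            + user + port + rem_addr)


def parse_authen_start(body):
    """Inverse of build_authen_start."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(action=action, priv_lvl=priv_lvl,
                  authen_type=authen_type, service=service)
    return fields


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # constructed; never reuse in production
    body = build_authen_start(b"alice", b"tty0", b"10.0.0.7")
    wire = encode_packet(TAC_PLUS_AUTHEN, 1, 0x1A2B3C4D, body, key)
    hdr, plain = decode_packet(wire, key)
    print(hdr, parse_authen_start(plain))
```

Decoding the same packet with a different key yields garbage rather than an error, because the keystream is simply wrong; TACACS+ has no integrity tag, so a key mismatch shows up as a malformed body rather than a rejected packet. That is one reason to monitor for `TAC_PLUS_UNENCRYPTED_FLAG` and for servers logging "invalid" bodies, both of which usually indicate a key mismatch between device and daemon.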

TACACS/TACACS+ Authentication, Authorization and Accounting

Figure: interaction between a dial-in user and the TACACS+ client and server (image not included).

TACACS Authentication

When TACACS authentication takes place, the following events occur:
  • A user attempts to gain access to the ServerIron by doing one of the following:

  1. Logging into the device using Telnet, SSH, or the Web management interface
  2. Entering the Privileged EXEC level or CONFIG level of the CLI
  • The user is prompted for a username and password.
  • The user enters a username and password.
  • The ServerIron sends a request containing the username and password to the TACACS server.
  • The username and password are validated in the TACACS server’s database.
  • If the password is valid, the user is authenticated.

TACACS+ Authentication

When TACACS+ authentication takes place, the following events occur:
  • A user attempts to gain access to the ServerIron by doing one of the following:

  1. Logging into the device using Telnet, SSH, or the Web management interface
  2. Entering the Privileged EXEC level or CONFIG level of the CLI

  • The user is prompted for a username.
  • The user enters a username.
  • The ServerIron obtains a password prompt from a TACACS+ server.
  • The user is prompted for a password.
  • The user enters a password.
  • The ServerIron sends the password to the TACACS+ server.
  • The password is validated in the TACACS+ server’s database.
  • If the password is valid, the user is authenticated.

TACACS+ Authorization

ServerIrons support two kinds of TACACS+ authorization:
  • Exec authorization determines a user’s privilege level when they are authenticated
  • Command authorization consults a TACACS+ server to get authorization for commands entered by the user

When TACACS+ exec authorization takes place, the following events occur:
  1. A user logs into the ServerIron using Telnet, SSH, or the Web management interface
  2. The user is authenticated.
  3. The ServerIron consults the TACACS+ server to determine the privilege level of the user.
  4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the privilege level of the user.
  5. The user is granted the specified privilege level.

When TACACS+ command authorization takes place, the following events occur:
  1. A Telnet, SSH, or Web management interface user previously authenticated by a TACACS+ server enters a command on the ServerIron.
  2. The ServerIron looks at its configuration to see if the command is at a privilege level that requires TACACS+ command authorization.
  3. If the command belongs to a privilege level that requires authorization, the ServerIron consults the TACACS+ server to see if the user is authorized to use the command.
  4. If the user is authorized to use the command, the command is executed.
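The exchange in steps 3 and 4 is carried by an authorization REQUEST whose arguments are attribute-value pairs such as `service=shell`, `cmd=show` and `cmd-arg=running-config`. The following is an added example, not code from this post, from Cisco or from any ServerIron firmware: it encodes and parses the authorization REQUEST body from RFC 8907 section 6.1, splits each argument into attribute, value and the mandatory (`=`) versus optional (`*`) separator, and applies a constructed per-user command policy on the server side, returning PASS_ADD or FAIL. The policy table, user names, port and address are constructed sample data; the argument names are the standard ones for shell command authorization.

```python
"""Added example (not the post's, Cisco's or any vendor's code): TACACS+
authorization REQUEST encoding (RFC 8907 section 6.1) plus a server-side
command authorization decision. POLICY and all sample values are constructed."""

TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

# Constructed policy: command keywords each user may run under service=shell.
POLICY = {
    "alice": {"show", "ping", "traceroute"},
    "bob": {"show"},
}
KNOWN_ATTRS = {"service", "cmd", "cmd-arg"}


def build_author_request(user, port, rem_addr, args, priv_lvl=1):
    """Fixed 8-byte prefix, one length byte per argument, then user, port,
    rem_addr and the arguments back to back."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("argument count and lengths are limited to 255")
    head = bytes([TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                  TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args)])
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    """Inverse of build_author_request; rejects trailing or missing bytes."""
    meth, priv_lvl, atype, svc, ul, pl, rl, argc = body[:8]
    off = 8
    arg_lens = list(body[off:off + argc])
    off += argc
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("authorization body length mismatch")
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "priv_lvl": priv_lvl, "authen_method": meth, "args": args}


def split_av_pair(arg):
    """'attr=value' is mandatory, 'attr*value' is optional (RFC 8907 section 3.7).
    The separator is the first '=' or '*' in the argument."""
    text = arg.decode("ascii")
    for i, ch in enumerate(text):
        if ch in "=*":
            return text[:i], text[i + 1:], ch == "="
    raise ValueError("argument without separator: %r" % arg)


def authorize_command(request):
    """Server-side decision: (status, reason). Fails closed on unknown users,
    on any service other than shell, and on a mandatory attribute this
    server does not understand; optional unknown attributes are ignored."""
    attrs = {}
    for arg in request["args"]:
        attr, value, mandatory = split_av_pair(arg)
        if attr not in KNOWN_ATTRS:
            if mandatory:
                return TAC_PLUS_AUTHOR_STATUS_FAIL, "unsupported mandatory attribute " + attr
            continue
        attrs.setdefault(attr, []).append(value)
    if attrs.get("service") != ["shell"]:
        return TAC_PLUS_AUTHOR_STATUS_FAIL, "only service=shell is handled here"
    user = request["user"].decode("ascii")
    cmd = attrs.get("cmd", [""])[0]
    full = " ".join([cmd] + attrs.get("cmd-arg", []))
    if cmd in POLICY.get(user, set()):
        return TAC_PLUS_AUTHOR_STATUS_PASS_ADD, "%s may run '%s'" % (user, full)
    return TAC_PLUS_AUTHOR_STATUS_FAIL, "%s may not run '%s'" % (user, full)


if __name__ == "__main__":
    req = build_author_request(b"bob", b"tty0", b"10.0.0.7",
                               [b"service=shell", b"cmd=configure", b"cmd-arg=terminal"])
    print(authorize_command(parse_author_request(req)))
```

The reason string is what a server would write to its log; keeping both the decision and the full reconstructed command line in one record is what makes per-command authorization auditable later, which is the "complete log of every user's login and what commands were used" the post mentions.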

TACACS+ Accounting

TACACS+ accounting works as follows:
  • One of the following events occurs on the ServerIron:

  1. A user logs into the management interface using Telnet or SSH
  2. A user enters a command for which accounting has been configured
  3. A system event occurs, such as a reboot or reloading of the configuration file

  • The ServerIron checks its configuration to see if the event is one for which TACACS+ accounting is required.
  • If the event requires TACACS+ accounting, the ServerIron sends a TACACS+ Accounting Start packet to the TACACS+ accounting server, containing information about the event.
  • The TACACS+ accounting server acknowledges the Accounting Start packet.
  • The TACACS+ accounting server records information about the event.
  • When the event is concluded, the ServerIron sends an Accounting Stop packet to the TACACS+ accounting server.
  • The TACACS+ accounting server acknowledges the Accounting Stop packet.

TACACS+ Configuration Task List

To configure your router to support TACACS+, you must perform the following tasks:
  • Use the aaa new-model global configuration command to enable AAA. AAA must be configured if you plan to use TACACS+. For more information about using the aaa new-model command, refer to the chapter "AAA Overview".
  • Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons. Use the tacacs-server key command to specify an encryption key that will be used to encrypt all exchanges between the network access server and the TACACS+ daemon. This same key must also be configured on the TACACS+ daemon.
  • Use the aaa authentication global configuration command to define method lists that use TACACS+ for authentication. For more information about using the aaa authentication command, refer to the chapter "Configuring Authentication".
  • Use line and interface commands to apply the defined method lists to various interfaces. For more information, refer to the chapter "Configuring Authentication".
  • If needed, use the aaa authorization global command to configure authorization for the network access server. Unlike authentication, which can be configured per line or per interface, authorization is configured globally for the entire network access server. For more information about using the aaa authorization command, refer to the "Configuring Authorization" chapter.
  • If needed, use the aaa accounting command to enable accounting for TACACS+ connections. For more information about using the aaa accounting command, refer to the "Configuring Accounting" chapter.
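The six tasks above end in a handful of IOS configuration lines, and a common operational failure is to complete only some of them (server defined but no `aaa new-model`, or a vty line still using its static password). The following is an added example, not code from this post or from Cisco: a small audit that checks an IOS-style running configuration text for each task, and a separate detection for vty lines that still authenticate against a line password. The two configuration texts are constructed, one missing most of the settings and one that follows every task; the server address and key are placeholders, and the command syntax is the `tacacs-server host` / `tacacs-server key` form used in this post.

```python
"""Added example (not the post's or Cisco's code): audit an IOS-style running
configuration for the TACACS+ tasks listed above. Both configuration texts,
the server address and the key are constructed sample data."""
import re

# Constructed "before": a server is named, but AAA is off, no key is set, and
# the vty lines still authenticate with a static line password.
WEAK_CONFIG = """\
tacacs-server host 192.0.2.10
line vty 0 4
 password cisco
 login
"""

# Constructed "after": every task in the list above, with 'local' as a fallback
# method so the device stays manageable if all TACACS+ servers are unreachable.
HARDENED_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key CONSTRUCTED-SHARED-KEY-PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 login authentication default
 transport input ssh
"""

# One regex per task; matched against top-level (unindented) lines.
CHECKS = [
    ("aaa new-model enabled", r"^aaa new-model$"),
    ("TACACS+ server host defined", r"^tacacs-server host \S+"),
    ("TACACS+ shared key set", r"^tacacs-server key \S+"),
    ("login method list uses TACACS+", r"^aaa authentication login \S+ group tacacs\+"),
    ("exec authorization uses TACACS+", r"^aaa authorization exec \S+ group tacacs\+"),
    ("command authorization uses TACACS+", r"^aaa authorization commands \d+ \S+ group tacacs\+"),
    ("accounting enabled for TACACS+",
     r"^aaa accounting (exec|commands \d+) \S+ start-stop group tacacs\+"),
    ("local fallback on login list", r"^aaa authentication login \S+ group tacacs\+ local$"),
]


def audit(config_text):
    """Return {check name: True/False} for the configuration text."""
    lines = [line.rstrip() for line in config_text.splitlines()]
    return {name: any(re.match(pattern, line) for line in lines)
            for name, pattern in CHECKS}


def failing(config_text):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, ok in audit(config_text).items() if not ok)


def vty_uses_line_password(config_text):
    """Detection: a 'line vty' block containing 'password' and a bare 'login'
    authenticates against the static line password, bypassing the AAA list."""
    in_vty = has_password = has_plain_login = False
    for line in config_text.splitlines():
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not line.startswith(" "):
            in_vty = False            # left the indented line block
        if in_vty:
            stripped = line.strip()
            if stripped.startswith("password "):
                has_password = True
            if stripped == "login":
                has_plain_login = True
    return has_password and has_plain_login


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "failing:", failing(cfg),
              "vty line password:", vty_uses_line_password(cfg))
```

The audit treats authorization and accounting as expected rather than optional, since the post recommends TACACS+ precisely for its per-command control and complete logs; drop those two checks if a device genuinely only needs authentication.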

To configure TACACS+, perform the tasks in the following sections:
  • Identifying the TACACS+ Server Host (Required)
  • Setting the TACACS+ Authentication Key (Optional)
  • Configuring AAA Server Groups (Optional)
  • Configuring AAA Server Group Selection Based on DNIS (Optional)
  • Specifying TACACS+ Authentication (Required)
  • Specifying TACACS+ Authorization (Optional)
  • Specifying TACACS+ Accounting (Optional)

----
@NetwaxLab
