If a single administrator has to access 100 routers and each device's local database is used for usernames and passwords (authentication), the administrator has to create the same user account 100 times, once per device. If he wants to keep different usernames and passwords on different devices, or simply needs to change a password, he has to edit the authentication configuration on every device by hand. Of course, it is a tedious task.
To ease this task, Cisco ACS (Access Control Server) is used. ACS provides a centralised management system in which the database of usernames and passwords is kept. Authorization (what the user is permitted to do) can also be configured there. But for this to work, the router has to be told to refer to ACS for its authentication and authorization decisions instead of its local database.
Two protocols can be used between the ACS server and the client for this purpose: RADIUS and TACACS+.
Here we will discuss TACACS+ only.
TACACS+, which stands for Terminal Access Controller Access-Control System Plus, is a security protocol used in the AAA framework to provide centralised authentication, authorization and accounting for users who want to gain access to network devices.
Features – Some of the features of TACACS+ are:
- Originally a Cisco proprietary protocol for the AAA framework, i.e. it was designed for use between a Cisco device and a Cisco ACS server. The protocol has since been published as RFC 8907 and is implemented by other vendors' devices and by open-source servers as well.
- It uses TCP as the transport protocol.
- It uses TCP port number 49.
- If the device and ACS server use TACACS+, the body of every AAA packet exchanged between them is obfuscated: it is XORed with an MD5-based pseudo-pad derived from a shared secret key, while the 12-byte header is sent in the clear. This is not strong encryption; anyone who learns the shared key can recover every packet body, so the key must be protected and the traffic kept on a trusted management network.
- It separates AAA into distinct elements, i.e. authentication, authorisation and accounting are handled independently and can even be sent to different servers.
- It provides more granular control than RADIUS, because the individual commands a user is authorised to run can be specified (per-command authorization).
- It provides accounting support, but less extensive than RADIUS.
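Telling the router to consult ACS, as described above, is done with AAA method lists. The following Cisco IOS configuration is an added example and is not taken from the original article or from Cisco documentation; the server address 192.0.2.10, the shared key, and the names ACS1, ACS-GROUP and VTY-AUTH are assumed placeholders.

```cisco
! Enable the AAA framework (replaces the old line/enable password model)
aaa new-model
!
! Define the TACACS+ server and the shared secret used to obfuscate packet bodies
tacacs server ACS1
 address ipv4 192.0.2.10
 key MyTacacsKey
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Local fallback account, consulted only if ACS does not answer
username admin privilege 15 secret StrongLocalPassword
!
! Method lists: ask the TACACS+ group first, then the local database
aaa authentication login VTY-AUTH group ACS-GROUP local
aaa authorization exec VTY-AUTH group ACS-GROUP local
aaa authorization commands 15 VTY-AUTH group ACS-GROUP local
aaa authorization config-commands
aaa accounting exec VTY-AUTH start-stop group ACS-GROUP
aaa accounting commands 15 VTY-AUTH start-stop group ACS-GROUP
!
! Apply the method lists to the remote-access lines
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 authorization commands 15 VTY-AUTH
 accounting exec VTY-AUTH
 accounting commands 15 VTY-AUTH
```

Note that the `local` keyword at the end of each method list is only reached when the TACACS+ server does not respond (timeout or connection failure); a REJECT from ACS is final and does not fall through to the local account. Keep a console session open while applying this, and verify the server relationship with `show tacacs` and, if needed, `debug tacacs` before closing it.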
The client of TACACS+ is called the Network Access Device (NAD) or Network Access Server (NAS). For an ASCII login, the NAS opens a TCP connection to the server on port 49 and sends an authentication START message. The server answers with a GETUSER reply, which the NAS uses to display a username prompt; the user enters a username, and the NAS sends it to the server in a CONTINUE message. The server then replies with GETPASS, the NAS displays a password prompt, the user enters a password, and the NAS sends it to the server in another CONTINUE message. (Cisco's documentation summarises this prompt exchange simply as CONTINUE messages.)
The server then responds with one of the following reply messages:
- If the credentials entered are valid, the TACACS+ server responds with an ACCEPT message (status PASS in RFC 8907).
- If the credentials entered are not valid, the TACACS+ server responds with a REJECT message (status FAIL).
- If the server hits a problem while processing the request (for example a failure of its backend database), it responds with an ERROR message. Note that if the link to the TACACS+ server is down, the NAS gets no reply at all; it times out and moves on to the next method in its AAA method list (typically the local database), which is why a local fallback account should always be configured.
- If TACACS+ authorization is required, the TACACS+ server is contacted again and returns an ACCEPT or REJECT authorization response. If ACCEPT is returned, it carries attributes that determine the services and commands the user is allowed to use.
For accounting, the client sends a REQUEST message to the TACACS+ server, and the server responds with a RESPONSE message (an accounting REPLY in RFC 8907 terms) stating that the record has been received.
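The authentication exchange described above, written out as a self-contained simulation in Python. This is an added example, not code from the original article or from Cisco: the packet header, the ASCII login body layouts and the MD5 pseudo-pad follow RFC 8907, while the shared key, the user database and the session all live in memory, so no TCP connection to port 49 is made. Both sides of the exchange are shown so that the START, GETUSER, CONTINUE, GETPASS and PASS/FAIL messages can be traced, and the obfuscation helper makes the point from the features list concrete: whoever holds the shared key can strip the "encryption".

```python
import hashlib
import hmac
import os
import struct

# Wire-format constants from RFC 8907
VERSION = 0xC0            # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01        # packet type: authentication
FLAG_UNENCRYPTED = 0x01   # header flag: body sent in clear (debugging only)
ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SVC_LOGIN = 1, 1, 1, 1
# REPLY status codes; Cisco documentation calls PASS/FAIL "ACCEPT"/"REJECT"
PASS, FAIL, GETUSER, GETPASS, ERROR = 1, 2, 4, 5, 7
STATUS_NAME = {PASS: "ACCEPT", FAIL: "REJECT", GETUSER: "GETUSER",
               GETPASS: "GETPASS", ERROR: "ERROR"}

def pseudo_pad(session_id, key, seq_no, length):
    """MD5(session_id|key|version|seq_no), then chained MD5 blocks, cut to length."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR body with the pseudo-pad; XOR is its own inverse, so this also decodes."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte cleartext header followed by the obfuscated body."""
    hidden = obfuscate(body, session_id, key, seq_no)
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(hidden)) + hidden

def parse_packet(packet, key):
    """Return (type, seq_no, session_id, cleartext body); raise on truncation."""
    _ver, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    return ptype, seq_no, session_id, body

class TacacsServer:
    """Server side of an ASCII login: START -> GETUSER -> CONTINUE(user)
    -> GETPASS -> CONTINUE(password) -> PASS or FAIL."""
    def __init__(self, key, users):
        self.key, self.users, self.sessions = key, users, {}

    def reply(self, session_id, seq_no, status, server_msg=b""):
        body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
        return build_packet(TYPE_AUTHEN, seq_no, session_id, body, self.key)

    def handle(self, packet):
        _ptype, seq_no, sid, body = parse_packet(packet, self.key)
        if seq_no == 1:                          # START: ask for the username
            self.sessions[sid] = {}
            return self.reply(sid, 2, GETUSER, b"Username: ")
        msg_len, = struct.unpack("!H", body[:2])  # CONTINUE: user_msg_len, data_len, flags, user_msg
        user_msg = body[5:5 + msg_len]
        state = self.sessions[sid]
        if "user" not in state:                  # first CONTINUE carries the username
            state["user"] = user_msg
            return self.reply(sid, seq_no + 1, GETPASS, b"Password: ")
        expected = self.users.get(state["user"], b"")  # second CONTINUE carries the password
        ok = bool(expected) and hmac.compare_digest(expected, user_msg)
        del self.sessions[sid]
        return self.reply(sid, seq_no + 1, PASS if ok else FAIL)

# NAS (client) side
def authen_start(sid, key, port=b"tty0", rem_addr=b"10.0.0.5"):
    body = struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SVC_LOGIN,
                       0, len(port), len(rem_addr), 0) + port + rem_addr
    return build_packet(TYPE_AUTHEN, 1, sid, body, key)

def authen_continue(sid, key, seq_no, user_msg):
    body = struct.pack("!HHB", len(user_msg), 0, 0) + user_msg
    return build_packet(TYPE_AUTHEN, seq_no, sid, body, key)

def reply_status(packet, key):
    _ptype, seq_no, _sid, body = parse_packet(packet, key)
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, seq_no, body[6:6 + msg_len]

def login(server, key, username, password):
    """Drive the NAS side of an ASCII login; client seq numbers are odd, server even."""
    sid = int.from_bytes(os.urandom(4), "big")
    status, seq_no, _ = reply_status(server.handle(authen_start(sid, key)), key)
    if status != GETUSER:
        return STATUS_NAME.get(status, "ERROR")
    status, seq_no, _ = reply_status(server.handle(authen_continue(sid, key, seq_no + 1, username)), key)
    if status != GETPASS:
        return STATUS_NAME.get(status, "ERROR")
    status, _, _ = reply_status(server.handle(authen_continue(sid, key, seq_no + 1, password)), key)
    return STATUS_NAME.get(status, "ERROR")

# Constructed demo data (assumption for the example, not real credentials)
DEMO_KEY = b"tacacs-shared-secret"
DEMO_USERS = {b"admin": b"s3cret!"}

if __name__ == "__main__":
    srv = TacacsServer(DEMO_KEY, DEMO_USERS)
    print(login(srv, DEMO_KEY, b"admin", b"s3cret!"))   # ACCEPT
    print(login(srv, DEMO_KEY, b"admin", b"wrong"))     # REJECT
```

Running `parse_packet` on a captured packet with the correct key returns the username and password in clear text, which is exactly why the shared key and the management network carrying port 49 need the same protection as the credentials themselves.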
Advantages – Some advantages of TACACS+ over RADIUS are:
- Provides more granular control than RADIUS. TACACS+ allows a network administrator to define exactly which commands a user may run.
- The whole body of every AAA packet is obfuscated with the shared key, rather than just the password field (as in RADIUS), so usernames, authorized commands and accounting records are not visible in clear text on the wire.
- TACACS+ uses TCP instead of UDP. TCP provides a reliable, connection-oriented transport, so the NAS can tell quickly whether the server is reachable instead of waiting on retransmission timers.
Disadvantages – Some disadvantages of TACACS+ are:
- It was designed as a Cisco proprietary protocol. Although it is now published as RFC 8907 and supported by many non-Cisco devices and servers, support is less universal than for RADIUS, which is implemented by virtually every network and wireless product.
- Less extensive support for accounting than RADIUS.