Describe management access connections (Telnet, SSH, HTTP, HTTPS, console, and TACACS+/RADIUS) | Practonet

Describe management access connections - AAA, TACACS+/RADIUS

AAA

AAA Authentication, Authorization, Accounting

Access control is the way you control who is allowed access to the network device and what services they are allowed to use once they have access

Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your router or access server

Authentication: Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption

Authorization: Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA (AppleTalk), and Telnet

Accounting: Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions

If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server

TACACS+

TACACS+ Terminal Access Controller Access Control System Plus

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server

TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation

You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities

TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently

Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the domain

The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service

The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers

RADIUS

RADIUS Remote Authentication Dial-In User Service

RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market

RADIUS is a distributed client/server system that secures networks against unauthorized access

In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information

Cisco supports RADIUS under its AAA security paradigm

RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, and local username lookup

RADIUS is supported on all Cisco platforms, but some RADIUS-supported features run only on specified platforms

TACACS+ vs RADIUS

The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the authorization function, whereas RADIUS combines authentication and authorization in a single exchange

When a RADIUS Authentication request is sent to the AAA server, the AAA client expects to receive a reply containing the Authorization result
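To illustrate that combined exchange, here is an added example in Python (not code from the original page or from Cisco): a minimal RFC 2865 Access-Request/Access-Accept round trip in which the one reply to the authentication request already carries the authorization result as a Service-Type attribute, and the shared secret is what lets the client trust that reply. The shared secret, user database and attribute values are constructed sample values; the packets are built and checked in memory rather than sent over UDP.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6   # RFC 2865 attribute types
NAS_PROMPT = 7                                     # Service-Type value: unprivileged CLI prompt
SECRET = b"constructed-shared-secret"              # constructed sample value
USERS = {"admin": (b"s3cret", NAS_PROMPT)}         # constructed user database

def hide_password(pw, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    pw = pw.ljust(-(-len(pw) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def attrs(pairs):  # encode (type, value) pairs as RADIUS type-length-value attributes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2: raise ValueError("malformed attribute")   # refuse a zero-length TLV
        out[t], i = data[i + 2:i + l], i + l
    return out

def build_access_request(user, pw, ident=1, req_auth=None):
    req_auth = req_auth or os.urandom(16)          # fresh random Request Authenticator
    body = attrs([(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(pw, SECRET, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def server_handle(req):
    """Authenticate; the same Access-Accept also carries the authorization result (Service-Type)."""
    ident, length, req_auth = req[1], struct.unpack("!H", req[2:4])[0], req[4:20]
    a = parse_attrs(req[20:length])
    user = a.get(USER_NAME, b"").decode()
    ok = user in USERS and hmac.compare_digest(hide_password(USERS[user][0], SECRET, req_auth), a.get(USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = attrs([(SERVICE_TYPE, struct.pack("!I", USERS[user][1]))]) if ok else b""
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) ties the reply to the request
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + SECRET).digest() + body

def client_verify(req, resp):
    """Check the Response Authenticator before trusting the reply code or its authorization attributes."""
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + SECRET).digest()
    if not hmac.compare_digest(resp[4:20], expected):
        raise ValueError("Response Authenticator mismatch: reply not from the trusted server")
    return resp[0], parse_attrs(resp[20:])
```

A client that skips the Response Authenticator check would accept a forged Access-Accept from anyone who can answer on the wire, which is why the check comes before the code and attributes are read.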