Management Access Connections (AAA, TACACS, RADIUS)

There are various methods for accessing a network device. These methods are also used to access wireless components, so we cover them here.


AAA Authentication, Authorization, Accounting

Access control is the way you control who is allowed access to the network device and what services they are allowed to use once they have access.
Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your router or access server.

Authentication: Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.

Authorization: Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA (AppleTalk), and Telnet.

Accounting: Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions.

If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.


TACACS+ Terminal Access Controller Access Control Service Plus

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server.

TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation.

You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.

TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently.

Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the domain.

The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.

The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers.


RADIUS Remote Access Dial-In User Service

RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.

RADIUS is a distributed client/server system that secures networks against unauthorized access.

In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

Cisco supports RADIUS under its AAA security paradigm.

RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, and local username lookup.

RADIUS is supported on all Cisco platforms, but some RADIUS-supported features run only on specified platforms.


The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, whereas RADIUS combines Authentication and Authorization.

When a RADIUS Authentication request is sent to the AAA server, the AAA client expects to receive a reply containing the Authorization result.
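
The combined reply described above can be seen in the packet itself. The following is an added example, not code from the original page or from Cisco: it builds a constructed Access-Accept in the RFC 2865 layout, verifies its Response Authenticator, and extracts the authorization attributes the reply carries. The shared secret, Request Authenticator, and the `shell:priv-lvl=15` cisco-avpair value are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                      # RFC 2865 packet code
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26  # RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco vendor id and cisco-avpair subtype

def attr(atype, value):
    """Encode one attribute as type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def build_accept(ident, request_auth, secret, attrs):
    """Build a sample Access-Accept with a valid Response Authenticator."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def parse_accept(packet, request_auth, secret):
    """Verify the reply, then return the authorization data it carries."""
    declared = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else -1
    if declared != len(packet) or packet[0] != ACCESS_ACCEPT:
        raise ValueError("not a well-formed Access-Accept")
    body = packet[20:]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    authz, i = {}, 0
    while i < len(body):
        alen = body[i + 1] if i + 1 < len(body) else 0
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        atype, value = body[i], body[i + 2:i + alen]
        if atype == SERVICE_TYPE and len(value) == 4:
            authz["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) > 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                authz.setdefault("cisco_avpairs", []).append(value[6:4 + vlen].decode())
        i += alen
    return authz

SECRET, REQUEST_AUTH = b"constructed-secret", bytes(range(16))  # constructed sample values
AVPAIR = b"shell:priv-lvl=15"                                   # constructed sample value
VSA = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(AVPAIR) + 2) + AVPAIR
SAMPLE = build_accept(7, REQUEST_AUTH, SECRET, [
    attr(SERVICE_TYPE, struct.pack("!I", 6)),  # 6 = Administrative
    attr(VENDOR_SPECIFIC, VSA),
])
```

Because the privilege level rides in the same reply as the authentication result, the authenticator check protects both.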
