
AAA TACACS+ and RADIUS Tutorial

October 18th, 2018

Nowadays security plays an important role in every company. Without any security controls on our network, a user can simply "plug and play": he picks a valid IP address by hand or is assigned one automatically via DHCP. That is convenient, but it is a poor idea if the network carries sensitive data. Worse, such a user may have full rights on the network and on every device he can reach, so he can do real damage.

As a company grows there comes a moment when you have to add access control to the network. There are many ways to secure a network, but AAA offers a complete solution for controlling who may log in to the network devices, what they may do once logged in, and what they actually did. In this tutorial let's find out about this security feature.

Before diving into AAA, let’s take an example of a user who wants to connect to our network.

[Figure AAA_initial_without_AAA: a user logging in to a network device without AAA, using only the line password]

This process uses a login and password configured on the access line (console, vty or aux). Although it is very easy to implement, this method has many disadvantages:
+ Insecure login method (a single shared line password; on many platforms it can be sent over Telnet in cleartext)
+ Vulnerable to brute-force attacks (no central lockout or monitoring)
+ No accountability: everyone shares the same password, so nobody can be held responsible for a change
+ Must be configured on each device manually
+ Usernames and passwords are stored locally on each device, so every password change has to be repeated everywhere
+ Cannot restrict which specific commands a user may run

With AAA, now the process of a user connecting to our network is shown below:

[Figure AAA_initial_with_AAA: the network device forwards the user's login to a central AAA server, which returns accept or reject]

Every action a user takes is submitted to the AAA server, which decides whether it is allowed or not. This process has many advantages:
+ Secure login (the AAA server is never exposed directly to the users; the network device only forwards the credentials, and before authentication the user can send only the few protocols needed to authenticate)
+ Easy management: accounts and policies live on one or a few centralized servers
+ Firewalls or other security devices can be placed in front of the AAA servers to protect them
+ Specific commands can be accepted or rejected per user
+ Every command typed by a user can be logged for later analysis

Disadvantages:
+ Requires a powerful, highly available server (it handles every login and every command authorization request, so if it is down or unreachable users are locked out unless a fallback method such as the local database is configured)

AAA stands for Authentication, Authorization and Accounting.

+ Authentication: Specify who you are (usually via login username & password)
+ Authorization: Specify what actions you can do, what resource you can access
+ Accounting: Monitor what you do, how long you do it (can be used for billing and auditing)

An example of AAA is shown below:

+ Authentication: "I am a normal user. My username/password is user_tom/learnforever"
+ Authorization: "user_tom can access the LearnCCNA server via HTTP and FTP"
+ Accounting: "user_tom accessed the LearnCCNA server for 2 hours and used only show commands"

When AAA is combined with network access control (for example 802.1X on a switch port), users must authenticate before they get an IP address and access to the network. Until they do, the port passes only the specific protocols needed to complete the authentication (such as EAPOL frames); everything else is dropped.

Authentication can be performed against the local database, via the 802.1X standard (which was developed to authenticate devices attempting to access a switch port or LAN) or via remote AAA servers. There are two popular client/server AAA protocols used between the authenticating device (the AAA client) and the remote AAA server:

+ RADIUS (Remote Authentication Dial In User Service)
+ TACACS+ (Terminal Access Controller Access-Control System Plus)

The comparison of the two protocols is listed below:

Transport and ports
+ RADIUS: UDP. Authentication and authorization use port 1812 and accounting uses port 1813 (RFC 2865/2866); many older servers still listen on the legacy ports 1645/1646.
+ TACACS+: TCP port 49.

Encryption
+ RADIUS: Only the User-Password attribute is hidden (an MD5-based obfuscation using the shared secret). The rest of the packet, including the username, is sent in cleartext.
+ TACACS+: The entire body of every packet is obfuscated with an MD5-based keystream derived from the shared key, leaving only the 12-byte TACACS+ header in cleartext.

Standards
+ RADIUS: Open standard (RFC 2865 and RFC 2866).
+ TACACS+: Developed by Cisco. RFC 1492 describes the original TACACS, not TACACS+; TACACS+ itself was long available only as a Cisco draft and was eventually published as RFC 8907 in 2020.

Operation
+ RADIUS: Authentication and authorization are combined in one exchange; the Access-Accept that confirms the credentials also carries the authorization attributes.
+ TACACS+: Authentication, authorization and accounting are three separate exchanges.

Logging
+ RADIUS: Accounting records sessions (start, stop, duration, traffic volume), not the individual commands a user typed.
+ TACACS+: Full command logging; every command typed by a user can be authorized and recorded on the server.

Note:
+ RADIUS is an old protocol (it dates from the early 1990s and was first published as an RFC in 1997) and was originally designed for dial-in modem connections. Security was a weaker concern in those days, so RADIUS hides only the password attribute; everything else, including the username, travels in cleartext. The password hiding is MD5 obfuscation with a static shared secret rather than modern encryption, so RADIUS traffic should be confined to a management network or protected with IPsec or RADIUS over TLS (RadSec, RFC 6614).
+ TACACS+ is the successor of TACACS and XTACACS. It is Cisco's answer to RADIUS. Its body obfuscation is also MD5-based and also depends on a static shared key, so the same transport protections apply.
+ RADIUS supports the Extensible Authentication Protocol (EAP, RFC 3579), an authentication framework frequently used in wireless networks and point-to-point connections; this is why RADIUS, not TACACS+, is the back end for 802.1X. TACACS+ does not carry EAP.
+ Both TACACS+ and RADIUS servers can run on either Windows or Unix/Linux.
+ TACACS+ separates the authentication, authorization and accounting steps. This architecture allows a separate authentication solution (for example Kerberos or a one-time-password system) while still using TACACS+ for authorization and accounting.
+ Authentication and authorization are not separated in a RADIUS transaction. When the authentication request is sent to the AAA server, the AAA client expects the authorization result to come back in the same reply.
+ TACACS+ supports per-command authorization. After a successful login the server can assign the user a privilege level and, beyond that, accept or reject each individual command the user enters.
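To make the "Encryption" row of the table and the first two notes concrete, here is an added example (not part of the original tutorial) that implements the two obfuscation schemes as the standards define them: the RADIUS User-Password encoding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5. It builds one RADIUS Access-Request and one TACACS+ authentication START packet for the same user and reports which credentials a sniffer on the path would see in cleartext. The shared secret, the session id, the port and remote-address strings and the user_tom/learnforever credentials are constructed sample values.

```python
"""RADIUS vs TACACS+ on the wire (added example, not from the tutorial).

RADIUS, RFC 2865 s5.2: only the User-Password attribute is hidden, by XOR
with an MD5 keystream derived from the shared secret and the 16-byte Request
Authenticator; User-Name and every other attribute stay in cleartext.
TACACS+, RFC 8907 s4.5: the entire body is XORed with an MD5 keystream derived
from the shared key, session id, version and sequence number; only the
12-byte header stays in cleartext.  Secret, user, password, session id and
port names used here are constructed sample values.
"""
import hashlib
import os
import struct
from typing import Dict, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---------------------------------------------------------------- RADIUS ---
def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password encoding: c1 = p1 ^ MD5(S+RA), c_n = p_n ^ MD5(S+c_{n-1})."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: Type(1) Length(1, counts these two bytes too) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request (Code 1) carrying User-Name (1) and User-Password (2)."""
    ra = authenticator or os.urandom(16)          # Request Authenticator must be unpredictable
    attrs = radius_attribute(1, username) + radius_attribute(2, radius_hide_password(password, secret, ra))
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16) = 20 bytes
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs


# --------------------------------------------------------------- TACACS+ ---
TAC_PLUS_VERSION = 0xC0      # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01       # packet type: authentication


def tacacs_plus_pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id|key|version|seq_no), pad_n = MD5(...|pad_{n-1}), truncated to length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, seq_no: int,
                          version: int = TAC_PLUS_VERSION) -> bytes:
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    return _xor(body, tacacs_plus_pseudo_pad(key, session_id, version, seq_no, len(body)))


def tacacs_plus_authen_start(username: bytes, password: bytes, port: bytes = b"tty0",
                             rem_addr: bytes = b"192.0.2.10", priv_lvl: int = 1) -> bytes:
    """Authentication START body for PAP: action LOGIN=1, type PAP=2, service LOGIN=1; data = password."""
    if max(len(username), len(port), len(rem_addr), len(password)) > 255:
        raise ValueError("field too long for a one-byte length")
    return (bytes([0x01, priv_lvl, 0x02, 0x01, len(username), len(port), len(rem_addr), len(password)])
            + username + port + rem_addr + password)


def build_tacacs_plus_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """Cleartext 12-byte header (version, type, seq_no, flags=0 i.e. encrypted, session_id, length) + body."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + tacacs_plus_obfuscate(body, key, session_id, seq_no)


def what_is_visible(username: bytes, password: bytes, secret: bytes) -> Dict[str, bool]:
    """Build one packet per protocol and report which credentials appear verbatim on the wire."""
    ra = bytes(range(16))                         # fixed authenticator so the result is reproducible
    radius_pkt = build_access_request(username, password, secret, authenticator=ra)
    tacacs_pkt = build_tacacs_plus_packet(tacacs_plus_authen_start(username, password), secret, 0x1234ABCD)
    return {
        "radius_username_visible": username in radius_pkt,    # User-Name is cleartext
        "radius_password_visible": password in radius_pkt,    # User-Password is hidden
        "tacacs_username_visible": username in tacacs_pkt,    # whole body hidden
        "tacacs_password_visible": password in tacacs_pkt,
    }


if __name__ == "__main__":
    print(what_is_visible(b"user_tom", b"learnforever", b"constructed-shared-secret"))
```

Running the block shows the practical difference: the RADIUS packet exposes the username and only hides the password, while the TACACS+ packet exposes nothing but its header. Both keystreams are MD5 of a static shared secret plus values that are visible on the wire, so neither is a substitute for protecting the AAA path itself.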

In the next part we will learn how to configure AAA.

Comments (50)
  1. negasi
    October 18th, 2018

    Thank you so much, very helpful

  2. Neil Araza
    October 19th, 2018

    Nice Tut

  3. Anonymous
    October 21st, 2018

    Excellent tutorial.

    Thanks 9tut

  4. RoChCa
    October 28th, 2018

    + The ‘default’ means we want to apply for all login connections (such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under tty, vty and aux lines. If we don’t use this keyword then we have to specify which line(s) we want to apply the authentication feature. An example of not using the ‘default’ keyword is: ????

    Hi 9tut. Please provide that other feature aside from ‘default’ keyword.. Thanks.

  5. 9tut
    October 29th, 2018

    @RoChCa: Thanks for your detection, we have just updated it. You can find an example of not using “default” method list in step 4:
    Switch(config)#aaa authentication login MY_AUTHEN_GROUP group radius local

  6. Ali
    October 31st, 2018

    If anyone has valid dumps, please share.

  7. Anonymous
    November 2nd, 2018

    That is a very nice tutorial.
    Many thanks 9Tut

  8. RoChCa
    November 4th, 2018

    Hi 9tut,

    Thanks for the update. Cheers!

  9. Anonymous
    November 6th, 2018

    Hey Guys, here i’ve shared 357 packet tracers labs:

    http://www.cafecomredes.com.br/2017/01/357-labs-no-packet-tracer.html

    Regards

  10. Ferdi MFS
    November 11th, 2018

    Dear All,

    I will take my exam next week, can anybody help me by sending the CCNA exam 200-125 dump?

    my email : ferdi.santoso @ gmail.com

    Thanks for your help.

  11. Anonymous
    November 11th, 2018

    Dear All,
    I have an exam next week. Can anyone help me by sending CCENT 100-125 dumps? I would be very thankful to you.

    my email : junaidmohmmed @ gmail . com

    May God bless you

  12. Mahlatsi
    November 14th, 2018

    Dear all

    I'm going to have my exam on 28 November, please could someone send me the dump for 200-125.
    My email : {email not allowed}

    God bless in advance

  13. Anonymous
    November 15th, 2018

    It's really cool, guys.
    I want to take a Cisco exam but I need everyone's help with a CCNA 200-125 exam.

  14. Anonymous
    November 15th, 2018

    It's really cool, guys.
    I want to take a Cisco exam but I need everyone's help to send me a CCNA 200-125 exam.
    my email: {email not allowed}

  15. Maboumba
    November 24th, 2018

    Are you in Gabon? If so, contact me at 04.76.34.78

  16. Anonymous
    November 28th, 2018

    I will take my exam next week, can anybody help me by sending the CCNA exam 200-125?

    my email : ferdykablan@ yahoo.fr

    Thanks for your help.

  17. dorasher
    November 28th, 2018

    Dear All,

    I will take my exam next week, can anybody help me by sending the CCNA exam 200-125 dump?

    my email: {email not allowed}
    God bless you

  18. Phantom
    November 29th, 2018

    Someone send me the latest dumps please. ‘fvgnazareno17@gmaildotcom’

  19. Kev
    November 29th, 2018

    Hi All,

    Please send me the latest dumps for 200-125, it would be greatly appreciated.

    kevin.peters234 (at) gmail (dot) com

    Thanks in advance :)

  20. Ciscology
    December 6th, 2018

    Nice information

  21. Olaba
    December 20th, 2018

    Hello House! Please, I need the latest dumps.

    Ramonarimi at gmail dot com

  22. Norld
    December 24th, 2018

    Hello!
    Please send me latest dumps =)
    zverruga at gmail dot com

  23. workerbee
    December 27th, 2018

    please send latest dumps taylor.soderstrom (at) gmail (dot) com

    Thank you :-)

  24. Norld
    January 2nd, 2019

    Cleared my test with excellent marks.

    config labs: OSPFv3 and VLAN
    troubleshoot lab: DHCP, RIP, EIGRP, GRE
    drag and drop: BGP, TCP/UDP protocols
    SIM: IPv6 OSPF, DHCP, VLAN, EIGRP

  25. Norld
    January 2nd, 2019

    Cleared my test with excellent marks.

    config labs: OSPFv3 and VLAN
    troubleshoot lab: DHCP, RIP, EIGRP, GRE
    drag and drop: BGP, TCP/UDP protocols
    SIM: IPv6 OSPF, DHCP, VLAN, EIGRP

    On the web:
    t2m.io/qkhTw5dQ

  26. Teddy1
    January 2nd, 2019

    Hi Guys happy new year. Please may someone share the latest dump boetie.sana (at) gmail dot com

  27. Sam
    January 10th, 2019

    Hi, I am looking for the latest dump for CCNA 200-125.
    Could someone please send it to my mail
    syams.firmansyah(@)gmail(.)com

    Thanks guys, it's for learning purposes

  28. Fahad
    January 10th, 2019

    Hi Friends,
    I plan to write the CCNA 200-125 exam.
    Could someone please send me the latest dump?

    fahadalabri9696(at)gmail(dot)com

    thank you.

  29. Hayat Khan Hussaini
    January 15th, 2019

    Thanks, very useful tutorial

  30. Dineo
    January 16th, 2019

    Hi Friends,
    I’m looking for the latest dumps for CCNA 200-125.
    Could someone please send me at {email not allowed}

    Thank you

  31. Kidlat
    January 18th, 2019

    Can anyone please share vid tuts for latest CCNA and latest dumps.
    CiscoReviewTool(at)gmail(dot)com thank you!

  32. Alejandro
    February 7th, 2019

    ****
    I bought pass4sure and when I went to do the test around 40% of the test was topics that weren't included in pass4sure. I'm studying with 9tut now.
    What do you recommend to do more for this next time?

    thanks!

  33. Sebastian
    February 15th, 2019

    Please share latest dumps @ {email not allowed}

  34. Sebatian
    February 15th, 2019

    Please share latest dumps at kemmi387(at)gmail(dot)com

  35. ammartaha9383@gmail.com
    February 18th, 2019

    Hello dears,
    kindly, I need any valid dump for CCNA R&S

  36. Anonymous
    February 19th, 2019

    Does anyone have the latest VCE exam simulation setup with crack? Could you send it to me by mail please..

    halilalban at outlook dat com

  37. Bless
    March 5th, 2019

    Hello,

    please send latest dumps {email not allowed}

    Thank you :-)

  38. md.bilaal
    March 5th, 2019

    Please share newly updated dumps for CCNA R&S 200-125. If anyone has them, please share with me: mahamuudhassan202 at the rate of gmail dot com

  39. gfsegfdg
    March 13th, 2019

    have a nice day

  40. hfgfh
    March 15th, 2019

    123

  41. Anonymous
    March 30th, 2019

    Hello,

    Please send the latest dumps for CCNA R&S 200-105, thank you. Email me at {email not allowed}

  42. Mohamed Fouard Kanu
    April 12th, 2019

    Please share latest tutorials on latest topics in the new version of CCNA -R&S.

    I am studying to retake my expired CCNA R&S before progressing to CCNA Security

  43. Mohamed Fouard Kanu
    April 12th, 2019

    google drive account: {email not allowed}

  44. Sneh
    April 17th, 2019

    Someone send me new CCNA dumps, I have 1 month to prepare for the exam.

  45. Sneh
    April 17th, 2019

    this is my email: {email not allowed}

  46. sneh
    April 17th, 2019

    sneh26398 at gmail dot com

  47. mynick
    May 1st, 2019

    Hi guys, if anybody has the latest dump for CCNA 200-125 please send it to mseymur549 at gmail dot com

  48. Hector
    May 3rd, 2019

    Can you share a valid dump with me at cnhutil at gmail dot com

  49. Veriz
    May 6th, 2019

    HERE YOU GO. Pass examz.
    CCNA EXAM FEE DISCOUNT VOUCHER ALSO AVAILABLE.

    CCNA 200-125
    CCNP ROUTE 300-101
    CCNP SWITCH 300-115
    CCNP TSHOOT 300-135
    CCIE R&S 400-101

    AT BELOW LINK:
    R E M O V E-S P A C E S

    c b . l k / 4 N f J Y

  50. bill
    May 8th, 2019

    Passed ICND2 the other week. Had a crazy question about TACACS+/AAA.

    It showed a whole page of configuration, then asked what the outcome would be for:
    - a user with a local account
    - a user account configured on the RADIUS server?
