AAA TACACS+ and RADIUS Tutorial

October 18th, 2018

Nowadays, security plays an important role in a company. Without any security solution implemented on our network, a user can simply “plug and play” into it. The user may simply pick up a valid IP address or be assigned one automatically via DHCP. This is convenient, but it is not a good approach if your network contains sensitive data. Worse, this user may have all the rights on your network and so can do dangerous things.

When your company grows bigger and bigger, there comes a moment when you need to consider implementing security on your network. There are many ways to secure a network, but AAA offers a complete solution. In this tutorial, let’s find out about this security feature.

Before diving into AAA, let’s take an example of a user who wants to connect to our network.

[Figure: AAA_initial_without_AAA.jpg]

This process uses a login and password on the access line. Although it is very easy to implement, this method has many disadvantages:
+ Insecure login method
+ Vulnerable to brute-force attacks
+ No accountability
+ Must be configured on each device manually
+ Usernames & passwords are stored locally on each device
+ Cannot limit which specific commands can be used

With AAA, the process of a user connecting to our network is shown below:

[Figure: AAA_initial_with_AAA.jpg]

Every action the users take must be submitted to the AAA server, which determines whether it is allowed. This process has many advantages:
+ Secure login (AAA server is not exposed to users and only some protocols are allowed to be sent initially)
+ Easy management at one or some centralized servers
+ Firewalls or other security devices can be placed before AAA servers to protect them
+ Can accept or reject specific commands
+ Every command typed by users can be logged for later analysis

Disadvantages:
+ Requires a powerful server (to handle all the traffic and requests)

AAA stands for Authentication, Authorization and Accounting.

+ Authentication: Specify who you are (usually via login username & password)
+ Authorization: Specify what actions you can do and what resources you can access
+ Accounting: Monitor what you do and how long you do it (can be used for billing and auditing)

An example of AAA is shown below:

+ Authentication: “I am a normal user. My username/password is user_tom/learnforever”
+ Authorization: “user_tom can access LearnCCNA server via HTTP and FTP”
+ Accounting: “user_tom accessed LearnCCNA server for 2 hours. This user only uses ‘show’ commands.”

With AAA, users must authenticate before getting an IP address to access the network. Until then, they can only use specific protocols to continue authenticating.

Authentication can be done via a local database, the 802.1x standard (which was developed to provide a method to authenticate devices attempting to access a switchport/LAN) or remote AAA servers. There are two popular client/server AAA protocols for communication between remote AAA servers and authenticating devices:

+ RADIUS (Remote Authentication Dial In User Service)
+ TACACS+ (Terminal Access Controller Access-Control System)

The comparison of the two protocols is listed below:

|                        | RADIUS | TACACS+ |
|------------------------|--------|---------|
| Transportation & Ports | UDP port 1812/1645 (Authentication), 1813/1646 (Accounting) | TCP port 49 |
| Encryption             | Only passwords | Entire payload of each packet (leaving only the TACACS+ header in cleartext) |
| Standards              | Open standard | Cisco proprietary (but actually now it is an open standard defined by RFC1492) |
| Operation              | Authentication and authorization are combined in one function | Authentication, authorization and accounting are separated |
| Logging                | No command logging | Full command logging (commands typed by users can be recorded on the servers) |

Note:
+ RADIUS is a very old protocol (created around the early 1990s) and it was originally designed for dial-in modem connections. In those days, security was not a strong concern, so RADIUS encrypts only the authentication information (passwords) along the traffic path.
+ TACACS+ is a newer version of TACACS and XTACACS. It is Cisco's answer to RADIUS.
+ Both RADIUS and TACACS+ support Extensible Authentication Protocol (EAP), which is an authentication framework frequently used in wireless networks and point-to-point connections.
+ Both TACACS+ and RADIUS can run on either Windows or Unix/Linux servers
+ TACACS+ separates the authentication, authorization, and accounting steps. This architecture allows for separate authentication solutions while still using TACACS+ for authorization and accounting.
+ Authentication and authorization are not separated in a RADIUS transaction. When the authentication request is sent to an AAA server, the AAA client expects to have the authorization result sent back in the reply.
+ TACACS+ supports access-level authorization for commands. That means you can assign privilege levels when a user logs in successfully.
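
The Encryption row of the table and the first note above can be seen on the wire. The following added example (not part of the original tutorial) builds a RADIUS Access-Request using the User-Password hiding of RFC 2865 and a TACACS+ PAP login packet using the body obfuscation of RFC 8907, then checks which fields an observer on the path can read. The shared secret, session ID and request authenticator are constructed sample values; the username and password are the ones used in the tutorial's example.

```python
import hashlib
import struct

def md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def radius_access_request(user, password, secret, authenticator):
    """RADIUS Access-Request: only the User-Password attribute is hidden."""
    size = max(16, -(-len(password) // 16) * 16)         # pad to a multiple of 16
    padded, hidden, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        prev = xor(padded[i:i + 16], md5(secret, prev))  # chain on previous block
        hidden += prev
    attrs = bytes([1, len(user) + 2]) + user             # User-Name: cleartext
    attrs += bytes([2, len(hidden) + 2]) + hidden        # User-Password: hidden
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator + attrs

def tacacs_packet(body, key, session_id, seq_no=1, version=0xC1):
    """TACACS+ packet: 12-byte cleartext header, whole body XORed with an MD5 pad."""
    sid = struct.pack("!I", session_id)
    pad = block = b""
    while len(pad) < len(body):
        block = md5(sid, key, bytes([version, seq_no]), block)
        pad += block
    header = struct.pack("!BBBB", version, 1, seq_no, 0) + sid
    return header + struct.pack("!I", len(body)) + xor(body, pad)

def demo():
    # Constructed sample values; the username/password come from the tutorial text.
    secret, user, pw = b"constructed-shared-secret", b"user_tom", b"learnforever"
    radius = radius_access_request(user, pw, secret, bytes(range(16)))
    # PAP login START body: action, priv_lvl, authen_type, service, four lengths
    body = bytes([1, 1, 2, 1, len(user), 0, 0, len(pw)]) + user + pw
    tacacs = tacacs_packet(body, secret, 0x1234ABCD)
    return {
        "radius_username_visible": user in radius,
        "radius_password_visible": pw in radius,
        "tacacs_username_visible": user in tacacs[12:],
        "tacacs_password_visible": pw in tacacs[12:],
        "tacacs_header": tacacs[:12].hex(),
    }

if __name__ == "__main__":
    print(demo())
```

In the RADIUS packet the username stays readable while only the password is hidden; in the TACACS+ packet only the 12-byte header (version, type, sequence number, flags, session ID, length) is readable. Both schemes depend on MD5 and the secrecy of the shared key.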

In the next part we will learn how to configure AAA.

Comments (50)
  1. Eddie
    May 15th, 2019

    I’m sitting for the 200-125 next week… any valid dumps? Thanks

  2. derere
    May 22nd, 2019

    im not a robot

  3. Aitizaz
    May 25th, 2019

    Hi, Anyone have idea? From where can I get IBM QRadar SIEM C2150-624 dumps for free?

  4. Intan faudi
    May 30th, 2019

    i hope you all has last dump for ccna 200-125 pls send to {email not allowed}

  5. Anonymous
    May 31st, 2019

    please anyone send me latest dump for the 200-125 to primmk (at) gmail (dot) com

  6. MATY FITE
    June 1st, 2019

    I want to be a membership of this site

  7. a2
    June 7th, 2019

    ew

  8. TonyS
    June 9th, 2019

    Please if someone has the latest dumps can you send me to the next :
    joseacpk(dot)gmail(dot)com

  9. Pat
    June 10th, 2019

    Can anyone please assist me with latest dump for ccna.. Taking the exam very soon.. Pls send to my mail pat2mail2000 (at) yahoo (dot) com

  10. Tope
    June 14th, 2019

    Anyone with latest ccna dumps should please help me out.I am writing 200-125 next week. Help me send it to {email not allowed}k you.

  11. Joe
    June 14th, 2019

    Please,help with latest ccna 200-125 dumps. Send to idkan1atyahoodotcom

  12. maheen
    June 22nd, 2019

    Please can someone send me 200-125 latest dumps as soon as possible. My email address is {email not allowed}.

  13. nickojam
    June 23rd, 2019

    please.. i failed in my first ccna 200-125 exam. Exam fee is difficult in my situation.. I will retake exam soon.. please to whom kind hearted, help me with the latest dumps.. {email not allowed}

  14. nickojam
    June 23rd, 2019

    please.. i failed in my first ccna 200-125 exam. Exam fee is difficult in my situation.. I will retake exam soon.. please to whom kind hearted, help me with the latest dumps.. nickojamkoh2914 (at) gmail.com

  15. Sir
    June 28th, 2019

    I have updated dumps after recent exam changes.
    Get at below: pass on first attempt.

    blnk.in/k3k45e

  16. Shukran
    June 29th, 2019

    Please send me actual dumps> shukran68346 @ gmail . com <thank you for all

  17. pankos
    July 15th, 2019

    Hello, can anyone send me latest dumps? kosioka(at)gmail.com Thank You.

  18. Jawaid
    July 18th, 2019

    Hi, can anyone send me CCNA 200-125 latest dumps at m.jawaid(at)outlook.com Thank You.

  19. Anonymous
    July 20th, 2019

    can someone pls send the recent CCNA 210-260 dumps osuntobs (at) gmail. com

  20. Ashraf
    July 22nd, 2019

    Hi, can anyone have the recent CCNA 200-125 dump send it to my email ashraffarizal at gmail. Wishing you a good life in your career. Thank you.

  21. Anonymous
    July 22nd, 2019

    hi everyone pls am in dear need of recent dumps for CCNA 210-260 exams is in less than 2 weeks osuntobs (at) gmail , would be extremely happy and gratefull to have this.

  22. chabar
    July 26th, 2019

    please anyone with the link to the latest ccna 200-125 dumps email {email not allowed}

  23. chabar
    July 26th, 2019

    please link to latest ccna 200-125 dump to rabachdd (at) gmail.

  24. KG
    July 29th, 2019

    Please i need a help, i need a dump for ccna my e-mail kelsong87 @ hotmail . com

  25. CM
    July 29th, 2019

    I’m studying for the CCNA exam and a dump to study from would be great. email macejicm @ gmail . com

  26. kamran
    August 7th, 2019

    Hi, has anyone learned new dumps?
    the same as the exam questions?

  27. CJ
    August 12th, 2019

    Hi, could anyone send latest CCNA 200-125 R&S dumps to sentinelord @ gmail . com ? Much appreciated.

  28. Anonymous
    August 15th, 2019

    Hi, can anyone send the latest CCNA 200-125 dumps to osuntobs (at) gmail . Much appreciated.

  29. Anonymous
    August 19th, 2019

    Hello! Humbly requesting latest CCNA 200-125 dumps please! Email to humzi382 (at) gmail. It would be greatly appreciated.

  30. awsi
    August 21st, 2019

    Hi, can anyone send the latest CCNA 200-125 dumps to awsmyking2 (at)gmail(dot)com

  31. Anonymous
    August 21st, 2019

    Hi, can any one send latest Ccna 2oo-125 dumps to {email not allowed}

  32. jafari
    September 3rd, 2019

    Hi, can anyone send the latest CCNA 200-125 dumps to oracldbasql7 (at)gmail(dot)com

  33. jafari
    September 3rd, 2019

    Hi, can anyone send the latest CCNA 200-125 dumps to oracledbasql7 (at)gmail(dot)com

  34. bayan
    September 4th, 2019

    Hi, can anyone send the latest CCNA 200-125 dumps to wedgeluge78(at)hotmail(dot)com

  35. TIT
    September 7th, 2019

    Hi, kindly anyone with the latest CCNA 200-125 dumps site. pleeeeas

  36. Kim
    September 8th, 2019

    Hi, can anyone send the latest CCNA 200-125 dumps to akeemgee (at) hotmail(d0t)com

  37. roman
    September 10th, 2019

    Hi guys, I need your help. Could you send me the latest CCNA 200-125 dumps to blavess(at)gmail(dot)com. It would be greatly appreciated

  38. Joey
    September 16th, 2019

    Hi guys, can anyone send me the latest CCNA 200-125 dumps to jt (at) adhn (dot) org . I will be taking the test in two weeks. Thanks in advance.

  39. Anonymous
    September 18th, 2019

    Please send me actual dumps> starcvetowars @ gmail . com <thank you for all

  40. Ehtesham Khalid
    September 20th, 2019

    Hey can any one send 200-125 dumps at shamiraja09_gmail.com

  41. Damilola
    September 21st, 2019

    Hi guys, can I get the latest dumps, please?
    otuyelu_damilola(at)yahoo(dot)com

  42. maoca
    October 7th, 2019

    Kindly would anyone send me 200-125 test dumps to mariolopznet at hotmail.com? thank you in advance

  43. Bahram qaderi
    October 8th, 2019

    Hi everyone, I just passed my CCNA a month ago. The graphic design was very low and it was very hard to read, but the questions were easy. If I can help anyone, I am glad to help them out.

  44. Kow Simbely
    October 10th, 2019

    Please can anyone send me 200-125 test dumps – simbely at gmail.com. many thanks.

  45. Kow Simbely
    October 10th, 2019

    Please can anyone send me 200-125 test dumps – simbely (at) gmail (dot) com. many thanks.

  46. abdullah
    October 10th, 2019

    Please, can anyone send me 200-125 test dumps pllllllz my exam after 9 days living in ksa Abdullah.ou @ hotmail.com

  47. Gracia Fatima
    October 14th, 2019

    Please, can anyone send me 200-125 test dumps Please. living in Mozambique {email not allowed}. thank you in advance

  48. Anonymous
    October 14th, 2019

    gracinhafatima91_gmail.com

  49. Gracia Fatima
    October 14th, 2019

    Please, can anyone send me 200-125 test dumps Please. living in Mozambique. gracinhafatima91 at gmail.com . thank you in advance

  50. ehab abdallah
    October 15th, 2019

    Please, can anyone send me 200-125 test dumps Please {email not allowed}
