1. Home
  2. Networking
  3. CCSP Cisco Certified Security Professional Certification

TACACS+ Overview

TACACS+ Overview

TACACS+ is an authentication protocol that allows a network access server to communicate with an authentication server to determine if a user has access to the network.

TACACS+ is a new protocol developed by Cisco that replaces two earlier industry standards—TACACS and XTACACS (Extended). TACACS+ is not compatible with the two older protocols. Cisco has submitted TACACS+ protocol specification in a draft RFC to the IETF for development of a standard and for those customers interested in developing their own TACACS+ software.

TACACS+ server services are maintained in a database on a TACACS+ daemon running on a Windows 2000/NT or UNIX host. Cisco’s servers supporting TACACS+ include CiscoSecure ACS for Windows, CiscoSecure UNIX, and Cisco Access Registrar. Cisco Access Servers (Cisco Secure ACS) can implement both TACACS+ and RADIUS. The underlying architecture of TACACS+ protocol complements the AAA architecture.

TACACS+ fully supports the AAA architecture by separating the authentication, authorization, and accounting. This allows the flexibility of using another service, such as Kerberos, for authentication, while still using TACACS+ for authorization and/or accounting.

TACACS+ uses TCP for connection-oriented transport between clients and servers. TCP port 49 is reserved for TACACS+. The acknowledgments (TCP ACK) provide indications that a request has been received. This same TCP process uses RST packets to provide immediate indication of a failed (or offline) authentication server. TCP keepalives can be used to watch for failed servers and to facilitate rapid failover between multiple connected authentication servers. TCP scales better and adapts better to growing and/or congested networks.

TACACS+ supports bidirectional challenge/response, like CHAP, between the two network access servers.

In addition to supporting SLIP and PPP encapsulation protocols, TACACS+ supports the following protocols:

  • Novell Asynchronous Services Interface (NASI)

  • X.25 PAD connection

  • Net BIOS Frame Protocol Control protocol

  • AppleTalk Remote Access protocol (ARAP)

Packet Encryption

TACACS+ encrypts the entire data payload of the packet, leaving only the standard TACACS+ header in cleartext. While it’s possible for debugging purposes to leave the body of the packets unencrypted, normal operation will fully encrypt the body for more secure communications. A field in the header indicates whether the body is encrypted.

  • TACACS+ supports two methods for controlling the authorization of router commands on either a per-user or per-group basis.

  • Assign commands to privilege levels and have the router use TACACS+ to verify that the user is authorized at the specified privilege level.

Explicitly define on the TACACS+ server the commands allowed on a per-user or per-group basis.




BackCover
CCSP - Cisco Certified Security Professional Certification All-in-One Exam Guide
Introduction
Part I: Introduction to Network Security
Part II: Securing the Network Perimeter
Chapter 3: Cisco AAA Security Technology
Chapter 4: Cisco Secure ACS and TACACS+/RADIUS Technologies
Describe Cisco Secure ACS
Features and Architecture of Cisco Secure ACS for Windows
Features of CiscoSecure ACS for UNIX
Installing Cisco Secure ACS 3.0 for Windows
Administering and Troubleshooting Cisco Secure ACS for Windows
TACACS+ Overview
Configuring Cisco Secure ACS and TACACS+
Verifying TACACS+
Chapter Review
Chapter 5: Securing Cisco Perimeter Routers
Chapter 6: IOS Firewall Feature Set - CBAC
Chapter 7: IOS Firewall - Intrusion Detection System
Chapter 8: IOS Firewall - Authentication Proxy
Part III: Virtual Private Networks (VPNs)
Part IV: PIX Firewalls
Part V: Intrusion Detection Systems (IDS)
Part VI: Cisco SAFE Implementation
Appendix A: Access Control Lists
Appendix B: About the CD
List of Figures
List of Tables
List of Sidebars