In preparation for your CCNA Security 640-553 exam, we want to make sure we cover topics you are very likely to encounter on your Cisco CCNA exam. To assist you, below we discuss the features of the TACACS+ and RADIUS AAA protocols.
Describe the features of TACACS+ and RADIUS AAA protocols
TACACS+
Cisco IOS supports three versions of TACACS: TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username and password pairing. This section covers only TACACS+ (also referred to as "TACACS plus").
Summary of TACACS+ Protocol

| Features | Meaning |
|---|---|
| TCP | Packets sent between client and server use TCP. |
| TCP destination port | Port 49. |
| Attributes | Packet types are defined in the TACACS+ frame format as: Authentication 0x01, Authorization 0x02, Accounting 0x03. |
| SEQ_NO | The sequence number of the current packet flow for the current session. The SEQ_NO starts with 1, and each subsequent packet increments by one. The client sends only odd numbers; the TACACS+ server sends only even numbers. |
| Encryption method | Entire packets are encrypted. Data is encrypted using MD5 and a secret key that matches on both the NAS (for example, a Cisco IOS router) and the TACACS+ server. |
TACACS+ accounting provides an audit record of what commands were completed. When the NAS sends a record of commands, the TACACS+ server sends a response acknowledging the accounting record.
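The header fields, SEQ_NO parity rule and MD5-keyed body encryption from the table above, worked through in code. This is an added example, not part of the original article or of any Cisco code; the keystream derivation follows RFC 8907 (the TACACS+ specification), and the shared key, session ID and body bytes are constructed sample values.

```python
import hashlib
import struct

# TACACS+ packet types, as in the table above (RFC 8907 values).
PACKET_TYPES = {0x01: "Authentication", 0x02: "Authorization", 0x03: "Accounting"}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
UNENCRYPTED_FLAG = 0x01

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream per RFC 8907: MD5(session_id, key, version, seq_no) for the first
    block, then MD5(..., previous block) for each further block, cut to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call reverses it (XOR is self-inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, version: int = 0xC0) -> bytes:
    """The header stays cleartext; only the body is obfuscated with the shared key."""
    hdr = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)

def parse_header(packet: bytes) -> dict:
    """The 12-byte header is readable without the key (type, seq_no, session_id, ...)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    return {"version": version, "type": PACKET_TYPES.get(ptype, "Unknown"),
            "seq_no": seq_no, "flags": flags, "session_id": session_id, "length": length}

def seq_no_valid(seq_no: int, from_client: bool) -> bool:
    """Clients send odd SEQ_NO values, servers even, starting at 1."""
    return seq_no >= 1 and (seq_no % 2 == 1) == from_client

def decrypt_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body; a mismatched key on either side yields garbage, not an error."""
    h = parse_header(packet)
    body = packet[12:12 + h["length"]]
    if h["flags"] & UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, h["session_id"], key, h["version"], h["seq_no"])

# Constructed sample: an authentication START from a NAS, seq_no 1, shared key.
KEY = b"constructed-shared-key"
SAMPLE = build_packet(0x01, 1, 0x11223344, b"constructed START body: user=alice", KEY)
```

Note that the header (packet type, sequence number, session ID) is visible to anyone on the path; only the body is protected by the shared key.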
RADIUS
RADIUS is a client-server based system that secures a network. RADIUS is a protocol that is implemented in all Cisco devices that send authentication requests to a RADIUS server. RADIUS is defined in RFC 2138/2139.
A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be used with AAA to enable the authentication, authorization, and accounting of remote users when using Cisco devices (routers, switches, or concentrators).
Summary of RADIUS Protocol

| Features | Meaning |
|---|---|
| UDP | Packets sent between client and server use the User Datagram Protocol (UDP), primarily because the overhead of the Transmission Control Protocol (TCP) does not allow for significant advantages. Typically, the user can wait for a username and password prompt. |
| UDP destination port | RADIUS uses two sets of ports. The pre-RFC ports of 1645 and 1646 are widely used. Ports 1812 and 1813 are defined in RFC 2138. |
| Attributes | Attributes are used to exchange information between the NAS and the client. |
| Model | Client/server-based model, in which packets are exchanged in a unidirectional manner. |
| Encryption method | Password is encrypted using MD5; the username is not. RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is transmitted in clear text. A third party can capture other information such as username, authorized services, and accounting. |
| Multiprotocol support | Does not support protocols such as AppleTalk, NetBIOS, or IPX. IP only is supported. |
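The "Encryption method" row above, shown in code: an Access-Request in which the User-Name attribute travels in clear text and only the User-Password value is hidden with MD5 and the shared secret. This is an added example, not code from the article or from Cisco; the hiding scheme follows RFC 2865 section 5.2, and the secret, Request Authenticator and credentials are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret + prev),
    where prev is the Request Authenticator for the first block and c_(i-1) after."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same MD5 chain, XORed back; padding nulls are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value  # Type, Length, Value

def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code(1), Identifier, Length, Authenticator(16), then attributes. Only the
    User-Password value is hidden; User-Name is sent as-is."""
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attributes that follow the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs

# Constructed sample (a real NAS picks a random 16-byte Request Authenticator).
SECRET = b"constructed-secret"
AUTHENTICATOR = bytes(range(16))
SAMPLE = build_access_request(7, b"alice", b"s3cret-pw", SECRET, AUTHENTICATOR)
```

Searching the raw packet bytes finds the username but not the password, which is exactly the exposure the table describes.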
TACACS+ versus RADIUS

TACACS+/RADIUS Comparison

| | RADIUS | TACACS+ |
|---|---|---|
| Packet Delivery | UDP | TCP |
| Packet Encryption | RADIUS encrypts only the password in the access-request packet from the client to the server. | TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. |
| AAA Support | RADIUS combines authentication and authorization. RADIUS has strong accounting capabilities. | TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting. |
| Multiprotocol Support | None. | Supports other protocols such as AppleTalk, NetBIOS, and Internet Packet Exchange (IPX). |
| Router Management | RADIUS does not allow users to control which commands can be executed on a router. | TACACS+ allows network administrators control over which commands can be executed on a router. |
TACACS+ Traffic Example
This example assumes login authentication, exec authorization, command authorization, start-stop exec accounting, and command accounting are implemented with TACACS+ when a user Telnets to a router, performs a command, and exits the router:

RADIUS Traffic Example
This example assumes login authentication, exec authorization, and start-stop exec accounting are implemented with RADIUS when a user Telnets to a router, performs a command, and exits the router (other management services are not available):
3.3 Configure AAA authentication
The AAA model can be enabled on a Cisco router using the aaa new-model command. You can use the aaa authentication login command to authenticate users who want exec access into the access server (tty, vty, console and aux).
Example 1: Exec Access Using RADIUS then Local
Configure:
aaa authentication login default group radius local
All users are authenticated using the RADIUS server (the first method). If the RADIUS server doesn't respond, the router's local database is used (the second method).
For local authentication, define the username and password:
Configure:
username xxx password yyy
Because we are using the list default in the aaa authentication login command, login authentication is automatically applied to all login connections (tty, vty, console and aux).
Using the example above, if we do not include the local keyword, we have:
aaa authentication login default group radius
If the AAA server does not reply to the authentication request, the authentication fails (since the router has no alternate method to try).
The group keyword provides a way to group existing server hosts. The feature allows the user to select a subset of the configured server hosts and use them for a particular service.
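A small simulation of how a method list such as "group radius local" is evaluated, added here to make Example 1 concrete; it is not Cisco code. It models the IOS rule that only a method that returns an error (server did not respond) hands off to the next method, while a rejection ends the attempt; the user database and server states are constructed.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method was reachable and rejected the credentials
    ERROR = "error"  # method unreachable, e.g. the RADIUS server did not respond

# Constructed local username database (the "username xxx password yyy" entries).
LOCAL_USERS = {"admin": "localpass"}

def radius_method(user, password, server_up=True, radius_users=None, **_):
    """'group radius': ERROR when no server answers, otherwise PASS or FAIL."""
    if not server_up:
        return Result.ERROR
    return Result.PASS if (radius_users or {}).get(user) == password else Result.FAIL

def local_method(user, password, **_):
    """'local': the router's own username database; always reachable."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

def none_method(user, password, **_):
    """'none': no authentication at all."""
    return Result.PASS

METHODS = {"group radius": radius_method, "local": local_method, "none": none_method}

def authenticate(method_list, user, password, **env):
    """Walk the list in order. Only ERROR falls through to the next method; a FAIL
    (rejection) ends the attempt. If every method errors, access is denied because
    the router has no method left to try. Returns (allowed, deciding_method)."""
    for name in method_list:
        result = METHODS[name](user, password, **env)
        if result is not Result.ERROR:
            return result is Result.PASS, name
    return False, None

if __name__ == "__main__":
    # RADIUS down: falls back to local, as Example 1 describes.
    print(authenticate(["group radius", "local"], "admin", "localpass", server_up=False))
    # RADIUS up but rejects: local is never consulted.
    print(authenticate(["group radius", "local"], "admin", "localpass",
                       server_up=True, radius_users={"admin": "otherpass"}))
```

The second call is the case to remember when troubleshooting: a wrong password rejected by RADIUS is not retried against the local database, only an unreachable server is.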
Example 2: Console Access Using Line Password
Let's expand the configuration from Example 1 so that console login is authenticated only by the password set on line con 0.
The named list is CONSOLE; there is only one authentication method (line).
Configure:
aaa authentication login CONSOLE line
Once a named list (in this example, CONSOLE) is created, it must be applied to a line or interface for it to take effect. This is done using the login authentication list_name command:
Configure:
line con 0
exec-timeout 0 0
password cisco
login authentication CONSOLE
The CONSOLE list overrides the default method list on line con 0. You need to enter the password "cisco" (configured on line con 0) to get console access. The default list is still used on tty, vty and aux.
To have console access authenticated by a local username and password, use:
Configure:
aaa authentication login CONSOLE local
In this case, a username and password have to be configured in the local database of the router. The list must also be applied to the line or interface.
To have no authentication, use:
Configure:
aaa authentication login CONSOLE none
In this case, there is no authentication for console access. The list must also be applied to the line or interface.
Example 3: Enable Mode Access Using External AAA Server
You can require authentication to get to enable mode (privilege 15).
Configure:
aaa authentication enable default group radius enable
Only the password is requested; the username is $enab15$. Hence the username $enab15$ must be defined on the AAA server.
If the RADIUS server doesn't reply, the enable password configured locally on the router has to be entered.
I hope you found this article to be of use and it helps you prepare for your Cisco CCNA Security 640-553 certification exam. I am sure you will quickly find out that hands-on real world experience that our CCNA lab kits offer is the best way to cement the CCNA concepts in your head to help you pass your CCNA test!