Terminal Access Controller Access Control System Plus

Cisco IOS supports three versions of TACACS—TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username/password pairing. TACACS+ is Cisco proprietary, whereas RADIUS is an open standard originally created by Livingston Enterprises.

Cisco has also developed Cisco Secure Access Control Server (ACS), a flexible family of security servers that supports both RADIUS and TACACS+. You can even run debugging commands on the Cisco Secure ACS software. In UNIX, you can modify files, such as syslog.conf and csu.cfg, to change the output to your screen. For more details on how to debug on a UNIX server, see http://www.cisco.com/warp/public/480/cssample2x.html#debug.

TACACS+ has the following features:

  • TCP packets (port 49) ensure that data is sent reliably across the IP network.
  • Supports AAA architectures and, in fact, separates each of the three AAA mechanisms.
  • The data between the NAS and server is encrypted.
  • Supports both PAP/CHAP and multiprotocols such as IPX and X.25.
  • Access control lists (ACL) can be defined on a per-user basis. (RADIUS can also define ACLs on a per-user basis.)

Figure 4-3 displays a typical TACACS+ connection request (authentication).

Figure 4-3 TACACS+ Authentication Example Sequence

When a TACACS+ server authenticates a remote user, the following events occur:

  1. When the connection is established, the NAS contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user. The user enters a username, and the NAS communicates with the TACACS+ server to obtain a password prompt. The NAS displays the password prompt to the user, the user enters a password, and the password is sent to the TACACS+ daemon.

  2. The NAS eventually receives one of the following responses from the TACACS+ daemon:

    • ACCEPT—The user is authenticated and service can begin. If the NAS is configured to require authorization, authorization begins at this time.
    • REJECT—The user has failed to authenticate. The user may be denied further access or may be prompted to retry the login sequence, depending on the TACACS+ daemon.
    • ERROR—An error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the NAS typically tries to use an alternative method for authenticating the user.
    • CONTINUE—The user is prompted for additional authentication information.

  3. A PAP login is similar to an ASCII login, except that the username and password arrive at the NAS in a PAP protocol packet instead of being typed in by the user, so the user is not prompted. PPP CHAP logins are also similar, in principle.

  4. Following authentication, the user is required to undergo an additional authorization phase, if authorization has been enabled on the NAS. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.

  5. If TACACS+ authorization is required, the TACACS+ daemon is again contacted and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes used to direct the EXEC or NETWORK session for that user, determining services that the user can access.

Services include the following:

  • Telnet, rlogin, PPP, SLIP, or EXEC services
  • Connection parameters, including the host or client IP address, ACL, and user timeouts

The TACACS+ authorization process is defined as the packet flow between the NAS and the TACACS+ server. The packets exchanged between the NAS and the server contain AV (attribute-value) pairs. The NAS sends Start packets, and the TACACS+ server responds with Response packets. The server can permit, deny, or modify the commands requested by the end user. The server's data, which contains the full list of username/password pairs, is stored in a local file that also defines, for example, which commands each end user is permitted to run.

TACACS+ accounting provides an audit record of what commands were completed. The NAS sends a record of any commands, and the TACACS+ server sends a response acknowledging the accounting record.

Table 4-3 summarizes the main features of TACACS+.

Table 4-3. Summary of TACACS+ Protocol

  TCP
    Packets sent between client and server are TCP.

  TCP destination port
    Port 49.

  Attributes
    Packet types are defined in the TACACS+ frame format as follows: Authentication 0x01, Authorization 0x02, Accounting 0x03.

  Seq_no
    The sequence number of the current packet flow for the current session. Seq_no starts at 1, and each subsequent packet increments it by one. The client sends only odd numbers; the TACACS+ server sends only even numbers.

  Encryption method
    The entire packet is encrypted. Data is encrypted using MD5 and a secret key that is configured identically on the NAS (for example, a Cisco IOS router) and the TACACS+ server.

  Multiprotocol support
    Protocols other than IP, such as AppleTalk, NetBIOS, and IPX, are fully supported in non-IP networks, alongside IP.
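The packet format that Table 4-3 summarizes (type codes, odd/even Seq_no, MD5-keyed body obfuscation) written out as an added example; this is not code from the book or from Cisco. It builds an authentication START packet for the login exchange described above, obfuscates the body with the MD5 pseudo-pad derived from the shared key, and decodes it again. The session ID and the user, port, and address values are constructed; the key is the one from Example 4-5, and the field names are mine.

```python
import hashlib
import struct

# TACACS+ packet type codes from Table 4-3.
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03

# Header version byte: major version 0xc, minor version 0.
TAC_PLUS_VERSION = 0xC0
HEADER_LEN = 12  # version, type, seq_no, flags, session_id (4), length (4)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream that TACACS+ XORs over the packet body.

    Block 1 = MD5(session_id || key || version || seq_no); every later block
    also appends the previous digest. The pad is cut to the body length.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; XOR is its own inverse, so this also decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(ptype: int, seq_no: int, session_id: int, body_len: int, flags: int = 0) -> bytes:
    """12-byte header in network byte order; flags=0 means the body is encrypted."""
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, body_len)


def parse_header(data: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", data[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login.

    Fixed fields: action (LOGIN=1), priv_lvl, authen_type (ASCII=1),
    authen_service (LOGIN=1), then four length bytes and the variable fields.
    """
    fixed = bytes([1, priv_lvl, 1, 1, len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr


def build_packet(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    header = build_header(ptype, seq_no, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_packet(packet: bytes, key: bytes):
    """Return (header dict, plaintext body). A wrong key yields garbage, not an error."""
    hdr = parse_header(packet)
    cipher = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    return hdr, obfuscate(cipher, hdr["session_id"], key, hdr["version"], hdr["seq_no"])


def sender_is_client(seq_no: int) -> bool:
    """Table 4-3 rule: the NAS sends only odd seq_no values, the server only even ones."""
    return seq_no % 2 == 1


if __name__ == "__main__":
    # Constructed demo values; the key is the one from Example 4-5.
    session_id, key = 0x1A2B3C4D, b"cciesarecool"
    body = authen_start_body(b"bill", b"tty1", b"10.1.2.3")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, key, body)
    hdr, plain = decode_packet(pkt, key)
    print(hdr, plain == body)
```

Nothing in the format authenticates the body: a wrong key simply produces garbage, so the strength of the shared key and a protected path between NAS and server are what actually secure the exchange.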

Now, examine the TACACS+ configuration tasks required when enabling TACACS+ on a Cisco IOS router.

TACACS+ Configuration Task List

To configure your router to support TACACS+, you must perform the following tasks:

Step 1.

Use the aaa new-model global configuration command to enable AAA, which must be configured if you plan to use TACACS+. For more information about using the aaa new-model command, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt1/scdaaa.htm.

Step 2.

Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons:

   tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

Step 3.

Use the tacacs-server key command to specify an encryption key to encrypt all exchanges between the NAS and the TACACS+ daemon. This same key must also be configured on the TACACS+ daemon. The actual command is as follows:

   tacacs-server key key

The key should match the one used on the TACACS+ daemon.

Step 4.

Use the aaa authentication global configuration command to define method lists that use TACACS+ for authentication.

Step 5.

Use line and interface commands to apply the defined method lists to various interfaces.

Step 6.

To enable authorization, use the aaa authorization global command to configure authorization for the NAS. Unlike authentication, which can be configured per line or per interface, authorization is configured globally for the entire NAS.

Step 7.

To enable accounting for TACACS+ connections, use the aaa accounting command. The related configuration tasks, and whether each is required or optional, are as follows:

  • Configuring AAA server groups (Optional)
  • Configuring AAA server group selection based on Dialed Number Identification Service (DNIS) (Optional)
  • Specifying TACACS+ authentication (Required)
  • Specifying TACACS+ authorization (Optional)
  • Specifying TACACS+ accounting (Optional)

Example 4-5 displays a sample configuration of a Cisco router with TACACS+ authentication for PPP.

Example 4-5. TACACS+ Authentication for PPP Example

aaa new-model
aaa authentication ppp CCIE group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key cciesarecool
interface serial 0
 ppp authentication chap pap CCIE

The configuration lines in Example 4-5 are defined as follows:

  • The aaa new-model command enables the AAA security services.
  • The aaa authentication command defines a method list, CCIE, to be used on serial interfaces running PPP. The keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS. Note that the local database is not used if a REJECT response is received from the security server.
  • The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 10.1.2.3. The tacacs-server key command defines the shared encryption key as cciesarecool.
  • The interface command selects the line, and the ppp authentication command applies the CCIE method list to this line.

Example 4-6 shows how to configure TACACS+ as the security protocol for PPP authentication using the default method list; it also shows how to configure network authorization through TACACS+.

Example 4-6. Authorization and TACACS+ Example

aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization network default group tacacs+
tacacs-server host 3.3.3.3
tacacs-server key simoniscool
interface serial 0
 ppp authentication default

The lines in the preceding sample configuration are defined as follows:

  • The aaa new-model command enables the AAA security services.
  • The aaa authentication command defines a method list, default, to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated by going through the ASCII login procedure, PPP authentication is not necessary and can be skipped. If authentication is needed, the keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.
  • The aaa authorization command configures network authorization via TACACS+.
  • The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 3.3.3.3.
  • The tacacs-server key command defines the shared encryption key as simoniscool.
  • The interface command selects the line, and the ppp authentication command applies the default method list to this line.

The source interface used by TACACS+ or RADIUS can be defined when required as follows:

   ip tacacs source-interface subinterface-name

   ip radius source-interface subinterface-name

The source-interface commands force the security protocol to use a specific interface as the source IP address. A loopback interface is a common choice: it is always up, unlike a physical interface, which may fail or be down, so the NAS can still reach the server from the same source address if one physical interface fails.

Example 4-7 displays a sample configuration where accounting is also enabled.

Example 4-7. Accounting Example

aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa accounting network default stop-only group tacacs+
tacacs-server host 3.3.3.3
tacacs-server key andrewiscool
interface serial 0
 ppp authentication default

The lines in the Example 4-7 configuration are defined as follows:

  • The aaa new-model command enables the AAA security services.
  • The aaa authentication command defines a method list, default, to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated through the ASCII login procedure, PPP authentication is not necessary. If authentication is needed, the keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.
  • The aaa accounting command configures network accounting through TACACS+. In this example, the stop-only keyword means that a stop record for the session that just terminated is sent to the TACACS+ daemon whenever a network connection terminates.
  • The interface command selects the line, and the ppp authentication command applies the default method list to this line.
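The ERROR-versus-REJECT rule that the explanations of Examples 4-5 through 4-7 keep returning to, written out as an added example that is not the book's code: a small parser for the aaa authentication ppp lines used in those examples and an evaluator that walks the method list the way the NAS does. The response mapping passed to evaluate() is a constructed stand-in for what the TACACS+ daemon and the local database would answer.

```python
# Responses a TACACS+ daemon can return to the NAS (from the authentication sequence above).
ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"


def parse_method_list(line: str) -> dict:
    """Parse 'aaa authentication ppp <name> [if-needed] <method> ...'.

    'group tacacs+' counts as one method and 'local' as another. Assumption:
    only the keywords that appear in Examples 4-5 to 4-7 need to be understood.
    """
    words = line.split()
    if words[:3] != ["aaa", "authentication", "ppp"]:
        raise ValueError("this parser only handles 'aaa authentication ppp' lines")
    name, rest = words[3], words[4:]
    if_needed = bool(rest) and rest[0] == "if-needed"
    if if_needed:
        rest = rest[1:]
    methods = []
    while rest:
        if rest[0] == "group":
            methods.append("group " + rest[1])
            rest = rest[2:]
        else:
            methods.append(rest[0])
            rest = rest[1:]
    return {"name": name, "if_needed": if_needed, "methods": methods}


def evaluate(method_list: dict, responses: dict, already_authenticated: bool = False):
    """Walk the method list as the NAS does and return (result, method_that_decided).

    responses maps each method to the answer it would give. Only ERROR moves
    on to the next method; REJECT is final, so 'local' never rescues a user the
    TACACS+ daemon has rejected. A method with no entry (server unreachable)
    behaves like ERROR.
    """
    if method_list["if_needed"] and already_authenticated:
        return ACCEPT, "if-needed"
    for method in method_list["methods"]:
        answer = responses.get(method, ERROR)
        if answer == ERROR:
            continue
        return answer, method
    # Every method errored: no method could decide, so the NAS fails the login.
    return REJECT, None


if __name__ == "__main__":
    ml = parse_method_list("aaa authentication ppp CCIE group tacacs+ local")
    print(evaluate(ml, {"group tacacs+": ERROR, "local": ACCEPT}))   # server down: local decides
    print(evaluate(ml, {"group tacacs+": REJECT, "local": ACCEPT}))  # server rejects: local not consulted
```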

TACACS+ Versus RADIUS

Table 4-4 compares the main differences between TACACS+ and RADIUS.

Table 4-4. TACACS+/RADIUS Comparison

  Packet delivery
    RADIUS: UDP.
    TACACS+: TCP.

  Packet encryption
    RADIUS: Encrypts only the password in the access-request packet from the client to the server.
    TACACS+: Encrypts the entire body of the packet but leaves a standard TCP header.

  AAA support
    RADIUS: Combines authentication and authorization.
    TACACS+: Uses the AAA architecture, separating authentication, authorization, and accounting.

  Multiprotocol support
    RADIUS: None.
    TACACS+: Supports other protocols, such as AppleTalk, NetBIOS, and IPX.

  Router management
    RADIUS: Can pass a privilege level down to the router, which can then be used locally for command authorization.
    TACACS+: Enables network administrators to control which commands can be executed on a router.

  Responses
    RADIUS: Uses single-challenge response. Combines authentication and authorization.
    TACACS+: Uses multiple-challenge response for each of the AAA processes. Uses the AAA architecture and separates each process.

The AAA configuration options are numerous, and those presented in this guide are only a small subset of a larger set that you can view online at Cisco.com. Visit the following URL for more quality examples of how AAA, along with RADIUS or TACACS, can be implemented on Cisco IOS routers:

http://www.cisco.com/pcgi-bin/Support/browse/index.pl?i=Technologies&f=774

The IOS debug command set for RADIUS and TACACS is extensive. Presented here are some common RADIUS and TACACS debug outputs found in real networks.

Example 4-8 displays a sample output from the debug aaa authentication command for a RADIUS login attempt that failed. The Method=RADIUS line indicates the authentication method in use, and the final status = FAIL line shows the failure.

Example 4-8. debug aaa authentication Command

R1# debug aaa authentication
14:02:55: AAA/AUTHEN (164826761): Method=RADIUS
14:02:55: AAA/AUTHEN (164826761): status = GETPASS
14:03:01: AAA/AUTHEN/CONT (164826761): continue_login
14:03:01: AAA/AUTHEN (164826761): status = GETPASS
14:03:04: AAA/AUTHEN (164826761): status = FAIL

Example 4-9 displays a sample output from the debug radius command that shows a successful login attempt (note that newer versions of IOS code may display some differences), as indicated by an Access-Accept message.

Example 4-9. debug radius Command

R1# debug radius
13:59:02: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
13:59:02:         Attribute 4 6 AC150E5A
13:59:02:         Attribute 5 6 0000000A
13:59:02:         Attribute 1 6 62696C6C
13:59:02:         Attribute 2 18 0531FEA3
13:59:04: Radius: Received from 131.108.1.1:1645, Access-Accept, id 0xB, len 26
13:59:04:         Attribute 6 6 00000001

Example 4-10 displays a sample output from the debug radius command that shows an unsuccessful login attempt, as indicated by an Access-Reject message.

Example 4-10. debug radius Command

R1# debug radius
13:57:56: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57
13:57:56:         Attribute 4 6 AC150E5A
13:57:56:         Attribute 5 6 0000000A
13:57:56:         Attribute 1 7 62696C6C
13:57:56:         Attribute 2 18 49C28F6C
13:57:59: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0xA, len 20
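A parser for the debug radius output of Examples 4-9 and 4-10, as an added example that is not from the book: it correlates the Access-Request with its Access-Accept or Access-Reject by RADIUS packet id, decodes the attribute lines (NAS-IP-Address, NAS-Port, User-Name, Service-Type) using the RFC 2865 attribute numbers, and lists the rejected logins, which is the kind of record a SOC would pull from such logs. The SAMPLE text is the two page examples pasted together; the attribute and service-type name tables are mine.

```python
import re
from ipaddress import IPv4Address

# RADIUS attribute numbers (RFC 2865) that appear in the IOS debug lines.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type"}
SERVICE_TYPES = {1: "Login", 2: "Framed"}

TS = r"^\s*(\d\d:\d\d:\d\d):"
SEND_RE = re.compile(TS + r" Radius: IPC Send (\S+), (Access-\w+), id (0x[0-9A-Fa-f]+), len (\d+)")
RECV_RE = re.compile(TS + r" Radius: Received from (\S+), (Access-\w+), id (0x[0-9A-Fa-f]+), len (\d+)")
ATTR_RE = re.compile(TS + r"\s+Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")

# Constructed input: the debug radius output of Examples 4-9 and 4-10 pasted together.
SAMPLE = """\
13:59:02: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
13:59:02:         Attribute 4 6 AC150E5A
13:59:02:         Attribute 5 6 0000000A
13:59:02:         Attribute 1 6 62696C6C
13:59:02:         Attribute 2 18 0531FEA3
13:59:04: Radius: Received from 131.108.1.1:1645, Access-Accept, id 0xB, len 26
13:59:04:         Attribute 6 6 00000001
13:57:56: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57
13:57:56:         Attribute 4 6 AC150E5A
13:57:56:         Attribute 5 6 0000000A
13:57:56:         Attribute 1 7 62696C6C
13:57:56:         Attribute 2 18 49C28F6C
13:57:59: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0xA, len 20
"""


def decode_attr(num: int, length: int, hexval: str):
    """Decode one 'Attribute <type> <len> <value>' line.

    <len> counts the 2-byte type/length header; IOS prints at most the first
    four value bytes, so longer values are marked as truncated with '...'.
    """
    raw = bytes.fromhex(hexval)
    truncated = (length - 2) > len(raw)
    name = ATTR_NAMES.get(num, f"Attribute-{num}")
    if num == 1:
        value = raw.decode("ascii", "replace") + ("..." if truncated else "")
    elif num == 2:
        value = "<hidden>"  # User-Password is obfuscated with the shared secret; do not decode from logs
    elif num == 4:
        value = str(IPv4Address(raw))
    elif num == 5:
        value = int.from_bytes(raw, "big")
    elif num == 6:
        code = int.from_bytes(raw, "big")
        value = SERVICE_TYPES.get(code, code)
    else:
        value = hexval
    return name, value


def _new_exchange(rid: str) -> dict:
    return {"id": rid, "request": None, "sent": None, "result": None,
            "server": None, "received": None, "attrs": {}}


def parse_debug_radius(text: str) -> dict:
    """Correlate request and reply lines by RADIUS id; attrs merges both directions."""
    exchanges, current = {}, None
    for line in text.splitlines():
        if m := SEND_RE.match(line):
            ts, _dst, code, rid, _ = m.groups()
            current = exchanges.setdefault(rid, _new_exchange(rid))
            current.update(request=code, sent=ts)
        elif m := RECV_RE.match(line):
            ts, src, code, rid, _ = m.groups()
            current = exchanges.setdefault(rid, _new_exchange(rid))
            current.update(result=code, server=src, received=ts)
        elif (m := ATTR_RE.match(line)) and current is not None:
            _, num, ln, hexval = m.groups()
            name, value = decode_attr(int(num), int(ln), hexval)
            current["attrs"][name] = value
    return exchanges


def rejected_logins(exchanges: dict) -> list:
    """(user, NAS address, server) for every exchange that ended in Access-Reject."""
    return [(ex["attrs"].get("User-Name"), ex["attrs"].get("NAS-IP-Address"), ex["server"])
            for ex in exchanges.values() if ex["result"] == "Access-Reject"]
```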
