Alcatel-Lucent 7705 SAR-8 - TACACS+ Authentication; Authorization

Security
7705 SAR OS System Management Guide Page 31
TACACS+ Authentication
Terminal Access Controller Access Control System, commonly referred to as TACACS, is
an authentication protocol that allows a remote access server to forward a user's login
password to an authentication server to determine whether access can be allowed to a given
system. TACACS is an encryption protocol and therefore less secure than the later Terminal
Access Controller Access Control System Plus (TACACS+) and RADIUS protocols.
TACACS+ and RADIUS have largely replaced earlier protocols in the newer or recently
updated networks. TACACS+ uses Transmission Control Protocol (TCP) and RADIUS uses
the User Datagram Protocol (UDP). TACACS+ is popular as TCP is thought to be a more
reliable protocol. RADIUS combines authentication and authorization. TACACS+ separates
these operations.
Authorization
The 7705 SAR supports local, RADIUS, and TACACS+ authorization to control the actions
of specific users by applying a profile based on user name and password configurations once
network access is granted. The profiles are configured locally as well as on the RADIUS
server as VSAs. See Vendor-Specific Attributes (VSAs) on page 37.
Once a user has been authenticated using RADIUS (or another method), the 7705 SAR
router can be configured to perform authorization. The RADIUS server can be used to:
• download the user profile to the 7705 SAR router
• send the profile name that the node should apply to the 7705 SAR router
Profiles consist of a suite of commands that the user is allowed or not allowed to execute.
When a user issues a command, the authorization server looks at the command and the user
information and compares it with the commands in the profile. If the user is authorized to
issue the command, the command is executed. If the user is not authorized to issue the
command, then the command is not executed.
Profiles must be created on each 7705 SAR router and should be identical for consistent
results. If the profile is not present, then access is denied.
Table 3 displays the following scenarios.
• If the user is authenticated locally (on the 7705 SAR router), local authorization is supported and remote (RADIUS) authorization cannot be performed.
• If the user is authenticated by the RADIUS server, both local authorization and remote (RADIUS) authorization are supported.
• If the user is TACACS+ authenticated, local authorization is supported and remote (RADIUS) authorization cannot be performed.
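The profile-based command authorization described above and the Table 3 scenarios, as an added illustrative model that is not code from the 7705 SAR OS or this guide. It assumes that profile entries match on a command prefix and that the longest matching entry wins; the page does not state these matching rules, and the profile names and commands are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ProfileEntry:
    match: str     # command prefix, e.g. "configure system security" (assumed matching rule)
    permit: bool   # True = command allowed, False = command denied

@dataclass
class Profile:
    name: str
    default_permit: bool = False                 # what happens when no entry matches
    entries: list = field(default_factory=list)  # list of ProfileEntry

def authorize_command(profile, command):
    """Return True if the user's profile allows `command`.
    A missing profile denies access, as the guide states."""
    if profile is None:
        return False
    cmd = command.split()
    best, best_len = None, -1
    for entry in profile.entries:
        pat = entry.match.split()
        # Assumption: an entry matches when it is a prefix of the command;
        # the most specific (longest) matching entry decides.
        if cmd[:len(pat)] == pat and len(pat) > best_len:
            best, best_len = entry, len(pat)
    return best.permit if best is not None else profile.default_permit

# Table 3 scenarios: which authorization sources may be used after each
# authentication method. Local authorization is always available; remote
# (RADIUS) authorization only follows RADIUS authentication.
AUTHZ_SOURCES = {
    "local":   {"local"},
    "radius":  {"local", "radius"},
    "tacplus": {"local"},
}

def authorization_allowed(auth_method, authz_source):
    """True if `authz_source` may authorize a user authenticated via `auth_method`."""
    return authz_source in AUTHZ_SOURCES.get(auth_method, set())

# Constructed sample profiles: an operator limited to show commands, and an
# administrator allowed everything except the security configuration tree.
OPER = Profile("oper", False, [ProfileEntry("show", True)])
ADMIN = Profile("admin", True, [ProfileEntry("configure system security", False),
                                ProfileEntry("configure system", True)])
```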
