TACACS

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks; it spawned related protocols:

Extended TACACS (XTACACS) is a proprietary extension to TACACS introduced by Cisco Systems in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both allow a remote access server to communicate with an authentication server in order to determine if the user has access to the network.
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ and other flexible AAA protocols have largely replaced their predecessors.

History

TACACS was originally developed in 1984 by BBN Technologies for administering MILNET, which ran unclassified network traffic for DARPA at the time and would later evolve into the U.S. Department of Defense's NIPRNet. Originally designed as a means to automate authentication – allowing someone who was already logged into one host in the network to connect to another on the same network without needing to re-authenticate – it was first formally described by BBN's Brian Anderson in December 1984 in IETF RFC 927.^[1]^[2] Cisco Systems began supporting TACACS in its networking products in the late 1980s, eventually adding several extensions to the protocol. In 1990, Cisco's extensions on the top of TACACS became a proprietary protocol called Extended TACACS (XTACACS). Although TACACS and XTACACS are not open standards, Craig Finseth of the University of Minnesota, with Cisco's assistance, published a description of the protocols in 1993 in IETF RFC 1492 for informational purposes.^[1]^[3]^[4]

Technical descriptions

TACACS

TACACS is defined in RFC 1492, and uses (either TCP or UDP) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. TACACSD uses TCP and usually runs on port 49. It would determine whether to accept or deny the authentication request and send a response back. The TIP (routing node accepting dial-up line connections, which the user would normally want to log in into) would then allow access or not, based upon the response. In this way, the process of making the decision is "opened up" and the algorithms and data used to make the decision are under the complete control of whomever is running the TACACS daemon.

TACACS+

TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and is not compatible with its predecessors, TACACS and XTACACS. TACACS+ uses TCP (while RADIUS operates over UDP). Since TACACS+ uses the authentication, authorization, and accounting (AAA) architecture, these separate components of the protocol can be segregated and handled on separate servers.^[5]

Since TCP is a connection oriented protocol, TACACS+ does not have to implement transmission control. RADIUS, however, does have to detect and correct transmission errors like packet loss, timeout etc. since it rides on UDP which is connectionless. RADIUS encrypts only the users' password as it travels from the RADIUS client to RADIUS server. All other information such as the username, authorization, accounting are transmitted in clear text. Therefore, it is vulnerable to different types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.

TACACS+ is a CISCO designed extension to TACACS that encrypts the full content of each packet. Moreover, it provides granular control(command by command authorization).

Implementations

TACACS+ client and PAM module
tacacs+ VM, an implementation of tac_plus+webadmin from in a VM (No longer active, based on site that is unreachable)
TACACS.net, a free implementation of TACACS+ for Windows

References

1 2 Dooley, Kevin; Brown, Ian (2003). Cisco Cookbook. O'Reilly Media. p. 137. ISBN 9781449390952.
↑ Anderson, Brian (December 1984). "TACACS User Identification Telnet Option". Internet Engineering Task Force. Retrieved 22 February 2014.
↑ Ballad, Bill; Ballad, Tricia; Banks, Erin (2011). Access Control, Authentication, and Public Key Infrastructure. Jones & Bartlett Learning. pp. 278–280. ISBN 9780763791285.
↑ Finseth, Craig (July 1993). "An Access Control Protocol, Sometimes Called TACACS". Internet Engineering Task Force. Retrieved 22 February 2014.
↑ "TACACS+ and RADIUS Comparison". Cisco. 14 January 2008. Retrieved 9 September 2014.

External links

Overview of AAA Technology
http://www.shrubbery.net/tac_plus/
An Analysis of the TACACS+ Protocol and its Implementations from a security standpoint, by Openwall
http://www.pro-bono-publico.de/projects/tac_plus.html
TACACS+ Benefits and Best Practices

RFC

RFC 927 – TACACS User Identification Telnet Option
RFC 1492 – An Access Control Protocol, Sometimes Called TACACS
Cisco's TACACS+ RFC draft
The IETF's draft is being updated as of 2016. See https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/

Authentication

Authentication APIs	BSD Authentication (BSD Auth) eAuthentication Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) OAuth OpenID OpenID Connect (OIDC) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)

Authentication protocol	ACF2 AKA CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) Kerberos LAN Manager NT LAN Manager (NTLM) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam

This article is issued from Wikipedia - version of the 9/23/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.

TACACS

History

Technical descriptions

TACACS

TACACS+

Implementations

See also

References

External links

RFC