TACACS+ Versus RADIUS

Table 4-4 compares the main differences between TACACS+ and RADIUS.

Table 4-4 TACACS+/RADIUS Comparison

Packet delivery
    RADIUS: UDP.
    TACACS+: TCP.

Packet encryption
    RADIUS: Encrypts only the password in the access-request packet from the client to the server.
    TACACS+: Encrypts the entire body of the packet but leaves a standard TCP header.

AAA support
    RADIUS: Combines authentication and authorization.
    TACACS+: Uses the AAA architecture, separating authentication, authorization, and accounting.

Multiprotocol support
    RADIUS: None.
    TACACS+: Supports other protocols, such as AppleTalk, NetBIOS, and IPX.

Router management
    RADIUS: Can pass a privilege level down to the router, which can then be used locally for command authorization.
    TACACS+: Enables network administrators to control which commands can be executed on a router.

Responses
    RADIUS: Uses single-challenge response. Combines authentication and authorization.
    TACACS+: Uses multiple-challenge response for each of the AAA processes. Uses the AAA architecture and separates each process.
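The "Packet encryption" row is the one with the most operational consequence, and it can be checked directly on the bytes. The Python below is an added example written for this page, not Cisco's code or code from the book: it implements the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5 as published, builds an Access-Request carrying the same four attributes that Example 4-9 prints (NAS-IP-Address, NAS-Port, User-Name, User-Password), and builds a TACACS+ authentication START packet for the same user. The shared secrets, Request Authenticator, session id, user name and port names are constructed sample values.

```python
# Added example: what RADIUS and TACACS+ each leave readable on the wire.
# Secrets, authenticator, session id and user name are constructed values.
import hashlib
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# ---- RADIUS: only the User-Password attribute is hidden (RFC 2865, 5.2) ----

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NUL-pad to a multiple of 16, then XOR each block with MD5(secret + prev),
    where prev is the Request Authenticator for the first block and the
    previous ciphertext block for every block after it."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is limited to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")

def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(identifier: int, authenticator: bytes, secret: bytes,
                         username: bytes, password: bytes, nas_ip: str, nas_port: int) -> bytes:
    """Code 1 Access-Request with the attributes of Example 4-9, in the same
    order: NAS-IP-Address (4), NAS-Port (5), User-Name (1), User-Password (2).
    Everything except the User-Password value is cleartext."""
    attrs = (radius_attr(4, bytes(int(o) for o in nas_ip.split(".")))
             + radius_attr(5, struct.pack("!I", nas_port))
             + radius_attr(1, username)
             + radius_attr(2, radius_hide_password(password, secret, authenticator)))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

# ---- TACACS+: the whole body is obfuscated (RFC 8907, 4.5) -----------------

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_(n-1).
    The digests are concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def authen_start_body(user: bytes, port: bytes, rem_addr: bytes = b"") -> bytes:
    """Authentication START body for an ASCII login: action LOGIN (1),
    priv_lvl 1, authen_type ASCII (1), authen_service LOGIN (1), empty data."""
    return bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr

def build_tacacs_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Cleartext 12-byte header followed by the XOR-obfuscated body."""
    pad = tacacs_pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + _xor(body, pad)

def tacacs_decode_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body; a packet flagged TAC_PLUS_UNENCRYPTED_FLAG is passed through."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, length))
```

Building both packets for the user name bill shows the two cleartext surfaces side by side: in the RADIUS Access-Request the NAS-IP-Address, NAS-Port and User-Name octets are readable and only the 16-octet User-Password value is masked, while in the TACACS+ packet only the 12-byte header (version, type, sequence number, flags, session id, length) is readable and the user name sits inside the obfuscated body. Neither construction is an authenticated cipher; RFC 8907 deliberately calls the TACACS+ mechanism obfuscation rather than encryption, which is why both protocols are normally run over a protected management network or tunnel.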

NOTE You can configure both RADIUS and TACACS+ concurrently on a Cisco router provided that you have defined different list names and applied the list to different interfaces.

NOTE You can download and install a trial copy of Cisco Secure ACS for Windows NT/2000 or UNIX. This comes with a built-in RADIUS and TACACS+ server. You also need a Cisco router with Cisco IOS 12.X with one working Ethernet port. This will reinforce your understanding of the AAA concept. For more information, visit the Cisco Secure Software Center at Cisco.com.

The AAA configuration options are numerous, and those presented in this guide are only a small subset of a larger set that you can view online at Cisco.com. Visit the following URL for more quality examples of how AAA, along with RADIUS or TACACS, can be implemented on Cisco IOS routers:

http://www.cisco.com/pcgi-bin/Support/browse/index.pl?i=Technologies&f=774

The IOS debug command set for RADIUS and TACACS is extensive. Presented here are some common RADIUS and TACACS debug outputs found in real networks.

Example 4-8 displays a sample output from the debug aaa authentication command for a RADIUS login attempt that failed. The information indicates that TACACS is the authentication method used.

Example 4-8 debug aaa authentication Command

R1# debug aaa authentication
14:02:55: AAA/AUTHEN (164826761): Method=RADIUS
14:02:55: AAA/AUTHEN (164826761): status = GETPASS
14:03:01: AAA/AUTHEN/CONT (164826761): continue_login
14:03:01: AAA/AUTHEN (164826761): status = GETPASS
14:03:04: AAA/AUTHEN (164826761): status = FAIL

Example 4-9 displays a sample output from the debug radius command that shows a successful login attempt, as indicated by an Access-Accept message (newer IOS releases may format this output somewhat differently).

Example 4-9 debug radius Command

R1# debug radius
13:59:02: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
13:59:02:         Attribute 4 6 AC150E5A
13:59:02:         Attribute 5 6 0000000A
13:59:02:         Attribute 1 6 62696C6C
13:59:02:         Attribute 2 18 0531FEA3
13:59:04: Radius: Received from 131.108.1.1:1645, Access-Accept, id 0xB, len 26
13:59:04:         Attribute 6 6 00000001

Example 4-10 displays a sample output from the debug radius command that shows an unsuccessful login attempt, as indicated by an Access-Reject message.

Example 4-10 debug radius Command

R1# debug radius
13:57:56: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57
13:57:56:         Attribute 4 6 AC150E5A
13:57:56:         Attribute 5 6 0000000A
13:57:56:         Attribute 1 7 62696C6C
13:57:56:         Attribute 2 18 49C28F6C
13:57:59: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0xA, len 20
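Reading debug radius output by eye gets tedious once there is more than one login in the buffer. The Python below is an added example, not code from the book or from Cisco: it parses lines of the shape shown in Examples 4-9 and 4-10, decodes the attribute hex the router prints (type 1 User-Name, 2 User-Password, 4 NAS-IP-Address, 5 NAS-Port, 6 Service-Type), checks each packet's declared length against 20 header octets plus the sum of the attribute lengths, and pairs each Access-Request with the Access-Accept or Access-Reject carrying the same Identifier. The sample text is the two examples above re-typed one message per line; the attribute and Service-Type names come from RFC 2865.

```python
# Added example: parse Cisco `debug radius` lines, decode the attributes the
# router prints, sanity-check packet lengths and pair requests with replies.
import re
from dataclasses import dataclass, field

# Constructed sample: Examples 4-9 and 4-10 re-typed one message per line.
SAMPLE_DEBUG = """\
13:59:02: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
13:59:02:         Attribute 4 6 AC150E5A
13:59:02:         Attribute 5 6 0000000A
13:59:02:         Attribute 1 6 62696C6C
13:59:02:         Attribute 2 18 0531FEA3
13:59:04: Radius: Received from 131.108.1.1:1645, Access-Accept, id 0xB, len 26
13:59:04:         Attribute 6 6 00000001
13:57:56: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57
13:57:56:         Attribute 4 6 AC150E5A
13:57:56:         Attribute 5 6 0000000A
13:57:56:         Attribute 1 7 62696C6C
13:57:56:         Attribute 2 18 49C28F6C
13:57:59: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0xA, len 20
"""

PKT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d): Radius: (?P<dir>IPC Send|Received from) "
    r"(?P<peer>\S+):(?P<port>\d+), (?P<code>Access-\w+), id (?P<id>0x[0-9A-Fa-f]+), len (?P<len>\d+)")
ATTR_RE = re.compile(r"^\d\d:\d\d:\d\d:\s+Attribute (?P<type>\d+) (?P<len>\d+) (?P<hex>[0-9A-Fa-f]+)")

SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}  # RFC 2865, 5.6

@dataclass
class Packet:
    time: str
    direction: str        # "sent" (router to server) or "received"
    peer: str
    code: str             # Access-Request, Access-Accept, Access-Reject, ...
    ident: int
    declared_len: int
    attrs: list = field(default_factory=list)   # (type, length, decoded value)

    def length_ok(self) -> bool:
        """RADIUS Length covers the 20-octet header plus every attribute TLV."""
        return 20 + sum(length for _, length, _ in self.attrs) == self.declared_len

    def attr(self, attr_type: int):
        return next((value for t, _, value in self.attrs if t == attr_type), None)

def decode_attr(attr_type: int, length: int, hexval: str) -> str:
    """Turn the printed hex into something readable.  The router prints only
    the leading value octets, so when Length promises more than is shown the
    value is flagged with '...' rather than guessed at."""
    raw = bytes.fromhex(hexval)
    truncated = len(raw) < length - 2
    if attr_type == 1:                                  # User-Name
        return raw.decode("ascii", "replace") + ("..." if truncated else "")
    if attr_type == 2:                                  # User-Password (hidden value)
        return f"<hidden, {length - 2} octets>"
    if attr_type == 4:                                  # NAS-IP-Address
        return ".".join(str(b) for b in raw[:4])
    if attr_type == 5:                                  # NAS-Port
        return str(int.from_bytes(raw[:4], "big"))
    if attr_type == 6:                                  # Service-Type
        return SERVICE_TYPES.get(int.from_bytes(raw[:4], "big"), f"unknown({hexval})")
    return hexval

def parse_debug(text: str) -> list:
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append(Packet(m["time"], "sent" if m["dir"] == "IPC Send" else "received",
                                  m["peer"], m["code"], int(m["id"], 16), int(m["len"])))
            continue
        m = ATTR_RE.match(line)
        if m and packets:                               # attribute lines belong to the last packet
            t, ln = int(m["type"]), int(m["len"])
            packets[-1].attrs.append((t, ln, decode_attr(t, ln, m["hex"])))
    return packets

def summarize(packets: list) -> list:
    """Pair each Access-Request with the reply that carries the same Identifier."""
    pending, results = {}, []
    for p in packets:
        if p.code == "Access-Request":
            pending[p.ident] = p
        elif p.code in ("Access-Accept", "Access-Reject", "Access-Challenge"):
            req = pending.pop(p.ident, None)
            results.append({
                "id": p.ident, "outcome": p.code, "server": p.peer,
                "user": req.attr(1) if req else None,
                "nas_ip": req.attr(4) if req else None,
                "nas_port": req.attr(5) if req else None,
                "service_type": p.attr(6),
                "lengths_ok": p.length_ok() and (req is None or req.length_ok()),
            })
    return results

if __name__ == "__main__":
    for row in summarize(parse_debug(SAMPLE_DEBUG)):
        print(row)
```

On the sample, id 0xB resolves to user bill from NAS 172.21.14.90 port 10, accepted by 131.108.1.1 with Service-Type Login, and id 0xA to a rejection from 171.69.1.152; all four packets pass the length check (20 + 6 + 6 + 6 + 18 = 56, 20 + 6 = 26, 20 + 6 + 6 + 7 + 18 = 57, 20). The User-Name in Example 4-10 has Length 7 but the router shows only four octets, so the parser reports it as "bill..." instead of inventing the fifth character.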
