Terminal Access Controller Access Control System Plus

Cisco IOS supports three versions of TACACS—TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username/ password pairing. TACACS+ is Cisco proprietary, whereas RADIUS is an open standard originally created by Livingston Enterprises.

Cisco has also developed Cisco Secure Access Control Server (ACS), a flexible family of security servers that supports both RADIUS and TACACS+. You can even run debugging commands on the Cisco Secure ACS software. In UNIX, you can modify files, such as syslog.conf and csu.cfg, to change the output to your screen. For more details on how to debug on a UNIX server, see http://www.cisco.com/warp/public/480/cssample2x.html#debug.

TACACS+ has the following features:

■ TCP packets (port 49) ensure that data is sent reliably across the IP network.

■ Supports AAA architectures and, in fact, separates each of the three AAA mechanisms.

■ The data between the NAS and server is encrypted.

■ Supports both PAP/CHAP and multiprotocols such as IPX and X.25.

Access control lists (ACL) can be defined on a per-user basis. (RADIUS can also define ACLs on a per-user basis.)

Figure 4-3 displays a typical TACACS+ connection request (authentication).

Figure 4-3 TACACS+ Authentication Example Sequence



Network Access Server


TACACS+ Server



TACACS+ Server




Network Access Server


Username: Simon Password: Uy_%#!

User is prompted with Username/Password.

Username: Simon Password: Uy_%#!

User is prompted with Username/Password.


Authentication Process

1 User initiates PPP connection to the NAS.

' NAS sends START packet to the TACACS+ server.

' TACACS+ server responds with GETUSER packets that contains the prompt username/password.

1 The NAS sends the displays to the remote USER.

1 USER responds with username/password pair.

The TACACS+ server checks username/password and sends back a pass or fail packet to the NAS.

1 Connection is then set up or rejected.

1 Followed by Authorization.

Followed by Accounting.

When a TACACS+ server authenticates a remote user, the following events occur:

1. When the connection is established, the NAS contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user. The user enters a username and the NAS and communicates to the TACACS+ server to obtain a password prompt. The NAS displays the password prompt to the user, the user enters a password, and the password is sent to the TACACS+ daemon.

2. The NAS eventually receives one of the following responses from the TACACS+ daemon:

■ ACCEPT—The user is authenticated and service can begin. If the NAS is configured to require authorization, authorization begins at this time.

■ REJECT—The user has failed to authenticate. The user may be denied further access or may be prompted to retry the login sequence, depending on the TACACS+ daemon.

■ ERROR—An error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the NAS typically tries to use an alternative method for authenticating the user.

■ CONTINUE—The user is prompted for additional authentication information.

3. A PAP login is similar to an ASCII login, except that the username and password arrive at the NAS in a PAP protocol packet instead of being typed in by the user, so the user is not prompted. PPP CHAP logins are also similar, in principle.

4. Following authentication, the user is required to undergo an additional authorization phase, if authorization has been enabled on the NAS. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.

5. If TACACS+ authorization is required, the TACACS+ daemon is again contacted and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes used to direct the EXEC or NETWORK session for that user, determining services that the user can access.

Services include the following:

■ Telnet, rlogin, PPP, SLIP, or EXEC services

■ Connection parameters, including the host or client IP address, ACL, and user timeouts

The TACACS+ authorization process is defined as the packet flow between the NAS and the TACACS+ server. The packets exchanged between the NAS and server contain AV pairs. The NAS sends Start packets and the TACACS+ server responds with Response packets. The server can permit, deny, or modify commands requested by the end user. The data (that contains the full list of all username/password pairs) is stored on a local file defining what commands are permitted by the end user, for example.

TACACS+ accounting provides an audit record of what commands were completed. The NAS sends a record of any commands, and the TACACS+ server sends a response acknowledging the accounting record.

Table 4-3 summarizes the main features of TACACS+.

Table 4-3 Summary of TACACS+ Protocol



Packets sent between client and server are TCP.

TCP destination port

Port 49.


Packet types are defined in TACACS+ frame format as follows: Authentication 0x01 Authorization 0x02 Accounting 0x03


The sequence number of the current packet flow for the current session. The Seq_no starts with 1, and each subsequent packet increments by one. The client sends only odd numbers. The TACACS+ server sends only even numbers.

Encryption method

The entire packet is encrypted. Data is encrypted using MD5 and a secret key that matches both on the NAS (for example, a Cisco IOS router) and the TACACS+ server.

Multiprotocol support

Multiprotocol Support indicates the following are fully supported in non IP networks, multiprotocols such as AppleTalk, NetBIOS, or IPX, along with IP.

Now, examine the TACACS+ configuration tasks required when enabling TACACS+ on a Cisco

IOS router.

Was this article helpful?

0 0

Post a comment