D-Link DI-1750 Reference Manual page 355

8.3 Configure TACACS+
8.3.1 TACACS+ Overview
TACACS+ is a security application that provides centralized validation of users attempting to gain
access to a router or network access server. Communication between the network access server and the
TACACS+ service program is protected: the two sides exchange messages whose bodies are obfuscated
with a shared secret (an MD5-derived keystream rather than strong encryption), so the shared secret
must be kept confidential and the link to the server should run over a trusted network.
You must have access to and must configure a TACACS+ server before the TACACS+ features configured
on your network access server are usable. TACACS+ provides separate and modular
authentication, authorization, and accounting facilities.
♦ Authentication---Supports multiple authentication methods (ASCII, PAP, CHAP). The
authentication facility provides the ability to conduct an arbitrary dialog with the user (for example,
after a login and password are provided, to challenge a user with a number of questions, like home
address, service type, and ID card number). In addition, the TACACS+ authentication service
supports sending messages to user screens. For example, a message could notify users that their
passwords must be changed because of the company's password aging policy.
♦ Authorization---Provides fine-grained control over user capabilities for the duration of the user's
session, including but not limited to setting autocommands, access control, and session duration. You
can also restrict which commands a user may execute.
♦ Accounting---Collects and sends information used for billing, auditing, and reporting to the
TACACS+ daemon. Network managers can use the accounting facility to track user activity for a
security audit or to provide information for user billing. Accounting records include user identities,
start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
8.3.2 TACACS+ Protocol Operation
1. ASCII Mode Authentication
When a user attempts a simple ASCII login by authenticating to a network access server using
TACACS+, the following process typically occurs:
When the connection is established, the network access server will contact the TACACS+ daemon to
obtain a username prompt, which is then displayed to the user. The user enters a username and the
network access server then contacts the TACACS+ daemon to obtain a password prompt. The network
access server displays the password prompt to the user, the user enters a password, and the password
is then sent to the TACACS+ service program.
Note:
TACACS+ allows an arbitrary conversation to be held between the daemon and the user until the daemon receives enough
information to authenticate the user. This is usually done by prompting for a username and password combination, but may
include other items, such as mother's maiden name, all under the control of the TACACS+ service program.
The network access server will eventually receive one of the following responses from the TACACS+
server:
ACCEPT    The user is authenticated and service may begin. If the network access
          server is configured to require authorization, authorization begins at
          this time.
REJECT    The user has failed to authenticate. The user may be denied further
          access, or may be prompted to retry the login sequence, depending on how
          the TACACS+ server is configured.
ERROR     An error occurred at some time during authentication, either at the
          daemon or in the network connection between the daemon and the network
          access server. If an ERROR response is received, the network access
          server will typically try an alternative method for authenticating the
          user.
CONTINUE  The user is prompted for additional authentication information.
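The ASCII-mode dialog above, carried out as the actual TACACS+ packets both sides exchange. This is an added worked example, not D-Link's code or configuration: the 12-byte header, the authentication START/REPLY/CONTINUE body layouts and the MD5 body obfuscation follow RFC 8907 (the published TACACS+ specification); ToyDaemon, its user table, the shared secret, the port name and the client address are constructed for the demo. The REPLY status codes PASS, FAIL, ERROR and GETUSER/GETPASS correspond to the ACCEPT, REJECT, ERROR and CONTINUE responses in the table.

```python
"""TACACS+ ASCII-login dialogue between a network access server (NAS) and a
TACACS+ daemon.  Added example, not D-Link code: packet header, authentication
START/REPLY/CONTINUE layouts and the MD5 body obfuscation follow RFC 8907;
ToyDaemon, its user table and the shared secret are constructed for the demo."""
import hashlib
import hmac
import os
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01                 # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # header flag: body sent in clear (deprecated)
# authentication REPLY status codes (ACCEPT / REJECT / CONTINUE / ERROR of the text)
PASS, FAIL, GETDATA, GETUSER, GETPASS, ERROR = 0x01, 0x02, 0x03, 0x04, 0x05, 0x07
ACTION_LOGIN, PRIV_USER, AUTHEN_ASCII, SVC_LOGIN = 0x01, 0x01, 0x01, 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream XORed over every body: pad_1 = MD5(sid|key|ver|seq),
    pad_n = MD5(sid|key|ver|seq|pad_n-1), concatenated and truncated."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """Same function in both directions: XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(ptype, seq_no, session_id, key, body):
    """12-byte header (version, type, seq_no, flags, session_id, length) + body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0          # minor version 0 for ASCII login
    hdr = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)


def unpack(pkt, key):
    """Parse the header and de-obfuscate the body.  Refuses the cleartext-body
    flag: RFC 8907 deprecates it, and honouring it would let a peer bypass the
    shared secret entirely."""
    version, ptype, seq_no, flags, sid, length = struct.unpack("!BBBBII", pkt[:12])
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("refusing packet with TAC_PLUS_UNENCRYPTED_FLAG set")
    body = obfuscate(pkt[12:12 + length], sid, key, version, seq_no)
    return seq_no, sid, body


def nas_ascii_login(daemon, key, username, password):
    """NAS side: send START, answer each GETUSER/GETPASS with a CONTINUE, stop
    at a final status.  Returns (status, prompts the daemon asked us to show)."""
    sid = struct.unpack("!I", os.urandom(4))[0]    # fresh per-session id
    port, rem_addr = b"tty0", b"192.0.2.10"        # constructed NAS port / client address
    start = struct.pack("!BBBBBBBB", ACTION_LOGIN, PRIV_USER, AUTHEN_ASCII, SVC_LOGIN,
                        0, len(port), len(rem_addr), 0) + port + rem_addr
    seq, prompts = 1, []
    pkt = pack(TAC_PLUS_AUTHEN, seq, sid, key, start)
    while True:
        rseq, rsid, body = unpack(daemon(pkt), key)
        if rsid != sid or rseq != seq + 1:         # reply must belong to our session
            return ERROR, prompts
        status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
        if status in (PASS, FAIL, ERROR):
            return status, prompts
        prompts.append(body[6:6 + msg_len].decode(errors="replace"))
        answer = {GETUSER: username, GETPASS: password}.get(status)
        if answer is None:                         # GETDATA and others not handled here
            return ERROR, prompts
        seq = rseq + 1
        cont = struct.pack("!HHB", len(answer), 0, 0) + answer.encode()
        pkt = pack(TAC_PLUS_AUTHEN, seq, sid, key, cont)


class ToyDaemon:
    """Constructed daemon: GETUSER -> GETPASS -> PASS/FAIL, state kept per session_id."""
    def __init__(self, key, users):
        self.key, self.users, self.pending = key, users, {}

    def _reply(self, seq_no, sid, status, server_msg):
        body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
        return pack(TAC_PLUS_AUTHEN, seq_no, sid, self.key, body)

    def __call__(self, pkt):
        seq_no, sid, body = unpack(pkt, self.key)
        if seq_no == 1:                            # START: ask for the username
            self.pending[sid] = None
            return self._reply(2, sid, GETUSER, b"Username: ")
        if sid not in self.pending:                # CONTINUE without a START
            return self._reply(seq_no + 1, sid, ERROR, b"no such session")
        msg_len, = struct.unpack("!H", body[:2])
        user_msg = body[5:5 + msg_len].decode(errors="replace")
        if self.pending[sid] is None:              # first CONTINUE carries the username
            self.pending[sid] = user_msg
            return self._reply(seq_no + 1, sid, GETPASS, b"Password: ")
        user = self.pending.pop(sid)
        ok = hmac.compare_digest(self.users.get(user, "").encode(), user_msg.encode())
        return self._reply(seq_no + 1, sid, PASS if ok else FAIL, b"")
```

Running nas_ascii_login against ToyDaemon with a matching secret yields PASS after the two prompts "Username: " and "Password: "; a wrong password yields FAIL. The password never appears in clear on the wire, but note what the obfuscation is: an MD5 keystream keyed by the shared secret with no integrity check, which is why RFC 8907 recommends protecting the NAS-to-server link by other means and why unpack refuses the deprecated unencrypted flag rather than honouring it.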