Tacacs; Terminology - Avaya ERS 1600 Technical Configuration Manual

Authentication, Authorization and Accounting (AAA) for ERS and ES

3. TACACS+

Ethernet Routing Switch 5500, 1600 and 8300 Series all support the Terminal Access Controller Access
Control System plus (TACACS+) client. TACACS+ is a security application implemented as a
client/server-based protocol that provides centralized validation of users attempting to gain access to a
router or network access server.
TACACS+ differs from RADIUS in two important ways:
• TACACS+ is a TCP-based protocol using port 49
• TACACS+ uses full packet encryption, rather than just encrypting the password (RADIUS authentication request)
  o TACACS+ encrypts the entire body of the packet and uses a standard TACACS+ header
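
The split described above, a standard header followed by a protected body, is shown below as an added example; it is not code from the Avaya manual. It follows the body-protection scheme of the TACACS+ protocol specification (the draft cited on this page, later published as RFC 8907, which calls the mechanism obfuscation): an MD5-derived pad, seeded with the session ID, shared key, version and sequence number, is XORed with the body. The function names and the sample key, body and session ID are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent without protection

# Constructed sample values, not taken from the manual or any real device.
SAMPLE_KEY = b"constructed-shared-key"
SAMPLE_BODY = b"constructed body bytes, longer than one MD5 block"
SAMPLE_SESSION = 0x11223344

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); each later block
    appends the previous digest. The pad is truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def build_packet(body, key, session_id, seq_no=1, flags=0):
    """12-byte cleartext header followed by the body XORed with the pad."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

def parse_packet(packet, key):
    """Read the header without the key; recover the body with it."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("header length field does not match packet size")
    body = packet[12:]
    protected = not flags & TAC_PLUS_UNENCRYPTED_FLAG
    if protected:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(c ^ p for c, p in zip(body, pad))
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "protected": protected, "body": body}

if __name__ == "__main__":
    pkt = build_packet(SAMPLE_BODY, SAMPLE_KEY, SAMPLE_SESSION)
    print(pkt[:12].hex(), parse_packet(pkt, SAMPLE_KEY))
```

The header fields (type, sequence number, session ID, length) are readable by anyone on the path, and the body's confidentiality rests entirely on the shared key configured on the switch and the server.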
TACACS+ separates authentication, authorization, and accounting services. This means that you can
selectively implement one or more TACACS+ services.
TACACS+ provides management of users who access the switch through Telnet, serial, and SSH v2
connections. TACACS+ supports users only on the CLI.
Access to the console interface, SNMP, and Web management are disabled when TACACS+ is enabled.
The TACACS+ protocol is a draft standard available at:
draft-grant-tacacs-02
TACACS+ is not compatible with any previous versions of TACACS.

3.1 Terminology

The following terms are used in connection with TACACS+:
• AAA - Authentication, Authorization, Accounting
  o Authentication is the action of determining who a user (or entity) is, before allowing the user to access the network and network services.
  o Authorization is the action of determining what an authenticated user is allowed to do.
  o Accounting is the action of recording what a user is doing or has done.
• Network Access Server (NAS)—any client, such as Ethernet Routing Switch 1600, 5500 and 8300 Series switches, that makes TACACS+ authentication and authorization requests, or generates TACACS+ accounting packets.
• daemon/server—a program that services network requests for authentication and authorization, verifies identities, grants or denies authorizations, and logs accounting records.
• AV pairs—strings of text in the form "attribute=value" sent between a NAS and a TACACS+ daemon as part of the TACACS+ protocol.
Authentication, Authorization and Accounting (AAA) for ERS and ES
November 2010
ftp://ietf.org/internetdrafts/
Technical Configuration Guide
avaya.com