Table 64: Tacacs-Related Terms; Administrative Login Authentication; Aaa Overview - Juniper JUNOSE SOFTWARE 11.0.X - BROADBAND ACCESS CONFIGURATION GUIDE 4-1-2010 Configuration Manual

For E Series Broadband Services Routers - Broadband Access Configuration

JUNOSe 11.0.x Broadband Access Configuration Guide

Table 64: TACACS-Related Terms

| Term | Description |
| --- | --- |
| NAS | Network access server. A device that provides connections to a single user, to a network or subnetwork, and to interconnected networks. In reference to TACACS+, the NAS is the E Series router. |
| TACACS+ process | A program or software running on a security server that provides AAA services using the TACACS+ protocol. The program processes authentication, authorization, and accounting requests from an NAS. When processing authentication requests, the process might respond to the NAS with a request for additional information, such as a password. |
| TACACS+ host | The security server on which the TACACS+ process is running. Also referred to as a TACACS+ server. |

AAA Overview

TACACS+ allows effective communication of AAA information between NASs and
a central server. The separation of the AAA functions is a fundamental feature of the
TACACS+ design:

- Authentication: Determines who a user is, then determines whether that user
  should be granted access to the network. The primary purpose is to prevent
  intruders from entering your networks. Authentication uses a database of users
  and passwords.
- Authorization: Determines what an authenticated user is allowed to do.
  Authorization gives the network manager the ability to limit network services to
  different users. Also, the network manager can limit the use of certain commands
  to various users. Authorization cannot occur without authentication.
- Accounting: Tracks what a user did and when it was done. Accounting can be
  used for an audit trail or for billing for connection time or resources used.
  Accounting can occur independent of authentication and authorization.

Central management of AAA means that the information is in a single, centralized,
secure database, which is much easier to administer than information distributed
across numerous devices. Both RADIUS and TACACS+ protocols are client-server
systems that allow effective communication of AAA information.

For information about RADIUS, see "Configuring Remote Access" on page 3.

Administrative Login Authentication

Fundamentally, TACACS+ provides the same services as RADIUS. Every
authentication login attempt on an NAS is verified by a remote TACACS+ process.
TACACS+ authentication uses three packet types. Start packets and Continue packets
are always sent by the user. Reply packets are always sent by the TACACS+ process.
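
The Start, Continue and Reply packets described under Administrative Login Authentication can be told apart from the TACACS+ packet header alone. The following is an added example, not code from the Juniper guide: it parses that header and audits one authentication session for packets sent by the wrong side or sent without obfuscation. The header layout, sequence-number rule and flag value are taken from RFC 8907, which the page does not cite, and all function names and sample packets are constructed for illustration.

```python
import struct
# Header layout, sequence rule and flag value follow RFC 8907 (assumption: not cited on the page).
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01            # TAC_PLUS_UNENCRYPTED_FLAG: body is not obfuscated

def parse_header(raw):
    """Decode and sanity-check the fixed 12-byte TACACS+ header."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    if version >> 4 != 0xC:
        raise ValueError("major version is not 0xc")
    if len(raw) - HEADER.size != length:
        raise ValueError("length field does not match body size")
    return {"type": ptype, "seq_no": seq_no, "flags": flags, "session_id": session_id}

def authen_packet_kind(seq_no):
    """Sequence 1 is START; later odd numbers are CONTINUE; even numbers are REPLY."""
    if seq_no == 1:
        return "START"
    return "CONTINUE" if seq_no % 2 else "REPLY"

def audit_authen_session(packets):
    """packets: ordered (sender, raw) pairs, sender 'nas' or 'server'. Returns findings."""
    findings, session_id = [], None
    for position, (sender, raw) in enumerate(packets, start=1):
        hdr = parse_header(raw)
        kind = authen_packet_kind(hdr["seq_no"])
        if hdr["type"] != TYPE_AUTHEN:
            findings.append(f"packet {position}: not an authentication packet")
        if hdr["seq_no"] != position:
            findings.append(f"packet {position}: unexpected seq_no {hdr['seq_no']}")
        if sender != ("server" if kind == "REPLY" else "nas"):
            findings.append(f"packet {position}: {kind} sent by {sender}")
        if hdr["flags"] & FLAG_UNENCRYPTED:
            findings.append(f"packet {position}: body sent without obfuscation")
        session_id = hdr["session_id"] if session_id is None else session_id
        if hdr["session_id"] != session_id:
            findings.append(f"packet {position}: session_id changed mid-session")
    return findings

def build(seq_no, flags=0, session_id=0x1A2B3C4D, body=b"\x00" * 8):
    """Constructed sample packet: valid header, placeholder body bytes."""
    return HEADER.pack(0xC0, TYPE_AUTHEN, seq_no, flags, session_id, len(body)) + body

# Constructed samples. GOOD: START, REPLY, CONTINUE, REPLY in the expected directions.
# BAD: cleartext flag set on the START, then a REPLY arriving from the NAS side.
GOOD = [("nas", build(1)), ("server", build(2)), ("nas", build(3)), ("server", build(4))]
BAD = [("nas", build(1, flags=FLAG_UNENCRYPTED)), ("nas", build(2))]
```

The audit assumes the packets of a single session are supplied in capture order; a connection that multiplexes several sessions would need to be split by `session_id` first.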
