Aaa Overview; Administrative Login Authentication; Table 64: Tacacs-Related Terms - Juniper JUNOSE SOFTWARE 11.2.X - BROADBAND ACCESS CONFIGURATION GUIDE 7-20-2010 Configuration Manual


JunosE 11.2.x Broadband Access Configuration Guide

AAA Overview

Administrative Login Authentication

312

Table 64: TACACS-Related Terms

NAS
  Network access server. A device that provides connections to a single user, to a network or subnetwork, and to interconnected networks. In reference to TACACS+, the NAS is the E Series router.

TACACS+ process
  A program or software running on a security server that provides AAA services using the TACACS+ protocol. The program processes authentication, authorization, and accounting requests from an NAS. When processing authentication requests, the process might respond to the NAS with a request for additional information, such as a password.

TACACS+ host
  The security server on which the TACACS+ process is running. Also referred to as a TACACS+ server.
TACACS+ allows effective communication of AAA information between NASs and a central server. The separation of the AAA functions is a fundamental feature of the TACACS+ design:

Authentication—Determines who a user is, then determines whether that user should be granted access to the network. The primary purpose is to prevent intruders from entering your networks. Authentication uses a database of users and passwords.

Authorization—Determines what an authenticated user is allowed to do. Authorization gives the network manager the ability to limit network services to different users. Also, the network manager can limit the use of certain commands to various users. Authorization cannot occur without authentication.

Accounting—Tracks what a user did and when it was done. Accounting can be used for an audit trail or for billing for connection time or resources used. Accounting can occur independent of authentication and authorization.

Central management of AAA means that the information is in a single, centralized, secure database, which is much easier to administer than information distributed across numerous devices. Both RADIUS and TACACS+ protocols are client-server systems that allow effective communication of AAA information.

For information about RADIUS, see "Configuring Remote Access" on page 3.

Fundamentally, TACACS+ provides the same services as RADIUS. Every authentication login attempt on an NAS is verified by a remote TACACS+ process.

TACACS+ authentication uses three packet types. Start packets and Continue packets are always sent by the user. Reply packets are always sent by the TACACS+ process. TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet. The TACACS+ host responds with a Reply packet, which either grants or denies access, reports an error, or challenges the user.
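The Start/Reply/Continue exchange described above, worked through as an added Python example that is not code from the guide or from Juniper. Packet layout, status codes and the MD5 body obfuscation follow RFC 8907; the session id, port, remote address, user database and shared key are constructed sample values.

```python
import hashlib
import struct
# Field values from RFC 8907 (TACACS+); not quoted from the JunosE guide.
VERSION, TYPE_AUTHEN = 0xC0, 0x01           # major version 0xC, minor 0
AUTHEN_PASS, AUTHEN_FAIL, AUTHEN_GETPASS = 0x01, 0x02, 0x05

def pseudo_pad(session_id, key, seq_no, length):
    """MD5 chain the body is XORed with: obfuscation keyed by the shared secret, not encryption."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def packet(seq_no, session_id, key, body):
    """12-byte header plus obfuscated body; the NAS uses odd seq_no, the server even."""
    header = struct.pack("!BBBB4sI", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))
def unpack(pkt, key):
    _, _, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", pkt[:12])
    body = pkt[12:12 + length]
    if flags & 0x01:   # TAC_PLUS_UNENCRYPTED_FLAG: body in the clear; worth alerting on in production
        return seq_no, flags, body
    return seq_no, flags, bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, seq_no, length)))

def start_body(user):
    """Authentication START: action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN."""
    port, rem_addr = b"console", b"192.0.2.10"              # constructed sample values
    return bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user.encode() + port + rem_addr
def reply_body(status, server_msg=b""):                      # status, flags, msg_len, data_len, msg
    return bytes([status, 0]) + struct.pack("!HH", len(server_msg), 0) + server_msg
def continue_body(user_msg):                                 # user_msg_len, data_len, flags, user_msg
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def login(users, user, password, key):
    """One ASCII login: START -> REPLY(GETPASS) -> CONTINUE -> REPLY(PASS|FAIL)."""
    sid, trace = b"\x00\x00\x12\x34", []                      # constructed session id
    seq, _, body = unpack(packet(1, sid, key, start_body(user)), key)
    req_user = body[8:8 + body[4]].decode()
    trace.append(("NAS->server", "START", req_user))
    _, _, body = unpack(packet(seq + 1, sid, key, reply_body(AUTHEN_GETPASS, b"Password: ")), key)
    trace.append(("server->NAS", "REPLY", body[0]))          # 5 = GETPASS challenge
    seq, _, body = unpack(packet(seq + 2, sid, key, continue_body(password.encode())), key)
    supplied = body[5:5 + struct.unpack("!H", body[:2])[0]].decode()
    trace.append(("NAS->server", "CONTINUE", "<password>"))
    status = AUTHEN_PASS if users.get(req_user) == supplied else AUTHEN_FAIL
    _, _, body = unpack(packet(seq + 1, sid, key, reply_body(status)), key)
    trace.append(("server->NAS", "REPLY", body[0]))          # 1 = PASS, 2 = FAIL
    return trace
```

Because the body is only XORed with an MD5 keystream derived from the shared key, a weak or reused key exposes every login; the protocol should be carried over a trusted management network or a TLS tunnel.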
Copyright © 2010, Juniper Networks, Inc.
