Understanding TACACS+

With the increased use of remote access, the need for managing more network access servers (NAS) has increased. Additionally, the need for control access on a per-user basis has escalated, as has the need for central administration of users and passwords.

Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or NAS. TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.

Note: TACACS+ is a completely new protocol and is not compatible with TACACS or XTACACS.

The TACACS+ protocol provides detailed accounting information and flexible administrative control over the authentication, authorization, and accounting process. The protocol allows a TACACS+ client to request detailed access control and allows the TACACS + process to respond to each component of that request. TACACS+ uses Transmission Control Protocol (TCP) for its transport.

TACACS+ provides security by encrypting all traffic between the NAS and the process. Encryption relies on a secret key that is known to both the client and the TACACS+ process.

Table 3 describes terms that are frequently used in this chapter.

Table 3: TACACS-Related Terms

Term

Description

NAS

Network access server. A device that provides connections to a single user, to a network or subnetwork, and to interconnected networks. In reference to TACACS+, the NAS is the E Series router.

TACACS+ process

A program or software running on a security server that provides AAA services using the TACACS+ protocol. The program processes authentication, authorization, and accounting requests from an NAS. When processing authentication requests, the process might respond to the NAS with a request for additional information, such as a password.

TACACS+ host

The security server on which the TACACS+ process is running. Also referred to as a TACACS+ server.

AAA Overview

TACACS+ allows effective communication of AAA information between NASs and a central server. The separation of the AAA functions is a fundamental feature of the TACACS+ design:

Central management of AAA means that the information is in a single, centralized, secure database, which is much easier to administer than information distributed across numerous devices. Both RADIUS and TACACS+ protocols are client-server systems that allow effective communication of AAA information.

For information about RADIUS, see RADIUS Overview.

Administrative Login Authentication

Fundamentally, TACACS+ provides the same services as RADIUS. Every authentication login attempt on an NAS is verified by a remote TACACS+ process.

TACACS+ authentication uses three packet types. Start packets and Continue packets are always sent by the user. Reply packets are always sent by the TACACS+ process.

TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet. The TACACS+ host responds with a Reply packet, which either grants or denies access, reports an error, or challenges the user.

TACACS+ might challenge the user to provide username, password, passcode, or other information. Once the requested information is entered, TACACS+ sends a Continue packet over the existing connection. The TACACS+ host sends a Reply packet. Once the authentication is complete, the connection is closed. Only three login retries are allowed.

To enable login authentication through both TACACS+ and RADIUS servers, use the aaa new-model command to specify AAA authentication for Telnet sessions.

Privilege Authentication

The privilege authentication process determines whether a user is allowed to use commands at a particular privilege level. This authentication process is handled similarly to login authentication, except that the user is limited to one authentication attempt. An empty reply to the challenge forces an immediate access denial. The aaa authentication enable default command allows you to set privilege authentication for users.

Login Authorization

To allow login authorization through the TACACS+ server, you can use the following commands: aaa authorization, aaa authorization config-commands, and authorization. For information about using these commands, see the Passwords and Security chapter in the JunosE System Basics Configuration Guide.

Accounting

The TACACS+ accounting service enables you to create an audit trail of User Exec sessions and command-line interface (CLI) commands that have been executed within these sessions. For example, you can track user CLI connects and disconnects, when configuration modes have been entered and exited, and which configuration and operational commands have been executed.

You configure TACACS+ accounting in the JunosE Software by defining accounting method lists and then associating consoles and lines with the method lists. You define an accounting method list with a service type, name, accounting mode, and method:

You can then configure consoles and lines with an accounting method list name for each service type:

The NAS sends TACACS+ accounting packets to the TACACS+ host. The accounting packets contain data in the packet header, packet body, and attribute-value pairs (AVPs). Table 4 provides descriptions of the TACACS+ accounting data.

Table 4: TACACS+ Accounting Information

Field/Attribute

Location

Description

major_version

Packet header

Major TACACS+ version number

minor_version

Packet header

Minor TACACS+ version number

type

Packet header

Type of the AAA service: Accounting

flags

Packet body

Bitmapped flags representing the record type: start accounting record or stop accounting record

priv-level

Packet body

Privilege level of the user executing the Exec session or CLI command: 0 - 15

user

Packet body

Name of user running the Exec session or CLI command

port

Packet body

NAS port used by the Exec session or CLI command

rem-addr

Packet body

User’s remote location; either an IP address or the caller ID

service

AVP

User’s primary service: Shell

cmd

AVP

CLI command that is to be executed: specified for Command-level accounting only

task_id

AVP

Unique sequential identifier used to match start and stop records for a task

elapsed_time

AVP

Elapsed time in seconds for the task execution: specified for Exec-level accounting stop records only

timezone

AVP

Time zone abbreviation used Monitoring TACACS+ Statisticsfor all timestamps

Related Documentation