Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Understanding TACACS+

    With the increased use of remote access, the need for managing more network access servers (NAS) has increased. Additionally, the need for control access on a per-user basis has escalated, as has the need for central administration of users and passwords.

    Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or NAS. TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.

    Note: TACACS+ is a completely new protocol and is not compatible with TACACS or XTACACS.

    The TACACS+ protocol provides detailed accounting information and flexible administrative control over the authentication, authorization, and accounting process. The protocol allows a TACACS+ client to request detailed access control and allows the TACACS + process to respond to each component of that request. TACACS+ uses Transmission Control Protocol (TCP) for its transport.

    TACACS+ provides security by encrypting all traffic between the NAS and the process. Encryption relies on a secret key that is known to both the client and the TACACS+ process.

    Table 1 describes terms that are frequently used in this chapter.

    Table 1: TACACS-Related Terms

    Term

    Description

    NAS

    Network access server. A device that provides connections to a single user, to a network or subnetwork, and to interconnected networks. In reference to TACACS+, the NAS is the E Series router.

    TACACS+ process

    A program or software running on a security server that provides AAA services using the TACACS+ protocol. The program processes authentication, authorization, and accounting requests from an NAS. When processing authentication requests, the process might respond to the NAS with a request for additional information, such as a password.

    TACACS+ host

    The security server on which the TACACS+ process is running. Also referred to as a TACACS+ server.

    AAA Overview

    TACACS+ allows effective communication of AAA information between NASs and a central server. The separation of the AAA functions is a fundamental feature of the TACACS+ design:

    • Authentication—Determines who a user is, then determines whether that user should be granted access to the network. The primary purpose is to prevent intruders from entering your networks. Authentication uses a database of users and passwords.
    • Authorization—Determines what an authenticated user is allowed to do. Authorization gives the network manager the ability to limit network services to different users. Also, the network manager can limit the use of certain commands to various users. Authorization cannot occur without authentication.
    • Accounting—Tracks what a user did and when it was done. Accounting can be used for an audit trail or for billing for connection time or resources used. Accounting can occur independent of authentication and authorization.

    Central management of AAA means that the information is in a single, centralized, secure database, which is much easier to administer than information distributed across numerous devices. Both RADIUS and TACACS+ protocols are client-server systems that allow effective communication of AAA information.

    For information about RADIUS, see RADIUS Overview.

    Administrative Login Authentication

    Fundamentally, TACACS+ provides the same services as RADIUS. Every authentication login attempt on an NAS is verified by a remote TACACS+ process.

    TACACS+ authentication uses three packet types. Start packets and Continue packets are always sent by the user. Reply packets are always sent by the TACACS+ process.

    TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet. The TACACS+ host responds with a Reply packet, which either grants or denies access, reports an error, or challenges the user.

    TACACS+ might challenge the user to provide username, password, passcode, or other information. Once the requested information is entered, TACACS+ sends a Continue packet over the existing connection. The TACACS+ host sends a Reply packet. Once the authentication is complete, the connection is closed. Only three login retries are allowed.

    To enable login authentication through both TACACS+ and RADIUS servers, use the aaa new-model command to specify AAA authentication for Telnet sessions.

    Privilege Authentication

    The privilege authentication process determines whether a user is allowed to use commands at a particular privilege level. This authentication process is handled similarly to login authentication, except that the user is limited to one authentication attempt. An empty reply to the challenge forces an immediate access denial. The aaa authentication enable default command allows you to set privilege authentication for users.

    Login Authorization

    To allow login authorization through the TACACS+ server, you can use the following commands: aaa authorization, aaa authorization config-commands, and authorization. For information about using these commands, see the Passwords and Security chapter in the JunosE System Basics Configuration Guide.

    Accounting

    The TACACS+ accounting service enables you to create an audit trail of User Exec sessions and command-line interface (CLI) commands that have been executed within these sessions. For example, you can track user CLI connects and disconnects, when configuration modes have been entered and exited, and which configuration and operational commands have been executed.

    You configure TACACS+ accounting in the JunosE Software by defining accounting method lists and then associating consoles and lines with the method lists. You define an accounting method list with a service type, name, accounting mode, and method:

    • service type—Specifies the type of information being recorded
    • name—Uniquely identifies an accounting method list within a service type
    • accounting mode—Specifies what type of accounting records will be generated
    • method—Specifies the protocol for sending the accounting records to a security server

    You can then configure consoles and lines with an accounting method list name for each service type:

    • Method list—A specified configuration that defines how the NAS performs the AAA accounting service. A service type can be configured with multiple method lists with different names, and a method list name can be used for different service types. Initially, no accounting method list is defined; therefore TACACS+ accounting is disabled.
      • Default method list—Configuration used by consoles and lines when no named method list is assigned. You enable TACACS+ accounting by defining default accounting method lists for each service type.
      • Named method list—Assigned to a console, specific line, or group of lines; overrides the default method list.
    • Service type—Specifies the type of information provided by the TACACS+ accounting service:
      • Exec—Provides information about User Exec terminal sessions, such as telnet, Local Area Transport (LAT), and rlogin, on the NAS.
      • Commands <0-15>—Provides information about User Exec mode CLI commands for a specified privilege level that are being executed on the NAS. Each of the sixteen command privilege levels is a separate service type. Accounting records are generated for commands executed by users, CLI scripts, and macros.
    • Accounting mode—Specifies the type of accounting records that are recorded on the TACACS+ server. Accounting records track user actions and resource usage. You can analyze and use the records for network management, billing, and auditing purposes.
      • start-stop—A start accounting record is generated just before a process begins, and a stop accounting record is generated after a process successfully completes. This mode is supported only for the Exec service type.
      • stop-only—A stop accounting record is generated after a process successfully completes. This mode is supported only for the Commands service types.

    The NAS sends TACACS+ accounting packets to the TACACS+ host. The accounting packets contain data in the packet header, packet body, and attribute-value pairs (AVPs). Table 2 provides descriptions of the TACACS+ accounting data.

    Table 2: TACACS+ Accounting Information

    Field/Attribute

    Location

    Description

    major_version

    Packet header

    Major TACACS+ version number

    minor_version

    Packet header

    Minor TACACS+ version number

    type

    Packet header

    Type of the AAA service: Accounting

    flags

    Packet body

    Bitmapped flags representing the record type: start accounting record or stop accounting record

    priv-level

    Packet body

    Privilege level of the user executing the Exec session or CLI command: 0 - 15

    user

    Packet body

    Name of user running the Exec session or CLI command

    port

    Packet body

    NAS port used by the Exec session or CLI command

    rem-addr

    Packet body

    User’s remote location; either an IP address or the caller ID

    service

    AVP

    User’s primary service: Shell

    cmd

    AVP

    CLI command that is to be executed: specified for Command-level accounting only

    task_id

    AVP

    Unique sequential identifier used to match start and stop records for a task

    elapsed_time

    AVP

    Elapsed time in seconds for the task execution: specified for Exec-level accounting stop records only

    timezone

    AVP

    Time zone abbreviation used Monitoring TACACS+ Statisticsfor all timestamps

    Published: 2014-08-20