 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |
Fundamentally, TACACS+ provides the same services as RADIUS. Every authentication login attempt on an NAS is verified by a remote TACACS+ process.
TACACS+ authentication uses three packet types. Start packets and Continue packets are always sent by the user. Reply packets are always sent by the TACACS+ process.
TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet. The TACACS+ host responds with a Reply packet, which either grants or denies access, reports an error, or challenges the user.
TACACS+ might challenge the user to provide username, password, passcode, or other information. Once the requested information is entered, TACACS+ sends a Continue packet over the existing connection. The TACACS+ host sends a Reply packet. Once the authentication is complete, the connection is closed. Only three login retries are allowed.
To enable login authentication through both TACACS+ and RADIUS servers, use the aaa new-model command to specify AAA authentication for Telnet sessions.
| Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |