TACACS+ vs RADIUS

TACACS+ uses a client/server model. The client queries the server (running on UNIX or NT), and the server in turn replies stating whether the user passed or failed authentication. It is important to note that the client is not the user or the user’s machine, but rather the device that is trying to determine whether the user should be allowed into the network (typically a router or a firewall). TACACS+ uses TCP as the transport protocol; the default port is 49. If required, the server can be configured to listen on other ports. TACACS+ is similar to RADIUS (Remote Authentication Dial-In User Service) with a few key differences. RADIUS uses UDP for communication between the client and the server, whereas TACACS+ uses TCP.

Because TCP is connection-oriented and more reliable, it makes for a more robust transport protocol. Both TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts only the user’s password when the client makes a request to the server. This encryption prevents someone from sniffing the user’s password with a packet analyzer; however, other information, such as the username and the services being requested, is sent in the clear and can be analyzed. TACACS+ encrypts the entire payload of each exchange between the client and the server, including the user’s password. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses the MD5 hash function in its encryption and decryption algorithm.
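To make the difference in what each protocol protects concrete, here is an added example (not from the original article) that implements both hiding schemes as the RFCs specify them: RFC 8907 section 4.5 for the TACACS+ body pseudo-pad and RFC 2865 section 5.2 for the RADIUS User-Password attribute. The shared key, session id, Request Authenticator and body bytes are constructed sample values, not captured traffic.

```python
import hashlib
import struct

# TACACS+ (RFC 8907 section 4.5): the whole packet body is XORed with a pseudo-pad
# MD5_1 = MD5(session_id, key, version, seq_no), MD5_n = MD5(..., MD5_n-1), truncated.
def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(session_id: int, key: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """Seal or unseal a TACACS+ body; XOR with the pad is its own inverse."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

# RADIUS (RFC 2865 section 5.2): only the User-Password attribute is hidden.
# c_i = p_i XOR MD5(secret + c_{i-1}), with the Request Authenticator as c_0.
def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip NUL padding (passwords are not NUL-terminated)

if __name__ == "__main__":
    # Constructed sample values; version 0xc0 = major 0xc/minor 0, seq_no 1 = first client packet.
    key, sid = b"s3cret-shared-key", 0x1234ABCD
    body = b"\x01\x00\x01\x01\x05\x00\x00\x00alice"  # constructed START-like body
    sealed = tacacs_obfuscate(sid, key, 0xC0, 1, body)
    print("TACACS+ body on the wire:", sealed.hex())
    print("unsealed:", tacacs_obfuscate(sid, key, 0xC0, 1, sealed))
    auth = bytes(range(16))  # constructed 16-byte Request Authenticator
    hidden = radius_hide_password(key, auth, b"correct horse battery")
    print("RADIUS User-Password on the wire:", hidden.hex())
    print("revealed:", radius_reveal_password(key, auth, hidden))
```

RFC 8907 describes this MD5-derived pad as obfuscation rather than encryption, so the whole-body protection discussed above should not be mistaken for a modern cipher.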

Lastly, in RADIUS the authentication and authorization checks are bundled together. When the client requests authentication from the server, the server replies with the authentication attributes as well as the authorization attributes; these functions cannot be performed separately. In TACACS+ all three AAA functions (authentication, authorization, and accounting) can be performed separately. This gives the administrator much more flexibility when designing an AAA policy. For instance, one method such as Kerberos can be used for authentication, and a separate method such as TACACS+ can be used for authorization.

Configuring TACACS+

Configuring TACACS+ consists of two parts: 1) creating user profiles in the server’s database, and 2) setting up the clients to communicate with the server.