A centralized authentication mechanism provides an easy way for your users to access their important resources and it provides the administrator with a central mechanism for access control. In this video, you’ll learn how RADIUS and TACACS can be used to authenticate, authorize, and account for logins.
<< Previous: VPN ProtocolsNext: Remote Access Services >>
One of the challenges with having these very large enterprise networks is there are so many different places where you need to login or authenticate to different parts or different resources on the network. There’s also a lot of different locations where you might be you might be off site. You might be inside of the building, you might be in a different location, and this is from your desktop. You might be connecting through a VPN, you might need to log into your routers to administer them. Maybe you need to log into a firewall to configure firewall rules. And each one of those places need some type of authentication. We not only need this authentication, but we also need to make sure that we have all this information logged.
So we’ve created these AAA devices, we call them. That stands for Authentication, Authorization and Accounting. This is going to make sure that your username and password is correct, it’s going to provide you with the proper access, and it’s going to log this so that later on, if we need to audit who’s connecting to the network, we have a centralized place to go to find out exactly who logged in to what and when they did that. There is this centralized method that really allows us a seamless access to all of these devices. That way you don’t have to have a separate username and password for your VPN, and for your router login, for your desktop machine, it can all be centralized in one single database.
This diagram summarizes this challenge quite nicely. You’ve got these remote access clients that are somewhere out in the world. They might be at a conference, or an off site meeting, they might be staying in a hotel, and they’re connecting back to the main site through the internet to perhaps a remote access server, or maybe a VPN concentrator. Inside of your network, you have users that are on wireless devices that are trying to gain access to the network through all wireless access point. of these devices need some way to be able to provide you with that authentication functionality, and they’re going to communicate back to a AAA server.
The method that it uses to communicate to this AAA server is very standardized protocol called RADIUS. RADIUS stands for Remote Authentication Dial In User Service, and RADIUS is one that is supported by remote access servers, and wireless access points, and firewalls, and many other devices, as well. This RADIUS server insurers then, that wherever I happen to be, whether I’m at a hotel or whether I’m inside the building on a wireless device, I’ll be able to use the same credentials that I always used to log into every other device that I have inside of the organization.
RADIUS is not the only way to do this, however. There are other mechanisms that allow us to use the capabilities of these AAA servers. There are generally two camps you’ll find when we are discussing protocols that allow a remote access device to communicate to the AAA server. You have RADIUS, and then you also have TACACS. TACACS stands for Terminal Access Controller Access Control System. It’s a standard RFC 1492, that goes way back to the ARPANET days. Cisco took this older type protocol and extended it a bit called it Extended TACACS or XTACACS.
This added accounting and auditing to this authentication protocol, truly making it a AAA mechanism. Cisco then improved again called this TACACS+, and whenever you hear someone talk about running TACACS in their environment, this is the version they’re probably talking about. TACACS+ is the latest version from Cisco. It’s not backwards compatible with those other versions, but it has many more requests and authorization capabilities inside of it. These days, whether you’re running TACACS or RADIUS, the important part is that you have a standardized way to authenticate, authorize and account for these user sessions.