ClearBox Server v1.2 User's Guide
The TACACS+ (Terminal Access Controller Access Control System) protocol is a sophisticated protocol developed by Cisco Systems. It is substantially different from TACACS and XTACACS, earlier versions of the protocol that are now obsolete.
TACACS+ is a method of information exchange between a device that provides network access to users (the "TACACS+ client") and a device that holds the authentication information for those users (the "TACACS+ server"). TACACS+ is based on the AAA model: authentication, authorization and accounting.
The TACACS+-based remote access environment has three major components: the Access Client, the Network Access Server, and the TACACS+ Server.
The Access Client may be a person dialing into a Service Provider network to connect to various Internet sites (the traditional User role). Alternatively, the Access Client may be a device; it may be an ISDN router or a dial-on-demand router that provides network access to multiple Users at a small office/home office.
A Network Access Server (NAS) is a device that recognizes and handles connection requests arriving from outside the network "edge"; in practice this is primarily Cisco network equipment. When the NAS receives a user's connection request, it may perform an initial access negotiation with the user (PPP or SLIP). This negotiation establishes certain data (username, password, NAS port number, and so on). The NAS then passes this data to the TACACS+ server and requests authentication.
The TACACS+ server authenticates the request and authorizes services over the connection. It does this by matching the data in the NAS's request against entries in a well-known, trusted database.
The AAA security model, on which the TACACS+ protocol is based, draws a clear distinction between the three phases of network user access: authentication, authorization and accounting. Each of these three phases can be enabled independently on the NAS, so what the NAS sends to the TACACS+ server depends entirely on the configuration of the NAS itself.
The TACACS+ server can accept the user's authentication or authorization request, or reject the user. Based on this response from the TACACS+ server, the NAS decides whether to establish the user's connection ("accept user" or "accept packet") or terminate the connection attempt ("reject user" or "reject packet"). Finally, the NAS sends accounting data to the TACACS+ server to document the transaction.
These behaviors, together with the basic components described above, are similar to RADIUS concepts.
A TACACS+ client and TACACS+ server communicate by means of TACACS+ packets sent over TCP/IP networks. TACACS+ packets are formatted using conventions outlined in The TACACS+ Protocol Version 1.78.
To configure ClearBox Server, the essential information you need about TACACS+ packets is the following:
TACACS+ defines seven types of packets (or "messages"):
The TACACS+ "shared secret" is used to encrypt and decrypt TACACS+ packets exchanged between two devices. The shared secret may be any alphanumeric string, and each shared secret must be configured on both the client and the server side. ClearBox Server can be configured with one default shared secret that is used whenever no specific secret is found for a host (by setting Default client secret key and turning Require client secret key off).
IMPORTANT: Use caution. Upper- and lowercase letters make a difference: the shared secret is case-sensitive.
ClearBox Server can be configured to use no packet encryption (the Allow processing of unencrypted packets parameter); in that case packets are transmitted in clear text between the NAS and the TACACS+ server in both directions. This is insecure and must be used for debugging purposes only.
How shared secrets are stored depends on the server extension, since different extensions may require them in different forms. See the ICommonExtender interface description.
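The following is an added example, not code from ClearBox Server or XPerience Technologies, showing how the three points above fit together on the wire: the 12-byte TACACS+ header, the shared-secret body obfuscation (an MD5-derived pseudo-pad XORed over the body, as specified in the TACACS+ draft v1.78), why a secret in the wrong case fails to decrypt, and the server-side policy check that corresponds to "Allow processing of unencrypted packets". The header constants and the Authentication START layout are taken from the draft; the session id, secret, username, port and address are constructed sample values, and the function names are this example's own.

```python
"""Added example (not ClearBox Server code): TACACS+ header, shared-secret
body obfuscation and the unencrypted-packet policy check, per the TACACS+
draft v1.78 (draft-grant-tacacs-02)."""
import hashlib
import struct

# Header field values from the TACACS+ draft.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"                       # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)     # 12 bytes
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream from the draft: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenated, truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation is body XOR pseudo_pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes = None) -> bytes:
    """Serialize header + body. With no key the body goes out in clear text and
    TAC_PLUS_UNENCRYPTED_FLAG is set (the debug-only mode the guide warns about)."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = xor_body(body, session_id, key, VERSION, seq_no) if key else body
    header = struct.pack(HEADER_FMT, VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + payload


def parse_packet(data: bytes, key: bytes, allow_unencrypted: bool = False):
    """Server side: validate the header, enforce the unencrypted policy, return (type, body)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("unsupported major version")
    if ptype not in (TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT):
        raise ValueError("unknown packet type")
    payload = data[HEADER_LEN:]
    if len(payload) != length:
        raise ValueError("body length mismatch")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if not allow_unencrypted:            # "Allow processing of unencrypted packets" off
            raise ValueError("unencrypted packet rejected")
        return ptype, payload
    if key is None:                           # no secret for this client and no default
        raise ValueError("no shared secret configured for this client")
    return ptype, xor_body(payload, session_id, key, VERSION, seq_no)


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body: action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN."""
    TAC_PLUS_AUTHEN_LOGIN = TAC_PLUS_AUTHEN_TYPE_ASCII = TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


# Constructed sample values (not from the guide).
SESSION_ID = 0x1A2B3C4D
SECRET = b"s3cret"
START_BODY = authen_start_body(b"alice", b"tty1", b"192.0.2.10")


def demo() -> dict:
    """Round trip with the right key, the wrong-case key, and the clear-text policy."""
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID, START_BODY, SECRET)
    results = {"round_trip": parse_packet(pkt, SECRET)[1] == START_BODY}
    # Same letters in a different case are a different secret: the body stays garbled.
    results["wrong_case_garbled"] = parse_packet(pkt, b"S3CRET")[1] != START_BODY
    clear = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID, START_BODY)
    results["username_visible_in_clear"] = b"alice" in clear
    try:
        parse_packet(clear, SECRET)
        results["clear_rejected_by_default"] = False
    except ValueError:
        results["clear_rejected_by_default"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The XOR keystream depends only on the session id, the secret, the version and the sequence number, so a server configured with the wrong secret (or the same secret in a different case) simply obtains garbage rather than an error, which is why a mismatched secret usually shows up as failed authentications instead of a clear diagnostic. The clear-text packet shows the username directly in the bytes, which is what the "debug purposes only" caveat is about.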
© 2001-2003 XPerience Technologies. www.xperiencetech.com