ClearBox Server™ v1.2 User's Guide

TACACS+ Concepts

TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol developed by Cisco Systems. It differs substantially from TACACS and XTACACS, earlier versions of the protocol that are now obsolete.

TACACS+ is a method of information exchange between a device that provides network access to users (the "TACACS+ client") and a device that holds authentication information for those users (the "TACACS+ server"). TACACS+ is based on the AAA model: authentication, authorization and accounting.

The TACACS+-based remote access environment has three major components: the Access Client, the Network Access Server, and the TACACS+ Server.

The Access Client may be a person dialing into a Service Provider network to connect to various Internet sites (the traditional User role). Alternatively, the Access Client may be a device; it may be an ISDN router or a dial-on-demand router that provides network access to multiple Users at a small office/home office.

A Network Access Server (NAS) is a device, primarily Cisco network equipment, that recognizes and handles connection requests arriving from outside the network "edge". When the NAS receives a user's connection request, it may perform an initial access negotiation with the user (PPP or SLIP). This negotiation establishes certain data (username, password, NAS port number, and so on). The NAS then passes this data to the TACACS+ server and requests authentication.

The TACACS+ server authenticates the request and authorizes services over the connection. It does this by matching data from the NAS's request against entries in a well-known, trusted database.

The AAA security model, on which the TACACS+ protocol is based, draws a clear distinction between the three phases of network user access: Authentication, Authorization and Accounting. Each of these three phases can be enabled independently on the NAS, so what the NAS sends to the TACACS+ server depends entirely on the configuration of the NAS itself.

The TACACS+ server can accept the user's authentication or authorization request, or reject the user. Based on this response, the NAS decides whether to establish the user's connection ("accept user" or "accept packet") or terminate the connection attempt ("reject user" or "reject packet"). Finally, the NAS sends accounting data to the TACACS+ server to document the transaction.

These behaviors, together with the basic components described above, are similar to the corresponding RADIUS concepts.

TACACS+ Packets

A TACACS+ client and a TACACS+ server communicate by means of TACACS+ packets sent over TCP/IP networks. TACACS+ packets are formatted according to the conventions of The TACACS+ Protocol, Version 1.78 (Cisco's draft specification).

To configure ClearBox Server, the essential information you'll need about TACACS+ packets is the following:

  • They carry messages between the TACACS+ client and TACACS+ server.
  • They follow a request/response convention: The client sends a request and expects a response from the server. In some cases a "TACACS session" may consist of several requests and responses initiated by a single user.
  • Each packet supports a specific purpose: authentication, authorization or accounting.
  • Authorization and accounting packets may carry values called "attribute-value pairs".
  • The specific attributes found in each packet depend on the type of packet (authorization or accounting).

TACACS+ defines seven types of packets (or "messages"):

  • Authentication START: describes the type of authentication to be performed and may contain the username and some authentication data. The START packet is only ever sent as the first message in a TACACS+ authentication session.
  • Authentication REPLY: indicates whether the authentication is finished or should continue. If the REPLY indicates that authentication should continue, it also indicates what new information is requested.
  • Authentication CONTINUE: sent from the NAS to the server following receipt of a REPLY packet, possibly carrying the requested information.
  • Authorization REQUEST: contains a fixed set of fields that describe the authenticity of the user or process, and a variable set of arguments that describe the services and options for which authorization is requested.
  • Authorization RESPONSE: contains a variable set of response arguments (attribute-value pairs) which can restrict or modify the client's actions.
  • Accounting REQUEST: conveys information used to provide accounting for a service provided to a user.
  • Accounting REPLY: indicates that the accounting function on the server has completed and securely committed the record.

TACACS+ Secrets

The TACACS+ "shared secret" is used to encrypt and decrypt TACACS+ packets exchanged between two devices. The shared secret may be any alphanumeric string, and each shared secret must be configured identically on both the client and the server side. ClearBox Server can be configured with one default shared secret that is used whenever no specific secret is found for a given host (set Default client secret key and turn Require client secret key off).

IMPORTANT: Use caution. Upper- and lowercase letters make a difference!

ClearBox Server can be configured to accept packets without encryption (the Allow processing of unencrypted packets parameter); in that case packets, including any authentication data they carry, travel in clear text between the NAS and the TACACS+ server. This is insecure and should be enabled for debugging purposes only.

How shared secrets are stored depends on the server extension, since different extensions may need them in different forms. See the ICommonExtender interface description.
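To make the packet layout from the previous section and the role of the shared secret concrete, here is an added example in Python. It is not part of the ClearBox Server documentation or product: it encodes an Authentication START packet as a NAS would, applies the specification's MD5-based body obfuscation with a shared secret, and decodes it again as the server would, refusing packets that carry the unencrypted flag unless that is explicitly allowed (the counterpart of the Allow processing of unencrypted packets setting). The header and body field values come from the TACACS+ specification; the function names, the sample secret and the fixed session id are assumptions made for the example.

```python
import hashlib
import struct

# Protocol constants from the TACACS+ specification (Cisco draft / RFC 8907).
# These are the protocol's own values, not ClearBox Server settings.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_VERSION = TAC_PLUS_MAJOR_VER << 4          # 0xC0: major 12, minor 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03   # header "type"
TAC_PLUS_UNENCRYPTED_FLAG = 0x01                    # header "flags" bit
HEADER_FMT = "!BBBBII"      # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)            # 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5-chained keystream: MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo_pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, data,
                       action=0x01, priv_lvl=0x01, authen_type=0x01, service=0x01):
    """Authentication START body; defaults mean action LOGIN, ASCII type, service LOGIN."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def parse_authen_start(body):
    """Decode a START body back into its fields, checking the declared lengths."""
    if len(body) < 8:
        raise ValueError("START body too short")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("START field lengths do not match body length")
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


def encode_packet(ptype, seq_no, session_id, body, key, unencrypted=False):
    """Prepend the 12-byte header; obfuscate the body unless the unencrypted flag is set."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    payload = body if unencrypted else obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + payload


def decode_packet(raw, key, allow_unencrypted=False):
    """Validate the header and recover the body. Clear-text packets are refused
    by default, like a server that requires encryption from every client."""
    if len(raw) < HEADER_LEN:
        raise ValueError("packet shorter than header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("unsupported TACACS+ major version")
    if len(raw) != HEADER_LEN + length:
        raise ValueError("header length field does not match packet size")
    payload = raw[HEADER_LEN:]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if not allow_unencrypted:
            raise ValueError("unencrypted packet refused")
        body = payload
    else:
        body = obfuscate(payload, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "flags": flags, "body": body}


# Constructed sample values for the example; a real client draws a fresh random session_id.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_SESSION_ID = 0x1A2B3C4D


def roundtrip_demo(key=SAMPLE_SECRET):
    """Encode a START packet as the NAS, decode it as the server, return the parsed fields."""
    body = build_authen_start("alice", "tty1", "192.0.2.10", b"")
    raw = encode_packet(TAC_PLUS_AUTHEN, 1, SAMPLE_SESSION_ID, body, SAMPLE_SECRET)
    return parse_authen_start(decode_packet(raw, key)["body"])


if __name__ == "__main__":
    print(roundtrip_demo())
```

Two points the code makes visible: the header length field is the length of the body before obfuscation, which the receiver must check against the bytes actually received, and a wrong shared secret does not cause a decoding error by itself, it simply yields an unparseable body, which is why a mismatch between client and server secrets typically shows up as length-validation failures rather than an explicit "bad key" message.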

See also

Authentication, Authorization and Accounting concepts.


© 2001-2003 XPerience Technologies. www.xperiencetech.com
