Terminal Access Controller Access-Control System (TACACS, /ˈtækæks/) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks; it spawned related protocols:
- Extended TACACS (XTACACS) is a proprietary extension to TACACS introduced by Cisco Systems in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both allow a remote access server to communicate with an authentication server in order to determine if the user has access to the network.
- Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ has largely replaced its predecessors.
TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes.
TACACS+ is a remote authentication protocol that allows a remote access server to communicate with an authentication server to validate user access to the network. TACACS+ allows a client to accept a username and password and pass a query to a TACACS+ authentication server. Login to ITNCM - Base is authenticated using the TACACS+ server instead of locally.
There are significant benefits to be achieved from the implementation of external authentication:
- Improved Security — login authentication is more secure, as ITNCM - Base user passwords are not held in a local database; instead they are managed and stored on a remote machine.
- Central Storage of Passwords — leverage the existing password-checking infrastructure. No need to duplicate accounts.
- Password Ageing — TACACS+ caters for password ageing, and notifies the user when the account has expired, and when it is about to expire.
- Configuring the TACACS server
The TACACS server must first be configured on a different machine than the server running ITNCM - Base.
- Error messages
There are error messages associated with TACACS+ authentication.
- AUTH.XML
The auth.xml file is configurable and should be used to adjust settings for the TACACS server being used. For TACACS authentication, the information within the <tacacsPlus> and <backupTacacsServer> XML tags MUST be configured to set the TACACS server name, password, port number, client name, client port and authorization type.
- TACACS/TACACS+ Terminology
- Client - The client is any device (often a Network Access Server) that provides access services.
- Server - The server receives TACACS+ protocol requests, and replies according to its business model.
- TACACS/TACACS+ Authentication - TACACS Authentication is the action of determining who a user (or entity) is. Authentication can take many forms. Traditional authentication utilizes a name and a fixed password. However, fixed passwords have limitations, mainly in the area of security. Many modern authentication mechanisms utilize "one-time" passwords or challenge-response query. TACACS+ is designed to support all of these, and be powerful enough to handle any future mechanisms. Authentication generally takes place when the user first logs in to a machine or requests a service of it.
- TACACS/TACACS+ Authorization - Authorization is the action of determining what a user is allowed to do. Generally authentication precedes authorization, but again, this is not required. An authorization request may indicate that the user is not authenticated (we don't know who they are). TACACS+ authorization does not merely provide yes or no answers, but it may also customize the service for the particular user. The TACACS+ server might respond to these requests by allowing the service, but placing a time restriction on the login shell, or by requiring IP access lists on the PPP connection.
- TACACS/TACACS+ Accounting - Accounting is typically the third action after authentication and authorization. But again, neither authentication nor authorization is required. Accounting is the action of recording what a user is doing, and/or has done. TACACS+ Accounting can serve two purposes: It may be used as an auditing tool for security services. It may also be used to account for services used, such as in a billing environment.
- Authentication Flow
There are three types of packets exchanged in the TACACS+ authentication flow:
1. START
2. REPLY
3. CONTINUE
- First the client sends the START packet to the TACACS+ server. Every packet sent in either direction consists of a 12-byte packet header followed by a packet body whose layout depends on the packet type. The START packet body consists of fields such as action, privilege level, authentication type, port, user, remote address and data.
- The server responds with a REPLY packet. The packet consists of either a request for more information (GETDATA, GETUSER or GETPASS) or a termination (PASS or FAIL). When the REPLY status equals TAC_PLUS_AUTHEN_STATUS_GETDATA, TAC_PLUS_AUTHEN_STATUS_GETUSER or TAC_PLUS_AUTHEN_STATUS_GETPASS, authentication continues and the server SHOULD provide server_msg content for the client to prompt the user for more information.
- The client MUST then return a CONTINUE packet containing the requested information in the user_msg field. All three status values cause the same action to be performed, but TAC_PLUS_AUTHEN_STATUS_GETUSER indicates to the client that the user response will be interpreted as a username, and TAC_PLUS_AUTHEN_STATUS_GETPASS that the user response will be interpreted as a password.
- After receiving all the required information, the server finishes the authentication with a final REPLY packet whose status is PASS or FAIL.
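A worked example of the START packet described above, added here and not part of the original page: it packs a client START (12-byte header plus body) as laid out in RFC 8907, obfuscates the body with the shared key using the chained-MD5 pseudo-pad, and parses it back, flagging the TAC_PLUS_UNENCRYPTED_FLAG (cleartext body) that a defender would want to alert on. The user, port, address and demo key are constructed, and the authen_service body field comes from the RFC rather than the field list above.

```python
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 0x01              # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in cleartext (no obfuscation)

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call reverses it."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))

def build_authen_start(session_id, key, user, port, rem_addr, action=1, priv_lvl=1,
                       authen_type=1, service=1, version=0xC0):
    """Client START: 12-byte header, then 8 fixed body bytes and 4 variable-length fields."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), b""]   # data is empty for ASCII login
    body = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                       *(len(f) for f in fields)) + b"".join(fields)
    hdr = HEADER.pack(version, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))   # seq_no 1, flags 0
    return hdr + obfuscate(body, session_id, key, version, 1)

def parse_authen_start(raw, key):
    """Parse a START packet as captured on the wire; rejects inconsistent lengths."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)  # struct.error if short
    body = raw[HEADER.size:]
    if len(body) != length or ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not a well-formed authentication START")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)   # credentials on the wire: worth alerting on
    if not cleartext:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, *lens = struct.unpack_from("!8B", body)
    if 8 + sum(lens) != length:
        raise ValueError("START field lengths do not match packet length")
    offsets = [8 + sum(lens[:i]) for i in range(5)]      # field boundaries after the fixed part
    user, port, rem_addr = (body[offsets[i]:offsets[i + 1]] for i in range(3))
    return {"session_id": session_id, "cleartext": cleartext, "action": action,
            "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode()}

# constructed sample: a login START for user "alice" on a console line, obfuscated with a demo key
SAMPLE_KEY = b"demo-shared-key"
SAMPLE_PACKET = build_authen_start(0x1A2B3C4D, SAMPLE_KEY, "alice", "tty0", "10.0.0.5")
```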
- Authorization Flow
There are two types of packets exchanged in the TACACS+ authorization flow, a REQUEST and a RESPONSE:
- TACACS+ protocol provides an extensible way of providing remote authorization services. An authorization session is defined as a single pair of messages, a REQUEST followed by a RESPONSE.
- The authorization REQUEST message contains a fixed set of fields that indicate how the user was authenticated or processed and a variable set of arguments that describe the services and options for which authorization is requested.
- The RESPONSE contains a variable set of response arguments (attribute-value pairs) that can restrict or modify the client's actions.
- The arguments in both a REQUEST and a RESPONSE can be specified as either mandatory or optional. An optional argument is one that may or may not be used, modified or even understood by the recipient.
- Accounting Flow
There are two types of packets exchanged in the TACACS+ accounting flow, a request and its response:
- TACACS+ accounting is very similar to authorization. The packet format is also similar. There is a fixed portion and an extensible portion. The extensible portion uses all the same attribute-value pairs that authorization uses, and adds several more.
- The extra field in the request packet body is the 'flags' field, whose value may be START (0x02), STOP (0x04) or WATCHDOG (0x08).
- The response to an accounting message indicates that the accounting function on the server has completed. The server will reply with success only when the record has been committed to the required level of security, relieving the client of the burden of providing any further form of accounting.
references:
https://en.wikipedia.org/wiki/TACACS