Chapter 2 Configuring TACACS+
TACACS+ is used together with AAA to control PPP, VPDN, and login access to the router.
Cisco ACS is the only TACACS+ server application software that is supported.
Compared with RADIUS, TACACS+ provides more reliable transport and encrypts more of each
packet, which makes it better suited to security control. The following table lists the
primary differences between the TACACS+ and RADIUS protocols.
Table 2-1 Comparison between the TACACS+ protocol and the RADIUS protocol

TACACS+ protocol                                         RADIUS protocol
-------------------------------------------------------  -------------------------------------------
Uses TCP, so network transmission is more reliable.      Uses UDP.

Encrypts the entire packet body; only the standard       Encrypts only the password field in
TACACS+ header is sent in the clear.                     authentication packets.

Supports separate authentication and authorization.      Processes authentication and authorization
For example, RADIUS can be used for authentication and   together.
TACACS+ for authorization: RADIUS then decides whether
the user is accepted, and TACACS+ decides what the
user is authorized to do.

Is well suited to security control.                      Is well suited to accounting.

Supports authorizing configuration commands before       Does not support authorization before
they can be executed on the router.                      configuration.
In a typical TACACS+ application, a dial-up or terminal user needs to log in to the router
to operate it. The router acts as the TACACS+ client: it sends the user name and password
to the TACACS+ server for authentication. Once the user has been authenticated and
authorized, the user can log in to the router and perform operations, as shown in the
following figure.
[Figure 2-2: a router acting as HWTACACS client, reached by a dial-up user and a terminal
user over ISDN/PSTN, and two HWTACACS servers at 129.7.66.66 and 129.7.66.67]
Figure 2-2 Networking for a typical TACACS+ application
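The exchange described above, the router sending a user name and password to the TACACS+ server and receiving a PASS or FAIL verdict, as an added worked example that is not part of the 3Com guide or of any 3Com or Cisco software. It follows the TACACS+ wire format from RFC 8907 (12-byte cleartext header, body XORed with a chained-MD5 pad derived from the shared key, session ID, version and sequence number), performs one PAP authentication START/REPLY round trip over an in-memory "wire" instead of a TCP socket, and uses a constructed server-side user table (`USERS`), a constructed shared key and the port name `tty0`; these are assumptions for the example only. It also makes the comparison table's "encrypts the body, not the header" point concrete: the session ID and length are readable on the wire, the credentials are not. One caveat a practitioner should keep in mind: what the table calls encryption is the MD5-keystream obfuscation of RFC 8907, which carries no integrity protection and depends entirely on the strength of the shared key, so the TACACS+ servers still belong on a protected management network.

```python
"""Minimal TACACS+ (RFC 8907) PAP authentication round trip between a router
(client) and a server, with body obfuscation applied after the 12-byte header."""
import hashlib
import hmac
import os
import struct

TAC_PLUS_VERSION_PAP = 0xC1      # major version 0xC, minor 1 (required for PAP/CHAP)
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01 # header flag: body sent in the clear

TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02

HEADER_FMT = "!BBBBII"           # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Constructed server-side user database (assumption for this example only).
USERS = {b"admin": b"s3cret"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it a second time restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    """Cleartext header followed by the obfuscated body."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION_PAP, ptype, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION_PAP, seq_no)


def parse_packet(packet, key):
    """Return (type, seq_no, session_id, plaintext body); reject truncated packets."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def build_authen_start_pap(user, password, port=b"tty0", rem_addr=b""):
    """Authentication START body; for PAP the password travels in the data field."""
    return struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port),
                       len(rem_addr), len(password)) + user + port + rem_addr + password


def parse_authen_start(body):
    _action, _priv, authen_type, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ul, pl, rl, dl):           # user, port, rem_addr, data in that order
        fields.append(body[off:off + n])
        off += n
    user, _port, _rem_addr, data = fields
    return authen_type, user, data


def build_authen_reply(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_authen_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


def server_handle(packet, key):
    """Server side: verify the PAP credentials and answer PASS or FAIL."""
    ptype, seq_no, session_id, body = parse_packet(packet, key)
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("expected an authentication START (seq_no 1)")
    authen_type, user, password = parse_authen_start(body)
    ok = (user in USERS and authen_type == TAC_PLUS_AUTHEN_TYPE_PAP
          and hmac.compare_digest(USERS[user], password))   # constant-time compare
    status = TAC_PLUS_AUTHEN_STATUS_PASS if ok else TAC_PLUS_AUTHEN_STATUS_FAIL
    return build_packet(TAC_PLUS_AUTHEN, seq_no + 1, session_id,
                        build_authen_reply(status, b"" if ok else b"Login failed"), key)


def authenticate(user, password, key, session_id=None):
    """Client (router) side: one START/REPLY exchange over an in-memory 'wire'."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")
    start = build_packet(TAC_PLUS_AUTHEN, 1, session_id,
                         build_authen_start_pap(user, password), key)
    _ptype, _seq, _sid, body = parse_packet(server_handle(start, key), key)
    status, _msg = parse_authen_reply(body)
    return status == TAC_PLUS_AUTHEN_STATUS_PASS


if __name__ == "__main__":
    key = b"shared-secret"       # constructed shared key (assumption)
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD,
                       build_authen_start_pap(b"admin", b"s3cret"), key)
    print("password visible on the wire:", b"s3cret" in pkt)
    print("admin/s3cret ->", authenticate(b"admin", b"s3cret", key))
    print("admin/wrong  ->", authenticate(b"admin", b"wrong", key))
```

Running the block shows the password absent from the captured packet and a PASS only for the matching credentials. Decoding the same packet with a different key yields garbage rather than an error, which is exactly how a key mismatch between router and server shows up in practice: the server sees an unparseable START and the router sees a reply it cannot interpret.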
3Com Router Configuration Guide Addendum for V1.20
17