Cisco Systems OL-24201-01 manual Access Protocols-TACACS+ and Radius, Overview of TACACS+

Appendix A AAA Protocols

Access Protocols—TACACS+ and RADIUS

Access Protocols—TACACS+ and RADIUS

This section contains the following topics:

•Overview of TACACS+, page A-5

•Overview of RADIUS, page A-6

ACS 5.3 can use the TACACS+ and RADIUS access protocols. Table A-1compares the two protocols.

Overview of TACACS+

TACACS+ must be used if the network device is a Cisco device-management application, access server, router, or firewall. ACS 5.3 supports Cisco device-management applications by providing command authorization for network users who are using the management application to configure managed network devices.

You provide support for command authorization for management application users by using unique command sets for each management application that is configured to use ACS for authorization.

ACS 5.3 uses TACACS+ to communicate with management applications. For a management application to communicate with ACS, you must configure the management application in ACS 5.3 as a AAA client that uses TACACS+.

You must also provide the device-management application with a valid administrator name and password. When a management application initially communicates with ACS, these requirements ensure the validity of the communication.

Except for the packet-headers, all information that the client and TACACS+ server communicate, which is contained in the packet-bodies are encrypted through the use of a shared secret (which is, itself, not sent over the network directly).

Additionally, the administrator that the management application uses must have the Command Set privilege enabled.

User Guide for Cisco Secure Access Control System 5.3