Security Protocol - TACACS+
Cisco has also developed Cisco Secure Access Control Server (CSACS), a flexible family of security servers that supports both RADIUS and TACACS+. You can even run debugging commands on the Cisco Secure ACS software. In UNIX, you can modify files, such as syslog.conf and csu.cfg, to change the output to your screen.
For more details on how to debug on a UNIX server, see www.cisco.com/warp/public/480/cssample2x.html#debug.
TACACS+ has the following features:
• TCP packets (port 49) ensure that data is sent reliably across the IP network.
• Supports AAA architectures and, in fact, separates each of the three mechanisms (authentication, authorization, and accounting).
• The data between the user and server is encrypted.
• Supports both PAP/CHAP and multiprotocols, such as IPX and X.25.
• Access lists can be defined on a user basis.
When a TACACS+ server authenticates a remote user, the following events occur:
1. When the connection is established, the NAS contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user. The user enters a username, and the NAS then contacts the TACACS+ daemon to obtain a password prompt. The NAS displays the password prompt to the user, the user enters a password, and the password is sent to the TACACS+ daemon.
2. The NAS eventually receives one of the following responses from the TACACS+ daemon:
• ACCEPT—The user is authenticated and service can begin. If the NAS is configured to require authorization, authorization will begin at this time.
• REJECT—The user has failed to authenticate. The user can be denied further access or will be prompted to retry the login sequence, depending on the TACACS+ daemon.
• ERROR—An error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the NAS typically tries to use an alternative method for authenticating the user.
• CONTINUE—The user is prompted for additional authentication information.
3. A PAP login is similar to an ASCII login, except that the username and password arrive at the NAS in a PAP protocol packet instead of being typed in by the user, so the user is not prompted. PPP CHAP logins are also similar, in principle.
4. Following authentication, the user is required to undergo an additional authorization phase, if authorization has been enabled on the NAS. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.
5. If TACACS+ authorization is required, the TACACS+ daemon is again contacted and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response will contain data in the form of attributes used to direct the EXEC or NETWORK session for that user, determining services that the user can access.
Services include the following:
• Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
• Connection parameters, including the host or client IP address, access list, and user timeouts
The TACACS+ authorization process is defined as the packet flow between the NAS and the TACACS+ server. The packets exchanged between the NAS and server contain attribute-value pairs (AV pairs). The NAS sends Start packets and the TACACS+ server responds with Response packets. The server can permit, deny, or modify commands requested by the end user. For example, the server's data store (the local file that holds the full list of username/password pairs) also defines which commands each end user is permitted to run.
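The feature list above says the data between NAS and daemon is encrypted, and the flow describes START packets answered with ACCEPT, REJECT, ERROR or CONTINUE. The following Python is an added example, not code from the book or from Cisco, showing what that looks like on the wire as defined in RFC 8907: the 12-byte header, the authentication START body, and the body protection, which the RFC itself calls obfuscation (a chained-MD5 pad derived from the shared key, XORed over the body). The session id, key, username and server reply are constructed values, and the ACCEPT/REJECT/ERROR/CONTINUE names are this section's vocabulary mapped onto the RFC status codes.

```python
"""TACACS+ (RFC 8907) packet framing and body obfuscation.

Added example for this section; it is not code from the book or from Cisco.
The session id, shared key, username and server reply below are constructed.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC            # version byte = major << 4 | minor
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear

# Authentication START fields (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01        # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01   # authen_type (PAP is 0x02, CHAP 0x03)
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01    # authen_service

# Authentication REPLY status values, mapped onto the vocabulary used in
# this section (ACCEPT / REJECT / ERROR / CONTINUE).
REPLY_STATUS = {
    0x01: "ACCEPT",     # TAC_PLUS_AUTHEN_STATUS_PASS
    0x02: "REJECT",     # TAC_PLUS_AUTHEN_STATUS_FAIL
    0x03: "CONTINUE",   # GETDATA: daemon wants more data
    0x04: "CONTINUE",   # GETUSER: daemon wants the username
    0x05: "CONTINUE",   # GETPASS: daemon wants the password
    0x07: "ERROR",      # TAC_PLUS_AUTHEN_STATUS_ERROR
}

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 pad of RFC 8907 section 5.2, truncated to the body length.

    MD5_1 = MD5(session_id | key | version | seq_no)
    MD5_n = MD5(session_id | key | version | seq_no | MD5_(n-1))
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad. The same call also reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack_packet(ptype, seq_no, session_id, body, key, minor_version=0):
    """Prepend the 12-byte header; obfuscate the body unless no key is set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_version
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire_body = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + wire_body


def unpack_packet(raw, key):
    """Parse the header and recover the body; a mismatched key yields garbage, not an error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}


def build_authen_start(user, port=b"tty0", rem_addr=b"", data=b"", priv_lvl=1):
    """Body of the first packet the NAS sends (ASCII login; no password yet)."""
    return (bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def parse_authen_reply(body):
    """Return (status name, server_msg) from an authentication REPLY body."""
    status, _flags, msg_len, _data_len = struct.unpack_from("!BBHH", body)
    server_msg = body[6:6 + msg_len]
    return REPLY_STATUS.get(status, "OTHER"), server_msg


if __name__ == "__main__":
    key = b"cciesarecool"            # shared key from the PPP example in this section
    sid = 0x1234ABCD                 # constructed session id
    start = build_authen_start(b"alice")
    wire = pack_packet(TAC_PLUS_AUTHEN, 1, sid, start, key)
    print("body on the wire:", wire[12:].hex())
    print("daemon with matching key sees:", unpack_packet(wire, key)["body"])
    print("daemon with mismatched key sees:", unpack_packet(wire, b"guess")["body"])
```

The last two prints show why the key must match on both ends: a mismatched key does not produce a protocol error, it produces an unreadable body, which the receiver can only reject. Note also that the protection is a key-derived XOR pad with no integrity check, so the shared key, the TCP session on port 49 and the management network carrying it deserve the same care as any credential-bearing channel.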
TACACS+ Configuration Task List
To configure your router to support TACACS+, you must perform the following tasks:
Step 1 Use the aaa new-model global configuration command to enable AAA, which must be configured if you plan to use TACACS+. For more information about using the aaa new-model command, refer to the link, www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt1/index.htm.
Step 2 Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons. The command is as follows:
tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
Step 3 Use the tacacs-server key command to specify an encryption key to encrypt all exchanges between the network access server and the TACACS+ daemon. This same key must also be configured on the TACACS+ daemon. The actual command is as follows:
tacacs-server key key
The key should match the one used on the TACACS+ daemon.
Step 4 Use the aaa authentication global configuration command to define method lists that use TACACS+ for authentication.
Step 5 Use line and interface commands to apply the defined method lists to various interfaces.
Step 6 To enable authorization, use the aaa authorization global command to configure authorization for the NAS. Unlike authentication, which can be configured per line or per interface, authorization is configured globally for the entire NAS.
Step 7 To enable accounting for TACACS+ connections, use the aaa accounting command. Related configuration tasks include the following:
• Configuring AAA server groups (Optional)
• Configuring AAA server group selection based on DNIS (Optional)
• Specifying TACACS+ authentication (Required)
• Specifying TACACS+ authorization (Optional)
• Specifying TACACS+ accounting (Optional)
TACACS+ Authentication for PPP Example
aaa new-model
aaa authentication ppp CCIE group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key cciesarecool
interface serial 0
ppp authentication chap pap CCIE
Description:
• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, CCIE, to be used on serial interfaces running PPP. The keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS. Note that the local database is not used if a REJECT response is received from the security server.
• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 10.1.2.3. The tacacs-server key command defines the shared encryption key as cciesarecool.
• The interface command selects the line, and the ppp authentication command applies the CCIE method list to this line.
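The ERROR-versus-REJECT rule in the description above is the part of a method list that is easiest to get wrong when reasoning about fallback: the local database is a backup for an unreachable daemon, not a second chance after a failed password. The Python below is an added model of that evaluation order, not IOS code and not from the book. The daemon, its user list and the NAS local database are constructed stand-ins; the `if_needed` parameter models the keyword of the same name used in the later examples, and the choice to deny when every method returns ERROR is an assumption of this model.

```python
"""Model of how a method list such as `group tacacs+ local` is walked.

Added example for this section; it is not IOS code or code from the book.
The TACACS+ daemon, its user list and the NAS local database are constructed
stand-ins. Assumption: exhausting the list without a decision denies access.
"""
ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"

# Constructed NAS local database (what `username ... password ...` would hold).
LOCAL_USERS = {"admin": "local-pw"}

# Constructed user list held by the TACACS+ daemon.
SERVER_USERS = {"admin": "server-pw"}


def local_method(user, password):
    """The `local` method: consult the NAS's own user database."""
    return ACCEPT if LOCAL_USERS.get(user) == password else REJECT


def make_tacacs_method(server_users, reachable=True):
    """The `group tacacs+` method. An unreachable daemon surfaces as ERROR,
    a bad password as REJECT."""
    def method(user, password):
        if not reachable:
            return ERROR
        return ACCEPT if server_users.get(user) == password else REJECT
    return method


def authenticate(method_list, user, password, already_authenticated=False,
                 if_needed=False):
    """Evaluate the methods in order and return (decision, trace).

    Only ERROR falls through to the next method; ACCEPT and REJECT are final,
    so a REJECT from TACACS+ never reaches the local database. `if_needed`
    models the keyword of the same name: a user who already completed the
    ASCII login is not authenticated again."""
    if if_needed and already_authenticated:
        return ACCEPT, [("if-needed", ACCEPT)]
    trace = []
    for name, method in method_list:
        result = method(user, password)
        trace.append((name, result))
        if result in (ACCEPT, REJECT):
            return result, trace
    return REJECT, trace   # every method errored: deny (assumption, see above)


def method_list_ccie(reachable=True):
    """`aaa authentication ppp CCIE group tacacs+ local` from the example."""
    return [("group tacacs+", make_tacacs_method(SERVER_USERS, reachable)),
            ("local", local_method)]


if __name__ == "__main__":
    # Daemon up, password matches only the local database: TACACS+ answers
    # REJECT and the list stops there; the local entry is never consulted.
    print(authenticate(method_list_ccie(True), "admin", "local-pw"))
    # Daemon unreachable: ERROR, so the local database is consulted and accepts.
    print(authenticate(method_list_ccie(False), "admin", "local-pw"))
```

The trace returned with each decision is the useful part when auditing a configuration: it shows which method actually decided, which is what you would want to confirm in the NAS's AAA debug output when a local password unexpectedly works (daemon unreachable) or unexpectedly does not (daemon reachable and rejecting).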
Authorization and TACACS+ Example
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization network default group tacacs+
tacacs-server host 3.3.3.3
tacacs-server key simoniscool
interface serial 0
ppp authentication default
Description:
• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, default, to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated by going through the ASCII login procedure, PPP authentication is not necessary and can be skipped. If authentication is needed, the keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.
• The aaa authorization command configures network authorization via TACACS+.
• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 3.3.3.3.
• The tacacs-server key command defines the shared encryption key as simoniscool.
• The interface command selects the line, and the ppp authentication command applies the default method list to this line.
Accounting Example
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa accounting network default stop-only group tacacs+
tacacs-server host 3.3.3.3
tacacs-server key andrewiscool
interface serial 0
ppp authentication default
Description:
• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, default, to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated through the ASCII login procedure, PPP authentication is not necessary. If authentication is needed, the keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.
• The aaa accounting command configures network accounting through TACACS+. In this example, accounting is stop-only, meaning that a record for the session that just terminated is sent to the TACACS+ daemon whenever a network connection terminates.
• The interface command selects the line, and the ppp authentication command applies the default method list to this line.
NOTE You can define a group of TACACS+ servers by defining each server with the IOS command tacacs-server host <ip address of server>. For example, to define six servers you would use the IOS configuration:
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2