3Com 10014303 User Manual

Chapter 2 Configuring TACACS+

TACACS+ works together with AAA to control PPP, VPDN, and login access to routers. Cisco ACS is the only server application that is supported.

Compared to RADIUS, TACACS+ offers more reliable transmission and stronger packet protection, and is therefore better suited to security control. The following table lists the primary differences between the TACACS+ and RADIUS protocols.

Table 2-1 Comparison between the TACACS+ protocol and the RADIUS protocol

| TACACS+ protocol | RADIUS protocol |
|---|---|
| Adopts TCP and hence can provide more reliable network transmission. | Adopts UDP. |
| Encrypts the entire main body of the packets except for the standard TACACS+ header. | Encrypts only the password field in the authentication packets. |
| Supports separate authentication and authorization. For example, you can use RADIUS for authentication but TACACS+ for authorization. If RADIUS is used for authentication before authorizing with TACACS+, RADIUS is responsible for confirming whether a user can be accepted, and TACACS+ is responsible for the authorization. | Processes authentication and authorization together. |
| Is well suited to security control. | Is well suited to accounting. |
| Supports authorization before the configuration commands on the router can be used. | Does not support authorization before configuration. |

In a typical TACACS+ application, a dial-up or terminal user needs to log in to the router to perform operations. Working as the TACACS+ client in this case, the router sends the user name and password to the TACACS+ server for authentication. After passing authentication and obtaining authorization, the user can log in to the router and perform operations, as shown in the following figure.

[Figure 2-2: a dial-up user and a terminal user reach the router over ISDN/PSTN; the router acts as the HWTACACS client and communicates with two HWTACACS servers at 129.7.66.66 and 129.7.66.67.]

Figure 2-2 Networking for a typical TACACS+ application
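The "encrypts the entire body" versus "encrypts only the password field" row of Table 2-1, and the router-to-server login exchange shown in the figure, in working code. This is an added example written for this page, not code from the manual or from 3Com; it follows the wire formats in RFC 8907 (TACACS+) and RFC 2865 (RADIUS), and the shared key, session id and Request Authenticator are constructed demo values. It builds the authentication START packet the router would send as TACACS+ client, shows the server side recovering the user name and password, and contrasts that with a RADIUS Access-Request, where User-Name stays readable and only User-Password is hidden.

```python
import hashlib
import struct

# Constructed demo values (not from the manual): the shared key both router
# and server are configured with, a TACACS+ session id, and a RADIUS
# Request Authenticator.
SHARED_KEY = b"example-shared-key"
DEMO_SESSION_ID = 0x12345678
DEMO_REQUEST_AUTHENTICATOR = bytes(range(16))

# TACACS+ header and authentication START constants (RFC 8907).
TAC_PLUS_VERSION = 0xC0            # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02    # password travels in the START body
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # service


def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad = MD5_1 | MD5_2 | ... where
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_tacacs_authen_start(user, password, port, rem_addr, session_id, key):
    """Authentication START (seq_no 1) as the router, acting as TACACS+ client,
    sends it: 12-byte header in the clear, everything after it obfuscated."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port),
                       len(rem_addr), len(password))
    body += user + port + rem_addr + password
    seq_no = 1
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no,
                         0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_tacacs_authen_start(packet, key):
    """Server side: read the clear header, de-obfuscate and decode the body."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = tacacs_obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    _action, priv_lvl, _atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "password": data, "priv_lvl": priv_lvl}


def radius_hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return out


def radius_reveal_password(hidden, secret, request_authenticator):
    """Server side of RFC 2865 section 5.2; trailing NUL padding is stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def cleartext_exposure(user, password):
    """Which login fields can a passive observer read in each protocol's packet?"""
    tac = build_tacacs_authen_start(user, password, b"tty0", b"10.0.0.5",
                                    DEMO_SESSION_ID, SHARED_KEY)
    hidden = radius_hide_password(password, SHARED_KEY, DEMO_REQUEST_AUTHENTICATOR)
    # RADIUS Access-Request attributes: User-Name (type 1) in the clear,
    # User-Password (type 2) hidden.
    rad = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return {"tacacs_user_visible": user in tac,
            "tacacs_password_visible": password in tac,
            "radius_user_visible": user in rad,
            "radius_password_visible": password in rad}


if __name__ == "__main__":
    print(cleartext_exposure(b"alice", b"s3cret"))
```

RFC 8907 itself describes the TACACS+ body protection as obfuscation rather than encryption: it is an MD5-derived keystream, so its confidentiality rests entirely on the shared key staying secret, which is the same caveat that applies to RADIUS User-Password hiding. The practical difference the table points at is scope: in TACACS+ the user name, port and remote address are covered as well, whereas a RADIUS Access-Request carries User-Name in the clear.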

3Com Router Configuration Guide Addendum for V1.20

17