Wednesday, March 24, 2021

RADIUS, TACAS+ and DIAMETER

The standard way to control administrative users' access to network equipment is the Cisco Authentication, Authorization, and Accounting framework, known as AAA. Authentication determines who the user is, authorization determines what the user is allowed to do, and accounting keeps track of what the user actually did on the equipment. AAA acts as a centralized system for all three functions.

The access control system (ACS) and the AAA framework generally work with two protocols, RADIUS and TACACS+. Both RADIUS and TACACS+ are known as access control protocols.

RADIUS

Remote Access Dial In User Service (RADIUS) is an open-standard AAA protocol created by the IETF (Internet Engineering Task Force) and is used for communication between an AAA client and the ACS server. When either the client or the server comes from another vendor/OEM (other than Cisco), RADIUS is the protocol used. RADIUS servers are available for every major operating system from both freeware and commercial sources, and a RADIUS client comes standard on NAS products from every major vendor. RADIUS has eight standard transaction types: access-request, access-accept, access-reject, accounting-request, accounting-response, access-challenge, status-server, and status-client. by decrypting a NAS access-request packet, authenticating the NAS

  • It uses UDP as its transport protocol.
  • It works on port number 1812 for authentication and authorization and port number 1813 for accounting.
  • It does not come with multi-protocol support.
  • RADIUS is used for network access.
  • RADIUS is limited to privileged mode.
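As an added example (not code from the original post), the following Python models the RADIUS exchange between a NAS and an ACS server over UDP: the packet layout (code, identifier, length, 16-byte authenticator, TLV attributes), the eight packet codes listed above, the RFC 2865 User-Password hiding that keys the password to the shared secret and the Request Authenticator, the Message-Authenticator HMAC (RFC 2869) the server checks before it trusts a request, and the Response Authenticator the NAS checks on the Access-Accept. All secrets, usernames, addresses and the user table are constructed sample values; `server_respond` is a toy ACS, not any vendor's implementation.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865/2866): the eight transaction types listed above.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
         12: "Status-Server", 13: "Status-Client"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length including header (1 byte), value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk), seeded by the authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + c, c
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the server needs the same secret and the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00").decode()

def build_access_request(identifier, username, password, nas_ip, secret, req_auth=None):
    """NAS side: hide the password and sign the datagram with Message-Authenticator (RFC 2869)."""
    req_auth = req_auth or os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password, secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # zeroed while the HMAC is computed
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # it is the last attribute

def radius_parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("length field does not match datagram")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def verify_message_authenticator(pkt, secret):
    """Server side: proves the NAS holds the shared secret before any user lookup happens."""
    _, _, _, attrs = radius_parse(pkt)
    received, zeroed = None, []
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            received, v = v, b"\x00" * 16
        zeroed.append((t, v))
    if received is None:
        return False
    expected = hmac.new(secret, pkt[:20] + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def build_response(code, ident, req_auth, secret, attrs_bytes=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return head + hashlib.md5(head + req_auth + attrs_bytes + secret).digest() + attrs_bytes

def verify_response(resp, req_auth, secret):
    """NAS side: discard Access-Accepts that were not produced by the holder of the secret."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)

def server_respond(request, secret, users):
    """Toy ACS (constructed for this example): authenticate the NAS, then reveal and check the password."""
    if not verify_message_authenticator(request, secret):
        return None  # RFC 2865: requests that fail the shared-secret check are silently discarded
    code, ident, req_auth, attrs = radius_parse(request)
    a = dict(attrs)
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and users.get(a.get(USER_NAME, b"").decode()) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)
```

Two things worth noticing when running it: the User-Name travels in clear text even though the password does not, and everything that protects the exchange is MD5 keyed with the shared secret, which is why the secret must be long and unique per NAS and why RADIUS is normally confined to a management network or wrapped in IPsec/TLS.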

TACACS+

Terminal Access Controller Access Control System (TACACS+) is a Cisco proprietary protocol used for authentication, authorization and accounting services between a Cisco client and the Cisco ACS server.

  • It uses TCP, port number 49, for transmission.
  • All authorization packets are encrypted between the client and ACS.
  • It offers multi-protocol support, such as X.25, NASI, NetBIOS, AppleTalk Remote Access, etc.
  • TACACS+ supports up to 15 privilege levels.

TACACS+ attributes are used for authentication and authorization. Some examples are given below:

ACL (EXEC authorization): contains an access-class number that is applied to a line.

ADDR (SLIP, PPP/IP authorization): specifies the IP address of the remote host. It is the address that should be assigned when a SLIP or PPP/IP connection is used.

CMD (EXEC authorization): uses an AV (attribute-value) pair to start an authorization request for an EXEC command.
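As an added example serving both the bullet list and the attribute list above (it is not code from the original post or from Cisco), the Python below builds a TACACS+ authorization REQUEST the way RFC 8907 lays it out: the 12-byte header that rides on TCP/49, the body obfuscation that hides the whole packet body behind an MD5 pseudo-pad derived from the shared key, and the AV pairs (such as `cmd=show`, or an optional `acl*10`) that carry attributes like ACL, ADDR and CMD. The key, session id, user, port and address are constructed sample values.

```python
import hashlib
import struct

# Header constants from RFC 8907 (the TACACS+ specification).
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# Fixed fields of an authorization REQUEST body.
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: pad = MD5(sid|key|ver|seq) || MD5(sid|key|ver|seq|prev) || ... truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it a second time restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def tacacs_build(ptype, seq_no, session_id, body, key):
    """12-byte header + body; the body is obfuscated whenever a key is configured."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags,
                       session_id, len(payload)) + payload

def tacacs_parse(pkt, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    if length != len(pkt) - 12:
        raise ValueError("header length does not match packet")
    body = pkt[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body

def encode_author_request(user, port, rem_addr, priv_lvl, args):
    """Authorization REQUEST body (RFC 8907 6.1); args are AV pairs such as b"cmd=show"."""
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)

def decode_author_request(body):
    _, priv_lvl, _, _, ul, pl, rl, n = struct.unpack("!8B", body[:8])
    arg_lens, off = body[8:8 + n], 8 + n
    fields = []
    for size in (ul, pl, rl, *arg_lens):   # variable-length fields follow in declared order
        fields.append(body[off:off + size])
        off += size
    user, port, rem_addr, *args = fields
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl, "args": args}

def parse_av_pair(arg):
    """'attr=value' is a mandatory pair, 'attr*value' an optional one (RFC 8907 8.1)."""
    s = arg.decode()
    for i, ch in enumerate(s):
        if ch in "=*":
            return s[:i], s[i + 1:], ch == "="
    raise ValueError("not an AV pair: %r" % s)
```

The contrast with RADIUS is visible in the parsed output: with a key configured, the username, the privilege level and every AV pair are hidden, whereas a packet built with an empty key sets TAC_PLUS_UNENCRYPTED_FLAG and ships the body in clear, which is why production deployments must always configure a key and should alert on that flag appearing on the wire.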

What is a privilege level?

Privileged mode (privileged level) allows users to view the system configuration, restart the system, and enter router configuration mode. Privileged level permits all commands that are available in user mode. Privileged level can be identified by the hash (#) prompt after the router name on the command line. A user changes from user mode to privileged mode by running the "enable" command.

DIAMETER protocol

DIAMETER is a highly extensible AAA framework capable of supporting a number of authentication, authorization, and accounting processes over multiple connections. The protocol is divided into two distinct parts: the Base Protocol and the Extensions. The DIAMETER Base Protocol defines the message format, transport, error reporting, and security services used by all DIAMETER extensions. DIAMETER Extensions are modules designed to conduct specific types of authentication, authorization, or accounting transactions (e.g., NAS, Mobile-IP, ROAMOPS, and EAP). ROAMOPS stands for Roaming Operations. DIAMETER is built upon the RADIUS protocol.
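To make the Base Protocol's message format concrete, here is an added Python example (not code from the original post or from any DIAMETER implementation) that encodes and decodes the 20-byte DIAMETER header and its AVPs as RFC 6733 defines them, and then plays a toy server peer answering a Capabilities-Exchange-Request. It also shows one piece of the base protocol's error reporting: an AVP the peer does not understand but whose M (mandatory) bit is set gets DIAMETER_AVP_UNSUPPORTED with a Failed-AVP, not a silent pass. Host names, realms, identifiers and the tiny set of "known" AVPs are constructed for the example; a real peer understands far more AVPs than the four listed here.

```python
import struct

# Command flags and AVP flags from RFC 6733 (Diameter Base Protocol).
FLAG_REQUEST, FLAG_PROXIABLE, FLAG_ERROR = 0x80, 0x40, 0x20
AVP_VENDOR, AVP_MANDATORY = 0x80, 0x40
CMD_CAPABILITIES_EXCHANGE = 257          # CER and CEA share the code; the R bit tells them apart
ORIGIN_HOST, ORIGIN_REALM, RESULT_CODE, FAILED_AVP = 264, 296, 268, 279
DIAMETER_SUCCESS, DIAMETER_AVP_UNSUPPORTED = 2001, 5001
KNOWN_AVPS = {ORIGIN_HOST, ORIGIN_REALM, RESULT_CODE, FAILED_AVP}   # toy peer's vocabulary

def encode_avp(code, data, mandatory=True, vendor_id=None):
    """AVP = code(4) flags(1) length(3) [vendor-id(4)] data, padded to a 4-byte boundary."""
    flags = (AVP_MANDATORY if mandatory else 0) | (AVP_VENDOR if vendor_id is not None else 0)
    vend = struct.pack("!I", vendor_id) if vendor_id is not None else b""
    length = 8 + len(vend) + len(data)   # the length field excludes padding
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + vend + data + b"\x00" * (-len(data) % 4))

def decode_avps(data):
    avps, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", data[off:off + 5])
        length = int.from_bytes(data[off + 5:off + 8], "big")
        if length < 8 or off + length > len(data):
            raise ValueError("bad AVP length")
        body, vendor_id = off + 8, None
        if flags & AVP_VENDOR:
            vendor_id = struct.unpack("!I", data[body:body + 4])[0]
            body += 4
        avps.append({"code": code, "mandatory": bool(flags & AVP_MANDATORY),
                     "vendor_id": vendor_id, "data": data[body:off + length]})
        off += length + (-length % 4)     # skip the padding the length field omits
    return avps

def encode_message(command, request, app_id, hop_by_hop, end_to_end, avps, error=False):
    """Header = version(1) length(3) flags(1) command(3) app-id(4) hop-by-hop(4) end-to-end(4)."""
    body = b"".join(avps)
    flags = (FLAG_REQUEST if request else 0) | (FLAG_ERROR if error else 0)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, hop_by_hop, end_to_end)
            + body)

def decode_message(pkt):
    if len(pkt) < 20 or pkt[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    if int.from_bytes(pkt[1:4], "big") != len(pkt):
        raise ValueError("message length does not match")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", pkt[8:20])
    return {"command": int.from_bytes(pkt[5:8], "big"), "request": bool(pkt[4] & FLAG_REQUEST),
            "error": bool(pkt[4] & FLAG_ERROR), "app_id": app_id, "hop_by_hop": hop_by_hop,
            "end_to_end": end_to_end, "avps": decode_avps(pkt[20:])}

def answer_cer(request_pkt, my_host, my_realm):
    """Toy server peer (constructed): answer a CER with a CEA that echoes both identifiers.
    An unknown AVP carrying the M bit must be refused (RFC 6733 4.1), so the answer then
    carries DIAMETER_AVP_UNSUPPORTED plus a Failed-AVP naming the offender."""
    req = decode_message(request_pkt)
    if req["command"] != CMD_CAPABILITIES_EXCHANGE or not req["request"]:
        raise ValueError("expected a Capabilities-Exchange-Request")
    unknown = [a for a in req["avps"] if a["mandatory"] and a["code"] not in KNOWN_AVPS]
    result = DIAMETER_AVP_UNSUPPORTED if unknown else DIAMETER_SUCCESS
    avps = [encode_avp(RESULT_CODE, struct.pack("!I", result)),
            encode_avp(ORIGIN_HOST, my_host), encode_avp(ORIGIN_REALM, my_realm)]
    if unknown:   # Failed-AVP is a Grouped AVP wrapping the AVP that was rejected
        avps.append(encode_avp(FAILED_AVP, encode_avp(unknown[0]["code"], unknown[0]["data"])))
    return encode_message(CMD_CAPABILITIES_EXCHANGE, False, req["app_id"],
                          req["hop_by_hop"], req["end_to_end"], avps)

def result_code(pkt):
    """The Result-Code value of an answer, or None if the AVP is absent."""
    for avp in decode_message(pkt)["avps"]:
        if avp["code"] == RESULT_CODE:
            return struct.unpack("!I", avp["data"])[0]
    return None
```

Compared with the RADIUS packet shown earlier, note what the DIAMETER header buys: a 24-bit length (RADIUS stops at 4096 bytes), separate hop-by-hop and end-to-end identifiers so answers can be matched across proxies, 32-bit AVP codes with explicit vendor and mandatory flags, and a defined failure path for AVPs a peer cannot handle.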

-DR

