AAA, RADIUS, and TACACS+ are all related to network security and access control. To access a network device, there are centralized access methods. Let’s dive into these access methods.
AAA
AAA (Authentication, Authorization, Accounting)
Access control is the way you control who is allowed access to the network device and what services they are allowed to use once they have access.
Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your router or access server.
- Authentication—Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.
- Authorization—Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA (AppleTalk), and Telnet.
- Accounting—Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions.
If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.
TACACS+
TACACS+ (Terminal Access Controller Access Control Service Plus)
- TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server.
- TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation.
- You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available.
- TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.
- TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently.
- Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the domain.
- The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.
- The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers.
RADIUS
RADIUS (Remote Access Dial-In User Service)
- RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.
- RADIUS is a distributed client/server system that secures networks against unauthorized access.
- In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
- Cisco supports RADIUS under its AAA security paradigm.
- RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, and local username lookup.
- RADIUS is supported on all Cisco platforms, but some RADIUS-supported features run only on specified platforms.
TACACS+ vs RADIUS
The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, whereas RADIUS combines Authentication and Authorization in a single exchange.
When a RADIUS Authentication request is sent to the AAA server, the AAA client expects to receive a reply containing the Authorization result.
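The combined RADIUS exchange described above, as an added example that is not from the original page or from Cisco: a client builds an Access-Request using the RFC 2865 User-Password hiding, a toy server answers with an Access-Accept that already carries the authorization result (Service-Type plus a Cisco-AVPair privilege level), and the client checks the Response Authenticator before trusting those attributes. The shared secret, user database and attribute values are constructed for this example.

```python
import hashlib, hmac, struct
# RFC 2865 constants: packet codes and attribute types; 7 = Service-Type NAS-Prompt-User (CLI session).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC, NAS_PROMPT_USER = 1, 2, 6, 26, 7
def xor_stream(data, secret, authenticator, hide):
    """RFC 2865 s5.2 User-Password hiding (MD5 keystream chained on ciphertext); hide=False reverses it."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator  # the first block is keyed by the 16-byte Request Authenticator
    for i in range(0, len(data), 16):
        result = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if hide else data[i:i + 16])  # chain on the ciphertext block
    return out

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_request(ident, username, password, secret, authenticator):
    body = encode_attrs([(USER_NAME, username), (USER_PASSWORD, xor_stream(password, secret, authenticator, True))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def server_reply(request, secret, users):
    """Toy server: authenticate, then put the authorization result into the same Access-Accept."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    password = xor_stream(attrs.get(USER_PASSWORD, b""), secret, req_auth, False).rstrip(b"\x00")
    if code != ACCESS_REQUEST or users.get(attrs.get(USER_NAME)) != password:
        reply_code, body = ACCESS_REJECT, b""
    else:
        vsa = struct.pack("!IBB", 9, 1, 19) + b"shell:priv-lvl=15"  # Cisco (vendor 9) AVPair, type 1
        body = encode_attrs([(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)), (VENDOR_SPECIFIC, vsa)])
        reply_code = ACCESS_ACCEPT
    header = struct.pack("!BBH", reply_code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body  # RFC 2865 s3

def verify_reply(reply, req_auth, secret):
    """Client side: check the Response Authenticator before acting on the authorization attributes."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    return code, decode_attrs(reply[20:length])
```

Note that the password hiding is an MD5 keystream keyed by the shared secret, not authenticated encryption, which is one reason RADIUS is usually confined to a management network or wrapped in TLS.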