Terminal Access Controller Access Control System

Protocol and software used to provide AAA services to an access server or router

The TACACS+ protocol is used for communication between the NAS and the TACACS+ daemon running on a security server
Uses TCP port 49 to communicate

Cisco proprietary

Outgrowth of TACACS (RFC 1492)
The entire packet after the TACACS+ header is encrypted

Relies on a preshared secret stored on both the NAS and the AAA server

Cipher text is generated by XORing the clear text with concatenated MD5 hashes of the session_id, preshared key, version number, and sequence number
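As an added example (not part of the original slides), the body obfuscation described above in Python, following RFC 8907 section 4.5: each MD5 block is built from session_id, key, version and seq_no, and every block after the first also chains in the previous digest, a detail the bullet omits. The header layout, packet type, version byte 0xC0, key, session_id and body are constructed values for illustration.

```python
import hashlib
import struct

# 12-byte TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_ACCT = 0x03                 # accounting packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body sent in the clear; never use in production

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pad XORed with the body (RFC 8907 section 4.5).
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}), truncated to body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; XOR is its own inverse, so this also deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes, version: int = 0xC0) -> bytes:
    """Header plus obfuscated body; an empty key falls back to the cleartext flag."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate_body(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload

def parse_packet(packet: bytes, key: bytes):
    """Return (type, seq_no, session_id, cleartext body). The pad carries no
    integrity check: a wrong shared secret yields garbage rather than an error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return ptype, seq_no, session_id, payload
    return ptype, seq_no, session_id, obfuscate_body(payload, session_id, key, version, seq_no)

if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    KEY, SID, BODY = b"constructed-secret", 0x0BADF00D, b"constructed accounting record"
    pkt = build_packet(TAC_PLUS_ACCT, 1, SID, BODY, KEY)
    print(pkt.hex())
    print(parse_packet(pkt, KEY))
```

Because the pad depends only on header fields and the shared secret, the same key with a repeated session_id and seq_no produces an identical pad, which is why RFC 8907 treats this as obfuscation rather than encryption.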
Authorization request contains the services or privileges that need to be authorized

Response may contain fail, pass with additional attributes, pass with replacement attributes, error, or redirection to an alternate AAA server
Request packet

‘Start’ record indicates that a service is about to begin

‘Continue’ record is sent periodically while the service is in progress

‘Stop’ record is sent when the service has terminated

Response packet

‘Success’ status indicates that the AAA server has received the packet from the NAS and has stored the information in its database

‘Error’ implies the AAA server failed to commit the record to its database

‘Follow’ status indicates that the NAS should send the records to another AAA server listed in the packet data