RADIUS stands for Remote Access Dial-In User Service, and TACACS+ stands for Terminal Access Controller Access Control Service Plus. The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, where RADIUS combines both Authentication and Authorization. RADIUS was designed for subscriber AAA, and TACACS+ is designed for administrator AAA. RADIUS can still be used for small network administrator AAA, but only if authorization is not required, or if it is a homogeneous network (all one vendor). In any scenario where there is a heterogeneous environment or authorization policies are required for network devices, TACACS+ is the best option.
The following figure and table show their difference more instinctively:
This post and next one will show the basic Tacacs+Â configuration steps on a cisco 2960 switch to work with Free Tacacs+ Software for Windows from tacacs.net:
- Basic Cisco Tacacs+ Configuration With Free Tacacs+ Software for Windows - Part 1
- Basic Cisco Tacacs+ Configuration With Free Tacacs+ Software for Windows - Part 2
1. Software Installation and Verify Configuration
1.1 Download Software
Please download Version 1.3.2, which is from their website http://www.tacacs.net/1.2 Installation
Double click downloaded file TACACSSetup_v1.3.2.zip and simply click next to follow the wizard to complete the installation.
1.3 Configuration Tacacs+ server
The wizard will install the configuration and log files to different locations depending on your OS. Start Menu TACACS.net program group has a configuration shortcut to point to the configuration folder. In my case, all configuration files was installed at this directory: C:\ProgramData\TACACS.net\configCheck tacplus.xml to make sure server ip is not 127.0.0.1.
You do not need to restart/reload the server when you modify the configuration files. The server
monitors for changes to the configuration files and reloads them automatically.
1.4 Verify Tacacs service
telnet 127.0.0.1 49(test1 is the local administrator account in my Tacacs windows server)
tactest -s 10.94.200.14 -u test1 -p test1
2. Configure Cisco Switch to Use Tacacs server
Router(config)# aaa new-modelBased on above configuration steps 1 and step 2, the switch will be authenticated with Tacacs server's account in the local administrators group.
Router(config)# tacacs-server host 10.94.200.14 key mysharedsecret
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config)# line vty 0 15
Router(config-line)# login authentication default
Notes:
Fallback group includes all local administrators on the server. It should be commented out before it is deployed in production.Reference:
No comments:
Post a Comment