Version 4.1 - 2.0 RADIUS and TACACS+
This is another section where I am confident that I will not have a problem answering any questions. During my studies, I found that my recert date was quickly approaching. Rather than rushing my CCIE Security studies, I took a detour and prepared for (and passed) the SIMOS exam. At the beginning of this study, I would have considered myself about average with these topics. Then I took my knowledge up to the next level. The SIMOS material is good, but the main book that I would highly recommend is "AAA Identity Management Security." Another book that I read for that exam was "Cisco ISE for BYOD and Secure Unified Access." If you read those books, you'll be fine for this section.
++ Differences between RADIUS and TACACS+ ++
That's the big picture of the major differences. Now, let's discuss important things to remember about RADIUS. Many of the functions and processes that involve RADIUS will be discussed later. RADIUS operates in a client-server environment. If you actually look at the AAA components, you will see that what people consider a "client" (such as a laptop) is actually a SUPPLICANT that sends a request to a NAS (Network Access Server). The NAS is actually the "Authenticator" and is the AAA Client. The RADIUS Server is the AAA Server, also known as the Authentication Server. It may or may not have the information to accept or reject an access request and may need to contact the Policy Information Point (AD/LDAP) to make that decision. So pay close attention to "client" and "server" if you get a RADIUS question. Read the question in the context in which it is presented to see whether it is asking something general or pointing at something more specific and precise.
RADIUS can be extended using VSAs (Vendor-Specific Attributes), which will be discussed in the ISE section. The process of "encrypting" the password in RADIUS is:
1. The RADIUS packet includes a random number called the Request Authenticator.
2. The Request Authenticator is combined with the preshared key and run through the MD5 hash algorithm.
3. The user's password is padded with null values to reach a 16-octet value.
4. The hash from #2 is XORed with the padded password, and that generates the cipher text (the "encrypted" password).
5. The AAA Server calculates the same hash (as in #2) and XORs it with the cipher text to get the password back to clear text.
Note that the "encryption" relies on a preshared key. Does your laptop "client" have one with the RADIUS server? No. So think about this: it is the AAA Client (NAS) talking to the AAA Server (RADIUS) using the RADIUS protocol. When you set up a NAS to use RADIUS, you specify a preshared key.
RADIUS messages / packet types are:
Access-Request
Access-Accept
Access-Reject
Access-Challenge
Note that the response packets are either accept or reject. You're either allowed in or not. No levels. [Compare to TACACS+ and its 16 privilege levels, 0 - 15. But you never see level 0, so effectively 15.] RADIUS combines authentication and authorization in the same step. It uses the next higher port and separate messages for accounting.
TACACS+ has a separation of authentication, authorization and accounting. This is why it's used for device management. For accessing the network, either you are allowed in or not. For accessing a device, you are allowed in, but you're going to want different privilege levels for different groups of users.
Here's how TACACS+ "encrypts" the packet:
1. Concatenate the session ID, shared secret, version number and sequence number.
2. Compute the MD5 hash of #1.
3. Truncate the hash to create a pseudo_pad.
4. XOR the pseudo_pad with the data to create the cipher text.
5. The AAA Server performs the same process to create the pseudo_pad and XORs the cipher text to return the message to plain text.
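Both procedures above are the same idea, an MD5-derived keystream XORed with the data, so one added Python example (mine, not from the notes or any Cisco code) implements the RADIUS password-hiding steps and the TACACS+ pseudo_pad steps side by side. It goes beyond the single-block case described above by chaining hashes the way RFC 2865 and RFC 8907 do for passwords longer than 16 octets and bodies longer than one digest; the secret, Request Authenticator, session ID and version byte in the demo are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 digest length, which is also the RADIUS User-Password block size


def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RADIUS User-Password hiding, steps 1-4 from the notes (RFC 2865 5.2).
    Generalised to passwords longer than 16 octets: every further block is
    XORed with MD5(secret + previous ciphertext block)."""
    assert len(req_auth) == BLOCK, "Request Authenticator is 16 octets"
    blocks = max(1, -(-len(password) // BLOCK))
    padded = password.ljust(blocks * BLOCK, b"\x00")      # step 3: NUL padding
    out, prev = bytearray(), req_auth                     # step 1: random Request Authenticator
    for i in range(0, len(padded), BLOCK):
        digest = hashlib.md5(secret + prev).digest()      # step 2: MD5(secret || authenticator)
        block = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], digest))  # step 4: XOR
        out += block
        prev = block
    return bytes(out)


def radius_recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Step 5: the server recomputes the same hashes and XORs the cipher text back."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), BLOCK):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + BLOCK], digest))
        prev = hidden[i:i + BLOCK]
    return bytes(out).rstrip(b"\x00")                     # strip the NUL padding


def tacacs_pseudo_pad(session_id: int, secret: bytes, version: int, seq_no: int, length: int) -> bytes:
    """TACACS+ pseudo_pad, steps 1-3 from the notes (RFC 8907 4.5).
    MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1} to the same input."""
    header = session_id.to_bytes(4, "big") + secret + bytes([version, seq_no])  # step 1
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(header + prev).digest()        # step 2, chained for long bodies
        pad += prev
    return pad[:length]                                   # step 3: truncate to the body length


def tacacs_obfuscate(body: bytes, session_id: int, secret: bytes, version: int, seq_no: int) -> bytes:
    """Step 4 (client) and step 5 (server) are the same XOR, so one function does both."""
    pad = tacacs_pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


if __name__ == "__main__":  # stand-alone demo with constructed sample values
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    hidden = radius_hide_password(b"a-password-longer-than-16-octets", secret, ra)
    print(len(hidden), radius_recover_password(hidden, secret, ra))   # 32 b'a-password-longer-than-16-octets'
    body = tacacs_obfuscate(b"user=alice", 0x01020304, secret, 0xC0, 1)
    print(tacacs_obfuscate(body, 0x01020304, secret, 0xC0, 1))         # b'user=alice'
```

Run it with a wrong secret on the recovery side and the output is garbage, which is the point of the notes: the shared secret exists between the NAS and the AAA server, not on the supplicant.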
Authentication _packet types_
* START (sent by client)
* CONTINUE (sent by client)
* REPLY (sent by server)
Authentication RESULT (in REPLY message)
- ACCEPT
- REJECT
- ERROR
TACACS+ Accounting records:
+ Start records
+ Stop records
+ Update records
Types of Authentication:
# Login
# Enable
Types of Authorization:
# Exec
# Command
From my notes:
And that's about all I want to cover for this section. Not sure if you noticed, but the RADIUS messages are in Mixed Case and the TACACS+ messages are mainly in ALL CAPS. Just something that might give you a clue if you're looking at a question and having to pick 3 out of 5 of something.