120 Chapter 3 • Communication Security: Remote Access and Messaging
TACACS/+
RADIUS is not the only centralized remote access authentication service. TACACS is also used to authenticate remote users. TACACS has gone through three major "generations": TACACS, XTACACS, and TACACS+. For the Security+ exam, you need to know about TACACS and TACACS+; however, for continuity, XTACACS will also be discussed.
TACACS
As stated previously, TACACS is the "old man" of centralized remote access authentication. TACACS was first developed during the days of ARPANET, which was the basis for the Internet. TACACS is detailed in RFC 1492, which can be found at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1492.html. Although TACACS offers authentication and authorization, it does not offer any accounting tools. As mentioned earlier, a good remote access service must fit all the criteria of the AAA model. Similar to RADIUS, a dial-up user connects to a RAS that prompts the user for their credentials. The credentials are then passed to the TACACS server (RFC 1492 assigns it port 49), which either permits or denies access to the network. Note that the RFC 1492 protocol carries the username and password to the server in cleartext, so anyone who can observe the path between the RAS and the TACACS server can read them.
XTACACS
Initially, TACACS used the User Datagram Protocol (UDP) for its communications. The problem with UDP is that it provides neither packet sequencing nor connection reliability: a datagram can be lost, duplicated, or delivered out of order without either side being told. Therefore, a service such as TACACS must itself confirm that each message arrived whole and intact, and that a reply actually belongs to the request it sent. To overcome this shortcoming, Cisco Systems developed Extended TACACS (XTACACS). In XTACACS, the transport protocol was changed from UDP to the Transmission Control Protocol (TCP), which delivers a reliable, ordered byte stream: the sender's data is segmented, acknowledged, retransmitted if lost, and reassembled in order at the intended destination. (RFC 1492 itself permits TACACS to run over either UDP or TCP, on port 49 in both cases; it is TACACS+ that settled firmly on TCP port 49.) XTACACS was a step in the right direction, but it did not provide all of the functionality needed for a centralized remote access authentication solution.
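The exchange described in the TACACS section (RAS forwards the user's credentials, server answers permit or deny) and the "make sure the entire message arrived and is intact" requirement of the XTACACS section, as an added example that is not from the book or from any vendor's TACACS code. It models the RFC 1492 extended-protocol LOGIN and RESPONSE packets in Python: the field order and 28-byte fixed header are my reading of RFC 1492 and should be verified against the RFC before relying on them; the credential store, nonce value and sample credentials are constructed for the demo. It shows the three checks an implementation over UDP has to do for itself (complete datagram, declared lengths consistent with the bytes present, reply nonce matching the outstanding request) and that the password is visible on the wire.

```python
"""Added example (not from the book): a model of the RFC 1492 TACACS LOGIN /
RESPONSE exchange between a NAS (the RAS the user dials into) and a TACACS
server.  Header layout is an assumption drawn from my reading of RFC 1492."""
import hmac
import struct

TACACS_PORT = 49          # RFC 1492 assigns port 49 for both UDP and TCP
VERSION_EXTENDED = 0x80   # RFC 1492: 0x00 = original protocol, 0x80 = extended
TYPE_LOGIN = 1
TYPE_RESPONSE = 2
RESP_ACCEPTED = 1
RESP_REJECTED = 2
REASON_NONE = 0
REASON_DENIED = 3

# Fixed header of the extended protocol, network byte order (assumption:
# verify against RFC 1492 before use): version, type, nonce, user_len,
# pwd_len, response, reason, result1, dest_host, dest_port, line, result2, result3
HEADER = "!BBHBBBBIIHHII"
HEADER_LEN = struct.calcsize(HEADER)   # 28 bytes


class MalformedPacket(ValueError):
    """Raised for datagrams that cannot be trusted to be one whole TACACS message."""


def build_login(nonce, username, password):
    """NAS -> server: LOGIN carrying the user's credentials (no encryption)."""
    user, pwd = username.encode(), password.encode()
    if len(user) > 255 or len(pwd) > 255:
        raise ValueError("user/password must fit a one-byte length field")
    hdr = struct.pack(HEADER, VERSION_EXTENDED, TYPE_LOGIN, nonce,
                      len(user), len(pwd), 0, REASON_NONE, 0, 0, 0, 0, 0, 0)
    return hdr + user + pwd


def build_response(nonce, response, reason):
    """Server -> NAS: RESPONSE echoing the request nonce, carrying no credentials."""
    return struct.pack(HEADER, VERSION_EXTENDED, TYPE_RESPONSE, nonce,
                       0, 0, response, reason, 0, 0, 0, 0, 0, 0)


def parse_packet(datagram):
    """Validate one datagram end to end before trusting any field in it.

    UDP gives no guarantee that what arrived is whole, so the declared
    lengths are checked against the bytes actually present.
    """
    if len(datagram) < HEADER_LEN:
        raise MalformedPacket(f"truncated header: {len(datagram)} < {HEADER_LEN}")
    (version, ptype, nonce, ulen, plen, response, reason,
     _r1, _host, _port, _line, _r2, _r3) = struct.unpack(HEADER, datagram[:HEADER_LEN])
    if version != VERSION_EXTENDED:
        raise MalformedPacket(f"unsupported version 0x{version:02x}")
    body = datagram[HEADER_LEN:]
    if len(body) != ulen + plen:
        raise MalformedPacket(f"body is {len(body)} bytes, header promised {ulen + plen}")
    return {
        "type": ptype, "nonce": nonce, "response": response, "reason": reason,
        "username": body[:ulen].decode("ascii", errors="replace"),
        "password": body[ulen:ulen + plen].decode("ascii", errors="replace"),
    }


# Constructed sample credential store for the demo.  A real daemon reads its
# own user file; the protocol itself forces a plaintext password compare.
USER_DB = {"alice": "correct horse"}


def server_handle(datagram):
    """Server side: parse the LOGIN, check the credentials, answer with the same nonce."""
    pkt = parse_packet(datagram)
    if pkt["type"] != TYPE_LOGIN:
        raise MalformedPacket(f"expected LOGIN, got type {pkt['type']}")
    stored = USER_DB.get(pkt["username"], "")
    ok = bool(stored) and hmac.compare_digest(stored.encode(), pkt["password"].encode())
    return build_response(pkt["nonce"],
                          RESP_ACCEPTED if ok else RESP_REJECTED,
                          REASON_NONE if ok else REASON_DENIED)


def nas_check_response(sent_nonce, datagram):
    """NAS side: accept only a well-formed RESPONSE whose nonce matches our LOGIN.

    Over UDP a stale or forged reply can arrive at any time; the nonce is the
    only thing tying a RESPONSE to the request we actually sent.
    """
    pkt = parse_packet(datagram)
    if pkt["type"] != TYPE_RESPONSE:
        raise MalformedPacket(f"expected RESPONSE, got type {pkt['type']}")
    if pkt["nonce"] != sent_nonce:
        raise MalformedPacket("nonce mismatch: reply is not for our request")
    return pkt["response"] == RESP_ACCEPTED


def authenticate(username, password, nonce=0x1234):
    """Whole exchange in-process: returns (accepted, password_visible_on_wire)."""
    login = build_login(nonce, username, password)
    visible = password.encode() in login   # True: RFC 1492 sends it unencrypted
    reply = server_handle(login)
    return nas_check_response(nonce, reply), visible


if __name__ == "__main__":
    print(authenticate("alice", "correct horse"))   # (True, True)
    print(authenticate("alice", "wrong"))           # (False, True)
```

Two things to take from running it: a datagram that is one byte short of its declared lengths is rejected before any field is used, and a RESPONSE carrying a nonce other than the one we sent is rejected even though it parses cleanly. Neither check is needed once the transport is a TCP stream with one request per connection, which is the operational reason the later protocols moved to TCP.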
NOTE
The above information on XTACACS is provided for historical background only. XTACACS is rarely deployed in modern installations, and is not a topic of the Security+ exam.
www.syngress.com