Describe device security using IOS AAA with TACACS+ and RADIUS

Exam: Cisco 300-101 - CCNP Implementing Cisco IP Routing (ROUTE v2.0)


AAA uses the security protocols to manage the security features. These security features protect the network against the failure and data loss resulting from attacks or from unintended mistakes by network users.

AAA with TACACS+

Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco proprietary protocol that is used to deliver AAA security services. It is an application which is implemented through AAA and provides centralized acceptance of user to take the access control of routers and other access servers in the network. TACACS+ services are kept in a database on TACACS+ authentication server also called as TACACS+ daemon. TACACS+ server provides strong capabilities of authorization, authentication and accounting to the administrators. TACACS+ server has ability to handle multiple users accessing the device simultaneously.

TACACS+ is allowed for single access control server to provide each (AAA) service i.e. authorization, accounting and authentication independently. Each AAA service can bind up into own database so that it can take advantage of the other available services on the network. The methodology of managing the multiple network access points with a single management service is the main goal of TACACS+ server.

The TACACS+ security protocol provides the authentication between the access servers in network and TACACS+ daemon. As the exchanging of all protocols between the access server and TACACS+ daemon are encrypted, the confidentiality is ensured in TACACS+ protocol. The important feature of TACACS+ is that it supports 16 different privilege levels that are used to limit the access of user to a network device.

When the administrator is connected to router, the access sever contact the TACACS+ daemon for username prompt and the user name is displayed to the administrator. After entering the username the access server again contact the TACACS+ daemon for obtaining the password prompt. Once the password prompt is displayed to administrator, the administrator enters the password and then sends the same to the TACACS+ daemon.

The access server then receives the response from TACACS+ daemon. The response could be one of the following

  • Accept - means authentication of administrator is done and the service can begin.
  • Reject - means administrator is not authenticated may be denied further access.
  • Error - means error occurred during the authentication. This can either at daemon or in network connection between daemon and network access server.
  • Continue - means administrator is prompted for additional information.

The TACACS+ daemon is contacted once again if TCACCS+ authorization is required. The response could be Accept or Reject at this stage. If the response is Accept, the response contains data in the form of attributes, directing the Network or EXEC session for that administrator.

AAA with RADIUS

Remote Authentication Dial in User Service (RADIUS) is a security protocol that secures the network against unauthorised access. The components on which RADIUS consist are

  • A Client
  • A Server

The RADIUS clients run on the Cisco routers and send authentication request to a centralized RADIUS server which contains network service access information and user authentication. The network access server operates as the client of RADIUS which is having the responsibility of passing the information of user to designated RADIUS server and act on the returned response.

RADIUS servers are responsible for authenticating the user, receiving user connection requests and returning the information of configuration which is necessary for client to deliver the service to user. To other authentication servers they act as proxy client also. The transactions between the RADIUS server and the client are authenticated by using shared secret, which can never be sent over the network.

RADIUS is an open protocol and can be modified to work with any kind of security system. While maintaining the network access for remote users, RADIUS has been implemented in a number of network environments which require high level of security. RADIUS server supports different kinds of methods to authenticate the user such as PPP, Challenge Handshake Authentication Protocol, Password Authentication Protocol and other authentication mechanism.

When the administrator log in and authenticate to RADIUS Client (network access server), PPP request is initiated to RADIUS client by administrator. The administrator is prompted for and enters username and password. The client then sends Access Request packet which contains username and encrypt password along with other attributes to the RADIUS server. The RADIUS server then authenticates user, approve the client and send any one among following responses.

  • Access - Accept: means the user is authenticated and granted access.
  • Access - Reject: denied the access as user is not authenticated.
  • Access - Challenge: additional information is requested by user. It is issued by RADIUS server.

There are approximately 50 standard based attribute in RADIUS. Basic attributes are user for authentication purpose and other attributes are used for authorization purpose.

Local privilege authorization fallback

For several functions local database act as fallback method. It is designed to help the user to prevent accidental lockout from security devices. Users requiring the fallback support have the recommendation that their username and password in local database must match their username and password in AAA server. This is also called as transparent fallback support because user does not determine from whom it gets the services either by AAA server or by local database.

The fallback functions supported by local database are:

  • Console and enable password authentication: On using AAA authentication console command user can add LOCAL keyword after the tag of AAA server group. If the servers are unavailable in group then the local database is used by security appliances in order to authenticate the administrative access which can include enable password authentication as well.
  • Command Authorization: Using AAA authorization command, user is able to add LOCAL keyword after AAA server group tag. Based on privilege level local database is used to authorize commands, if TACACS+ server is unavailable in group.
  • VPN authentication and authorization: If the AAA servers that supports VPN services are not available then to enable the access to security appliances VPN authorization and authentication are supported.

Local database can also be used for privileged mode authentication, CLI access authentication and network access authentication.

Exam Question

While configuring AAA login authentication on a Router, which authentication method should be used as final method to ensure that the administrator can log in to the router in case external AAA server fails?

  1. Group TACACS+
  2. Group RADIUS
  3. Local
  4. Enable
  5. If-authenticated

Answer: 3,4

Explanation: On working with multiple authentication methods, the best practice is to have either local or enable authentication as final method to recover from a severed link to the chosen method server.


Related IT Guides

  1. Configure and verify default routing
  2. Configure and verify IPv4 and IPv6 DHCP
  3. Configure and Verify network types, area types, and router types
  4. Configure and Verify RIPv2
  5. Configure and verify static routing
  6. Describe administrative distance
  7. Describe DMVPN (single hub)
  8. Describe IPv6 NAT
  9. Describe, configure, and verify BGP peer relationships and authentication
  10. Explain BGP attributes and best-path selection
  11. Explain Frame Relay
  12. Explain general network challenges
  13. Layer 3 technologies - Describe administrative distance
  14. Use Cisco IOS troubleshooting tools