Scribd
Upload
4 views8 pages

Practical 3

The document outlines the configuration of AAA authentication on Cisco routers using TACACS+ and RADIUS protocols. TACACS+ is a Cisco proprietary protocol that offers more reliability and security through encryption, while RADIUS is an open standard protocol that supports multiple vendors but has less granular control. The document also includes configuration commands for setting up TACACS and RADIUS servers and demonstrates the authentication process using both protocols.

Uploaded by

bandiwadekarsakshi56
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
4 views8 pages

Practical 3

The document outlines the configuration of AAA authentication on Cisco routers using TACACS+ and RADIUS protocols. TACACS+ is a Cisco proprietary protocol that offers more reliability and security through encryption, while RADIUS is an open standard protocol that supports multiple vendors but has less granular control. The document also includes configuration commands for setting up TACACS and RADIUS servers and demonstrates the authentication process using both protocols.

Uploaded by

bandiwadekarsakshi56
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd

PRACTICAL NO 3: Configure AAA Authentication on

Cisco Routers
To provide a centralized management system for the authentication, authorization and accounting (AAA
framework), Access Control Server (ACS) is used. For the communication between the client and the
ACS server, two protocols are used namely TACACS+ and RADIUS.
TACACS+
Terminal Access Controller Access Control System (TACACS+) is Cisco proprietary protocol which is
used for the communication of the Cisco client and Cisco ACS server. It uses TCP port number 49 which
makes it reliable.

RADIUS –
Remote Access Dial In User Service (RADIUS) is an open standard protocol used for the communication
between any vendor AAA client and ACS server. If one of the client or server is from any other vendor
(other than Cisco) then we have to use RADIUS. It uses port number 1812 for authentication and
authorization and 1813 for accounting.

TACACS+ RADIUS

Cisco proprietary protocol open standard protocol

It uses TCP as transmission protocol It uses UDP as transmission protocol

It uses TCP port number 49. It uses UDP port number 1812 for
authentication and authorization and 1813
for accounting.

Authentication, Authorization and Accounting is Authentication and Authorization is


separated in TACACS+. combined in RADIUS.

All the AAA packets are encrypted. Only the passwords are encrypted while the
other information such as username,
accounting information etc are not
encrypted.

Preferably used for ACS. used when ISE is used

It provides more granular control i.e can specify No external authorization of commands
the particular command for authorization. supported.

TACACS+ offers multiprotocol support No multiprotocol support.


Used for device administration. used for network access

Similarities –
The process is start by Network Access Device (NAD – client of TACACS+ or RADIUS). NAD contact the
TACACS+ or RADIUS server and transmit the request for authentication (username and password) to the
server. First, NAD obtain username prompt and transmit the username to the server and then again the
server is contact by NAD to obtain password prompt and then the password is send to the server.
The server replies with access-accept message if the credentials are valid otherwise send an access-
reject message to the client. Further authorisation and accounting is different in both protocols as
authentication and authorisation is combined in RADIUS

Advantages (TACACS+ over RADIUS) –


1. As TACACS+ uses TCP therefore more reliable than RADIUS.
2. TACACS+ provides more control over the authorization of commands while in RADIUS,
no external authorization of commands is supported.
3. All the AAA packets are encrypted in TACACS+ while only the passwords are encrypted
in RADIUS i.e more secure.
Advantage (RADIUS over TACACS+) –
1. As it is open standard therefore RADIUS can be used with other vendors device while
because TACACS+ is Cisco proprietary, it can be used with Cisco devices only.
2. It has more extensive accounting support than TACACS+.
We use the following Topology for the present case

Configuring PC0
Configuring PC1

Configuring Router0
Configuring Server0 (As TACACS)
While configuring the TACACS/RADIUS server the Client IP address must be the Router IP

Configuring Server1 (As RADIUS)


Type the following commands in the CLI mode of the Router0

Router>enable
Router#configure terminal
Router(config)#aaa new-model
Router(config)#tacacs-server host [Link] key cisco
Router(config)#radius-server host [Link] key cisco
Router(config)#aaa authentication login ismail group tacacs+ group radius local
Router(config)#line vty 0 4
Router(config-line)#login authentication universal
Router(config-line)#exit
Router(config)#

The Authentication can be done by typing the command telnet [Link] (the Router IP) in any of the
PCs
We get a prompt to type the username and password, the username and password set in TACACS are
entered
Username: universal
Password: cisco
We get the following

In order to authenticate the RADIUS server we need to turn OFF the TACACS service
We again enter the command telnet [Link] (the Router IP) and enter the username and password
of the RADIUS server (Username: universal , Password: cisco)
We get the following

The local login can also be verified by turning OFF both TACACS and RADIUS service. The username and
Password are both cisco (by default)
Hence the authentication through both TACACS and RADIUS

You might also like