Both RADIUS and TACACS+ provide centralized validation of users attempting to gain access to network devices that support either protocol, delivering Authentication, Authorization, and Accounting (AAA) services for those devices.
RADIUS stands for Remote Access Dial-In User Service, and TACACS+ stands for Terminal Access Controller Access Control Service Plus. The primary functional difference between them is that TACACS+ separates out the Authorization function, whereas RADIUS combines Authentication and Authorization in one exchange. RADIUS was designed for subscriber AAA, and TACACS+ was designed for administrator AAA. RADIUS can still be used for administrator AAA on a small network, but only if authorization is not required or the network is homogeneous (all one vendor). In any heterogeneous environment, or wherever authorization policies are required for network devices, TACACS+ is the better option.
The following figure and table show the differences more intuitively:
This post and the next one show the basic TACACS+ configuration steps on a Cisco 2960 switch working with the free TACACS+ software for Windows from tacacs.net:
- Basic Cisco Tacacs+ Configuration With Free Tacacs+ Software for Windows – Part 1
- Basic Cisco Tacacs+ Configuration With Free Tacacs+ Software for Windows – Part 2
1. Software Installation and Verify Configuration
1.1 Download Software
Download version 1.3.2 from the vendor's website, http://www.tacacs.net/
1.2 Installation
After installation, TACACS.net service will automatically start. Localhost (127.0.0.1) and RFC 1918 IP address ranges (172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8) are already added as clients by default. Any user in the Administrators group on the local machine will be authorized as the fallback method.
1.3 Configure the Tacacs+ server
The wizard installs the configuration and log files to different locations depending on your OS. The TACACS.net program group in the Start Menu has a configuration shortcut that points to the configuration folder. In my case, all configuration files were installed in this directory: C:\ProgramData\TACACS.net\config
Check tacplus.xml to make sure the server IP is not 127.0.0.1.
You do not need to restart/reload the server when you modify the configuration files. The server monitors the configuration files for changes and reloads them automatically.
1.4 Verify the Tacacs+ service
telnet 127.0.0.1 49
tactest -s 10.9.200.14 -u test1 -p test1
(test1 is a local administrator account on my TACACS+ Windows server)
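The tactest check above and the shared secret configured on the switch in section 2 only work because both ends derive the same key material: TACACS+ does not encrypt the packet body, it XORs it with an MD5 chain seeded by the session id, the shared secret, the version and the sequence number (RFC 8907, section 4.5). The following is an added example written for this post, not code from tacacs.net or Cisco. It builds the authentication START packet a PAP client sends to port 49, decodes it as the server would, and shows why a mismatched secret surfaces as a parse failure rather than a clean "wrong password". The session id, the port name tty0 and the remote address 192.0.2.10 are constructed sample values; the user and secret mirror the ones used in the post.

```python
import hashlib
import struct

# TACACS+ wire constants from RFC 8907 (the protocol TACACS.net and the switch speak)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01               # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01         # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02      # password carried in the START data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER_FMT = "!BBBBII"               # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
START_FIXED_FMT = "!BBBBBBBB"        # action, priv_lvl, authen_type, service, 4 length bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id | key | version | seq_no [| previous digest]."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, password, port="tty0", rem_addr="192.0.2.10", priv_lvl=1):
    """Build the first packet of a PAP login, as a client such as tactest would send it to port 49."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    seq_no = 1                       # client packets carry odd sequence numbers, starting at 1
    fields = [s.encode() for s in (user, port, rem_addr, password)]
    body = struct.pack(START_FIXED_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       *(len(f) for f in fields)) + b"".join(fields)
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    """Server-side decode. Returns the START fields, or raises ValueError when the body does not parse."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack(START_FIXED_FMT, body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        # With the wrong shared secret the pad is wrong, the length bytes are garbage and this
        # check trips: that is what a key mismatch looks like from the server side.
        raise ValueError("inconsistent field lengths: likely shared-secret mismatch")
    off = 8
    out = {}
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        out[name] = body[off:off + n].decode("ascii", errors="replace")
        off += n
    out.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return out


def key_mismatch_detected(packet, wrong_key):
    """True if decoding with wrong_key is rejected, the expected outcome of a mismatched secret."""
    try:
        parse_authen_start(packet, wrong_key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: user and secret mirror the post, the session id is arbitrary
    session = 0x1A2B3C4D
    pkt = build_authen_start(session, b"mysharedsecret", "test1", "test1")
    print(parse_authen_start(pkt, b"mysharedsecret"))
    print("mismatch detected with wrong key:", key_mismatch_detected(pkt, b"wrongsecret"))
```

Two practical points follow from the code. First, a server that logs "inconsistent length" or "decryption failure" style errors is usually telling you the switch and the TACACS.net client entry disagree on the key, not that the account is wrong. Second, the pseudo-pad is keyed only by the shared secret and is not authenticated encryption, which is why RFC 8907 recommends a long random secret per client and running TACACS+ only over an isolated management network.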
2. Configure the Cisco Switch to Use the Tacacs+ Server
Router(config)# aaa new-model
Router(config)# tacacs-server host 10.9.200.14 key mysharedsecret
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config-line)# exit
Router(config)# line vty 0 15
Router(config-line)# login authentication default
With the configuration from steps 1 and 2 in place, logins to the switch are authenticated against accounts in the TACACS+ server's local Administrators group.
Notes:
The fallback group includes every local administrator on the server. Comment it out before deploying in production.