Cisco WS-C4003 Software Guide - Page 357

Chapter 27 Configuring Switch Access Using AAA Understanding How Authentication Works Understanding How TACACS+ Authentication Works TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol specified by RFC 1492. TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or device. TACACS+ uses TCP to ensure reliable delivery and encrypt all traffic between the TACACS+ server and the TACACS+ daemon on a network device. TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually occurs in these instances: • When you first log onto a machine • When you send a service request that requires privileged access When you request privileged or restricted services, TACACS+ encrypts your user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server. A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so that a given TACACS+ configuration can use any or all of the three services. When the TACACS+ server receives the packet, it does the following: • Authenticates the user information and notifies the client that authentication has either passed or failed. • Notifies the client that authentication will continue and that the client must provide additional information. This challenge-response process can continue through multiple iterations until authentication either passes or fails. You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all TACACS+ packets transmitted. If you do not configure a TACACS+ key, packets are not encrypted. The TACACS+ key must be less than 100 characters long. You can configure the following TACACS+ parameters on the switch: • Enable or disable TACACS+ authentication to determine if a user has permission to access the switch • Enable or disable TACACS+ authentication to determine if a user has permission to enter privileged mode • Specify a key used to encrypt the protocol packets • Specify the server on which the TACACS+ server daemon resides • Set the number of login attempts allowed • Set the timeout interval for server daemon response • Enable or disable the directed-request option TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time. If local authentication is disabled and you then disable all other authentication methods, local authentication is reenabled automatically. 78-12647-02 Software Configuration Guide-Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 27-3