
TACACS


Terminal Access Controller Access Control System (TACACS) is a remote authentication protocol used by a network access server (a terminal server, router or dial-in concentrator) to hand a user's credentials to a central authentication server and receive an accept or reject decision. It originated on the ARPANET/MILNET terminal access controllers and was commonly used in UNIX networks. The original protocol runs on port 49, over UDP or, as RFC 1492 also allows, TCP, and sends the username and password in the clear.

A later version of TACACS was called XTACACS (Extended TACACS), a Cisco extension that separated the authentication, authorization and accounting functions. These two versions have generally been replaced by TACACS+ and RADIUS in newer or updated networks. TACACS+ is a completely new protocol (it runs over TCP port 49 and obfuscates the packet body with a shared secret) and is therefore not compatible with TACACS or XTACACS.

TACACS+ has three major components: the protocol support within the access servers and routers (the clients), the protocol specification, and the centralized security database on the server. Like a local security database, TACACS+ supports the three functions required of a good security system, authentication, authorization and accounting (AAA), each of which is a separate packet type and can be handled by a different server.

Authentication

The TACACS+ protocol forwards many types of username/password information. The packet body is not sent in the clear, but it is not encrypted with a real cipher either: the body is XORed with a pad that is derived by MD5 (a hash function, not an encryption algorithm) from the shared secret, the session ID, the protocol version and the packet sequence number. The protection is therefore only as strong as the shared secret, and it is lost entirely if the same secret, session ID and sequence number are ever reused, since two packets would then share the same pad. TACACS+ should run over a dedicated management network or inside an encrypted tunnel. TACACS+ can forward the password types for ARA, SLIP, PAP, CHAP and standard Telnet (ASCII login), which allows clients to use the same username/password for different protocols. TACACS+ is extensible to support new password types like KCHAP.

TACACS+ authentication supports multiple challenge/response exchanges between the client and the TACACS+ server, so a single login can consist of several reply/continue rounds. This allows token card vendors to provide advanced features such as requiring a second token-generated number after the first one has been processed by the security server.

Authorization

TACACS+ provides a mechanism to tell an access server which access list applies to a user connected on a given port (port 1, say). The access list itself resides on the access server; the TACACS+ server, which holds the username/password information, only identifies the list through which the user's traffic is filtered. When authorization succeeds, the TACACS+ server responds with an accept status and an access list number (an attribute-value pair such as acl=101), and the access server applies that list to the user's session.
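The body obfuscation described under Authentication and the access-list authorization reply described here, as one added example in Python; this is not code from the original page or from any TACACS+ implementation. The packet layout follows RFC 8907; the user, port, address, shared secret and the acl=101 attribute value are made-up sample data, and the keystream-reuse function illustrates the failure mode of reusing a session ID and sequence number under the same secret.

```python
import hashlib
import struct

# TACACS+ header and type constants (RFC 8907).
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
VERSION = 0xC0  # major version 0xC, minor version 0

# version, type, seq_no, flags, session_id, length (12 bytes)
HEADER = struct.Struct("!BBBBII")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(secret: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """Chained MD5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:length]


def obfuscate(secret: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pad; applying it again restores the body."""
    return xor_bytes(body, pad(secret, session_id, version, seq_no, len(body)))


def build_packet(secret: bytes, ptype: int, seq_no: int, session_id: int, body: bytes) -> bytes:
    header = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(secret, session_id, VERSION, seq_no, body)


def parse_packet(secret: bytes, packet: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(secret, session_id, version, seq_no, body)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def authen_start(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body: action LOGIN, priv_lvl 1, authen_type ASCII, service LOGIN."""
    fixed = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def author_reply(status: int, args: list) -> bytes:
    """Authorization REPLY body with no server_msg/data: status, arg_cnt, lengths, then args."""
    encoded = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(encoded), 0, 0)
    return head + bytes(len(a) for a in encoded) + b"".join(encoded)


def author_reply_args(body: bytes):
    """Parse an authorization REPLY into (status, args). Args are 'name=value' (mandatory)
    or 'name*value' (optional); acl=101 names the access list the client must apply."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in lens:
        args.append(body[off:off + n].decode())
        off += n
    return status, args


def keystream_reuse_leak(secret: bytes, session_id: int, seq_no: int, b1: bytes, b2: bytes) -> bytes:
    """Two bodies sent under the same secret, session_id and seq_no share one pad, so
    XORing the two obfuscated bodies yields b1 XOR b2 without knowing the secret."""
    c1 = obfuscate(secret, session_id, VERSION, seq_no, b1)
    c2 = obfuscate(secret, session_id, VERSION, seq_no, b2)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    body = authen_start(b"alice", b"tty1", b"192.0.2.10")
    pkt = build_packet(b"s3cret", TAC_PLUS_AUTHEN, 1, 0x1234ABCD, body)
    print(pkt.hex())
    print(parse_packet(b"s3cret", pkt))
    print(author_reply_args(author_reply(1, ["acl=101"])))
```

A client that parses the reply must apply only the list it received; a mandatory argument it does not understand is a reason to fail the authorization rather than ignore it. Note also that parse_packet with the wrong secret does not fail, it silently returns garbage, so a real client must validate the decoded body before acting on it.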

Accounting

TACACS+ delivers accounting records to the accounting database over TCP, so each record is acknowledged and the resulting accounting log is more reliable and complete than a fire-and-forget UDP transport would give.

The accounting portion of the TACACS+ protocol records the network address of the user, the username, the service attempted, the protocol used, the time and date, and the packet-filter module that originated the log entry. For Telnet connections it also records the source and destination ports, the action taken (connection accepted or rejected), the log and the alert type. Record formats are open and configurable.

The billing information includes connect time, user ID, the location connected from, start time and stop time. It identifies the protocol the user is using and may include the commands run when the user is connected through an exec or Telnet session.

TACACS+ accounting also provides connect-time updates (originally planned as a future enhancement, now the watchdog record), which send the current connect time to the accounting server every x minutes. This feature allows companies such as Internet providers to bill a customer for an open session even if the access server restarts and loses the initial start time, so service providers can significantly reduce lost billing time.

The auditing information records which commands were run, with their arguments, and the location the user connected from.

The protocol carries enough information for a server to run intrusion-detection routines and to produce reporting statistics such as packet and byte counts.

Operators want servers to prevent concurrent use of the same username/password, so that customers on flat rates do not share their account with others. Although the decision to grant access is made on the server, the protocol carries the information needed (username, remote address, port, session start and stop) to detect one account being used from several places at once.
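Detection logic for the account-sharing case described above, as an added example in Python that is not from the original page or from any TACACS+ server. The accounting lines are constructed for this example in a simple key=value layout; TACACS+ accounting formats are configurable, so a real parser must follow the server's own format, and the field names user, rem_addr, port, task_id and flags are assumptions here.

```python
import re
from collections import defaultdict

# Constructed sample accounting records (not real server output).
# alice starts a second session from a different address while her first is open;
# bob opens two sessions from the same address, which is not account sharing.
SAMPLE_LOG = """\
2024-05-01T08:00:01 user=alice rem_addr=192.0.2.10 port=tty1 task_id=101 flags=start service=shell
2024-05-01T08:02:15 user=bob rem_addr=192.0.2.20 port=tty2 task_id=102 flags=start service=shell
2024-05-01T08:05:30 user=alice rem_addr=198.51.100.7 port=tty3 task_id=103 flags=start service=shell
2024-05-01T08:09:00 user=alice rem_addr=192.0.2.10 port=tty1 task_id=101 flags=stop service=shell elapsed_time=539
2024-05-01T08:10:00 user=bob rem_addr=192.0.2.20 port=tty4 task_id=104 flags=start service=shell
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
REQUIRED = ("user", "rem_addr", "task_id", "flags")


def parse_record(line: str):
    """Return a dict of fields for one record, or None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    if any(k not in rec for k in REQUIRED):
        return None
    rec["ts"] = m.group("ts")
    return rec


def find_shared_accounts(log_text: str):
    """Alert when a user starts a session from an address while another of that user's
    sessions from a different address is still open. Returns a list of
    (timestamp, user, new_addr, sorted list of other active addrs)."""
    active = defaultdict(dict)  # user -> {task_id: rem_addr}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        user, task, addr = rec["user"], rec["task_id"], rec["rem_addr"]
        if rec["flags"] == "start":
            others = {a for a in active[user].values() if a != addr}
            if others:
                alerts.append((rec["ts"], user, addr, sorted(others)))
            active[user][task] = addr
        elif rec["flags"] == "stop":
            active[user].pop(task, None)
    return alerts


if __name__ == "__main__":
    for alert in find_shared_accounts(SAMPLE_LOG):
        print("possible account sharing:", alert)
```

Keying the active-session table on task_id rather than port means a stop record closes exactly the session it belongs to; a restart of the access server that loses stop records would leave stale entries, which is the case the watchdog updates above are meant to cover.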

TACACS is defined in RFC 1492 (informational): http://www.ietf.org/rfc/rfc1492.txt. TACACS+ is documented in RFC 8907: https://www.rfc-editor.org/rfc/rfc8907

See also RADIUS and TACACS+


