Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, Chapter 18, Configuring TACACS+ (OL-16597-01), page 18-2
Send feedback to nx5000-docfeedback@cisco.com

Information About TACACS+

• TACACS+ Server Monitoring, page 18-3

TACACS+ Advantages

TACACS+ has the following advantages over RADIUS authentication:

• Provides independent AAA facilities. For example, the Nexus 5000 Series switch can authorize access without authenticating.
• Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.
• Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.

User Login with TACACS+

When a user attempts a Password Authentication Protocol (PAP) login to a Nexus 5000 Series switch using TACACS+, the following actions occur:

1. When the Nexus 5000 Series switch establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.

Note: TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This is usually done by prompting for a username and password combination, but may include prompts for other items, such as the user's mother's maiden name.

2. The Nexus 5000 Series switch receives one of the following responses from the TACACS+ daemon:

• ACCEPT—User authentication succeeds and service begins. If the Nexus 5000 Series switch requires user authorization, authorization begins.
• REJECT—User authentication failed. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.
• ERROR—An error occurred at some time during authentication, either at the daemon or in the network connection between the daemon and the Nexus 5000 Series switch. If the Nexus 5000 Series switch receives an ERROR response, it tries to use an alternative method for authenticating the user.

3. The user also undergoes an additional authorization phase, if authorization has been enabled on the Nexus 5000 Series switch. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.

If TACACS+ authorization is required, the Nexus 5000 Series switch again contacts the TACACS+ daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determine the services that the user can access.

Services include the following:

• Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
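The login sequence above, as an added model that is not NX-OS code and not from this guide: a switch-side decision function driven by a constructed stand-in daemon. It shows the point that matters for defenders, that ERROR and REJECT are handled differently (only ERROR moves the switch to its alternative method; a REJECT is final) and that authorization attributes are consulted only after authentication succeeds. The daemon, the fallback method, the sample account and the attribute names are assumptions.

```python
from dataclasses import dataclass, field

ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"  # the three daemon responses

@dataclass
class TacacsReply:
    status: str                                   # ACCEPT, REJECT or ERROR
    attributes: dict = field(default_factory=dict)  # authorization attributes (ACCEPT only)

@dataclass
class LoginResult:
    granted: bool
    method: str                                   # "tacacs+" or "fallback"
    services: dict = field(default_factory=dict)  # attributes directing the session

def tacacs_login(user, password, daemon_authen, daemon_author, fallback,
                 require_authorization):
    """Switch-side decision logic for steps 1-3; callables are stand-ins (assumed)."""
    reply = daemon_authen(user, password)         # step 1/2: daemon checks the credentials
    if reply.status == ERROR:
        # Daemon or network failure: the switch tries its alternative method.
        return LoginResult(fallback(user, password), "fallback")
    if reply.status == REJECT:
        # A definite REJECT is final; it never falls through to another method.
        return LoginResult(False, "tacacs+")
    if not require_authorization:
        return LoginResult(True, "tacacs+")
    author = daemon_author(user)                  # step 3: only after authentication succeeded
    if author.status != ACCEPT:
        return LoginResult(False, "tacacs+")
    return LoginResult(True, "tacacs+", dict(author.attributes))

# Constructed stand-in daemon and fallback; not a real TACACS+ server.
_USERS = {"alice": "s3cret"}                      # constructed sample account

def demo_authen(user, password):
    if user == "unreachable":                     # constructed case: daemon/network error
        return TacacsReply(ERROR)
    return TacacsReply(ACCEPT if _USERS.get(user) == password else REJECT)

def demo_author(user):
    # Constructed authorization answer: attributes that direct the EXEC session.
    return TacacsReply(ACCEPT, {"service": "exec", "priv-lvl": "15"})

def demo_fallback(user, password):
    # Constructed alternative method (for example a local account), used only after ERROR.
    return (user, password) == ("unreachable", "local-pw")
```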