Filter
Top Products
A-5
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix A AAA Protocols
Access Protocols—TACACS+ and RADIUS
Access Protocols—TACACS+ and RADIUS
This section contains the following topics:
• Overview of TACACS+, page A-5
• Overview of RADIUS, page A-6
ACS 5.3 can use the TACACS+ and RADIUS access protocols. Table A-1 compares the two protocols.
Overview of TACACS+
TACACS+ must be used if the network device is a Cisco device-management application, access server,
router, or firewall. ACS 5.3 supports Cisco device-management applications by providing command
authorization for network users who are using the management application to configure managed
network devices.
You provide support for command authorization for management application users by using unique
command sets for each management application that is configured to use ACS for authorization.
ACS 5.3 uses TACACS+ to communicate with management applications. For a management application
to communicate with ACS, you must configure the management application in ACS 5.3 as a AAA client
that uses TACACS+.
You must also provide the device-management application with a valid administrator name and
password. When a management application initially communicates with ACS, these requirements ensure
the validity of the communication.
Except for the packet-headers, all information that the client and TACACS+ server communicate, which
is contained in the packet-bodies are encrypted through the use of a shared secret (which is, itself, not
sent over the network directly).
Additionally, the administrator that the management application uses must have the Command Set
privilege enabled.
Table A-1 TACACS+ and RADIUS Protocol Comparison
Point of Comparison TACACS+ RADIUS
Transmission Protocol TCP—Connection-oriented transport-layer
protocol, reliable full-duplex data
transmission.
UDP—Connectionless transport-layer protocol,
datagram exchange without acknowledgments or
guaranteed delivery. UDP uses the IP to get a data
unit (called a datagram) from one computer to
another.
Ports Used 49 Authentication and Authorization: 1645 and 1812
Accounting: 1646 and 1813.
Encryption Full packet-body encryption. Encrypts only passwords up to 16 bytes.
AAA Architecture Separate control of each service:
authentication, authorization, and accounting.
Authentication and authorization combined as
one service.
Intended Purpose Device management. User access control.