CCNP (Cisco Certified Network Professional) Route Certification Exam Cram Notes

5. Infrastructure Security

5.2 RADIUS Server

RADIUS is an authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system. RADIUS implements a client/server architecture, where the typical client is a router, switch, or AP and the typical server is a Windows or Unix host running RADIUS software.

Features of RADIUS server:

1. Open standard, and widely supported. Note that TACACS+ is a Cisco proprietary standard, but well supported too.

2. Uses UDP as its transport (TACACS+, by contrast, uses TCP).

3. Provides more extensive accounting capability than a TACACS+ server.

4. Only the password is encrypted in packets transiting between the RADIUS server and the client (any device acting as a client, such as a router, a switch, or a host computer); the rest of the packet, including the username, is sent in cleartext.

5. On the other hand, TACACS+ encrypts the whole communication between the TACACS+ server and the client.

6. A successor protocol, named Diameter, is expected.
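To make item 4 concrete, here is an added example (not from the original notes or from Cisco) that builds a RADIUS Access-Request in Python as specified in RFC 2865: the User-Name attribute travels in cleartext, while User-Password is hidden by XORing each 16-byte block with MD5(shared secret + previous block), seeded with the Request Authenticator. The shared secret, username, password, and authenticator below are constructed sample values.

```python
import hashlib
import os
import struct

# RFC 2865 packet code and attribute types
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes, then XOR block i with MD5(secret + previous ciphertext block);
    the first block uses the Request Authenticator. No other field is protected."""
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: only a party holding the shared secret can recover it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, identifier=1, authenticator=None):
    """Code(1) | Identifier(1) | Length(2) | Authenticator(16) | attributes as TLVs."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(secret, authenticator, password)
    attrs = (bytes([USER_NAME, 2 + len(username)]) + username
             + bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs after the 20-byte header, as a passive observer could."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```

Parsing a captured request with parse_attributes shows the username directly, whereas the password field is only meaningful to a holder of the shared secret.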

5.3 TACACS+ Server

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon that typically runs on a UNIX or Windows NT workstation. You must have access to, and must configure, a TACACS+ server before the TACACS+ features configured on a network access server become available. It provides separate and modular authentication, authorization, and accounting facilities: a single access control server (the TACACS+ daemon) provides each service independently, and each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service. The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers.

Syntax: Router(config)#tacacs-server host <ip-address> key <keyname>

Ex: Router(config)#tacacs-server host 192.168.10.1 key cisco123

Features of TACACS+ Server

a. Granular control: TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting. This allows a separate authentication solution to be used while TACACS+ still handles authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication together with TACACS+ authorization and accounting. TACACS+ is very commonly used for device administration.

b. TACACS+ encrypts the entire body of the packet but leaves the standard TACACS+ header in cleartext.

c. TACACS+ is a Cisco proprietary protocol (which later became an open standard), and is very widely supported by vendors offering AAA servers. Note that RADIUS is an open standard and widely supported too.

d. TACACS+ uses TCP port 49 to communicate between the server and the client.

With respect to the command "test aaa group tacacs+ admin Frisco123 legacy", the following are true:

a. It enables you to verify that the ACS to router authentication component is working

b. Frisco123 is the shared secret that has been configured on the ACS server

c. It tests the reachability of ACS server

d. tacacs+ is the group name
