Cisco Systems CSACS3415K9 Manual De Usuario
A-5
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix A AAA Protocols
Access Protocols—TACACS+ and RADIUS
Access Protocols—TACACS+ and RADIUS
This section contains the following topics:
•
•
compares the two protocols.
Overview of TACACS+
TACACS+ must be used if the network device is a Cisco device-management application, access server,
router, or firewall. ACS 5.4 supports IPv6 addresses in TACACS+ protocols. ACS 5.4 supports Cisco
device-management applications by providing command authorization for network users who are using
the management application to configure managed network devices.
router, or firewall. ACS 5.4 supports IPv6 addresses in TACACS+ protocols. ACS 5.4 supports Cisco
device-management applications by providing command authorization for network users who are using
the management application to configure managed network devices.
You provide support for command authorization for management application users by using unique
command sets for each management application that is configured to use ACS for authorization.
command sets for each management application that is configured to use ACS for authorization.
ACS 5.4 uses TACACS+ to communicate with management applications. For a management application
to communicate with ACS, you must configure the management application in ACS 5.4 as a AAA client
that uses TACACS+.
to communicate with ACS, you must configure the management application in ACS 5.4 as a AAA client
that uses TACACS+.
You must also provide the device-management application with a valid administrator name and
password. When a management application initially communicates with ACS, these requirements ensure
the validity of the communication.
password. When a management application initially communicates with ACS, these requirements ensure
the validity of the communication.
Except for the packet-headers, all information that the client and TACACS+ server communicate, which
is contained in the packet-bodies are encrypted through the use of a shared secret (which is, itself, not
sent over the network directly).
is contained in the packet-bodies are encrypted through the use of a shared secret (which is, itself, not
sent over the network directly).
Additionally, the administrator that the management application uses must have the Command Set
privilege enabled.
privilege enabled.
Table A-1
TACACS+ and RADIUS Protocol Comparison
Point of Comparison
TACACS+
RADIUS
Transmission Protocol
TCP—Connection-oriented transport-layer
protocol, reliable full-duplex data
transmission.
protocol, reliable full-duplex data
transmission.
UDP—Connectionless transport-layer protocol,
datagram exchange without acknowledgments or
guaranteed delivery. UDP uses the IP to get a data
unit (called a datagram) from one computer to
another.
datagram exchange without acknowledgments or
guaranteed delivery. UDP uses the IP to get a data
unit (called a datagram) from one computer to
another.
Ports Used
49
Authentication and Authorization: 1645 and 1812
Accounting: 1646 and 1813.
Accounting: 1646 and 1813.
Encryption
Full packet-body encryption.
Encrypts only passwords up to 16 bytes.
AAA Architecture
Separate control of each service:
authentication, authorization, and accounting.
authentication, authorization, and accounting.
Authentication and authorization combined as
one service.
one service.
Intended Purpose
Device management.
User access control.