AAA Authentication Authorization and Accounting
In CCNA Routing and Switching level, we studied local authentication by setting passwords to move to privilege mode (enable password) or creating local user database for authenticating users. In Cisco network infrastructure device running IOS, by default authentication is by a line password (line console or line vty) and authorization by a level 15 enable password. Both line authentication and enable level 15 authorization are good if you have only a very small number of network infrastructure equipments.
Your network is growing and if you are are managing a large network environment, authentication using local device user database and authorization using enable level 15 authorization is not a scalable solution. This is the time to think about Cisco AAA solutions.
AAA stands for Authentication, Authorization and Accounting.
Authentication: Authentication is the process in which the identify of a device or a user is verified when they attempt to access a network resource and confirm that it is the real entity which it claims. Authentication typically uses userid/password combination for authenticating users. Other types of authentication are also available like biometric authentication or authentication using digital certificates. Authentication provides the answer for the questions "Who are you?" or "Are you the same person you are claiming?"
Authorization: Authorization is the process after authentication used for determining whether a user who try to access any device, data or execute a command has the permission to access that device, data or execute a command. Authorization provides the answer for the question "Are you allowed to do this task?"
Accounting: Accounting can be defined as tracking of data, access, usage, events or network resources. Accounting is logging, auditing, and monitoring of data, access, usage, events of network resources. Accounting provides the answer for the questions "What did you do?", "Who is responsible for this?"
AAA RADIUS and TACACS+, Difference between RADIUS and TACACS+
RADIUS (Remote Authentication Dial-in User Service) is all-vendor supported AAA protocol. RADIUS was first developed by Livingston Enterprises Inc in 1991, which later merged with Alcatel Lucent. RADIUS later became an Internet Engineering Task Force (IETF) standard. RADIUS uses UDP ports 1812 Authentication and 1813 for Accounting.
TACACS+ is another AAA protocol. TACACS+ was developed by Cisco from TACACS (developed in 1984 for the U.S Department of Defense). TACACS+ uses TCP and provides separate authentication, authorization and accountingservices. Port used by TACACS+ is TCP 49.
The RADIUS or TACACS+ protocol can provide a central authentication protocol to authenticate users, routers, switches or servers. If your network is growing and if you are are managing a large network environment, authentication using local device user database and authorization using privilege level 15 authorization is not a scalable solution. AAA (Authentication Authorization Accounting) protocol like RADIUS or TACACS+ can provide a better centralized authentication solution in a big enterprise network.
The main differences between RADIUS and TACACS+ can be tabulated as below.
RADIUS | TACACS+ |
---|---|
RADIUS uses UDP as Transport Layer Protocol | TACACS+ uses TCP as Transport Layer Protocol |
RADIUS uses UDP ports 1812 and 1813 | TACACS+ uses TCP port 49 |
RADIUS encrypts passwords only | TACACS+ encrypts the entire communication |
RADIUS combines authentication and Authorization | TACACS+ treats Authentication, Authorization, and Accountability differently |
RADIUS is an open protocol supported by multiple vendors | TACACS+ is Cisco proprietary protocol |
RADIUS is a light-weight protocol consuming less resources | TACACS+ is a heavy-weight protocol consuming more resources |
Thanks for Sharing Quality information With us List of Accounting Firms in Dubai | Accounting Services Dubai
ReplyDelete