Practical 3

The document discusses configuring AAA authentication on Cisco routers using TACACS and RADIUS. It provides details on the protocols, advantages and disadvantages of each, and examples of configuring a router, servers, and PCs for authentication using TACACS and RADIUS.
SIC JOURNAL TYIT

PRACTICAL NO 3: Configure AAA Authentication on Cisco Routers
To provide a centralized management system for authentication, authorization and accounting (the AAA
framework), an Access Control Server (ACS) is used. For communication between the client and the
ACS server, two protocols are used, namely TACACS+ and RADIUS.
TACACS+ –
Terminal Access Controller Access Control System (TACACS+) is a Cisco proprietary protocol used for
communication between a Cisco client and a Cisco ACS server. It uses TCP port number 49, which makes
it reliable.

RADIUS –
Remote Authentication Dial-In User Service (RADIUS) is an open standard protocol used for communication
between an AAA client and an ACS server of any vendor. If either the client or the server is from a vendor
other than Cisco, RADIUS has to be used. It uses UDP port number 1812 for authentication and
authorization and 1813 for accounting.

TACACS+                                                   | RADIUS
----------------------------------------------------------+----------------------------------------------------------
Cisco proprietary protocol                                | Open standard protocol
Uses TCP as the transport protocol                        | Uses UDP as the transport protocol
Uses TCP port number 49                                   | Uses UDP port number 1812 for authentication and
                                                          | authorization and 1813 for accounting
Authentication, authorization and accounting are          | Authentication and authorization are combined
separated                                                 |
All the AAA packets are encrypted                         | Only the passwords are encrypted; other information
                                                          | such as username, accounting information etc. is not
                                                          | encrypted
Preferably used for ACS                                   | Used when ISE is used
Provides more granular control, i.e. the particular       | No external authorization of commands supported
command can be specified for authorization                |
Offers multiprotocol support                              | No multiprotocol support
Used for device administration                            | Used for network access

ISMAIL H P Page 1

Similarities –
The process is started by the Network Access Device (NAD, the client of TACACS+ or RADIUS). The NAD
contacts the TACACS+ or RADIUS server and transmits the authentication request (username and password)
to the server. First, the NAD obtains the username prompt and transmits the username to the server; then
the NAD contacts the server again to obtain the password prompt, and the password is sent to the server.
The server replies with an access-accept message if the credentials are valid, otherwise it sends an
access-reject message to the client. Authorization and accounting differ between the two protocols, as
authentication and authorization are combined in RADIUS.

Advantages (TACACS+ over RADIUS) –

1. As TACACS+ uses TCP, it is more reliable than RADIUS.
2. TACACS+ provides more control over the authorization of commands, while in RADIUS
no external authorization of commands is supported.
3. All the AAA packets are encrypted in TACACS+, while only the passwords are encrypted
in RADIUS, i.e. TACACS+ is more secure.
Advantages (RADIUS over TACACS+) –
1. As it is an open standard, RADIUS can be used with other vendors' devices, whereas
TACACS+, being Cisco proprietary, can be used with Cisco devices only.
2. It has more extensive accounting support than TACACS+.
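As an added example (not from the lab journal), the following Python shows why the table above says that in RADIUS only the password is protected: in an Access-Request the User-Name attribute travels in clear, while User-Password is hidden with the RFC 2865 scheme using the shared secret (the lab's key cisco) and the 16-byte Request Authenticator. Function names, the sample secret and the authenticator are constructed for this illustration.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password per RFC 2865 section 5.2: pad to 16-octet blocks,
    then XOR each block with MD5(secret + previous ciphertext block), the
    first block being keyed by MD5(secret + Request Authenticator)."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += cipher
        prev = cipher  # chaining: next block is keyed by this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation as performed by the server; strips the null padding
    (passwords are assumed not to end in a null octet)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request_attributes(username: bytes, password: bytes,
                              secret: bytes, authenticator: bytes) -> dict:
    """Minimal attribute set of an Access-Request keyed by RADIUS attribute type:
    User-Name (1) is sent in clear, User-Password (2) is hidden with the secret."""
    return {1: username, 2: hide_password(password, secret, authenticator)}


# Constructed sample values: the lab's shared key and a fixed authenticator
# (a real client draws the authenticator from a secure random source).
SECRET = b"cisco"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    attrs = access_request_attributes(b"smile", b"cisco", SECRET, AUTHENTICATOR)
    print("User-Name on the wire:", attrs[1])            # visible to anyone capturing the packet
    print("User-Password on the wire:", attrs[2].hex())  # hidden, recoverable only with the secret
    print("Server recovers:", reveal_password(attrs[2], SECRET, AUTHENTICATOR))
```

A wrong shared secret on the server side yields garbage rather than an error, which is why a key mismatch between the router and the server shows up as a rejected login.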
We use the following topology for the present case


Configuring PC0

Configuring PC1


Configuring Router0


Configuring Server0 (As TACACS)

While configuring the TACACS/RADIUS server, the Client IP address must be the Router IP


Configuring Server1 (As RADIUS)


Type the following commands in the CLI mode of Router0

Router>enable
Router#configure terminal
Router(config)#aaa new-model
Router(config)#tacacs-server host 192.168.2.3 key cisco
Router(config)#radius-server host 192.168.2.2 key cisco
Router(config)#aaa authentication login ismail group tacacs+ group radius local
Router(config)#line vty 0 4
Router(config-line)#login authentication ismail
Router(config-line)#exit
Router(config)#

The authentication can be tested by typing the command telnet 192.168.2.1 (the Router IP) on any of the
PCs.
We get a prompt for the username and password; the username and password set on the TACACS server are
entered:
Username: smile
Password: smile
We get the following


In order to authenticate against the RADIUS server we need to turn OFF the TACACS service


We again enter the command telnet 192.168.2.1 (the Router IP) and enter the username and password
set on the RADIUS server (Username: smile, Password: cisco)
We get the following

The local login can also be verified by turning OFF both the TACACS and RADIUS services. The username and
password are both cisco (by default)
Hence the authentication through both TACACS and RADIUS
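As an added example (not part of the lab journal), the following Python models the method list configured above (aaa authentication login ismail group tacacs+ group radius local) and replays the three verification steps: TACACS+ up, TACACS+ off, both servers off. It assumes the IOS rule that the next method is consulted only when the previous one returns an error (server not responding), never when a reachable server rejects the credentials, and it uses the page's credentials (smile/smile on TACACS+, smile/cisco on RADIUS, cisco/cisco locally); the class and function names are constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AAAServer:
    """Stand-in for Server0 (TACACS+) or Server1 (RADIUS) from the lab."""
    name: str
    users: dict
    up: bool = True  # False models "turning OFF the service" on the server

    def authenticate(self, username: str, password: str) -> str:
        if not self.up:
            return "ERROR"  # no reply: the method list moves on to the next method
        return "PASS" if self.users.get(username) == password else "FAIL"


@dataclass
class Router:
    """Router0 with a login method list; "local" stands for the local user database."""
    methods: list = field(default_factory=list)
    local_users: dict = field(default_factory=lambda: {"cisco": "cisco"})

    def local(self, username: str, password: str) -> str:
        return "PASS" if self.local_users.get(username) == password else "FAIL"

    def login(self, username: str, password: str) -> tuple:
        """Return (result, method name) for a vty login, walking the method list in order."""
        for method in self.methods:
            if method == "local":
                return self.local(username, password), "local"
            result = method.authenticate(username, password)
            if result != "ERROR":
                return result, method.name  # PASS or FAIL ends the walk: no fallback on reject
        return "FAIL", "none"  # every method errored out and there was no local fallback


def lab_setup():
    """Build the page's topology: TACACS+ (smile/smile), RADIUS (smile/cisco), local (cisco/cisco)."""
    tacacs = AAAServer("tacacs+", {"smile": "smile"})
    radius = AAAServer("radius", {"smile": "cisco"})
    return tacacs, radius, Router(methods=[tacacs, radius, "local"])


if __name__ == "__main__":
    tacacs, radius, router = lab_setup()
    print(router.login("smile", "smile"))  # TACACS+ answers: ('PASS', 'tacacs+')
    print(router.login("smile", "cisco"))  # TACACS+ rejects, no fallback: ('FAIL', 'tacacs+')
    tacacs.up = False
    print(router.login("smile", "cisco"))  # TACACS+ silent, RADIUS answers: ('PASS', 'radius')
    radius.up = False
    print(router.login("cisco", "cisco"))  # both silent, local database: ('PASS', 'local')
```

The second call shows why the RADIUS password does not work while the TACACS service is still running: a rejection from a reachable server is final, so the lab has to stop the TACACS service to exercise the RADIUS and local methods.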
