21.8. TACACS and Friends
TACACS may be an acronym for Terminal Access Controller Access Control System, or then again, it may not; its origins have been lost. TACACS is an old protocol. There are several more recent versions of it, including XTACACS and TACACS+; TACACS+ currently appears to be the most popular.
All of these protocols, like RADIUS, are designed to provide authentication, authorization, and auditing services for dial-up users.
TACACS and XTACACS send all data, including usernames and passwords, in cleartext. TACACS+ uses MD5 to avoid sending passwords and usernames in a reusable form and usually also encrypts all data. In general, this makes TACACS and XTACACS less secure than RADIUS, and TACACS+ more secure than RADIUS.
In order to support encryption, TACACS+ requires a secret key shared between the server and the client. This key must be stored on both the server and the client, and an attacker who has access to the key will be able to impersonate the server and to decrypt all data. This will not actually give the attacker access to passwords (the passwords are not sent in any decryptable form). Nonetheless, you should take reasonable steps to protect this key.
21.8.1. Packet Filtering Characteristics of TACACS and Friends
TACACS uses UDP port 49; it can also use TCP but does not necessarily use port 49 when using TCP. XTACACS uses UDP port 49. TACACS+ uses TCP port 49.
| Direction | Source Addr. | Dest. Addr. | Protocol | Source Port | Dest. Port | ACK Set | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | UDP | >1023 | 49 | <142> | Request, external client to internal TACACS/XTACACS server |
| Out | Int | Ext | UDP | 49 | >1023 | <142> | Response, internal TACACS/XTACACS server to external client |
| In | Ext | Int | TCP | >1023 | 49<143> | <144> | External client connecting to internal TACACS/TACACS+ server |
| Out | Int | Ext | TCP | 49<143> | >1023 | Yes | Internal TACACS/TACACS+ server responding to external client |
| Out | Int | Ext | UDP | >1023 | 49 | <142> | Request, internal client to external TACACS/XTACACS server |
| In | Ext | Int | UDP | 49 | >1023 | <142> | Response, external TACACS/XTACACS server to internal client |
| Out | Int | Ext | TCP | >1023 | 49<143> | <144> | Internal client connecting to external TACACS/TACACS+ server |
| In | Ext | Int | TCP | 49<143> | >1023 | Yes | External TACACS/TACACS+ server responding to internal client |
<143> This may be any port for TACACS.
<144> ACK will not be set on the first packet (establishing connection) but will be set on the rest.
21.8.2. Proxying Characteristics of TACACS and Friends
TACACS+ is a straightforward TCP-based protocol that is well suited for use with generic proxy systems. However, note that TACACS+ supports encryption using a secret key shared between the server and the client, and there is no standard way to determine which key to use if different clients have different keys. Some implementations may use the source address to determine the encryption key, requiring a dedicated proxy that has its own encryption key.
TACACS and XTACACS are both normally UDP-based, so they require proxies that can handle UDP. However, they have no additional complexities and should work with any generic proxy that supports UDP.
21.8.3. Network Address Translation Characteristics of TACACS and Friends
TACACS and XTACACS do not use embedded IP addresses and will work without modification with network address translation systems. TACACS+ should also work, but just as with proxying, you should note that TACACS+ supports encryption using a secret key shared between the server and the client, and there is no standard way to determine which key to use if different clients have different keys. Some implementations may use the source address to determine the encryption key, requiring static address mappings.
In addition, TACACS+ supports the negotiation of IP addresses for PPP clients. In the unlikely event that you construct a network configuration where a network address translation system is modifying TACACS+ packets that are ultimately used to set remote IP addresses, you must be careful to configure the TACACS+ server so that the addresses it provides are valid. The network address translation system will not be able to modify those embedded addresses.
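
The shared-secret scheme and the per-source-address key selection described above, as an added example (not code from the original text or from any TACACS+ implementation): it applies the MD5-based body obfuscation specified in RFC 8907, section 4.5, and shows a server that selects the key by source address failing to recover the body once a proxy or NAT device has changed that address. The key table, addresses, sample body, and function names are constructed for illustration.

```python
import hashlib
import struct

# Constructed per-client secrets, keyed by source address (hypothetical values).
KEYS_BY_SOURCE = {"192.0.2.10": b"nas-a-secret", "192.0.2.20": b"nas-b-secret"}
UNENCRYPTED_FLAG = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG in the header flags byte


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: each block hashes the fixed prefix plus the previous block."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def xor_body(header, body, key):
    """XOR the body with the pad; the same call obfuscates and deobfuscates."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", header)
    if length != len(body):
        raise ValueError("header length does not match body")
    if flags & UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, key, session_id, seq_no=1, version=0xC0, ptype=0x01):
    """12-byte header (version, type, seq_no, flags, session_id, length) + body."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + xor_body(header, body, key)


def server_decode(packet, source_addr):
    """Pick the key from the packet's apparent source address, then decode."""
    key = KEYS_BY_SOURCE.get(source_addr)
    if key is None:
        raise LookupError(f"no shared secret configured for {source_addr}")
    return xor_body(packet[:12], packet[12:], key)


if __name__ == "__main__":
    body = b"constructed sample body, longer than one MD5 block"
    pkt = build_packet(body, KEYS_BY_SOURCE["192.0.2.10"], session_id=0x1234ABCD)
    print(server_decode(pkt, "192.0.2.10"))          # true source: body recovered
    print(server_decode(pkt, "192.0.2.20") == body)  # rewritten source: wrong key
```

The header travels in the clear, so the body is protected only by the secrecy of the key that feeds the MD5 chain.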