21.8. TACACS and Friends

TACACS may be an acronym for Terminal Access Controller Access Control System, or then again, it may not; its origins have been lost. TACACS is an old protocol. There are several more recent versions of it, including XTACACS and TACACS+; TACACS+ currently appears to be the most popular.


All of these protocols, like RADIUS, are designed to provide authentication, authorization, and auditing services for dial-up users.

TACACS and XTACACS send all information, including usernames and passwords, in cleartext. TACACS+ uses MD5 to avoid sending passwords and usernames in a reusable form and usually also encrypts all information. Basically, this makes TACACS and XTACACS less secure than RADIUS, and TACACS+ more secure than RADIUS.

In order to support encryption, TACACS+ requires a secret key shared between the server and the client. This key needs to be stored on both the server and the client, and an attacker who has access to the key will be able to impersonate the server and to decrypt all information. This will not actually give the attacker access to passwords (the passwords are not sent in any decryptable form). Nonetheless, you should take reasonable steps to protect this key.
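To make the shared-key point concrete, here is an added example (not code from the book) of how a TACACS+ packet body is hidden on the wire. The pad construction and header layout follow RFC 8907 section 4.5, the current TACACS+ specification, which the book does not cite; the session id, key and body bytes are constructed for the example. It shows that whoever holds the key regenerates the MD5 keystream and reads every body, that a wrong key yields garbage rather than an error, and that a header with TAC_PLUS_UNENCRYPTED_FLAG set carries the body in the clear, which a receiver or monitoring sensor should flag.

```python
import hashlib
import struct

# Constants from RFC 8907 (the TACACS+ specification; not cited by the page).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                    # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01          # header flag: body sent in the clear
HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}); the digests are
    concatenated and truncated to the body length. Anyone holding `key` can regenerate it."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate: XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int,
                 ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Wrap body in a TACACS+ header. An empty key models an implementation with no shared
    secret configured: the body goes out unobfuscated and the flag says so."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    if key:
        flags, payload = 0, xor_body(body, session_id, key, version, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(payload))
    return header + payload


def read_body(packet: bytes, key: bytes) -> tuple:
    """Recover the body; returns (body, was_obfuscated). A receiver, or a sensor that
    holds the key, should treat was_obfuscated == False as a policy violation."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload, False
    return xor_body(payload, session_id, key, version, seq_no), True


if __name__ == "__main__":
    # Constructed stand-in for an authentication body; real bodies are binary structures.
    body = b"user=alice pass=constructed-example"
    key = b"shared-secret-example"           # constructed key, not a real deployment value
    pkt = build_packet(body, key, session_id=0x2A2A2A2A, seq_no=1)
    print("on the wire:", pkt[HEADER_LEN:].hex())
    print("with key:   ", read_body(pkt, key))
    print("wrong key:  ", read_body(pkt, b"guess"))
    print("no key:     ", read_body(build_packet(body, b"", 0x2A2A2A2A, 1), b""))
```

The pad depends only on values visible in the header plus the key, so the key is the whole secret: there is no per-session key exchange to limit the damage of a leaked key, which is why the book tells you to protect it.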


21.8.1. Packet Filtering Characteristics of TACACS and Friends

TACACS uses UDP port 49; it may also use TCP but does not necessarily use port 49 when using TCP. XTACACS uses UDP port 49. TACACS+ uses TCP port 49.

Direction  Source Addr.  Dest. Addr.  Protocol  Source Port  Dest. Port  ACK Set  Notes
In         Ext           Int          UDP       >1023        49          [142]    Request, external client to internal TACACS/XTACACS server
Out        Int           Ext          UDP       49           >1023       [142]    Response, internal TACACS/XTACACS server to external client
In         Ext           Int          TCP       >1023        49[143]     [144]    External client connecting to internal TACACS/TACACS+ server
Out        Int           Ext          TCP       49[143]      >1023       Yes      Internal TACACS/TACACS+ server responding to external client
Out        Int           Ext          UDP       >1023        49          [142]    Request, internal client to external TACACS/XTACACS server
In         Ext           Int          UDP       49           >1023       [142]    Response, external TACACS/XTACACS server to internal client
Out        Int           Ext          TCP       >1023        49[143]     [144]    Internal client connecting to external TACACS/TACACS+ server
In         Ext           Int          TCP       49[143]      >1023       Yes      External TACACS/TACACS+ server responding to internal client

[142] UDP has no ACK equivalent.

[143] This may be any port for TACACS.

[144] ACK will not be set on the first packet (establishing connection) but will be set on the rest.
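The eight rows above, encoded as a small stateless filter and run over constructed packets; this is an added example, not the book's material. The rule set takes the server port as a parameter because of footnote 143 (plain TACACS over TCP need not use 49), and the "Yes" rows become a requirement that the ACK bit be set, which is what stops an outside host from opening a connection from source port 49 into an internal high port.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One packet as a stateless filter sees it (constructed for the example)."""
    direction: str          # "in" (Ext -> Int) or "out" (Int -> Ext)
    proto: str              # "udp" or "tcp"
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag; meaningless for UDP


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    sport: str              # "49" or ">1023", as written in the table
    dport: str
    need_ack: bool          # True for the "Yes" rows: only packets with ACK set match
    note: str


def port_matches(spec: str, port: int) -> bool:
    """Interpret the table's port notation: an exact port or ">N"."""
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and port_matches(rule.sport, pkt.sport)
            and port_matches(rule.dport, pkt.dport)
            and (pkt.ack or not rule.need_ack))


def tacacs_rules(server_port: int = 49) -> List[Rule]:
    """The eight rows of the table. server_port is 49 for TACACS+ (and for TACACS over TCP
    when it uses the standard port); footnote 143 is why it is a parameter."""
    p = str(server_port)
    return [
        Rule("in",  "udp", ">1023", "49", False, "request, external client to internal TACACS/XTACACS server"),
        Rule("out", "udp", "49", ">1023", False, "response, internal TACACS/XTACACS server to external client"),
        Rule("in",  "tcp", ">1023", p, False, "external client connecting to internal TACACS/TACACS+ server"),
        Rule("out", "tcp", p, ">1023", True, "internal TACACS/TACACS+ server responding to external client"),
        Rule("out", "udp", ">1023", "49", False, "request, internal client to external TACACS/XTACACS server"),
        Rule("in",  "udp", "49", ">1023", False, "response, external TACACS/XTACACS server to internal client"),
        Rule("out", "tcp", ">1023", p, False, "internal client connecting to external TACACS/TACACS+ server"),
        Rule("in",  "tcp", p, ">1023", True, "external TACACS/TACACS+ server responding to internal client"),
    ]


def classify(pkt: Packet, rules: List[Rule]) -> Optional[str]:
    """Return the note of the first rule that permits pkt, or None (implicit deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.note
    return None


if __name__ == "__main__":
    rules = tacacs_rules()
    samples = [
        Packet("in", "tcp", 40000, 49),                 # client connects: permitted
        Packet("in", "tcp", 49, 40000, ack=False),      # SYN from port 49 inward: denied
        Packet("in", "tcp", 49, 40000, ack=True),       # server reply inward: permitted
        Packet("out", "udp", 5000, 49),                 # internal client to outside server
        Packet("in", "udp", 80, 49),                    # wrong source port: denied
    ]
    for pkt in samples:
        print(pkt, "->", classify(pkt, rules) or "DENY")
```

Because the UDP rows cannot check ACK, the two UDP reply rows let in any datagram from source port 49 to a high port, which is one more reason the summary below prefers TACACS+ over TCP.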


21.8.2. Proxying Characteristics of TACACS and Friends

TACACS+ is a straightforward TCP-based protocol that is well suited for use with generic proxy systems. However, note that TACACS+ supports encryption using a secret key shared between the server and the client, and there is no standard way to determine which key to use if different clients have different secrets. Some implementations may use the source address to determine the encryption key, requiring a dedicated proxy that has its own encryption key.

TACACS and XTACACS are both normally UDP-based, so they require proxies that can handle UDP. However, they have no additional complexities and should work with any generic proxy that supports UDP.


21.8.3. Network Address Translation Characteristics of TACACS and Friends

TACACS and XTACACS do not use embedded IP addresses and will work without change with network address translation systems. TACACS+ should also work, but just as with proxying, you should note that TACACS+ supports encryption using a secret key shared between the server and the client, and there is no standard way to determine which key to use if different clients have different secrets. Some implementations may use the source address to determine the encryption key, requiring static address mappings.


In addition, TACACS+ supports the negotiation of IP addresses for PPP clients. In the unlikely event that you build a network configuration where a network address translation system is modifying TACACS+ packets that are eventually used to set remote IP addresses, you must be careful to configure the TACACS+ server so that the addresses it gives are valid. The network address translation system will not be able to modify those embedded addresses.


21.8.4. Summary of Recommendations for TACACS and Friends

Do not use TACACS or XTACACS across insecure networks (they transmit cleartext usernames and passwords); use TACACS+ instead.