This is really more information than you've requested but I thought it was a
good enough discussion to post anyway. It comes from CBT Systems (now
Smartforce) Cisco Security Systems CBT:

Cisco has developed the CiscoSecure Access Control Server (ACS) family of
security servers, which supports both TACACS+ and Remote Authentication Dial-In
User Service (RADIUS).

Terminal Access Control Access System+ (TACACS+) and RADIUS are security
server protocols used to communicate between the security server and router,
NAS, or firewall.

CiscoSecure secures network access for

. dial-up via Cisco network access servers and routers

. router and switch console and vty port access for management

. PIX Firewall access

CiscoSecure interoperates with the network access server, router, and PIX
Firewall to help you implement a comprehensive security policy via AAA
architecture.

CiscoSecure also interoperates with token cards and servers.

ACS is easily managed via standard browsers.

You can easily make moves, additions, and changes to usernames, passwords,
and network devices.

ACS is implemented on both the UNIX and Windows NT server platforms.

TACACS+ forwards username and password information to a centralized security
server.

TACACS+ supports the AAA architecture, including PAP and CHAP
authentication.

TACACS+ is a proposed industry standard defined in RFC 1492.

And it can be used for LAN and WAN security.

TACACS+ supports autocommand and callback.

It also has the following features:

. TCP packets for reliable data transport, using TCP/IP as the communication
protocol between the remote client and security server

. encryption of links, including TCP packets

. SLIP, PPP, and ARA support for dial-up security

. it allows assignment of per-user access lists in the authorization phase

The Cisco network access server exchanges user authentication information
with the TACACS+ server process by transmitting TACACS+ packets across the
network.

The TACACS+ authentication process involves the network access server and
the TACACS+ server process exchanging information using TACACS+ packets.

The TACACS+ server process and the access server can exchange accounting
information.

The access server sends an accounting record to the server process based on
the selected event and method.

Then the TACACS+ server process sends a response packet to the access server
and acknowledges receipt of the accounting record.

There are three main versions of TACACS+:

. TACACS (First Version)

. XTACACS (Cisco extensions)

. TACACS+

XTACACS defines the extensions that Cisco added to the TACACS protocol to
support new and advanced features.

XTACACS is multiprotocol.

XTACACS is virtually obsolete in connection with Cisco AAA features and
products.

TACACS+ is an enhanced and continually improved version of TACACS that
allows a TACACS+ server to provide the services of AAA independently.

It was introduced in Cisco IOS Release 10.3.

It is not compatible with XTACACS.

RADIUS is a distributed client/server system that secures networks against
unauthorized access.

In a Cisco environment RADIUS clients can run on Cisco routers and send
authentication requests to a central RADIUS server.

The RADIUS server contains all user authentication and network service
access information.

RADIUS is a fully open protocol and is described in RFCs 2058 and 2059.

It can be modified to work with any security system currently available.

Cisco supports RADIUS under its AAA security architecture.

RADIUS is compatible with other AAA security protocols such as

. TACACS+

. Kerberos

. local name lookup (LNL)

As well as CiscoSecure ACS, RADIUS is supported on the Cisco 1600, 2500,
3600, 4000, 5000, and 7000 series routers.

RADIUS has been implemented successfully in a range of network environments
that require high levels of security while maintaining network access for
remote users.

There are three major versions of RADIUS available:

. IETF (~55 attributes)

. Cisco (~48 attributes)

. Ascend (~165 attributes)

Attributes are the various specified possible bits of a message.

The Cisco release offers an increasing number of attributes and
functionality.

Ascend offers

. constantly changing/adding attributes

. proprietary extensions such as token caching and password changing

. an Application Programming Interface (API) that enables development of new
extensions

TACACS+ is considered superior to RADIUS.

TACACS+ TCP packets are encrypted, whereas RADIUS encrypts the shared-secret
password only.

RADIUS has limited name space for attributes.

TACACS+ separates authentication and authorization, making distributed
security services possible.

The TACACS+ protocol allows for customization of objects like usernames and
passwords on a per-user basis.

RADIUS lacks this kind of flexibility.

RADIUS uses UDP instead of TCP as its transport protocol.

This means that the RADIUS protocol is less robust and requires the server
to implement reliability.

In a TACACS+ environment the server accepts or rejects the authentication
request based on the contents of the user profile.

The client never knows the contents of the user profile.

In a RADIUS environment all reply attributes in the user profile are sent to
the network access server.

The network server accepts or rejects the authentication request based on
the attributes received.

RADIUS's chief advantage over TACACS+ is its capacity for generating more
extensive accounting records.

Let's take a look at Kerberos.

Kerberos is a secret-key network authentication protocol that uses the Data
Encryption Standard (DES) cryptographic algorithm for encryption and
authentication.

Kerberos was designed to authenticate requests for network resources.

Like most secret-key systems, Kerberos is based on the concept of a trusted
third party.

This third party performs secure verification of users and services.

In the Kerberos protocol this is called the key distribution center (KDC).

Kerberos is primarily used for authentication purposes.

The trusted Kerberos server issues tickets to users.

These tickets have a limited life-span.

They are stored in a user's credential cache and can be used in place of the
standard username-and-password authentication mechanism.

Kerberos embodies the single logon concept.

This concept requires authenticating a user once and then allowing secure
authentication (without encrypting further passwords) wherever that user's
credential is accepted.

Cisco IOS Release 11.2 includes Kerberos 5 support.

This allows organizations already using Kerberos 5 on network hosts to use
the same authentication database on their routers.

Among the applications and services that have been modified to support the
additional security of the Kerberos credential infrastructure are

. Telnet

. rlogin virtual terminal

. remote shell service (RSH)

. Remote Procedure Call (RPC)


"Vincent" <[EMAIL PROTECTED]> wrote in message
news:99nuig$isc$[EMAIL PROTECTED]...
> Hi;
>
>         I want to know the difference between 2 systems, I checked in the
> cisco web site already, but could not find the answer?
>
> Thanks
> Vincent
>
>
> _________________________________
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>


_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
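The post's key contrast (TACACS+ obfuscates the whole packet body, RADIUS hides only the User-Password attribute, and RADIUS sends every other attribute in the clear) is easier to see in code. The following is an added example, not part of the CBT material or of the list post: it implements the RADIUS password-hiding step from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5 with the Python standard library, then reports which fields an observer without the shared secret can read from each packet. The shared secret, username, password, session id and fixed Request Authenticator are all constructed values; `wire_exposure`, `radius_attributes` and the other function names are this example's own, not Cisco or ACS APIs.

```python
"""Added example: what RADIUS and TACACS+ each hide on the wire.
Standard library only; every secret and payload below is constructed."""
import hashlib
import os
import struct


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _attr(atype, value):
    # RADIUS attribute: Type(1) Length(1, counts these two bytes too) Value
    return bytes([atype, len(value) + 2]) + value


# --- RADIUS: only the User-Password attribute is hidden --------------------

def radius_hide_password(secret, request_authenticator, password):
    """RFC 2865 s5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the 16-byte Request
    Authenticator stands in for the 'previous block' of the first block."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(secret, request_authenticator, hidden):
    """Server side of the same scheme; trailing NUL padding is stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def radius_access_request(secret, identifier, username, password, request_authenticator=None):
    """Access-Request (Code 1): 20-byte header + User-Name(1) + User-Password(2)."""
    ra = request_authenticator or os.urandom(16)
    attrs = _attr(1, username) + _attr(2, radius_hide_password(secret, ra, password))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs


def radius_attributes(packet):
    """Parse attributes with no secret at all: everything except User-Password
    reads back exactly as the NAS sent it."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


# --- TACACS+: the whole body after the 12-byte header is obfuscated -------

def tacacs_pseudo_pad(secret, session_id, version, seq_no, length):
    """RFC 8907 s4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); pads are concatenated."""
    fixed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(fixed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_authen_start(username, port=b"tty0", rem_addr=b"", action=1, priv_lvl=1,
                        authen_type=2, service=1, data=b""):
    """Authentication START body (RFC 8907 s5.1). With authen_type=2 (PAP)
    the data field carries the password, so the body holds both credentials."""
    fixed = bytes([action, priv_lvl, authen_type, service,
                   len(username), len(port), len(rem_addr), len(data)])
    return fixed + username + port + rem_addr + data


def tacacs_packet(secret, session_id, seq_no, body, ptype=1, flags=0):
    """Cleartext header + body XOR pseudo-pad. Version 0xc0 = major 0xc, minor 0.
    flags bit 0 (TAC_PLUS_UNENCRYPTED_FLAG) would send the body in the clear."""
    version = 0xc0
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    if flags & 0x01:
        return header + body
    return header + _xor(body, tacacs_pseudo_pad(secret, session_id, version, seq_no, len(body)))


def tacacs_body(secret, packet):
    """Recover the body as the server does; without the key only the header is readable."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & 0x01:
        return body
    return _xor(body, tacacs_pseudo_pad(secret, session_id, version, seq_no, length))


def wire_exposure(secret=b"constructed-shared-secret", username=b"alice", password=b"s3cret-pw"):
    """Which credential fields appear verbatim in each packet (constructed inputs)."""
    ra = hashlib.md5(b"constructed fixed authenticator").digest()  # a real NAS uses os.urandom(16)
    rad = radius_access_request(secret, 7, username, password, ra)
    tac = tacacs_packet(secret, 0x12345678, 1, tacacs_authen_start(username, data=password))
    return {"radius_username_visible": username in rad,
            "radius_password_visible": password in rad,
            "tacacs_username_visible": username in tac,
            "tacacs_password_visible": password in tac}


if __name__ == "__main__":
    print(wire_exposure())
```

The RADIUS User-Name (and any NAS-IP-Address, Framed-IP-Address or vendor attribute) is readable by anyone on the path because only attribute type 2 is run through the MD5 pad; that, together with MD5 keyed by a static shared secret, is why RADIUS deployments are expected to sit behind IPsec or RadSec (RADIUS over TLS). TACACS+ is better in that the whole body is covered, but its pad is also just MD5 over the shared secret and per-packet header values, so the protection is confidentiality against casual observation, not a modern cipher; the protocol still relies on a trustworthy management network.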
