"k0rz ." <[EMAIL PROTECTED]> queried the List:
>> I am trying to understand which server would be better to use for
>> ACE authentication and why; so far I have found very little literature or
>> web sites on this. I would really appreciate some insight into this.
As I've come to expect, Paul Robertson <[EMAIL PROTECTED]> gave
the first-order reply better, faster, (and certainly more concisely) than I
ever could:
> There's no cut-and-dried answer, it's better to look and see which can do
> what you need, and then which is less-vulnerable to attack in your
> specific environment.
Both TACACS+ and RADIUS servers work well using the ACE/Server as
an authentication engine. Both have services they excel at. TACACS+ has a
different granularity that some find useful, and many find the TACACS+ server
somewhat easier to set up. Each requires administrative care in managing
their respective capabilities to get appropriate AAA: accounting,
authorization, and you-know-what.
In fact, however, the actual authentication capabilities of each
protocol are very similar. As Paul Robertson suggested:
>If you either switch or direct-path the host <-> auth server stuff, though,
>it really shouldn't matter a great deal. Radius has the advantage of
>multi-vendor support, TACACS+ of being a "better" protocol.
SDTI, for whom I work as a dime-a-day consultant, itself offers a
native ACE-compatible RADIUS server for both UNIX and NT platforms. I think
SDTI's version of TACACS+ is only available for UNIX -- which, in some
circles (on some other mailing lists) is considered a selling point for
RADIUS/ACE -- but CiscoSecure's ACS on NT supports ACE strong
authentication on any Network Access Server (NAS), with either TACACS+
and/or RADIUS. See:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23/csnt23ug/ch1.htm#17075
Most RADIUS Servers -- certainly all the several commercial RADIUS
servers -- handle SDTI's ACE protocol, many with embedded ACE/Client code.
Paul mentioned a TACACS+ vs. RADIUS paper on the Cisco website, but
the closest thing I could find on CCO was a 1997 white paper: "RADIUS
Support in Cisco IOS Software." (I'd be interested if anyone has a better
cite for a better comparative doc.)
Two years ago, Cisco did publish an informational RFC on TACACS+.
See: <http://www.ietf.org/internet-drafts/draft-grant-tacacs-02.txt>
"k0rz" and any others concerned about ACE compatibility with these
protocols might want to peruse SDTI's "Implementation Guide for Cisco
Remote Access Servers" at:
<http://www.securitydynamics.com/service/guides/ciscoras.html>
Livingston Enterprises, now part of Lucent, was the original
developer of the TCP-based RADIUS. (Steve Willens is credited with most of the
work.) Lucent today offers an interesting RADIUS White Paper at:
<http://www.livingston.com/marketing/whitepapers/radius_paper.html>
RADIUS is a full IETF Standard, so you have a suite of basic RFCs
-- RFC 2138 <ftp://ftp.isi.edu/in-notes/rfc2138.txt>, and RADIUS
Accounting, RFC 2139, at <ftp://ftp.isi.edu/in-notes/rfc2139.txt> -- but
a real-world caution is due. Despite vendor claims, not all RADIUS servers
and clients are fully standard-compliant. Don't assume interoperability
among even supposedly "compliant" RADIUS servers and clients.
Funk -- which for my money coined one of the best product names in
the industry when it labelled its "Steel-Belted RADIUS Server" -- also
offers a helpful Directory of RADIUS-compliant products and services at:
<http://www.funk.com/Radius/index.html>
Short-term problems demand immediate solutions; the best available
today or yesterday. For the intermediate to long-term, however, it seems
fair to point out that RADIUS has gained a fundamental advantage over
Cisco-controlled TACACS+ in that it is an IETF Standard which has been
widely adopted by multiple remote-access equipment vendors. Many VPN
vendors are RADIUS-based as well.
There is today a wide array of freeware, shareware, and commercial
RADIUS servers available. There is also ongoing research and development
around RADIUS at many companies. The accounting and audit data collected
in the centralized RADIUS database has long been ripe for being exploited in
a variety of useful ways, but it has always been difficult to get at it.
Now there seems to be a new generation of RADIUS tools and utilities which
will allow multiple services -- e.g., "callerID" based authentication; site
rather than user, but useful -- to rely upon the RADIUS database.
Then, of course, there is the fact that you don't need to be a
Weatherman to see which way the wind is blowin'....
Pending IETF Draft RFCs on RADIUS include:
Network Access Server Requirements Next Generation (NASREQNG)
http://www.ietf.org/internet-drafts/draft-mitton-nasreqng-model-00.txt
DIAMETER QOS Extension
http://www.ietf.org/internet-drafts/draft-calhoun-diameter-qos-00.txt
Extended Authentication Within ISAKMP/Oakley
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-isakmp-xauth-03.txt
RADIUS Authentication Server MIB
http://www.ietf.org/internet-drafts/draft-ietf-radius-auth-servmib-04.txt
RADIUS Accounting Client MIB
http://www.ietf.org/internet-drafts/draft-ietf-radius-acc-clientmib-04.txt
RADIUS Accounting Server MIB
http://www.ietf.org/internet-drafts/draft-ietf-radius-acc-servmib-04.txt
RADIUS Accounting Modifications for Tunnel Protocol Support
http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-acct-02.txt
Extensible Authentication Protocol Support in RADIUS
http://www.ietf.org/internet-drafts/draft-ietf-radius-eap-05.txt
Lightweight Directory Access Protocol (v3):
Schema for the Remote Access Dialin User Service (RADIUS)
http://www.ietf.org/internet-drafts/draft-aboba-radius-03.txt
RADIUS Attributes for Tunnel Protocol Support
http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-06.txt
Implementation of L2TP Compulsory Tunneling via RADIUS
http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-imp-04.txt
RADIUS Attributes for Multilink PPP Bandwidth Allocation Control
http://www.ietf.org/internet-drafts/draft-ietf-radius-bap-01.txt
RADIUS Attributes for MS-CHAP Support
http://www.ietf.org/internet-drafts/draft-ietf-radius-mschap-attr-01.txt
Microsoft Vendor-specific RADIUS Attributes
http://www.ietf.org/internet-drafts/draft-ietf-radius-ms-vsa-01.txt
The Zone Routing Protocol (ZRP) for Ad Hoc Networks
http://www.ietf.org/internet-drafts/draft-ietf-manet-zone-zrp-01.txt
RADIUS Attributes for Multilink PPP Bandwidth Allocation Control
http://www.ietf.org/internet-drafts/draft-ietf-radius-ms-ba-attr-01.txt
Support for Mobile IP in RADIUS
http://www.ietf.org/internet-drafts/draft-ietf-radius-mobileip-00.txt
RADIUS Extension for Multicast Router Authentication
http://www.ietf.org/internet-drafts/draft-yamanouchi-radius-ext-00.txt
RADIUS Accounting - Interim Accounting Record Extension
http://www.ietf.org/internet-drafts/draft-ietf-radius-acct-interim-01.txt
RADIUS Vendor Specific Attributes for ACC/Ericsson Datacom Access
http://www.ietf.org/internet-drafts/draft-ilgun-radius-accvsa-01.txt
For your entertainment and information.
Suerte,
_Vin
-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto _vbm.
* Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
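The RFC 2138 mechanics behind the interoperability caution in the post above, as an added example that is not part of the original message or of any vendor's product: it builds an Access-Request with the User-Password hiding from section 5.2 of the RFC and verifies the Response Authenticator on the reply, which is the one check a NAS must perform on every server it talks to, whatever that server claims to comply with. The shared secret, packet identifier, user name and Request Authenticator are constructed values.

```python
"""Minimal RFC 2138 RADIUS client-side helpers (added example; constructed values)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def encode_attr(attr_type, value):
    # RFC 2138 attribute layout: Type (1) | Length (1, header included) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    # RFC 2138 5.2: pad to a 16-byte multiple, then XOR each block with
    # MD5(secret + previous ciphertext block); the first block uses RequestAuth.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(ident, user, password, secret, req_auth=None):
    # The Request Authenticator must be fresh and unpredictable (RFC 2138 3);
    # a fixed one is accepted here only so tests can be deterministic.
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, user) + encode_attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_reply(code, ident, req_auth, secret, attrs=b""):
    # Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(reply, ident, req_auth, secret):
    # Client side: a NAS that skips this check will accept a forged Access-Accept
    # from anyone who can put a packet on the wire with the server's address.
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if reply[1] != ident or not 20 <= length <= len(reply):
        return False
    body = reply[:length]  # RFC 2138 3: octets past Length are padding, ignored
    expected = hashlib.md5(body[:4] + req_auth + body[20:] + secret).digest()
    return hmac.compare_digest(expected, body[4:20])  # constant-time compare
```

The same Response Authenticator rule covers Access-Reject and Access-Challenge, so a NAS should run it on every reply before acting on the Code byte.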