Which of the following protocols handles authentication, authorization and accounting services?

Which service is missing when RADIUS is selected to provide management access to the WLC?

  • A. authorization
  • B. authentication
  • C. accounting
  • D. confidentiality


Suggested Answer: D
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.
With RADIUS, only the password is encrypted, while other information such as the username and accounting information is not encrypted. Encryption is "the process of converting information or data into a code, especially to prevent unauthorized access". So, since RADIUS only encrypts the password, there is no confidentiality.

Terminal Access Controller Access-Control System (TACACS) refers to a family of related protocols handling remote authentication and related services for network access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks including but not limited to the ARPANET, MILNET and BBNNET. It spawned related protocols:

  • Extended TACACS (XTACACS) is a proprietary extension to TACACS introduced by Cisco Systems in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both allow a remote access server to communicate with an authentication server in order to determine if the user has access to the network.
  • TACACS Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ has largely replaced its predecessors.

History

TACACS was originally developed in 1984 by BBN, later known as BBN Technologies, for administration of ARPANET and MILNET, which ran unclassified network traffic for DARPA at the time and would later evolve into the U.S. Department of Defense's NIPRNet. Originally designed as a means to automate authentication – allowing someone who was already logged into one host in the network to connect to another on the same network without needing to re-authenticate – it was first formally described in BBN's Brian Anderson's TAC Access Control System Protocols, BBN Tech Memo CC-0045, and then, with a minor TELNET double-login-avoidance change, in December 1984 in IETF RFC 927.[1][2] Cisco Systems began supporting TACACS in its networking products in the late 1980s, eventually adding several extensions to the protocol. In 1990, Cisco's extensions on top of TACACS became a proprietary protocol called Extended TACACS (XTACACS). Although TACACS and XTACACS are not open standards, Craig Finseth of the University of Minnesota, with Cisco's assistance, published a description of the protocols in 1993 as IETF RFC 1492 for informational purposes.[1][3][4]

Technical descriptions

TACACS

TACACS is defined in RFC 8907 (older RFC 1492), and uses (either TCP or UDP) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon. The daemon determines whether to accept or deny the authentication request and sends a response back. The TIP (the routing node accepting dial-up line connections, which the user would normally want to log into) would then allow access or not, based upon the response. In this way, the process of making the decision is "opened up", and the algorithms and data used to make the decision are under the complete control of whoever is running the TACACS daemon.

XTACACS

Extended TACACS (XTACACS) extends the TACACS protocol with additional functionality. It also separates the authentication, authorization, and accounting (AAA) functions out into separate processes, allowing them to be handled by separate servers and technologies.[5]

TACACS+

TACACS+ is a Cisco-designed extension to TACACS that encrypts the full content of each packet. Moreover, it provides granular control in the form of command-by-command authorization.

TACACS+ has generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol which is not compatible with its predecessors, TACACS and XTACACS. Because TCP is a connection-oriented protocol, TACACS+ is able to detect and correct network transmission errors.

Comparison with RADIUS

TACACS+ uses TCP (while RADIUS operates over UDP).[6]

Because TCP is a connection-oriented protocol, TACACS+ has to implement transmission control. RADIUS, however, is not required to detect and correct transmission errors such as packet loss or timeouts, as it uses UDP, which is connectionless. RADIUS encrypts only the user's password as it travels from the RADIUS client to the RADIUS server. All other information, such as the username, authorization and accounting data, is transmitted in clear text. Therefore, it is vulnerable to different types of attacks. TACACS+ encrypts all of the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.
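The difference described here, and in the suggested answer above (RADIUS hides only the password, TACACS+ obfuscates the whole body), can be seen by building both encodings. The following is an added example, not code from the original page or from any RADIUS or TACACS+ implementation; it implements the User-Password hiding of RFC 2865 section 5.2 and the body obfuscation of RFC 8907 section 4.5 over constructed sample credentials, shared secret and header values, and reports which fields remain readable on the wire.

```python
import hashlib
import struct

# --- RADIUS (RFC 2865 section 5.2): only the User-Password attribute is hidden ---

def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Hide a User-Password: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), the first block keyed on the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Reverse radius_hide_password (what the server does), stripping the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_access_request_attrs(secret, authenticator, username, password) -> bytes:
    """Attribute section of an Access-Request: User-Name (type 1) goes as-is,
    only User-Password (type 2) is hidden. Everything else rides in clear text."""
    hidden = radius_hide_password(secret, authenticator, password)
    return bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden

# --- TACACS+ (RFC 8907 section 4.5): the whole packet body is obfuscated ---

def tacacs_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(...|MD5_{n-1});
    the concatenation, truncated to the body length, is the pseudo-random pad."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(key, session_id, version, seq_no, body: bytes) -> bytes:
    """XOR body with the pad; calling it again with the same header fields reverses it."""
    return bytes(x ^ y for x, y in zip(body, tacacs_pad(key, session_id, version, seq_no, len(body))))

def compare_on_wire(username=b"admin", password=b"s3cret") -> dict:
    """Constructed sample: the same credentials sent both ways; report which fields a
    passive observer can read directly from the bytes."""
    secret = b"shared-secret"            # constructed shared secret
    authenticator = bytes(range(16))     # constructed; a real Request Authenticator is random
    radius_bytes = radius_access_request_attrs(secret, authenticator, username, password)
    # TACACS+ authentication START body (RFC 8907 section 5.1): action, priv_lvl,
    # authen_type, authen_service, then field lengths, then user/port/rem_addr/data.
    port, rem_addr = b"tty0", b"192.0.2.10"
    body = bytes([1, 15, 1, 1, len(username), len(port), len(rem_addr), len(password)])
    body += username + port + rem_addr + password
    tacacs_bytes = tacacs_obfuscate(secret, 0x12345678, 0xC0, 1, body)
    return {
        "radius_username_visible": username in radius_bytes,
        "radius_password_visible": password in radius_bytes,
        "tacacs_username_visible": username in tacacs_bytes,
        "tacacs_password_visible": password in tacacs_bytes,
    }
```

Note that both schemes are MD5-keyed XOR streams, not authenticated encryption; the point the comparison makes is about which fields are exposed, not about cryptographic strength.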

Implementations

Client implementations

  • Arista EOS, a proprietary implementation
  • Cisco IOS, a proprietary implementation
  • Fortinet FortiOS, a proprietary implementation
  • Juniper Junos OS, a proprietary implementation
  • Palo Alto Networks PAN-OS, a proprietary implementation
  • Pam_tacplus, a TACACS+ protocol client library and PAM module

Server implementations

  • FreeRADIUS TACACS+ module, an open-source implementation available since version 4.0
  • Tac_plus by Shrubbery, an open-source implementation for Linux
  • Tac_plus by Pro-Bono-Publico, an open-source implementation for Linux
  • Tac_plus VM, tac_plus with an added webadmin in a VM (no longer updated)
  • Aruba ClearPass Policy Manager, a proprietary implementation
  • Cisco Identity Services Engine, a proprietary implementation
  • Portnox TACACS+-as-a-Service, a proprietary implementation as a cloud-hosted service
  • Pulse Secure Pulse Policy Secure, a proprietary implementation
  • TACACS.net, a proprietary implementation of TACACS+ for Windows

Standards documents

  • RFC 927 – TACACS User Identification Telnet Option (https://datatracker.ietf.org/doc/html/rfc927)
  • RFC 1492 – An Access Control Protocol, Sometimes Called TACACS (https://datatracker.ietf.org/doc/html/rfc1492)
  • RFC 8907 – The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol (https://datatracker.ietf.org/doc/html/rfc8907)
  • RFC 9105 – A YANG Data Model for Terminal Access Controller Access-Control System Plus (TACACS+) (https://datatracker.ietf.org/doc/rfc9105/)

See also

  • Diameter
  • RADIUS

References

  1. Dooley, Kevin; Brown, Ian (2003). Cisco Cookbook. O'Reilly Media. p. 137. ISBN 9781449390952. https://shop.oreilly.com/product/9780596003678.do (archived from the original on 2016-06-24).
  2. Anderson, Brian (December 1984). "TACACS User Identification Telnet Option". Internet Engineering Task Force. https://tools.ietf.org/html/rfc927 (archived from the original on 12 August 2014). Retrieved 22 February 2014.
  3. Ballad, Bill; Ballad, Tricia; Banks, Erin (2011). Access Control, Authentication, and Public Key Infrastructure. Jones & Bartlett Learning. pp. 278–280. ISBN 9780763791285.
  4. Finseth, Craig (July 1993). "An Access Control Protocol, Sometimes Called TACACS". Internet Engineering Task Force. https://tools.ietf.org/html/rfc1492 (archived from the original on 22 February 2014). Retrieved 22 February 2014.
  5. "Mike Meyers' CompTIA Security+ Certification Passport, Second Edition - PDF Free Download". epdf.pub. https://epdf.pub/mike-meyers-comptia-security-certification-passport-second-edition.html. Retrieved 2019-08-03.
  6. "TACACS+ and RADIUS Comparison". Cisco. 14 January 2008. https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html (archived from the original on 7 September 2014). Retrieved 9 September 2014.

External links

  • An Analysis of the TACACS+ Protocol and its Implementations from a security standpoint, by Openwall: https://www.openwall.com/advisories/OW-001-tac_plus/
  • TACACS+ Benefits and Best Practices: https://www.tacacs.net/docs/TACACS_Advantages.pdf

Which of the following protocols provides authentication, authorization and accounting services?

AAA refers to Authentication (to identify), Authorization (to give permission) and Accounting (to log an audit trail). It is a framework used to control and track access within a computer network.

Which of the following servers provides centralized authentication, authorization and accounting management for users who initiate requests to use a network service?

Which of the following networking protocols provides a centralized authentication, authorization and accounting management system for users that connect and use network services? RADIUS provides AAA services.

Which of the following is a protocol that centralizes authentication?

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.

Which protocol is the tool that programs use to query and change a database used by the network?

Lightweight Directory Access Protocol (LDAP) is the tool that programs use to query and change a database used by the network.
