AAA and RADIUS vs TACACS+
AAA and RADIUS vs TACACS+ or TACACS PLUS
In this video we are going to learn about AAA, RADIUS & TACACS+.
The AAA Model
=============
AAA is a system, not a protocol. The AAA system was designed to authenticate users, authorize them & to see what they did on the network or device once given access.
As AAA stands for Authentication, Authorization & Accounting, let's look at each one.
AAA Authentication: This is the phase that governs what you are allowed to do once you are inside the network or an administrative device.
AAA Authorization: This phase comes into play after authentication; basically, this phase dictates WHAT you are allowed to do in the network based on your identity.
AAA Accounting: This phase occurs after authentication and authorization have been completed. Accounting allows administrators of the network to collect information about users & essentially what they did when they were given access to the network or to the administrative device.
AAA Protocols
=============
Now there are three protocols that can enforce the AAA system, namely RADIUS, TACACS+ & Diameter.
As for Diameter, it is commonly used in the mobile world & with mobile service providers.
Diameter is essentially a better version of RADIUS & is meant to replace it, but in this video we will be focusing on RADIUS & TACACS+ as they are the ones commonly used in data networks.
How can RADIUS or TACACS+ run?
==============================
These protocols require a separate dedicated or virtual server that provides the RADIUS or TACACS+ functionality, & often both services, as in Cisco's ISE.
RADIUS vs TACACS+ Point#1
========================
RADIUS uses the UDP protocol with port numbers 1812 & 1813. Port 1812 is used for both Authentication & Authorization, so it kind of combines the two. On the other hand, port 1813 is used for accounting alone.
As for TACACS+, it uses TCP & uses TCP port 49 for all of its communications. But unlike RADIUS, it separates all the AAA functions effectively, which means you have more granular control here, especially when it comes to authorization. RADIUS, however, has the flexibility to authenticate a user in a wide variety of ways, as it supports different authentication protocols like EAP, PAP & CHAP.
Question#1
==========
I am confused with the RADIUS port numbers 1812 & 1813. Aren't they 1645 & 1646, or all of them?
When the RADIUS protocol was first launched, it was indeed allotted UDP port 1645 for Authentication & Authorization & 1646 for Accounting. But RFC 2865 for RADIUS, by Carl, Allan, William & Steve in the year 2000, states that:
"The early deployment of RADIUS was done using UDP port number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812."
In the other RFC, numbered 2866, for RADIUS Accounting, the same is said for the accounting port, as it conflicts with the "sa-msg-port" service:
"The early deployment of RADIUS Accounting was done using UDP port number 1646, which conflicts with the "sa-msg-port" service. The officially assigned port number for RADIUS Accounting is 1813."
Now although the RFCs state that the old port numbers are no longer in use for RADIUS, the confusion mainly arises because Cisco devices still default to the old ports 1645 & 1646.
Cisco AAA servers like Cisco ISE listen on both of these pairs of ports. If you ask Cisco, they too recommend using the officially assigned ports.
Question#2
=========
"What do you mean by combining the Authentication & Authorization" of RADIUS?
In RADIUS, when an authentication query is made to the RADIUS server, the reply not only contains the authentication response but also an authorization response in the form of Attribute-Value Pairs, or AVPs. For example, the AVPs could contain a privilege level for the user, or a DACL for a network user.
On the other hand, TACACS+ separates these functions, allowing more granular control, especially over commands, when it comes to authorization.
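As an added example (not from the video), here is a minimal Python builder and parser for a RADIUS Access-Accept, showing the authorization AVPs arriving inside the authentication reply on port 1812 and the RFC 2865 Response Authenticator check a client (NAS) performs before trusting those AVPs. The shared secret, Request Authenticator, identifier and attribute values are constructed for the demo; Service-Type (6) and Filter-Id (11) are standard RFC 2865 attribute types.

```python
import hashlib
import hmac
import struct

# RADIUS packet layout (RFC 2865): Code(1) Identifier(1) Length(2) Authenticator(16) Attributes...
ACCESS_ACCEPT = 2
ATTR_NAMES = {6: "Service-Type", 11: "Filter-Id", 26: "Vendor-Specific"}


def build_packet(code, ident, req_auth, attrs, secret):
    """Build a RADIUS response. Response Authenticator per RFC 2865:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def parse_packet(pkt, req_auth, secret):
    """Verify the Response Authenticator, then return (code, id, AVPs).
    Rejecting a bad authenticator is what stops a spoofed Access-Accept
    from handing out a privilege level or DACL the server never sent."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    resp_auth, body = pkt[4:20], pkt[20:]
    expected = hashlib.md5(pkt[:4] + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    avps, pos = [], 0
    while pos < len(body):  # walk the Type/Length/Value attribute list
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            raise ValueError("malformed attribute")
        avps.append((ATTR_NAMES.get(t, f"Attr-{t}"), body[pos + 2:pos + l]))
        pos += l
    return code, ident, avps


# Constructed demo values (not real credentials or captured traffic).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # the random Request Authenticator the NAS sent
AUTHZ_ATTRS = [
    (6, struct.pack("!I", 6)),  # Service-Type = Administrative-User (6)
    (11, b"ACL-ADMIN"),          # Filter-Id naming an ACL to apply
]


def demo():
    """Server builds the Access-Accept; NAS verifies it and reads the AVPs."""
    pkt = build_packet(ACCESS_ACCEPT, 7, REQ_AUTH, AUTHZ_ATTRS, SECRET)
    return parse_packet(pkt, REQ_AUTH, SECRET)
```

Flip any byte of the packet before calling parse_packet and the authenticator check raises, so the AVPs are never applied.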
RADIUS vs TACACS+ Point#2
========================
When it comes to communication over the wire, RADIUS sends the username of the user in clear text, but the password is hashed.