AAA Protocols

Communication between an AAA client and an AAA server occurs using one of several protocols. The most prevalent AAA protocols are the Remote Authentication Dial In User Service (RADIUS) and the Terminal Access Controller Access Control System Plus (TACACS+). A third protocol, Kerberos, is used for authentication in server environments. A fourth protocol, Secure Remote Password (SRP), is leveraged by many application protocols as a substitute for native authentication procedures.

RADIUS is defined in IETF RFC 2865, and RADIUS source code is freely distributed. As its name implies, RADIUS was originally implemented to authenticate remote users trying to access a LAN via analog modem connections. Remote users dial into a Network Access Server (NAS), which relays the user's credentials to a RADIUS server. Thus, the NAS (not the user) is the RADIUS client. RADIUS is still used for remote user authentication, but RADIUS is now commonly used for other authentication requirements, too. For example, network administrators are often authenticated via RADIUS when accessing routers and switches for management purposes. To prevent unauthorized access to the RADIUS database, RADIUS client requests are authenticated by the RADIUS server before the user's credentials are processed. RADIUS also encrypts user passwords prior to transmission. However, other information (such as user ID, source IP address, and so on) is not encrypted. RADIUS implements authentication and authorization together. When a RADIUS server replies to a client authentication request, authorization information is included in the reply. A RADIUS server can reply to a client request or relay the request to another RADIUS server or other type of authentication server (such as Microsoft Active Directory). Communication between client and server is accomplished via variable-length keys in the form of Attribute-Length-Value. This enables new attributes to be defined to extend RADIUS functionality without affecting existing implementations. Note that RADIUS uses UDP (not TCP). Whereas the decision to use UDP is justified by a variety of reasons, this sometimes causes a network or security administrator to choose a different AAA protocol.

TACACS began as a protocol for authenticating remote users trying to access the ARPANET via analog modem connections. TACACS is defined in IETF RFC 1492. TACACS was later augmented by Cisco Systems. The proprietary augmentation is called Extended TACACS (XTACACS). Cisco subsequently developed the TACACS+ protocol based on TACACS and XTACACS. However, TACACS+ is a significantly different protocol and is incompatible with TACACS and XTACACS. Cisco Systems has deprecated TACACS and XTACACS in favor of TACACS+. Similar to RADIUS, the TACACS+ client (NAS, router, switch, and others) relays the user's credentials to a TACACS+ server. Unlike RADIUS, TACACS+ encrypts the entire payload of each packet (but not the TACACS+ header). Thus, TACACS+ is considered more secure than RADIUS. TACACS+ supports authentication, authorization, and accounting functions separately. So, any combination of services can be enabled via TACACS+. TACACS+ provides a more granular authorization service than RADIUS, but the penalty for this granularity is increased communication overhead between the TACACS+ client and server. Another key difference between TACACS+ and RADIUS is that TACACS+ uses TCP, which makes TACACS+ more attractive than RADIUS to some network and security administrators.

Kerberos was originally developed by the Massachusetts Institute of Technology (MIT) in the mid 1980s. The most recent version is Kerberos V5 as defined in IETF RFC 4120. Kerberos V5 is complemented by the Generic Security Services API (GSS-API) defined in IETF RFC 4121. Kerberos provides an encrypted authentication service using shared secret keys. Kerberos can also support authentication via public key cryptography, but this is not covered by RFC 4120. Kerberos does not provide an authorization service, but Kerberos does support pass-through to other authorization services. Kerberos does not provide an accounting service.

Another popular authentication protocol is the SRP protocol as defined in IETF RFC 2945. SRP provides a cryptographic authentication mechanism that can be integrated with a broad variety of existing Internet application protocols. For example, IETF RFC 2944 defines an SRP authentication option for Telnet. SRP implements a secure key exchange that enables additional protection such as data integrity and data confidentiality.