AAA Server Protocols

When using AAA services, requests can be sent to remote AAA servers for authentication, authorization, and accounting. Cisco supports two main protocols for these requests: RADIUS and TACACS+. The request is sent to the servers, and the responses are used to permit or deny the user. For example, in Figure 10.2 the PIX is configured to authenticate users before they enter privileged EXEC mode. The request is sent to the AAA server using RADIUS or TACACS+. Next, the AAA server authenticates the user either with its own database or, as shown in Figure 10.2, with another database. After authentication succeeds, authorization is checked and the responses are sent back to the PIX. Throughout all these transactions, accounting works in the background, logging and tracking user actions.

Figure 10.2. AAA services transaction.


AAA stands for authentication, authorization, and accounting. You cannot have authorization without successful authentication first.


Remote Access Dial-in User Service

The Remote Access Dial-in User Service (RADIUS) protocol was originally developed by Livingston Enterprises, Inc., as an access protocol. It provides authentication and accounting services and can be used by networks of just about any size and by just about any vendor. RADIUS follows a client/server model: the PIX is the client, and the AAA server is the RADIUS server. The protocol runs over UDP and encrypts only the password, leaving the username in clear text.

Terminal Access Controller Access Control System Plus

Terminal Access Controller Access Control System (TACACS) was originally created by the U.S. government and is an open-standard security protocol. Cisco uses a modified version of TACACS called Terminal Access Controller Access Control System Plus (TACACS+). In contrast to RADIUS, which uses UDP, TACACS+ provides a reliable TCP connection between the client and the server for AAA service requests. These requests are more secure than RADIUS because the entire body of the transaction is encrypted, not just the password.

For a detailed comparison of RADIUS and TACACS+, see Cisco's Web site at www.cisco.com/warp/public/480/10.html.



TACACS+ uses TCP port 49 for connections between AAA servers and clients, whereas RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
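The two encryption behaviors described above (RADIUS hiding only the User-Password attribute, TACACS+ encrypting the whole packet body), as an added Python example that is not from the book: it implements the standard RFC 2865 password hiding and the RFC 8907 TACACS+ body obfuscation over a constructed shared secret and constructed credentials, then checks which plaintext values remain readable on the wire. The TACACS+ START body is simplified (port and rem_addr fields left empty).

```python
import hashlib
import os
import struct

SECRET = b"constructed-shared-secret"  # constructed; shared by the PIX and the AAA server


def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded by the Request Authenticator. Only this attribute is hidden."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def radius_access_request(username, password, secret, authenticator):
    """Access-Request (Code 1): User-Name (type 1) in clear, User-Password (type 2) hidden."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(body, secret, session_id, version=0xC0, seq_no=1):
    """RFC 8907 4.5: XOR the whole body with a chained MD5 pseudo-pad.
    The same call decrypts, so applying it twice returns the original body."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + secret
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


def tacacs_authen_start(username, password, secret, session_id):
    """PAP START body: action=LOGIN, priv_lvl=15, authen_type=PAP, service=LOGIN,
    then user/port/rem_addr/data lengths; the password travels in the data field."""
    body = bytes([1, 15, 2, 1, len(username), 0, 0, len(password)]) + username + password
    return tacacs_obfuscate(body, secret, session_id)


def compare(authenticator=None):
    """Send constructed credentials both ways; return the plaintext values still readable."""
    user, pw = b"admin", b"Pix-Passw0rd"
    authenticator = authenticator or os.urandom(16)  # random per RADIUS request
    radius_pkt = radius_access_request(user, pw, SECRET, authenticator)
    tacacs_pkt = tacacs_authen_start(user, pw, SECRET, session_id=0x1234ABCD)
    return {"radius": [f for f in (user, pw) if f in radius_pkt],  # username still readable
            "tacacs": [f for f in (user, pw) if f in tacacs_pkt]}  # entire body hidden
```

Note that both schemes rest on MD5 and a static shared secret, which is why a strong, unique secret per AAA client matters regardless of which protocol is chosen.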


Supported AAA Servers

The Cisco PIX firewall can support several AAA servers. Most third-party AAA servers support the RADIUS protocol, making installations in multivendor environments very flexible. The following is a list of some supported AAA servers:

  • Cisco Secure ACS for Windows

  • Cisco Secure ACS for Unix

  • Livingston

  • Merit


Cisco Secure Access Control Server

The Cisco Secure Access Control Server (CSACS) is Cisco's AAA server that supports both the RADIUS and TACACS+ protocols. The software provides centralized AAA services for AAA clients such as the PIX firewall. It is also very scalable, with the option to use its own user database or connect to an external user database, such as one of these:

  • Axent token server

  • Generic LDAP

  • Novell NDS

  • SafeWord token server

  • Windows NT/2000 local or domain controller

Installing CSACS

CSACS can be installed on Unix or on Microsoft Windows Server, and Cisco uses a Web-page front end to configure the system. The following are some of the Windows requirements:

  • Pentium III processor with 550MHz or better

  • 256MB of RAM

  • 250MB of available disk space

  • Windows 2000 with SP1 or Windows NT with SP6a

During the installation, the software asks for at least one network access server (NAS) to be set up. A NAS is an AAA client, and in this case it's the PIX firewall (see Figure 10.3). CSACS can support up to 2,000 AAA clients.

Figure 10.3. The CSACS NAS dialog box.


During installation, the NAS details dialog box has a prompt labeled Access Server IP Address. This is the address of the PIX firewall or other network access server that will use the CSACS server.

Cisco offers several CSACS solutions. The latest versions are CSACS for Windows 3.2 and CSACS for Unix 2.3. CSACS may also be purchased as a 1 RU hardware appliance called the CSACS Solution Engine. More information can be found in the "Need to Know More?" section at the end of the chapter.