A discussion of access controls would be remiss without some discussion of one of the most popular access control systems of all time, the Remote Authentication Dial-In
You do not need to have a very large network to understand the advantages of centralized access control. Imagine the following scenario, which may be common on even a small network. You have access control as part of the network operating system that controls users' ability to access network resources while locally logged on to the network. You also maintain a small modem bank and a remote access server that manages user connections over the modem bank. Finally, in an effort to reduce the costs associated with the modem bank and toll-free telephone calls, you have a separate remote access server that
Instead, the preferred solution is to centralize the access control mechanisms. RADIUS and TACACS+ are two systems that will accomplish just this for your network and they are both available as free services for your network or as bundled services in other operating systems or remote access controls. While commonly referred to as a service, RADIUS and TACACS+ are technically protocols that provide for the authentication, authorization, and various levels of accounting for users logging on to the network. Because the protocols are very similar, the remainder of this discussion will focus primarily on RADIUS, with attention paid to TACACS+ when it
RADIUS was originally developed by Livingston labs and has since moved into the realm of free software. Many free implementations of RADIUS are available for downloading. TACACS+ started out as the TACACS protocol and was extended by Cisco to the current version. Originally tightly controlled by Cisco, TACACS+
Like most TCP/IP protocols, RADIUS is a client/server protocol with the exception that RADIUS protocol is not found on user
Exhibit 1: Sample RADIUS Implementation (figure not reproduced in this extract)
TACACS+ addresses the issue of unencrypted data in RADIUS exchanges by encrypting the entire packet. Thus, someone capturing a TACACS+ packet will see only that a TACACS+ transaction has occurred, not who has logged in.
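The difference described above is easy to see on the wire. The following is an added example, not code from the original text: it builds a RADIUS Access-Request as specified in RFC 2865 (where only the User-Password attribute is obscured, with chained MD5 blocks keyed by the shared secret and the Request Authenticator, while User-Name travels in cleartext) and a TACACS+ authentication START packet as specified in RFC 8907 (where the whole body, username included, is XORed with an MD5-derived pseudo-pad keyed by the shared secret and session ID). The shared secret, username, password, authenticator and session ID are constructed sample values, and `leaks_username` is a hypothetical helper standing in for what a packet capture would reveal.

```python
import hashlib
import struct

# Constructed sample values; not taken from the original text.
SECRET = b"example-shared-secret"
USERNAME = b"alice"
PASSWORD = b"Winter2024!"
AUTHENTICATOR = bytes(range(16))          # 16-byte RADIUS Request Authenticator
SESSION_ID = b"\x12\x34\x56\x78"          # 4-byte TACACS+ session identifier


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 bytes, then XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: type (1 byte), length (1 byte, includes header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_radius_access_request(username, password, secret, authenticator, identifier=1):
    """Access-Request (code 1) carrying User-Name (1) in cleartext and User-Password (2) hidden."""
    attrs = radius_attr(1, username) + radius_attr(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: pad_n = MD5(session_id + key + version + seq_no + pad_{n-1})."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_tacacs_authen_start(username, password, key, session_id, version=0xC0, seq_no=1):
    """Authentication START (packet type 1) for PAP; the entire body is obfuscated under the key."""
    port, rem_addr = b"tty0", b"192.0.2.10"
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), then four length fields
    body = struct.pack("!BBBBBBBB", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    body += username + port + rem_addr + password
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    obfuscated = bytes(x ^ y for x, y in zip(body, pad))
    # flags=0 means the body is obfuscated (the unencrypted flag is not set)
    header = struct.pack("!BBBB", version, 1, seq_no, 0) + session_id + struct.pack("!I", len(body))
    return header + obfuscated


def tacacs_body_plain(packet: bytes, key: bytes) -> bytes:
    """Recover the cleartext body from a TACACS+ packet, as the server holding the key does."""
    version, _ptype, seq_no, _flags = struct.unpack("!BBBB", packet[:4])
    session_id = packet[4:8]
    length = struct.unpack("!I", packet[8:12])[0]
    body = packet[12:12 + length]
    return bytes(x ^ y for x, y in zip(body, tacacs_pseudo_pad(session_id, key, version, seq_no, length)))


def leaks_username(packet: bytes, username: bytes) -> bool:
    """Hypothetical capture check: does the raw packet expose the username as plain bytes?"""
    return username in packet


if __name__ == "__main__":
    radius_pkt = build_radius_access_request(USERNAME, PASSWORD, SECRET, AUTHENTICATOR)
    tacacs_pkt = build_tacacs_authen_start(USERNAME, PASSWORD, SECRET, SESSION_ID)
    print("RADIUS exposes username:", leaks_username(radius_pkt, USERNAME))
    print("TACACS+ exposes username:", leaks_username(tacacs_pkt, USERNAME))
```

Both protocols keep the password itself off the wire, but only TACACS+ also hides the username and the rest of the body; the RADIUS attributes other than User-Password are readable by anyone capturing the packet, which is the exposure the paragraph above refers to. Neither scheme is modern encryption (both are MD5-based keystreams), which is why current deployments put RADIUS and TACACS+ on an isolated management network or inside IPsec or TLS (RadSec).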
The primary advantage of centralized AAA servers such as RADIUS and TACACS+ is that user management is centralized. Instead of having to maintain user databases and access permissions on multiple RAS devices and other authentication points, network administrators are able to maintain that information in a single location and configure all other devices that perform authentication to query that central user database. With RADIUS and TACACS+, network administrators can maintain this user database on their own LAN and authenticate users company-wide.
[1] There are actually three versions of TACACS. The most recent and commonly employed is TACACS "Plus," thus the "+" symbol after the acronym. The versions are not compatible with each other.