6.3 TACACS+

TACACS+ is an AAA protocol similar to RADIUS that was developed by Cisco Systems. TACACS+ is loosely based on two deprecated protocols, TACACS and Extended TACACS (XTACACS), but it is incompatible with both. Because of serious security flaws in the TACACS and XTACACS designs, it is recommended that they not be used, in favor of the TACACS+ model.

While TACACS+ was developed by Cisco, the specification for the TACACS+ protocol has been released to the public. Other networking vendors, including Extreme Networks and Foundry Networks, have incorporated TACACS+ into their products.

While TACACS+ performs the same function as RADIUS, its origins are different. TACACS+ was originally developed as a protocol to control AAA for network devices, so the architecture is different than RADIUS, which was originally developed for dial-up networks.

TACACS+ operates over TCP rather than UDP and uses port 49 by default, though it can be configured to use any port a network administrator desires. Also unlike RADIUS, TACACS+ encrypts the entire packet body, not just the password.

The TACACS+ protocol is similar to RADIUS in the way it authenticates users. A user logs into a router or switch interface that is TACACS+-enabled. The network device obtains the username and password prompt from the TACACS+ server that is configured for the interface and passes it to the user attempting to authenticate. The user enters the username and password information, which is encrypted and passed from the network device to the TACACS+ server.

The TACACS+ server will send one of four responses to the network device: ACCEPT, REJECT, ERROR, or CONTINUE. An ACCEPT response indicates that the authentication was successful, and the session can start. If additional authentication information is needed, the user will be prompted for it at this time.

A REJECT message indicates that authentication failed. The user will either have to re-enter the password, or the session will be disconnected. This behavior varies depending on the TACACS+ daemon.

If an ERROR message is returned then there is a problem with the TACACS+ server, the network device making the query, or a problem with the network. If the network device receives the error message it will either try again, or it will try an alternate TACACS+ server, depending on how the network administrator has configured it.

The CONTINUE response is sent when authentication is successful, but additional information is required.

TACACS+ allows for multiple types of authentication. Password authentication is the most commonly used, and the most basic, form of authentication. However, a network administrator is not limited to password authentication; in fact, any form of authentication that is supported by the TACACS+ software can be used. In addition, multiple forms of authentication can be required, as long as the chosen TACACS+ software supports it. For example, if password authentication is not enough, an administrator can configure TACACS+ to require a username/password combination and an RSA key to gain access. The user would authenticate first by sending the username and password. If that were successful, the TACACS+ server would send an ACCEPT message, followed by a new challenge request for the RSA key. When both levels of authentication have been completed, the user will be allowed to access the router.

Configuring TACACS+ on a router is a two-part process:

  1. Set up a TACACS+ server.

  2. Configure the network devices.

Cisco makes the source code for a TACACS+ daemon available on its website, but there are precompiled daemons available for Windows NT and 2000, Solaris, BSD, and Linux. The authentication policy for the network devices is configured on the TACACS+ server. The configuration options available depend on the options supported by the TACACS+ server. For example, the Linux version of the TACACS+ server allows an administrator to use Pluggable Authentication Modules (PAM) to verify network device logins.

In configuring the network devices, it is important to ensure that the same authentication policy is in place across the network. There is very little benefit in defining a default security policy for the edge and core devices but not applying the same policy to the access switches. If TACACS+, or RADIUS for that matter, is going to be deployed, that should be set as the default security policy for all network devices.

The configuration process varies depending on the type of equipment being deployed; for a Cisco router, the process involves several steps. This is an overview of a simple TACACS+ authentication process. Before starting the configuration process, make sure you have console access to the network device you are configuring, so that you can back out of the configuration if something goes wrong.

The first step is to define a new AAA method:

 gw1(config)#aaa new-model 

Next, set the address of the TACACS+ server host:

 gw1(config)#tacacs-server host 192.168.0.40 

Set TACACS+ as the default authentication policy for the network device:

 gw1(config)#aaa authentication login default tacacs+ 

Finally, set a secret password that is shared between network devices and the TACACS+ server:

 gw1(config)#tacacs-server key secretpassword 

Now, when logging onto the router, the authentication process should be offloaded to the TACACS+ server (Figure 6.5).

Figure 6.5. The router authentication is forwarded to the TACACS+ server

The logs on the TACACS+ server should show the authentication for user allan:

 Mon Apr 8 22:36:34 2002 [31675]: login query for 'allan' tty2 from  192.168.0.10  1 accepted 
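As an added example (not code from the book or from any TACACS+ daemon), the following Python parses log lines in the format shown above and counts rejected queries per user and source address, which is the simplest alert an operator can build from this log. The rejected lines in the sample are constructed to match the accepted line's layout; the meaning of the numeric field before the outcome word is not given on the page and is not interpreted.

```python
import re
from collections import Counter

# Pattern for the daemon log line shown above: timestamp, [pid], user, tty,
# source address, a numeric field, and the outcome word.
LOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: "
    r"login query for '(?P<user>[^']*)' (?P<tty>\S+) from +(?P<host>\S+) +"
    r"\d+ (?P<result>accepted|rejected)$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def rejected_logins(lines, threshold=3):
    """Count rejected queries per (user, source host) and return the pairs
    that reach the threshold, which is what an operator would alert on."""
    rejects = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["result"] == "rejected":
            rejects[(rec["user"], rec["host"])] += 1
    return {key: n for key, n in rejects.items() if n >= threshold}


# Constructed sample log: the accepted line from the book plus made-up
# rejections in the same format (addresses and users are illustrative).
SAMPLE_LOG = """\
Mon Apr 8 22:36:34 2002 [31675]: login query for 'allan' tty2 from  192.168.0.10  1 accepted
Mon Apr 8 22:41:02 2002 [31675]: login query for 'admin' tty2 from  192.168.0.77  1 rejected
Mon Apr 8 22:41:09 2002 [31675]: login query for 'admin' tty2 from  192.168.0.77  1 rejected
Mon Apr 8 22:41:15 2002 [31675]: login query for 'allan' tty3 from  192.168.0.10  1 rejected
Mon Apr 8 22:41:21 2002 [31675]: login query for 'admin' tty2 from  192.168.0.77  1 rejected
this line is not a login query and is skipped
"""

if __name__ == "__main__":
    for key, n in rejected_logins(SAMPLE_LOG.splitlines()).items():
        print("%d rejected logins for %r from %s" % (n, key[0], key[1]))
```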

Using a packet sniffer to monitor the transaction between the router and the TACACS+ server, you would see the information shown in Table 6.1 (in summary format):

192.168.0.101 is the router, and TACACS is the TACACS+ server. When the user allan attempts to log in to the router, the router sends a message to TACACS saying that it has a TACACS+ request. TACACS responds, saying that it is ready to accept the input. TACACS sends the encrypted information to the router, and the router responds by forwarding the authentication information to TACACS.

Table 6.1. Sniffing TACACS+ Session

Packet Number  Time       Source         Destination    Protocol Information
112            37.072634  192.168.0.101  TACACS         TACACS+ Request
113            37.076789  TACACS         192.168.0.101  TACACS+ Response
114            37.076892  TACACS         192.168.0.101  TCP 49 > 11003 [FIN, ACK] Seq=367679177 Ack=4239449051 Win=5840 Len=0
115            37.080430  192.168.0.101  TACACS         TCP 11003 > 49 [ACK] Seq=4239449051 Ack=367679178 Win=4027 Len=0

6.3.1 TACACS+ Security

To date, no security warnings have been issued against the TACACS+ protocol. In fact, enabling TACACS+ security is a very effective method for preventing problems arising from other security holes.

For example, in June 2001 the CERT/CC issued an advisory concerning the HTTP server that is incorporated into Cisco's IOS software. The advisory related to the authentication process for the HTTP server, and CERT/CC recommended using TACACS+ authentication to avoid the problem.

While no security flaws have been found with the TACACS+ protocol, there are some concerns about its design. Communication between the TACACS+ server and the network device is encrypted, but the header information is not. Anyone sitting on the network with sniffing software, as in the example, can track transactions between network devices and the servers. Knowing where the TACACS+ server is may help an attacker determine what software is running on the server, and the attacker may be able to use that information to figure out a way into the core of the network.
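To make the cleartext-header point concrete, here is an added Python example (not code from the book) that decodes exactly what a sniffer can read from a captured TACACS+ packet without the shared key, and flags the one misconfiguration the header itself reveals: a device sending its body unobfuscated because no key was configured. The 12-byte header layout, packet types and flag values are taken from the published TACACS+ specification (RFC 8907), which the page does not detail; the sample packets are constructed, not real captures.

```python
import struct

# TACACS+ header layout (12 bytes, network byte order) as given in the
# published TACACS+ specification (RFC 8907): version, type, seq_no, flags,
# session_id, length. Only the body that follows is obfuscated with the
# shared key; every field below crosses the wire in cleartext.
HEADER = struct.Struct("!BBBBII")
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
FLAG_UNENCRYPTED = 0x01     # body sent without shared-key obfuscation
FLAG_SINGLE_CONNECT = 0x04  # several sessions multiplexed on one TCP connection


def parse_header(packet: bytes) -> dict:
    """Decode the cleartext header of one captured TACACS+ packet."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet: a TACACS+ header is 12 bytes")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    return {
        "major": version >> 4,
        "minor": version & 0x0F,
        "type": PACKET_TYPES.get(ptype, "UNKNOWN(%d)" % ptype),
        "seq_no": seq_no,
        "session_id": session_id,
        "body_length": length,
        "unencrypted": bool(flags & FLAG_UNENCRYPTED),
        "single_connect": bool(flags & FLAG_SINGLE_CONNECT),
        "from_device": seq_no % 2 == 1,  # odd sequence numbers come from the client
    }


def audit_packet(packet: bytes) -> list:
    """Return the findings a defender would want from one sniffed packet."""
    h = parse_header(packet)
    findings = []
    if h["unencrypted"]:
        findings.append("body is cleartext: device has no tacacs-server key set")
    if h["major"] != 0xC:
        findings.append("unexpected major version %d" % h["major"])
    if h["body_length"] != len(packet) - HEADER.size:
        findings.append("length field does not match captured body")
    return findings


# Constructed samples (not real captures): an authentication START sent with
# the unencrypted flag, and the same packet as a correctly keyed device sends it.
BODY = b"\x00" * 8  # placeholder body; the real one would carry the username
UNKEYED_START = HEADER.pack(0xC0, 1, 1, FLAG_UNENCRYPTED, 0x1234ABCD, len(BODY)) + BODY
KEYED_START = HEADER.pack(0xC0, 1, 1, 0, 0x1234ABCD, len(BODY)) + BODY
```

Even on the keyed packet, the session id, sequence number, packet type and length are readable, which is all the sniffer in Table 6.1 needed to locate the server.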

The other major security concern revolves around TACACS+ server software. The methods for adding, deleting, and assigning privileges to TACACS+ accounts vary greatly from one TACACS+ program to another. Before deciding on TACACS+ software, check with the vendor to find out what security precautions are taken and the recommended best practices for optimum security.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska