AAA Server Protocols

When using AAA services, requests can be sent to remote AAA servers for authentication, authorization, and accounting. Cisco supports two main protocols for these requests : RADIUS and TACACS+. The request is sent to the servers, and the responses are used to allow the users into or out of the device. For example, in Figure 10.2 the PIX is configured to authenticate users before entering a privileged exec mode. The request is sent to the AAA server using RADIUS or TACACS+. Next, the AAA server authenticates the user either with its own database or, as shown in Figure 10.2, another database. After authentication is approved, authorization is checked and the responses are sent back to the PIX. Throughout all these transactions, accounting is working in the background logging and tracking user actions.

Figure 10.2. AAA services transaction.



AAA stands for authentication, authorization, and accounting. You cannot have authorization without successful authentication first.

Remote Access Dial-in User Service

The Remote Access Dial-in User Service (RADIUS) protocol was originally developed by Livingston Enterprises, Inc., as an access protocol. This protocol provides authentication and accounting services and can be used by just about any size network or vendor. The protocol is a client/server configuration, and the PIX devices are the clients and the AAA server would be the RADIUS server itself. The protocol uses a UDP connection and encrypts only the password and leaves the username in clear text.

Terminal Access Controller Access Control System Plus

Terminal Access Controller Access Control System (TACACS) was originally created by the U.S. government and is an open standard security protocol. Cisco uses a modified version of TACACS called Terminal Access Controller Access Control System Plus (TACACS+). In contrast to RADIUS, which uses UDP, the TACACS+ protocol provides a reliable TCP connection between the client and the server for AAA service requests. These requests are more secure than RADIUS because the body of the transaction is always encrypted.


For a detailed comparison of RADIUS and TACACS+, see Cisco's Web site at


TACACS+ uses TCP port 49 for connections between AAA servers and clients, whereas RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.

Supported AAA Servers

The Cisco PIX firewall can support several AAA servers. Most third-party AAA servers support the RADIUS protocol, making installations in multivendor environments very flexible. The following is a list of some supported AAA servers:

  • Cisco Secure ACS for Windows

  • Cisco Secure ACS for Unix

  • Livingston

  • Merit

CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218 © 2008-2017.
If you may any questions please contact us: