Two primary technologies are used to provide AAA for our network infrastructure:
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS+)
RADIUS was developed as a client/server architecture that allows a remote access server to authenticate user connections against a centralized database of user credentials. RADIUS also provides a means of authorizing access to the resources that the user has requested. Finally, RADIUS provides a means of accounting that allows you to track what a user did once she was authenticated and authorized. Because RADIUS is a de facto industry standard, most vendors support RADIUS as a means of providing authentication for their network devices.
You can use a couple of different RADIUS servers in your environment. Microsoft ships RADIUS as a component of Microsoft Windows 2000 and 2003, known as Internet Authentication Service (IAS). A benefit of using Microsoft IAS for your RADIUS services is that it is designed to integrate seamlessly with Active Directory for credentials. We will use IAS on Microsoft Windows 2000 SP4 for this chapter.
Funk Software also produces the most widely used RADIUS server, known as Steel Belted RADIUS (SBR). The benefit of Funk SBR is that it is not tied to a Microsoft architecture and can be installed on NetWare and Solaris in addition to Microsoft Windows.
TACACS+ is similar to RADIUS in function and use. In addition to authentication and authorization, TACACS+ provides a means of accounting that allows you to track what a user did once he was authenticated and authorized. Despite the similarity, TACACS+ has a couple of distinct differences. First, TACACS+ uses TCP for data delivery, whereas RADIUS uses UDP. Second, TACACS+ separates the authentication and authorization operations. This means that a single user can have separate and distinct authentication and authorization options, which grants more granular control over user access, while RADIUS relies on a single profile for both authentication and authorization. The big drawback to TACACS+ is that since it is a protocol that was developed and pushed largely by Cisco, most other vendors offer little to no support for it, opting instead to use the more open RADIUS protocol. We will use Cisco Secure ACS version 3.2 for the TACACS+ server in this chapter.
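The two protocol differences above (UDP versus TCP, and one combined RADIUS exchange versus separate TACACS+ authentication and authorization sessions) are visible in the packet headers themselves. The following Python is an added illustration, not code from the chapter or from either vendor's product: it parses a RADIUS datagram as laid out in RFC 2865 and a TACACS+ header as laid out in RFC 8907, using constructed sample packets rather than real captures.

```python
import struct

# Lookup tables taken from RFC 2865 (RADIUS) and RFC 8907 (TACACS+).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response"}
TACACS_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}  # one type per AAA operation
TAC_PLUS_UNENCRYPTED_FLAG = 0x01                      # body not obfuscated with the shared key

def parse_radius(datagram: bytes) -> dict:
    """Parse a RADIUS UDP datagram: 20-byte header followed by TLV attributes.
    A single Access-Request carries identity and authorization hints together."""
    if len(datagram) < 20:
        raise ValueError("RADIUS datagram shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > len(datagram):
        raise ValueError("RADIUS Length field inconsistent with datagram size")
    attrs, pos = {}, 20
    while pos < length:
        # Each attribute: Type (1), Length (1, includes these two bytes, min 3), Value.
        if pos + 2 > length or datagram[pos + 1] < 3 or pos + datagram[pos + 1] > length:
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        a_type, a_len = datagram[pos], datagram[pos + 1]
        attrs[a_type] = datagram[pos + 2:pos + a_len]
        pos += a_len
    return {"transport": "UDP", "code": RADIUS_CODES.get(code, code), "id": ident,
            "authenticator": datagram[4:20], "attrs": attrs}

def parse_tacacs_header(segment: bytes) -> dict:
    """Parse the fixed 12-byte TACACS+ header carried over TCP. The type field
    says whether this packet belongs to an authentication, authorization or
    accounting session; the three are separate exchanges on the wire."""
    if len(segment) < 12:
        raise ValueError("TACACS+ packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, body_len = struct.unpack("!BBBBII", segment[:12])
    if version >> 4 != 0xC:
        raise ValueError("not a TACACS+ major version 0xc packet")
    return {"transport": "TCP", "type": TACACS_TYPES.get(ptype, ptype), "seq_no": seq_no,
            "session_id": session_id, "body_len": body_len,
            "body_cleartext": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}  # a misconfiguration worth alerting on

# Constructed samples (not captures): an Access-Request, id 42, with User-Name "alice"
# (attribute type 1) and a zeroed Request Authenticator; and a TACACS+ AUTHOR packet,
# seq 1, session 0x01020304, with an 8-byte placeholder body marked as obfuscated.
RADIUS_SAMPLE = struct.pack("!BBH", 1, 42, 27) + bytes(16) + bytes([1, 7]) + b"alice"
TACACS_SAMPLE = struct.pack("!BBBBII", 0xC0, 2, 1, 0x00, 0x01020304, 8) + bytes(8)

if __name__ == "__main__":
    print(parse_radius(RADIUS_SAMPLE))
    print(parse_tacacs_header(TACACS_SAMPLE))
```

Running the two parsers against the constructed samples shows the RADIUS request carrying its user attribute in one UDP datagram, while the TACACS+ header names the single AAA operation its TCP session is performing.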