AAA Mechanisms

Previous page
Table of content
Next page

Two primary technologies are used to provide AAA for our network infrastructure:

  • Remote Authentication Dial-In User Service (RADIUS)

  • Terminal Access Controller Access Control System (TACACS+)

Remote Authentication Dial-In User Service (RADIUS)

RADIUS was developed as a client/server architecture that allows a remote access server to authenticate user connections against a centralized database of user credentials. RADIUS also provides a means of authorizing access to the resources that the user has requested . Finally, RADIUS provides a means of accounting that allows you to track what a user did once she was authenticated and authorized. Because RADIUS is a de facto industry standard, most vendors support RADIUS as a means of providing authentication for their network devices.

You can use a couple of different RADIUS servers in your environment. Microsoft ships RADIUS as a component of Microsoft Windows 2000 and 2003, known as Internet Authentication Service (IAS). A benefit of using Microsoft IAS for your RADIUS services is that it is designed to integrate seamlessly with Active Directory for credentials. We will use IAS on Microsoft Windows 2000 SP4 for this chapter.

Funk Software also produces the most widely used RADIUS server, known as Steel Belted RADIUS (SBR). The benefit of Funk SBR is that it is not tied to a Microsoft architecture and can be installed on NetWare and Solaris in addition to Microsoft Windows.

Terminal Access Controller Access  Control  System  (TACACS+)

TACACS+ is similar to RADIUS in function and use. In addition to authentication and authorization, TACACS+ provides a means of accounting that allows you to track what a user did once he was authenticated and authorized. While TACACS+ is similar to RADIUS, it has a couple of distinct differences. First, TACACS+ uses TCP for data delivery instead of UDP (what RADIUS uses). Second, TACACS+ separates the authentication and authorization operations. This means that a single user can have separate and distinct authentication and authorization options, which grants more granular control over user access, while RADIUS relies on a single profile for both authentication and authorization. The big drawback to TACACS+ is that since it is a protocol that was developed and pushed largely by Cisco, most other vendors offer little to no support for it, opting instead to use the more open RADIUS protocol. We will use Cisco Secure ACS version 3.2 for the TACACS+ server in this chapter.



Previous page
Table of content
Next page
Hardening Network Infrastructure. Bulletproof Your Systems Before You Are Hacked.
Hardening Network Infrastructure. Bulletproof Your Systems Before You Are Hacked.
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 125
BUY ON AMAZON
Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project
C++ GUI Programming with Qt 3
C++ How to Program (5th Edition)
Service-Oriented Architecture (SOA): Concepts, Technology, and Design
After Effects and Photoshop: Animation and Production Effects for DV and Film, Second Edition
Java All-In-One Desk Reference For Dummies
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy