Identity on Cisco Firewalls : Selecting the Authentication Protocol

2/20/2015 1:06:03 AM

Firewalls acting as AAA clients rely on an authentication protocol to communicate with the AAA server and determine User Identity. After subjecting the user to centralized authentication, a NAS typically receives a set of access control parameters, enforces them locally, and optionally accounts for user activity. Now you face the challenge of selecting RADIUS or TACACS+ to accomplish the task of creating Identity-based security policies.

Traditional comparisons between RADIUS and TACACS+ discuss topics such as the transport protocol used (UDP for RADIUS, TCP for TACACS+), what portion of each packet is protected (RADIUS obfuscates only the User-Password attribute, whereas TACACS+ obfuscates the entire packet body and leaves only the header exposed), and whether authentication and authorization are decoupled (separate exchanges in TACACS+, a single exchange in RADIUS). Deciding whether any one of these differences makes one protocol the better choice is subjective and controversial. For example, RFC 2865 has a section dedicated to justifying "Why UDP?", whereas many customers select TACACS+ precisely because it is carried over TCP, a protocol designed with reliable delivery and retransmission as basic requirements.
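To make the "what is protected on the wire" point concrete, the following added example (it is not from the book or from Cisco) builds one authentication packet of each protocol from the RFC descriptions and reports which credential fields a passive observer could read. The RADIUS User-Password hiding follows RFC 2865 section 5.2 and the TACACS+ body obfuscation follows RFC 8907 section 4.5; the shared secret, user name, password, session id and identifiers are constructed sample values.

```python
"""Added example, not from the book or from Cisco: the two wire protections compared above.

RADIUS (RFC 2865, section 5.2) hides only the User-Password attribute, using an
MD5 stream keyed by the shared secret and the Request Authenticator; every other
attribute is sent in the clear.  TACACS+ (RFC 8907, section 4.5) obfuscates the
whole packet body with an MD5 pad keyed by the shared secret, session id, version
and sequence number, leaving only the 12-octet header exposed.
"""
import hashlib
import struct

SECRET = b"constructed-shared-secret"          # sample only, never a real key
USER, PASSWORD = b"alice", b"Sup3rS3cret!"      # constructed credentials
REQUEST_AUTHENTICATOR = bytes(range(16))       # fixed so results are reproducible; real ones are random


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret + c_{i-1}) over 16-octet blocks, with c_0 = Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 octets before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same MD5 chain, driven by the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """pad_1 = MD5(session_id || key || version || seq_no); pad_n = MD5(... || pad_{n-1}); body XOR pad.
    XOR is its own inverse, so the same call also decrypts."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def build_radius_access_request(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Code 1 (Access-Request): User-Name (type 1) in the clear, User-Password (type 2) hidden."""
    attrs = bytes([1, 2 + len(user)]) + user
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + authenticator + attrs


def tacacs_plus_authen_start(user: bytes, password: bytes, port: bytes = b"tty0",
                             rem_addr: bytes = b"10.0.0.9") -> bytes:
    """RFC 8907 5.1 START body, PAP flavour (authen_type 0x02) so the password rides in the data field."""
    action, priv_lvl, authen_type, authen_service = 0x01, 0x01, 0x02, 0x01
    return (bytes([action, priv_lvl, authen_type, authen_service,
                   len(user), len(port), len(rem_addr), len(password)])
            + user + port + rem_addr + password)


def build_tacacs_plus_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """12-octet header (version 0xC0, type 1 = authentication, flags 0 = body obfuscated) + body."""
    version, pkt_type, flags = 0xC0, 0x01, 0x00
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, flags, session_id, len(body))
    return header + tacacs_plus_obfuscate(body, key, session_id, version, seq_no)


def exposure_report() -> dict:
    """Which credentials a passive observer can read from each protocol's authentication packet."""
    radius = build_radius_access_request(USER, PASSWORD, SECRET, REQUEST_AUTHENTICATOR)
    tacacs = build_tacacs_plus_packet(tacacs_plus_authen_start(USER, PASSWORD), SECRET, session_id=0x1234ABCD)
    return {
        "radius_username_visible": USER in radius,
        "radius_password_visible": PASSWORD in radius,
        "tacacs_username_visible": USER in tacacs,
        "tacacs_password_visible": PASSWORD in tacacs,
    }


if __name__ == "__main__":
    for field, visible in exposure_report().items():
        print(f"{field:26} {visible}")
```

The report shows the user name readable in the RADIUS request but not in the TACACS+ packet. Note what this does and does not mean: both schemes are MD5 keystreams derived from a static shared secret, not authenticated encryption, so "TACACS+ encrypts the whole payload" is a statement about how much metadata (user names, commands, attributes) is exposed, not about stronger cryptography. In either case the strength of the shared secret and the randomness of the per-request values are what actually protect the exchange.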

The decision process is based on the suitability of the protocol to deliver the two main categories of Identity-based services:

  • RADIUS: Because authorization data is embedded in the authentication response sent by the RADIUS server, this protocol is better suited to delivering attributes that remain valid for the duration of the user session than to authorizing each activity individually. RADIUS is ideal for controlling access to network-based services requested by regular users who connect via dial-up, VPN, or 802.1X (Dot1X, in both wired and wireless environments).

  • TACACS+: Has proved effective for controlling administrative access to network devices, because EXEC sessions (in which commands are submitted for execution) are interactive by nature. In a typical TACACS+ session, each command an admin user attempts to issue on the NAS is authorized individually.
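The per-command model in the TACACS+ bullet above is easiest to see in the bytes. The following added example (not from the book or from Cisco) walks one authorization round trip: the NAS encodes an authorization REQUEST for a single EXEC command, the server decodes it, matches it against a command set, and the NAS acts on the RESPONSE status. Body layouts follow RFC 8907 sections 6.1 and 6.2; the command set that plays the role of a Shell Command Authorization Set, the user name and the addresses are constructed samples. On the wire each body would additionally be obfuscated with the shared key (RFC 8907 section 4.5); that step is left out here so the fields stay readable.

```python
"""Added example, not from the book or from Cisco: one TACACS+ command authorization exchange."""
import struct
from typing import List, Sequence, Tuple

TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

# Constructed stand-in for a Shell Command Authorization Set: first matching prefix wins;
# a command that matches nothing is denied.
ADMIN_COMMAND_SET: Sequence[Tuple[str, str]] = (
    ("permit", "show"),
    ("permit", "configure terminal"),
    ("deny", "configure"),          # catches "configure replace ...", "configure memory", etc.
    ("permit", "exit"),
)


def encode_author_request(user: bytes, port: bytes, rem_addr: bytes, args: List[bytes],
                          priv_lvl: int = 15) -> bytes:
    """REQUEST (RFC 8907 6.1): eight fixed octets, one length octet per argument, then the variable fields."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("argument count and argument lengths are single octets")
    fixed = bytes([TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args)])
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def decode_author_request(body: bytes) -> Tuple[bytes, int, List[bytes]]:
    """Server side: return (user, priv_lvl, args); reject bodies whose lengths do not add up."""
    if len(body) < 8:
        raise ValueError("authorization REQUEST shorter than its fixed header")
    _, priv_lvl, _, _, ulen, plen, rlen, argc = body[:8]
    arg_lens = body[8:8 + argc]
    if len(arg_lens) != argc:
        raise ValueError("truncated argument length table")
    pos = 8 + argc
    user = body[pos:pos + ulen]
    pos += ulen + plen + rlen                  # port and rem_addr do not affect the decision here
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n])
        pos += n
    if pos != len(body):
        raise ValueError("authorization REQUEST length mismatch")
    return user, priv_lvl, args


def command_from_args(args: List[bytes]) -> str:
    """Rebuild the typed command from cmd= and cmd-arg= pairs (mandatory '=' form only).
    IOS/ASA terminate the argument list with cmd-arg=<cr>, which is not part of the command."""
    pairs = [a.decode().split("=", 1) for a in args if b"=" in a]
    if ["service", "shell"] not in pairs:
        raise ValueError("not a shell command authorization")
    words = [v for k, v in pairs if k == "cmd"] + [v for k, v in pairs if k == "cmd-arg" and v != "<cr>"]
    return " ".join(words)


def evaluate(command: str, command_set: Sequence[Tuple[str, str]] = ADMIN_COMMAND_SET) -> int:
    """Prefix match of the command tokens against the set; unmatched commands fail."""
    tokens = command.split()
    for action, pattern in command_set:
        prefix = pattern.split()
        if tokens[:len(prefix)] == prefix:
            return TAC_PLUS_AUTHOR_STATUS_PASS_ADD if action == "permit" else TAC_PLUS_AUTHOR_STATUS_FAIL
    return TAC_PLUS_AUTHOR_STATUS_FAIL


def encode_author_response(status: int, server_msg: bytes = b"") -> bytes:
    """RESPONSE (RFC 8907 6.2) with no returned attribute-value pairs and an empty data field."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def decode_author_response(body: bytes) -> Tuple[int, bytes]:
    status, argc, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    pos = 6 + argc                              # skip the per-argument length octets
    return status, body[pos:pos + msg_len]


def authorize_command(user: bytes, command: str,
                      command_set: Sequence[Tuple[str, str]] = ADMIN_COMMAND_SET) -> Tuple[bool, str]:
    """Full round trip for one command: NAS encodes, server decides, NAS reads the status."""
    words = command.split()
    if not words:
        raise ValueError("empty command")
    args = [b"service=shell", b"cmd=" + words[0].encode()]
    args += [b"cmd-arg=" + w.encode() for w in words[1:]] + [b"cmd-arg=<cr>"]
    request = encode_author_request(user, b"ssh", b"10.0.0.9", args)
    _, _, server_args = decode_author_request(request)
    status = evaluate(command_from_args(server_args), command_set)
    msg = b"" if status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD else b"Command authorization failed"
    status, server_msg = decode_author_response(encode_author_response(status, msg))
    return status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD, server_msg.decode()
```

Every command the administrator types produces one such REQUEST/RESPONSE pair, which is what makes the model suitable for EXEC sessions and, equally, why it would be a poor fit for authorizing every packet of a VPN user's session.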

Note

Cisco firewall products implement RADIUS and TACACS+ client functions simultaneously, which reinforces the approach of selecting, for each category of task, the protocol better suited to it.


Analysis of practical examples confirms that while TACACS+ is optimized for the authorization and accounting of individual commands, RADIUS is flexible about the attributes it can return to the NAS to control a noninteractive access session.

It also deserves mention that RADIUS is standardized by the IETF (RFC 2865) and supports Vendor-Specific Attributes (VSAs, attribute type 26), which allow the universe of network services it can control to keep expanding without changes to the base protocol.

The study of RADIUS and TACACS+ in what follows is framed in this way:

  • RADIUS: Employed to control access through the firewall using mechanisms such as Cut-through Proxy on the ASA family or the corresponding Authentication Proxy (Auth-Proxy) on the IOS Firewall. After one of these features authenticates the user, authorization ACLs can be downloaded to the NAS in the RADIUS response, specifying the traffic that user is allowed to send through the firewall.

  • TACACS+: Used to authenticate admin users who request access to the firewall devices and to authorize each of their command execution attempts individually. This can be done in a scalable manner by creating authorization profiles known as Shell Command Authorization Sets on Cisco Secure ACS. A natural follow-on to command authorization is accounting: recording the commands that were allowed and registering the unauthorized attempts. This is valuable for configuration change control and helps minimize operational risk in the network.
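The RADIUS bullet above, and the earlier remark about Vendor-Specific Attributes, describe authorization arriving inside the Access-Accept. The following added example (not from the book or from Cisco) shows what a NAS does with such a reply: it verifies the Response Authenticator, walks the RFC 2865 attribute list, and pulls a per-user inbound ACL out of Cisco VSAs (Vendor-Id 9, cisco-av-pair sub-attribute type 1, `ip:inacl#N=<ace>` lines), together with session-level attributes such as Session-Timeout. The user name, ACL lines, shared secret and authenticators are constructed samples.

```python
"""Added example, not from the book or from Cisco: extracting session-level authorization
(downloadable ACL and timers) from a RADIUS Access-Accept, after checking its authenticity."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCESS_ACCEPT = 2
USER_NAME, VENDOR_SPECIFIC, SESSION_TIMEOUT = 1, 26, 27
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1

SAMPLE_SECRET = b"constructed-shared-secret"          # sample only, never a real key
SAMPLE_REQUEST_AUTHENTICATOR = bytes(range(16, 32))   # what the NAS put in its Access-Request (constructed)


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the RFC 2865 TLV list; Length covers type+length+value and is never below 2."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        typ, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs.append((typ, data[pos + 2:pos + length]))
        pos += length
    return attrs


def cisco_av_pairs(vsa_value: bytes) -> List[str]:
    """Return cisco-av-pair strings from one Vendor-Specific value; other vendors yield nothing."""
    if len(vsa_value) < 4 or struct.unpack("!I", vsa_value[:4])[0] != CISCO_VENDOR_ID:
        return []
    pairs, pos = [], 4
    while pos < len(vsa_value):
        if len(vsa_value) - pos < 2:
            raise ValueError("truncated VSA sub-attribute")
        vtype, vlen = vsa_value[pos], vsa_value[pos + 1]
        if vlen < 2 or pos + vlen > len(vsa_value):
            raise ValueError("bad VSA sub-attribute length")
        if vtype == CISCO_AV_PAIR:
            pairs.append(vsa_value[pos + 2:pos + vlen].decode("ascii"))
        pos += vlen
    return pairs


def response_authenticator_valid(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret) must equal octets 4..19."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def extract_authorization(packet: bytes, request_authenticator: bytes, secret: bytes) -> Dict[str, object]:
    """Session-level attributes the NAS applies once, for the life of the session."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than its header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if not response_authenticator_valid(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept; nothing to authorize")
    result: Dict[str, object] = {"user_name": None, "session_timeout": None, "acl": []}
    acl: Dict[int, str] = {}
    for typ, value in parse_attributes(packet[20:]):
        if typ == USER_NAME:
            result["user_name"] = value.decode("ascii")
        elif typ == SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif typ == VENDOR_SPECIFIC:
            for pair in cisco_av_pairs(value):
                if pair.startswith("ip:inacl#"):
                    index, ace = pair[len("ip:inacl#"):].split("=", 1)
                    acl[int(index)] = ace
    result["acl"] = [acl[i] for i in sorted(acl)]    # order by #N, not by arrival order
    return result


def _attr(typ: int, value: bytes) -> bytes:
    return bytes([typ, 2 + len(value)]) + value


def _cisco_av_pair(text: bytes) -> bytes:
    sub = bytes([CISCO_AV_PAIR, 2 + len(text)]) + text
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def sample_access_accept(secret: bytes = SAMPLE_SECRET,
                         request_authenticator: bytes = SAMPLE_REQUEST_AUTHENTICATOR) -> bytes:
    """Constructed Access-Accept for user alice: one-hour session and a three-line inbound ACL,
    deliberately sent out of order to show the NAS must sort by #N."""
    attrs = (_attr(USER_NAME, b"alice")
             + _attr(SESSION_TIMEOUT, struct.pack("!I", 3600))
             + _cisco_av_pair(b"ip:inacl#1=permit tcp any host 10.1.1.10 eq 80")
             + _cisco_av_pair(b"ip:inacl#3=deny ip any any")
             + _cisco_av_pair(b"ip:inacl#2=permit tcp any host 10.1.1.20 eq 443"))
    head = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attrs))
    authenticator = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + authenticator + attrs
```

The authenticity check comes first on purpose: a downloadable ACL is only as trustworthy as the reply that carries it, and the Response Authenticator (keyed by the shared secret and tied to the Request Authenticator the NAS chose) is the only thing standing between a spoofed UDP datagram and a permit rule on the firewall. Everything the function returns is applied once and stays in force for the session, which is the contrast with the per-command TACACS+ model.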

Note

Cisco Secure ACS implements both the RADIUS and TACACS+ server functions, so the security administrator can use a single product to define access control policies for both regular and admin users.
