What is TACACS?
TACACS, usually pronounced "tack-axe", is the acronym for Terminal Access Controller Access-Control System. As the name implies, it is a protocol used as an access control mechanism for reaching network devices over terminal connections. In other words, it regulates access to routers, switches, wireless LAN controllers, network security devices, and any other network device that supports it. It regulates this access by determining who can connect to the devices and when they can connect, and, once they are connected, what they can see and do. In addition, it records the activity of each authenticated user together with information about the TACACS session.
Briefly, on the history of the protocol: TACACS was originally developed in 1984 for MILNET, the US Department of Defense's network, as a way to secure and automate access to network resources. Since then it has undergone several changes and three versions of it have been deployed over time. The first version to be adopted by the wider public was facilitated by Cisco's adoption of the protocol at the end of 1984; this original protocol was later written up in RFC 1492. It was in use for some time until Cisco began adding features and extensions to it. In 1990 these extensions on top of TACACS became Cisco's proprietary protocol, called Extended TACACS or XTACACS, and gave us the second version of TACACS. The protocol continued to evolve over the following years and eventually a third version, called TACACS+, was developed by Cisco in 1996. TACACS+ is a new protocol rather than an extension and is not compatible with the two earlier versions. Although TACACS+ was developed by Cisco and was never adopted as an IETF standard (its specification was eventually published as Informational RFC 8907 in 2020), it is the most widely deployed version today, and most networking vendors support it in their products.
What does TACACS do?
TACACS is a protocol that implements Authentication, Authorization, and Accounting (AAA) to achieve access control for network devices. The Authentication module determines which users can connect to network devices. It does that by checking the supplied credentials against a list of users configured locally on the TACACS server, or against an external user store such as LDAP or Microsoft Active Directory. Once a user is authenticated, the Authorization module determines what that user is allowed to see and do. In other words, this module puts boundaries around which commands network administrators can see and execute on the devices to which they have been granted access. Finally, the Accounting module records the activity of the users and the TACACS session itself. This information includes, among other things, the commands that were executed, the length of the session, the username (passwords are never recorded), and the network device accessed. A point worth noting for anyone choosing between protocols: TACACS+ handles authentication, authorization and accounting as three separate exchanges, which is what makes per-command authorization and per-command accounting possible; RADIUS combines authentication and authorization in a single exchange and is built around network access rather than device administration.
So what does all of this really mean? To demonstrate what TACACS can do, consider a company with 200 network devices and 3 network administrators. Without TACACS, each of the 200 devices has to be configured with 3 separate user accounts, one per administrator. Each administrator has to remember the username and password for 200 devices, unless the same credentials are used everywhere. If one administrator leaves, the others have to reconfigure all 200 devices to remove the departed admin's credentials. To audit what a particular admin has done, all 200 devices have to be configured for logging and checked individually. Furthermore, if you want to limit what your administrators can see and do, you again have to configure the 200 devices one by one. Without a central mechanism, it quickly becomes clear that this is an operational nightmare and will most likely lead to an insecure implementation, for example shared passwords that are never rotated. TACACS solves the operational and security issues of managing network devices by centralizing the AAA functions.
In the above example, the credentials for the three admins can be configured on the TACACS server or pulled from an LDAP or AD server. Once the credentials are configured, TACACS allows each admin to access all 200 devices with a single credential. Each admin can also be assigned a different authorization profile centrally on the TACACS server, restricting what they can see and do on each device. Finally, all actions of the three admins are recorded centrally. If one of the admins leaves, it is a simple matter of deleting one credential from the TACACS configuration instead of doing it 200 times. In a nutshell, TACACS lets you manage your network devices centrally and thereby drastically reduce your operational and security risks.
How does it work?
So now that we know a little about TACACS and what it is capable of, the next question is how it works.
As shown in the diagram, there are three components in a TACACS implementation: a user, a client and a TACACS server. The user is an administrator or a program requesting access to a network device, and the client is any network device configured to authenticate its users through the TACACS protocol. In AAA terminology the network device is also called the network access server (NAS) or AAA client, so the NAS is the client, not the server. The TACACS server is the host running the daemon that implements the AAA modules described above; TACACS+ clients talk to it over TCP port 49, and both sides are configured with the same shared secret. Without going into detail, the following are the main steps involved when a user or program requests access to a network device configured for TACACS+ authentication.
A user or program requests access to the terminal connection of a network device such as a router, using Telnet or, preferably, SSH. Most networking equipment today also includes web-based management, which can be integrated with TACACS in the same way.
The device does not check the credentials itself. It opens a connection to the TACACS+ server and sends an authentication START packet describing the session (login action, ASCII authentication type, and the line and remote address the user came in on). The server answers with a REPLY whose status is GETUSER, i.e. a request for the username.
The device prompts the user and sends a CONTINUE packet carrying the username supplied by the user or program.
Once the TACACS+ server has the username, it responds with another REPLY, this time with status GETPASS, requesting the password.
The device sends a second CONTINUE packet carrying the password supplied by the user or program.
The TACACS+ server then sends a final REPLY with status PASS or FAIL. On PASS the device establishes the session (and, if authorization is enabled, asks the server in a separate exchange for the user's privilege level and per-command permissions); on FAIL it ends the connection attempt. Every packet body on this path is scrambled with an MD5-derived pad keyed on the shared secret. RFC 8907 calls this obfuscation rather than encryption and says it does not provide adequate confidentiality on its own, so TACACS+ traffic should be confined to a protected management network and servers should reject packets that arrive with the "unencrypted" flag set.
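The exchange in the steps above, as an added example that is not part of the original post and not code from any TACACS+ product: a minimal TACACS+ ASCII login in Python, with the 12-byte header, the MD5 body obfuscation and the START, REPLY and CONTINUE bodies encoded as in RFC 8907. The server class, its user table, the shared secret and the port and address values are hypothetical and constructed for the example, and the TCP connection on port 49 is replaced by calling the server object directly so that both sides of the conversation run offline in one process.

```python
import hashlib
import hmac
import os
import struct

VERSION = 0xC0                           # TACACS+ major version 0xC, minor version 0
TYPE_AUTHEN, FLAG_UNENCRYPTED = 0x01, 0x01   # authentication packet; "body in the clear" flag
ACTION_LOGIN = AUTHEN_TYPE_ASCII = SERVICE_LOGIN = 1
PASS, FAIL, GETUSER, GETPASS = 1, 2, 4, 5   # REPLY status values used here

def pseudo_pad(session_id, key, seq_no, length):
    """MD5 keystream of RFC 8907 section 4.5: 'obfuscation', not encryption."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, block = b"", b""
    while len(pad) < length:                 # each block chains the previous digest
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pad; applying it twice restores the plaintext."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def build_packet(seq_no, session_id, body, key):
    """Header: version, type, seq_no, flags, session_id, body length; then the obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)

def parse_packet(packet, key):
    """Validate the header and return (seq_no, session_id, de-obfuscated body)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if version != VERSION or ptype != TYPE_AUTHEN or len(packet) != 12 + length:
        raise ValueError("malformed TACACS+ authentication packet")
    if flags & FLAG_UNENCRYPTED:             # never accept a cleartext body
        raise ValueError("cleartext body rejected")
    return seq_no, session_id, obfuscate(packet[12:], session_id, key, seq_no)

def start_body(port=b"tty0", rem_addr=b"192.0.2.10"):   # constructed sample line/address
    """Authentication START (RFC 8907 5.1): ASCII login, username supplied later via CONTINUE."""
    return struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       0, len(port), len(rem_addr), 0) + port + rem_addr

def continue_body(user_msg):                 # CONTINUE (5.3): user_msg_len, data_len, flags
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def reply_body(status, server_msg=b""):      # REPLY (5.2): status, flags, server_msg_len, data_len
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]

def parse_continue(body):
    msg_len, _data_len, _flags = struct.unpack("!HHB", body[:5])
    return body[5:5 + msg_len]

class TacacsServer:
    """Hypothetical in-memory server; the user table is constructed for the example."""
    def __init__(self, key, users):
        self.key, self.users, self.sessions = key, users, {}

    def handle(self, packet):
        seq_no, session_id, body = parse_packet(packet, self.key)
        state = self.sessions.setdefault(session_id, {"stage": "start"})
        if state["stage"] == "start":        # expect START with seq_no 1 -> ask for the username
            action, _priv, authen_type = struct.unpack("!BBB", body[:3])
            if seq_no != 1 or action != ACTION_LOGIN or authen_type != AUTHEN_TYPE_ASCII:
                reply, state["stage"] = reply_body(FAIL), "done"
            else:
                reply, state["stage"] = reply_body(GETUSER, b"Username: "), "user"
        elif state["stage"] == "user":       # CONTINUE with username -> ask for the password
            state["user"], state["stage"] = parse_continue(body), "pass"
            reply = reply_body(GETPASS, b"Password: ")
        else:                                # CONTINUE with password -> PASS or FAIL
            expected = self.users.get(state.get("user"))
            ok = expected is not None and hmac.compare_digest(expected, parse_continue(body))
            reply, state["stage"] = reply_body(PASS if ok else FAIL), "done"
        if state["stage"] == "done":
            del self.sessions[session_id]
        return build_packet(seq_no + 1, session_id, reply, self.key)

def ascii_login(server, key, username, password):
    """Client (network device) side of the exchange; True only on a PASS reply."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    seq_no, answers = 1, {GETUSER: username, GETPASS: password}
    reply = server.handle(build_packet(seq_no, session_id, start_body(), key))
    while True:
        rseq, rsid, body = parse_packet(reply, key)
        status, _prompt = parse_reply(body)
        if rsid != session_id or rseq != seq_no + 1 or status not in (PASS, FAIL, *answers):
            raise ValueError("unexpected or out-of-session reply")
        if status in (PASS, FAIL):
            return status == PASS
        seq_no = rseq + 1                    # client packets carry odd, server packets even seq_no
        reply = server.handle(build_packet(seq_no, session_id, continue_body(answers[status]), key))
```

Two things worth noticing when running it. A client configured with the wrong shared secret does not get an error from the server: its packets simply de-obfuscate to garbage on the other side, which is why a key mismatch on a real device shows up as mysterious authentication failures rather than a clear message. And the obfuscation is a plain XOR with an MD5 keystream derived from the shared secret, so anyone who holds the key, or who can sniff the management network and guess it, reads the password in the CONTINUE packet; that is the reason the server here refuses the cleartext flag outright and the reason TACACS+ belongs on a protected management network.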
As we have seen, TACACS is a protocol invented to centralize and secure access to network resources. Since it was first introduced in 1984 it has been adopted by Cisco, which has added several options to it. Today the widely deployed version is Cisco's TACACS+ (TACACS Plus). TACACS implements authentication, authorization and accounting for network devices and can be used to minimize operational complexity and security-related risks.
In conclusion, I strongly advise network administrators and security professionals tasked with securing networks to look into implementing a centralized AAA environment for managing network resources, either through TACACS+ or RADIUS. There are free TACACS+ servers available as open-source implementations as well as commercial products that should meet the requirements of most enterprise networks. In the second part of this series, I will be posting about the options available and configuration details.