 |  |
21.8. TACACS and Friends
TACACS might be an acronym for Terminal Access Controller Access Control System, or then again, it might not; its origins have been lost. TACACS is an old protocol. There are several newer versions of it, including XTACACS and TACACS+; TACACS+ currently appears to be the most popular.All of these protocols, like RADIUS, are designed to provide authentication, authorization, and auditing services for dial-up users.
TACACS and XTACACS send all data, including usernames and passwords, in cleartext. TACACS+ uses MD5 to avoid sending passwords and usernames in a reusable form and normally also encrypts all data. Basically, this makes TACACS and XTACACS less secure than RADIUS, and TACACS+ more secure than RADIUS.
In order to support encryption, TACACS+ requires a secret key shared between the server and the client. This key must be stored on both the server and the client, and an attacker who has access to the key will be able to impersonate the server and to decrypt all data. This will not actually give the attacker access to passwords (the passwords are not sent in any decryptable form). Nonetheless, you should take reasonable steps to protect this key.
21.8.1. Packet Filtering Characteristics of TACACS and Friends
TACACS uses UDP port 49; it can also use TCP but does not necessarily use port 49 when using TCP. XTACACS uses UDP port 49. TACACS+ uses TCP port 49.| Direction | SourceAddr. | Dest.Addr. | Protocol | SourcePort | Dest.Port | ACKSet | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | UDP | >1023 | 49 |
[142]
|
Request, external client to internal TACACS/XTACACS server |
| Out | Int | Ext | UDP | 49 | >1023 | [142] | Response, internal TACACS/XTACACS server to external client. |
| In | Ext | Int | TCP | >1023 |
49[143]
|
[144]
|
External client connecting to internal TACACS/TACACS+ server |
| Out | Int | Ext | TCP | 49[143] | >1023 | Yes | Internal TACACS/TACACS+ server responding to external client |
| Out | Int | Ext | UDP | >1023 | 49 | [142] | Request, internal client to external TACACS/XTACACS server |
| In | Ext | Int | UDP | 49 | >1023 | [142] | Response, external TACACS/XTACACS server to internal client |
| Out | Int | Ext | TCP | >1023 | 49[143] | [144] | Internal client connecting to external TACACS/TACACS+ server |
| In | Ext | Int | TCP | 49[143] | >1023 | Yes | External TACACS/TACACS+ server responding to internal client. |
[142]UDP has no ACK equivalent.
[143]This may be any port for TACACS.
[144]ACK will not be set on the first packet (establishing connection) but will be set on the rest.
21.8.2. Proxying Characteristics of TACACS and Friends
TACACS+ is a straightforward TCP-based protocol that is well suited for use with generic proxy systems. However, note that TACACS+ supports encryption using a secret key shared between the server and the client, and there is no standard way to determine which key to use if different clients have different keys. Some implementations may use the source address to determine the encryption key, requiring a dedicated proxy that has its own encryption key.TACACS and XTACACS are both normally UDP-based, so they require proxies that can deal with UDP. However, they have no additional complexities and should work with any generic proxy that supports UDP.
21.8.3. Network Address Translation Characteristics of TACACS and Friends
TACACS and XTACACS do not use embedded IP addresses and will work without modification through network address translation systems. TACACS+ should also work, but just as with proxying, you should note that TACACS+ supports encryption using a secret key shared between the server and the client, and there is no standard way to determine which key to use if different clients have different keys. Some implementations may use the source address to determine the encryption key, requiring static address mappings.In addition, TACACS+ supports the negotiation of IP addresses for PPP clients. In the unlikely event that you construct a network configuration where a network address translation system is modifying TACACS+ packets that are eventually used to set remote IP addresses, you should be careful to configure the TACACS+ server so that the addresses it provides are valid. The network address translation system will not be able to modify those embedded addresses.
21.8.4. Summary of Recommendations for TACACS and Friends
|  | |
| 21.7. Remote Authentication Dial-in User Service |  | 21.9. Auth and identd |
