What are the TACACS+, RADIUS and Diameter protocols?
TACACS+, RADIUS and Diameter are protocols that provide a centralized management system for AAA (Authentication, Authorization and Accounting). An ACS (Access Control Server) supports the RADIUS and TACACS+ protocols and is commonly used in enterprise environments. TACACS+, RADIUS and Diameter have some key differences.
Types of AAA Protocols
- Terminal access controller access-control system plus (TACACS+)
- Remote authentication dial-in user service (RADIUS)
- Diameter
TACACS+ (Terminal Access Controller Access Control System Plus) is Cisco's enhancement of TACACS, which makes TACACS+ a Cisco proprietary protocol. TACACS+ is mainly used for device administration through an ACS (Access Control Server) and carries the communication between the client and the Cisco ACS server. TACACS+ is a reliable protocol because it runs over TCP port 49, and its communication is encrypted: the entire packet body is encrypted. TACACS+ provides more control over accounting and authorization. TACACS+ combines authentication and authorization in one step.
Remote Authentication Dial-In User Service (RADIUS) is an IETF standard protocol. RADIUS is used for communication between any vendor's AAA client (Cisco or non-Cisco) and the ACS server, so if you have devices from multiple vendors you can use RADIUS. RADIUS communication is faster but a little less reliable because it uses UDP: port 1645/1812 for authentication and 1646/1813 for accounting. Authentication and authorization are done in a single process. The RADIUS shared key, together with MD5, is used to hide the user password.
The Diameter protocol is an AAA protocol that works with Long-Term Evolution (LTE) and multimedia networks. Diameter is an advanced Authentication, Authorization, and Accounting (AAA) protocol that evolved from the earlier RADIUS protocol. It is part of the application layer protocols in the Internet protocol suite.
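As an added example, not from the post, here are the two password-protection mechanisms the post mentions, written out in Python: RADIUS User-Password hiding (shared key plus MD5, RFC 2865) and TACACS+ packet body obfuscation (MD5 keystream, RFC 8907). The key, Request Authenticator, session id and sample bodies are constructed values.

```python
import hashlib

# All values below are constructed for this example; none come from a real deployment.
SECRET = b"cisco123"                 # the shared key configured on router and server
AUTHENTICATOR = bytes(range(16))     # stands in for the 16 random bytes of a Request Authenticator
SESSION_ID = b"\x01\x02\x03\x04"     # TACACS+ session_id header field (4 bytes)
TACACS_VERSION = 0xC0                # major version 0xC, minor 0 ("v12.0")


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + authenticator) for the first block and MD5(secret + previous
    hidden block) for every following block."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block                      # chaining uses the hidden (output) block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password: anyone holding the key and the packet can do this."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")          # drop the zero padding added when hiding


def tacacs_obfuscate(body: bytes, secret: bytes, session_id: bytes, version: int, seq_no: int) -> bytes:
    """RFC 8907 s4.5: the body is XORed with a keystream of chained MD5 digests of
    session_id + key + version + seq_no (+ previous digest). XOR is its own
    inverse, so the same call with the same header fields decrypts."""
    stream, prev = b"", b""
    while len(stream) < len(body):
        prev = hashlib.md5(session_id + secret + bytes([version, seq_no]) + prev).digest()
        stream += prev
    return bytes(b ^ s for b, s in zip(body, stream))
```

Both mechanisms are symmetric and keyed only by the shared secret, so anyone who captures the traffic and knows the key recovers the password; treat the key as a credential and keep AAA traffic on a management network.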
Let's see the configuration of the AAA TACACS+ and RADIUS servers:
Topology: (diagram)
Goal: TACACS+
- configure the topology as per the diagram
- configure the IP addresses as per the topology
- configure dynamic routing between the networks
- configure AAA authentication with the same key on both the router and the server
- verify with telnet from PC-1 (192.168.10.30)
- configure the RADIUS server
- verify with telnet from the remote PC (192.168.30.10)
ROUTER-1(config-if)#ip address 192.168.10.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit
ROUTER-1(config)#interface gigabitEthernet 0/0
ROUTER-1(config-if)#ip address 192.168.20.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit
ROUTER-2(config)#interface gigabitEthernet 0/0
ROUTER-2(config-if)#ip address 192.168.20.2 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit
ROUTER-2(config)#interface gigabitEthernet 0/1
ROUTER-2(config-if)#ip address 192.168.30.1 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit
ROUTER-1(config)#router eigrp 100
ROUTER-1(config-router)#network 192.168.10.0
ROUTER-1(config-router)#network 192.168.20.0
ROUTER-1(config-router)#no auto-summary
ROUTER-1(config-router)#exit
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency
ROUTER-2(config)#router eigrp 100
ROUTER-2(config-router)#network 192.168.20.0
ROUTER-2(config-router)#network 192.168.30.0
ROUTER-2(config-router)#no auto-summary
ROUTER-2(config-router)#exit
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency
ROUTER-1(config)#tacacs-server host 192.168.10.10
ROUTER-1(config)#tacacs-server key cisco123
ROUTER-1(config)#aaa new-model
ROUTER-1(config)#aaa authentication login cisco123 group tacacs+ local
ROUTER-1(config)#line console 0
ROUTER-1(config-line)#login authentication cisco123
ROUTER-1(config-line)#exit
ROUTER-1(config)#end
User Access Verification
Username: user1
Password:
ROUTER-1>
(the password is user1)
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2D0:D3FF:FEBA:44B2
IP Address......................: 192.168.10.30
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.10.1
(Now create another user with the name user2 and password user2.)
(Now verify with telnet from PC 192.168.10.30.)
ROUTER-1#show aaa sessions
Total sessions since last reload: 3
Session Id:4
Unique Id:4
User Name:user2
IP Address:192.168.10.30
Idle Time: 0
CT Call Handle: 0
Now let's see the configuration of the RADIUS server with the same topology:
check the connectivity between the RADIUS server and PC 192.168.30.10
configure ROUTER-2 to use the external RADIUS server
configure the key the same as in the previous lab (the named login list is applied to the console here; apply it to the vty lines as well so that telnet logins are checked against the server)
ROUTER-2(config)#radius-server host 192.168.10.20
ROUTER-2(config)#radius-server key cisco123
ROUTER-2(config)#aaa new-model
ROUTER-2(config)#aaa authentication login cisco123 group radius local
ROUTER-2(config)#line console 0
ROUTER-2(config-line)#login authentication cisco123
ROUTER-2(config-line)#exit
User Access Verification
Username: admin1
Password:
ROUTER-2>enable
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::201:42FF:FEB5:6E2E
IP Address......................: 192.168.30.10
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.30.1
(Now everything is working, but as you can see we configured local authentication on the routers as a backup, so shut down the RADIUS server and verify the backup authentication.)
Now let's verify with telnet from PC 192.168.30.10:
As you can see, our task is completed and everything works. If you like this blog, please visit our YouTube channel https://www.youtube.com/@internetworkss