Saturday 15 June 2024

What are TACACS+ RADIUS and Diameter protocols? How to configure TACACS+ RADIUS in cisco packet tracer? CCNA security

What are TACACS+ RADIUS and Diameter protocols? 


 TACACS+ RADIUS and Diameter is a protocol to provide a centralized management system for AAA Authentication, Authorization, and Accounting. An ACS (Access Control Server) supports RADIUS and TACACS+ protocols and is commonly used in enterprise environments. TACACS+, RADIUS, and Diameter have some key differences. (if you are not familiar with AAA please click here )


Types of AAA Protocols

  • Terminal access controller access-control system plus (TACACS+)
  • Remote authentication dial-in user service (RADIUS)
  • Diameter

TACACS+ (Terminal Access Controller Access Control System) is an enhancement to TACACS developed by Cisco. Which means TACACS+ is Cisco's proprietary protocol. TACACS+ is mainly used for device administration using ACS (Access Control Server). TACACS+ is used for the communication between the client and the Cisco ACS server. TACACS+ is a reliable protocol because it uses TCP port 49 for communication and the TACACS+ communication is encrypted means all the packets is encrypted. TACACS+ provides more control over accounting and authorization. TACACS+ combines authentication and authorization in one step.


Remote Access Dial-In User Service (RADIUS) is the IEFT standard protocol. The RADIUS protocol is used for communication between any vendor (cisco or non-cisco) AAA client and ACS server. If you are using multiple vendors devices then you can use RADIUS. In RADIUS communication is faster but a bit less reliable uses UDP port 1645/1812 for authentication and 1646/1813 for accounting. In a single process authentication and authorization can be done. RADIUS key with MD5 is used to hide the user password.

 The Diameter protocol is a AAA protocol that works with Long-Term Evolution (LTE) and multimedia networks. Diameter is an advanced Authentication, Authorization, and Accounting (AAA) protocol that evolved from the earlier RADIUS protocol. It’s part of the application layer protocols in the Internet protocol suite. 


let's see the configuration of the AAA TACACS+ and RADIUS server:

Topology:-




Goal: TACACS+

  • configure the topology as per the diagram 
  • configure the IP addresses as per the topology
  • configure dynamic routing between the network 
  • configure AAA authentication and key internet same for both (router and server)
  • verify with telnet from PC-1 192.168.10.30
  • configure RADIUS server 
  • verify with telnet from remote PC- 192.168.30.10


ROUTER-1(config)#interface gigabitEthernet 0/1
ROUTER-1(config-if)#ip address 192.168.10.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit

ROUTER-1(config)#interface gigabitEthernet 0/0
ROUTER-1(config-if)#ip address 192.168.20.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit
 
ROUTER-2(config)#interface gigabitEthernet 0/0
ROUTER-2(config-if)#ip address 192.168.20.2 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit

ROUTER-2(config)#interface gigabitEthernet 0/1
ROUTER-2(config-if)#ip address 192.168.30.1 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit

ROUTER-1(config)#router eigrp 100

ROUTER-1(config-router)#network 192.168.10.0

ROUTER-1(config-router)#network 192.168.20.0

ROUTER-1(config-router)#no auto-summary

ROUTER-1(config-router)#exit


%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency




ROUTER-2(config)#router eigrp 100

ROUTER-2(config-router)#network 192.168.20.0

ROUTER-2(config-router)#network 192.168.30.0

ROUTER-2(config-router)#no auto-summary

ROUTER-2(config-router)#exit


%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency




ROUTER-1(config)#username admin password internet
ROUTER-1(config)#tacacs-server host 192.168.10.10
ROUTER-1(config)#tacacs-server key cisco123

ROUTER-1(config)#aaa new-model
ROUTER-1(config)#aaa authentication login cisco123 group tacacs+ local

ROUTER-1(config)#line console 0
ROUTER-1(config-line)#login authentication cisco123
ROUTER-1(config-line)#exit
ROUTER-1(config)#end

User Access Verification


Username: user1

Password:

ROUTER-1>

ROUTER-1>

ROUTER-1>

ROUTER-1>password is user1


C:\>ipconfig


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::2D0:D3FF:FEBA:44B2

IP Address......................: 192.168.10.30

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.10.1





(let's create another user with the name user2 and password user2)





(now verify with telnet from PC- 192.168.10.30)









ROUTER-1#show aaa sessions

Total sessions since last reload: 3

Session Id:4

Unique Id:4

User Name:user2

IP Address:192.168.10.30

Idle Time: 0

CT Call Handle: 0




now see the configuration of the RADIUS server with the same topology:




check the connectivity between the radius server and PC 192.168.30.10

configure router 2 to use external server RADIUS  

configure the password the same as the previous lab. 



ROUTER-2>enable

ROUTER-2(config)#username admin password cisco123
ROUTER-2(config)#radius-server host 192.168.10.20
ROUTER-2(config)#radius-server key cisco123

ROUTER-2(config)#aaa new-model
ROUTER-2(config)#aaa authentication login cisco123 group radius local

ROUTER-2(config)#line consol 0
ROUTER-2(config-line)#login authentication cisco123
ROUTER-2(config-line)#exit

ROUTER-2(config)#line vty 0 4
ROUTER-2(config-line)#login authentication cisco123
ROUTER-2(config-line)#exit







 
User Access Verification
 
Username: admin1
Password:
ROUTER-2>enable


C:\>ipconfig


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::201:42FF:FEB5:6E2E

IP Address......................: 192.168.30.10

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.30.1






(now everything is working fine but as see we configure backup authentication on local routers, so let down the RADIUS server and verify the backup authentication)




now let's verify with telnet from PC 192.168.30.10

.

.



as you can see our task is completed and everything is fine. if you like this blog please visit our YouTube channel https://www.youtube.com/@internetworkss

No comments:

How to configure the DHCP server on a Cisco ASA device?

How to configure the DHCP server on a Cisco ASA device?    DHCP (Dynamic Host Configuration Protocol) servers provide all the basic informat...