Modified: for 12.1.4

Overview

Terminal Access Controller Access-Control System (TACACS) refers to a family of related protocols handling remote authentication and related services for network access control through a centralized server. TACACS Plus (TACACS+) has largely replaced its predecessors and is a separate protocol that handles authentication, authorization, and accounting (AAA) services. 

The SBC Core supports the TACACS+ protocol to authenticate username/password credentials when a user logs in to the SBC CLI or accesses the Confd database over NETCONF. The SBC communicates with the TACACS+ server over TCP/IP.

  • TACACS+ is similar to RADIUS in a number of ways. Both are relatively weak by today's cryptographic standards, since neither runs over TLS here: TACACS+ hides the packet body with an MD5-derived keystream that RFC 8907 explicitly describes as obfuscation rather than encryption, and RADIUS hides only the User-Password attribute. Both protocols should therefore be confined to a protected management network.
  • TACACS+ uses TCP (port 49) for reliable delivery, whereas RADIUS uses UDP.
  • TACACS+ separates authentication from authorization, each being its own request/response exchange, while RADIUS combines both functions in a single Access-Request/Access-Accept exchange.

(The TACACS+ protocol is specified in RFC 8907, "The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol".)

TACACS Plus Functionality

The SBC is enhanced with the addition of the OAM "TACACS Plus Authentication" configurable object to authenticate SBC and Network Configuration Protocol (NETCONF) users with a TACACS+ server.

When using this feature, the SBC sends a TACACS+ authentication request to one or more configured TACACS+ servers. This request contains the user name to authenticate and the password, encoded by one of two configurable methods. The request's other parameters are configurable as described in the CLI and EMA documentation.

The SBC acts as the TACACS+ client, and the exchange is triggered by the "External Authentication" command. The TACACS+ server returns an authentication reply indicating whether the user name was authenticated successfully.

  • If authentication succeeds, the SBC sends a TACACS+ authorization request to one or more configured TACACS+ servers. This request carries various parameters, including an attribute-value pair (AVP) naming the argument whose value the server returns as the group name of the user just authenticated. The SBC uses a Confd table to map the returned group name to a Confd user group.
  • If the authorization request succeeds and the response carries an AVP whose value is the group name, the user can log on to the SBC.
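The two-step exchange described above, worked through on the wire, as an added example that is not SBC code: an RFC 8907 authentication START/REPLY using PAP, followed by an authorization REQUEST/RESPONSE whose returned AVP is mapped to a Confd group. The TACACS+ server is simulated in-process on constructed data, so no TCP socket to port 49 is opened; the argument name "sbc-group", the user table and the group mapping table are all hypothetical stand-ins for the SBC's configurable values.

```python
"""Added example (not SBC code): TACACS+ (RFC 8907) PAP authentication, then
authorization with a group AVP mapped to a Confd group. Client and server run
in-process on constructed data; the argument name and tables are hypothetical."""
import hashlib
import struct

VER_DEFAULT, VER_PAP = 0xC0, 0xC1          # major version 0xC; minor version 1 is required for PAP
AUTHEN, AUTHOR = 1, 2                      # header.type
AUTHEN_LOGIN, AUTHEN_TYPE_PAP, SVC_LOGIN = 1, 2, 1
AUTHEN_PASS, AUTHEN_FAIL = 1, 2            # authentication REPLY status
METH_TACACSPLUS = 6                        # authorization REQUEST authen_method
AUTHOR_PASS_ADD, AUTHOR_PASS_REPL, AUTHOR_FAIL = 0x01, 0x02, 0x10
HEADER = struct.Struct("!BBBBII")          # version, type, seq_no, flags, session_id, length

# Constructed server state. "sbc-group" and the Confd mapping are hypothetical.
SERVER_KEY = b"constructed-shared-secret"
USERS = {"alice": ("s3cret", "sbc-admins"), "bob": ("hunter2", "sbc-ops")}
GROUP_ATTR = "sbc-group"
CONFD_GROUP_MAP = {"sbc-admins": "Administrator", "sbc-ops": "Operator"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id|key|version|seq_no.
    Obfuscation only: a wrong key yields silent garbage, and nothing authenticates the body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def packet(version, ptype, seq_no, session_id, body, key):
    """Prepend the 12-byte header and XOR the body with the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return HEADER.pack(version, ptype, seq_no, 0, session_id, len(body)) + bytes(a ^ b for a, b in zip(body, pad))

def unpack(raw, key):
    """Return (version, type, seq_no, session_id, cleartext body)."""
    version, ptype, seq_no, _flags, sid, length = HEADER.unpack_from(raw)
    pad = pseudo_pad(sid, key, version, seq_no, length)
    return version, ptype, seq_no, sid, bytes(a ^ b for a, b in zip(raw[HEADER.size:HEADER.size + length], pad))

def authen_start_pap(user, password, port="netconf", rem_addr="192.0.2.10", priv_lvl=1):
    f = [user.encode(), port.encode(), rem_addr.encode(), password.encode()]  # PAP puts the password in data
    return bytes([AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, SVC_LOGIN]) + bytes(map(len, f)) + b"".join(f)

def author_request(user, args, port="netconf", rem_addr="192.0.2.10", priv_lvl=1):
    f = [user.encode(), port.encode(), rem_addr.encode()]
    a = [x.encode() for x in args]
    head = bytes([METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_PAP, SVC_LOGIN]) + bytes(map(len, f)) + bytes([len(a)])
    return head + bytes(map(len, a)) + b"".join(f) + b"".join(a)

def parse_author_response(body):
    """Return (status, {attr: value}); '=' separates a mandatory AVP, '*' an optional one."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
    pos, avps = 6 + arg_cnt + msg_len + data_len, {}
    for n in body[6:6 + arg_cnt]:
        s = body[pos:pos + n].decode(errors="replace")
        pos += n
        seps = [i for i in (s.find("="), s.find("*")) if i >= 0]
        i = min(seps) if seps else len(s)
        avps[s[:i]] = s[i + 1:]
    return status, avps

def server_handle(raw):
    """Constructed TACACS+ server: PAP check, then the group AVP on authorization."""
    version, ptype, seq_no, sid, body = unpack(raw, SERVER_KEY)
    if ptype == AUTHEN:
        ulen, plen, alen, dlen = body[4:8]
        user = body[8:8 + ulen].decode(errors="replace")
        pw = body[8 + ulen + plen + alen:8 + ulen + plen + alen + dlen].decode(errors="replace")
        ok = user in USERS and USERS[user][0] == pw
        reply = struct.pack("!BBHH", AUTHEN_PASS if ok else AUTHEN_FAIL, 0, 0, 0)
        return packet(version, AUTHEN, seq_no + 1, sid, reply, SERVER_KEY)
    arg_cnt = body[7]                                   # user follows the arg length bytes
    user = body[8 + arg_cnt:8 + arg_cnt + body[4]].decode(errors="replace")
    if user not in USERS:
        return packet(version, AUTHOR, seq_no + 1, sid, struct.pack("!BBHH", AUTHOR_FAIL, 0, 0, 0), SERVER_KEY)
    avp = f"{GROUP_ATTR}={USERS[user][1]}".encode()
    resp = struct.pack("!BBHH", AUTHOR_PASS_ADD, 1, 0, 0) + bytes([len(avp)]) + avp
    return packet(version, AUTHOR, seq_no + 1, sid, resp, SERVER_KEY)

def login(user, password, key=SERVER_KEY, session_id=0x1A2B3C4D):
    """Client side (the SBC's role). Returns the Confd group, or None when any step fails."""
    reply = server_handle(packet(VER_PAP, AUTHEN, 1, session_id, authen_start_pap(user, password), key))
    body = unpack(reply, key)[4]
    status, _flags, msg_len, data_len = struct.unpack_from("!BBHH", body)
    if status != AUTHEN_PASS or 6 + msg_len + data_len != len(body):  # length check catches a wrong secret
        return None
    req = author_request(user, ["service=shell", "cmd*"])              # constructed shell authorization args
    resp = server_handle(packet(VER_DEFAULT, AUTHOR, 1, session_id + 1, req, key))
    status, avps = parse_author_response(unpack(resp, key)[4])
    if status not in (AUTHOR_PASS_ADD, AUTHOR_PASS_REPL):
        return None
    return CONFD_GROUP_MAP.get(avps.get(GROUP_ATTR))                   # missing or unknown group: no login
```

Two points worth noting when running it. A mismatched shared secret never produces a protocol error: the decoded body is simply garbage, which is why `login` checks that the declared lengths are consistent with the body before trusting the status byte. And because the authorization response is only obfuscated, the returned group AVP is not integrity-protected on the wire, which is the practical reason RFC 8907 and the note above confine the protocol to a management network.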

This feature leverages the existing SBC System Admin "External Authentication Type" command, which already implements RADIUS and LDAP authentication. The SBC is enhanced with the addition of the "Tacacs Plus" type.