Authentication Question

Quick question.
I am under the impression that RADIUS, DAIMETER and TACACS+ do remote authentication. I keep remembering that RADIUS is remote, but I believe they all provide for remote authentication, right?

Aside from that the main diff between RADIUS and TACAS+:
UDP,TCP
AAA, AAA (Separate)
RFC, CISCO
Some plaintext, All encrypted
TACAS+ Port 49

….Anything else REALLY important?

Find more posts tagged with

Comments

TheProfezzor

I have an evenly interesting question for you. Which one of these is recommended and better supports mobile devices and wireless technology?

5502george

Good question, there is somehting that is telling me it is RADUIS (Only becasue it is more openly used). Might have been from a tidbit I read from a book somewhere, and thats maybe why I have it stuck in my head....Which is it?

JDMurray

Here is an article explaining why CISCO developed TACACS+ rather than using RADIUS. Explanations of AAA and relevant RFCs are there as well.

The gist seems to be that Cisco couldn't sufficiently influence the evolution of the RADIUS standard to sufficiently replace XTACACS, so making an entirely new remote access protocol was their best second option.

5502george

JDMurray wrote: »

Here is an article explaining why CISCO developed TACACS+ rather than using RADIUS. Explanations of AAA and relevant RFCs are there as well.

The gist seems to be that Cisco couldn't sufficiently influence the evolution of the RADIUS standard to sufficiently replace XTACACS, so making an entirely new remote access protocol was their best second option.

Good info. As far as wireless device connection, It really depends on what you are trying to accomplish from RADIUS or TACACS when choosing between one or the other.

JDMurray

...or if you are an organization that already buys a lot of Cisco products and services.

Spin Lock

TheProfezzor wrote: »

I have an evenly interesting question for you. Which one of these is recommended and better supports mobile devices and wireless technology?

I haven't read anything that discusses which AAA implementation is better for mobile devices. This is an interesting question.

In such a network, you're talking about a mobile device connecting to a WiFi Access Point and that AP is, in turn, communicating with a RADIUS or TACACS+ server to authenticate and authorize the mobile device.

Obviously the wireless communication protocol (802.11x) that is being used between the mobile device and the AP is the most critical piece from a security perspective (Are you using WEP, WPA or WPA2 for example). But the wireless communication protocol and the encryption method has nothing to do with your AAA implementation. The RADIUS vs TACACS choice effects how the AP communicates with the authentication server. And regardless of which authentication implementation you go with, neither the RADIUS nor the TACACS+ server is aware that the end user is on a mobile device vs a wired device because the server only communicates with the AP. The AP could have wireless connection and, presumably, wired connections (via a built in hub) and the authentication server wouldn't care which one was being authenticated.

If all my assumptions above are true, then the choice between RADIUS and TACACS+ would seem to come down to the normal set of factors that come into play. TACACS+ uses TCP as the underlying transport protocol while RADIUS uses UDP. This gives TACACS+ the advantage because TCP is a connection oriented protocol and UDP is best effort. TACACS+ also encrypts all traffic between the AP and the server, while RADIUS only encrypts the password. So TACACS+ has a security advantage here as well. But RADIUS is IETF standard with several robus open source implementations, so it's potentially easier to get implemented on your AP. If your using Cisco equipment than your AP will ship with TACACS+ support, but if you're not using Cisco or have a mixed network, then TACACS+ support might be an issue.