okay:
RADIUS and TACACS+ are used as authentication servers with a Cisco ACS server?
RADIUS is only authentication, and if you were to configure it with your Cisco devices everyone would have enable mode? Or do you set the priv mode when you set up the RADIUS server? I didn't see this in the configs.
TACACS+ by itself can do authentication and authorization separately and is fully encrypted, while with RADIUS the password is the only thing encrypted.
RADIUS can only authenticate and not authorize any commands by itself.
But when tied to an ACS server, of course, authorization can happen.
A NAC setup is when you configure a NAC server, say off of a router, that is usually configured to use a TACACS+ or RADIUS server for the database of names to access the network. I think maybe you could even configure an ACS server along with this to work with the NAC server? Or do you just need authentication, for the additional network security only?
Old-school RADIUS used to use UDP ports 1645 and 1646.
New-school RADIUS uses UDP ports 1812 and 1813.
TACACS+ uses TCP 49.
Okay guys, rip me up. Where am I way off? I just need you guys to set me straight. If I am off, please let me know in detail where I am screwy. Thanks, mates!
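
Added example, not part of the original post: a sketch of how a RADIUS Access-Request hides only the User-Password attribute (RFC 2865, section 5.2) while the User-Name is sent in cleartext. The shared secret, authenticator, user name and password below are constructed sample values; a real client uses a random 16-byte authenticator per request.

```python
import hashlib
import struct

ACCESS_REQUEST = 1               # RFC 2865 packet code
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def _keystream_xor(block, secret, prev):
    """XOR one 16-byte block with MD5(secret + prev)."""
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password, secret, authenticator):
    """Client side: pad to 16-byte blocks, chain each block on the previous ciphertext."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: same keystream, keyed by the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _keystream_xor(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, authenticator, user, password, secret):
    """Header (code, id, length, authenticator) followed by the two attributes."""
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

# Constructed sample values, for illustration only.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
USER, PASSWORD = b"netadmin", b"correct horse battery"

if __name__ == "__main__":
    pkt = build_access_request(1, AUTHENTICATOR, USER, PASSWORD, SECRET)
    print("user name visible in packet:", USER in pkt)
    print("password visible in packet: ", PASSWORD in pkt)
```
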
