TACACS+ servers
When users connect to their corporate network remotely, they do so through a remote access server. As remote access technology has evolved, the need for security when accessing networks has become increasingly important. This need can be filled using a Terminal Access Controller Access-Control System (TACACS+) server.
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a username and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies the user access to the network.
TACACS+ offers fully encrypted packet bodies and supports both IP and AppleTalk protocols. TACACS+ uses TCP port 49; TCP is seen as more reliable than the UDP transport used by RADIUS.
There are several different authentication protocols that TACACS+ can use during the authentication process:
Authentication protocols
| Protocol | Definition |
| --- | --- |
| ASCII | Machine-independent technique that uses representations of English characters. Requires the user to type a username and password that are sent in clear text (unencrypted) and matched with an entry in the user database stored in ASCII format. |
| PAP | Password Authentication Protocol (PAP). Used to authenticate PPP connections. Transmits passwords and other user information in clear text. |
| CHAP | Challenge-Handshake Authentication Protocol (CHAP). Provides the same functionality as PAP, but is more secure as it does not send the password and other user information over the network to the security server. |
| MS-CHAP | Microsoft Challenge-Handshake Authentication Protocol v1 (MS-CHAP). Microsoft-specific version of CHAP. |
| default | The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order. |
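The body protection and authentication types above can be checked on a captured authentication START packet. The following Python is an added example, not from the original page or any vendor's code: it assumes the header layout, flag and MD5-based body obfuscation defined in RFC 8907, and the key, session ID and user name are constructed sample values.

```python
import hashlib
import struct

UNENCRYPTED_FLAG = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG in RFC 8907
AUTHEN_TYPES = {1: "ASCII", 2: "PAP", 3: "CHAP", 5: "MS-CHAP"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5 blocks chained over session id, key, version, seq."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call protects and recovers a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(session_id, key, authen_type, user, flags=0):
    """Build a constructed authentication START packet (type 1, seq 1)."""
    version, seq_no = (0xC0 if authen_type == 1 else 0xC1), 1
    # action=login, priv_lvl=1, type, service=login, user_len, then empty port/rem_addr/data
    body = bytes([1, 1, authen_type, 1, len(user), 0, 0, 0]) + user
    if not flags & UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    header = struct.pack("!BBBBII", version, 1, seq_no, flags, session_id, len(body))
    return header + body

def inspect_authen_start(packet, key):
    """Parse the 12-byte header, recover the body, report what an auditor needs."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if ptype != 1 or len(body) != length or length < 8:
        raise ValueError("not a complete authentication START packet")
    protected = not flags & UNENCRYPTED_FLAG
    if protected:
        body = xor_body(body, session_id, key, version, seq_no)
    user_len = body[4]
    return {
        "authen_type": AUTHEN_TYPES.get(body[2], "unknown"),
        "user": body[8:8 + user_len].decode("ascii", "replace"),
        "body_protected": protected,
    }

if __name__ == "__main__":
    pkt = build_authen_start(0x1234ABCD, b"constructed-secret", 2, b"alice")
    print(inspect_authen_start(pkt, b"constructed-secret"))
```

A result with `body_protected` set to False means the packet body crossed the network without the shared-key protection and is worth flagging in a configuration audit.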