The Network Monitor

TACACS+ Solves Security Problems Of Dial-in Access Networks


Today, networks are providing dial-in access to more and more people. Low-cost, high-speed modems and inexpensive ISDN service are giving telecommuters and mobile users convenient access to corporate-wide network-based resources. Similarly, the explosive growth of the Internet has fueled the need for dial-in access available to the general public.

Companies providing dial-in network access need to secure their systems and corporate information from unauthorized users. Internet service providers need to provide Internet access only to authorized customers. Network Access Servers (NAS) must provide mechanisms to allow dial-in access that will fulfill all these requirements.

A mechanism is also needed to require network administrators to log in to each network device when performing maintenance or troubleshooting. This allows the management staff to easily answer the "What changed last?" question regarding changes in the network's operation.

Fortunately, Cisco has been addressing these needs. This article describes the components of dial-in access security, and its implementation in various protocols.

The Components Of Access Security

The three major components of network security are authentication, authorization, and accounting (AAA).

Authentication determines who you are and if you should be allowed access to the network. It allows network managers to bar intruders from their networks. Simple authentication methods use a database of usernames and passwords while more complex methods use one-time passwords.

Authorization determines what you are allowed to do. Authorization allows network managers to limit which network services are available to different users. It helps to restrict the exposure of the internal network to outside callers and simplifies the view of the network for the less technical remote access user. Authorization allows mobile users to connect to the closest local connection and still have the same access privileges as on their local networks. It also can specify what commands a new network administrator can issue on specific network devices.

Accounting keeps track of what you did and when you did it. Network administrators may need to bill departments or customers for connection time or resources used on the network (bytes transferred). Accounting also can track suspicious connection attempts to the network.

Central management of access security servers is desirable. A client/server architecture allows all security information to be located in a single, centralized database, instead of being scattered around a network in many different devices. Changes to the database are made in a few security servers instead of in every NAS in the network. This type of design allows for easy scalability and extensibility.

Alternative Protocols

To address these security issues, Cisco Systems developed the Terminal Access Controller Access Control System (TACACS) protocol many years ago. TACACS forwards username and password information to a centralized server, which verifies the validity of the password and tells the NAS whether to allow network access. No other functionality is supported, which implies that TACACS only supports the authentication portion of AAA.

Cisco extended the basic server concept, creating XTACACS, to allow multiple servers and to record the length of time a user was logged in. The logging was accomplished through use of the Unix login accounting system. Both protocols use UDP as their data transport mechanism. The server code for both TACACS and XTACACS has been publicly available from Cisco, with no support provided. The Cisco user community has been active in enhancing the XTACACS server, and this is the server software that most sites are running today.

Radius, a protocol and database server, is a major competitor to XTACACS. Radius is also implemented as a client-server system, similar to the XTACACS system. All authentication and network service access information is located on the server. The latest version of Radius now supports authentication, authorization, and accounting. Like the TACACS and XTACACS systems, its server is only available as free source code with no vendor support.

The Solution

The market is wide open for a system to take a leadership position in access security. That system is TACACS+.

The TACACS+ protocol includes all three components of network access security: authentication, authorization, and accounting. The data transport used is TCP, which provides a reliable connection between the client and server -- an important aspect for guaranteed network security and accountability. The NAS sends authentication requests to the TACACS+ server, which verifies the password provided by the user and returns a success or failure response to the NAS.
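The round trip just described (the NAS sends an authentication START, the server checks the password and answers PASS or FAIL over the same TCP session), as an added Python example that is not from the article or from Cisco. It follows the 12-byte TACACS+ header, the authentication START and REPLY bodies and the chained-MD5 body obfuscation from the later RFC 8907 specification (none of which the article shows); the shared key, session id, port, remote address and user database are constructed, and the receiver checks the declared body length before touching the payload.

```python
import hashlib, hmac, struct

HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
VERSION, TYPE_AUTHEN, UNENCRYPTED_FLAG = 0xC0, 0x01, 0x01
STATUS_PASS, STATUS_FAIL = 0x01, 0x02

def pseudo_pad(session_id, key, version, seq_no, length):
    """Obfuscation pad: chained MD5 over session_id, key, version, seq_no (RFC 8907 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def wrap(body, session_id, seq_no, key):
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    obf = bytes(a ^ b for a, b in zip(body, pad))  # body XOR pad, flags = 0 (obfuscated)
    return HDR.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body)) + obf

def unwrap(packet, key):
    """Parse the header, verify the declared length arrived, reverse the obfuscation."""
    version, _ptype, seq_no, flags, session_id, length = HDR.unpack_from(packet)
    body = packet[HDR.size:HDR.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, pad))
    return seq_no, session_id, body

def authen_start(user, password, port=b"tty0", rem_addr=b"203.0.113.7"):
    # START body: action LOGIN, priv_lvl 1, authen_type PAP, service LOGIN, four field lengths.
    fixed = bytes([0x01, 0x01, 0x02, 0x01, len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password

def authen_reply(start_body, creds):
    """Server side: look the user up in the constructed database, answer PASS or FAIL."""
    ulen, plen, rlen, dlen = start_body[4:8]
    user = start_body[8:8 + ulen]
    pw = start_body[8 + ulen + plen + rlen:8 + ulen + plen + rlen + dlen]
    ok = user in creds and hmac.compare_digest(creds[user], pw)
    return bytes([STATUS_PASS if ok else STATUS_FAIL, 0]) + struct.pack("!HH", 0, 0)

def login_exchange(user, password, creds, key, session_id=0x1A2B3C4D):
    """Full NAS <-> server exchange in one session (constructed session id); returns status."""
    req = wrap(authen_start(user, password), session_id, 1, key)  # NAS sends seq_no 1
    _, sid, start = unwrap(req, key)                              # server decodes START
    resp = wrap(authen_reply(start, creds), sid, 2, key)          # server answers seq_no 2
    _, _, reply = unwrap(resp, key)                               # NAS decodes REPLY
    return reply[0]
```

The pad is derived from the shared key, so a NAS and server configured with different keys decode each other's bodies into garbage rather than a clean FAIL, which is the usual symptom of a key mismatch.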

In the next issue of The Network Monitor, this article will conclude with an overview of TACACS+ and its key features.


Volume 1, Number 3 Table Of Contents