What is AAA for?
To ensure network security, it is necessary to ensure control over access to various network elements by users. Such elements can be network devices, servers, computers, applications or even segments of the network itself.
There are two main types of AAA for networks:
- Network Device Administration: Manages who is allowed to log into a network device through its console, a Telnet session, a Secure Shell (SSH) session, or other means.
- Network Access: Identifies a user or device before it is granted access to the network.
There are two main solutions for AAA in modern networks: Remote Authentication Dial-In User Service (RADIUS) and Cisco’s Terminal Access Controller Access-Control System Plus (TACACS+) protocols. There is a third AAA protocol known as DIAMETER, but it is typically used only by mobile operators. We will look at and compare RADIUS and TACACS+ to help you determine which is best for your network.
Basic AAA Concepts
Before we get acquainted with the RADIUS and TACACS+ protocols, let’s understand the basic concepts of the AAA mechanism. For example, we will use the process of legal entry into a room with access control.
Authentication – determining the identity of the person trying to enter the room. In our example, this could be a fingerprint scan, since each person's fingerprint is unique and can serve as confirmation of identity. In the networked world, standard authentication uses a login and password issued to each user, which allow them to confirm their identity.
Authorization – the step that follows successful authentication. It consists of checking the access rights to the room of the person who has been authenticated. Perhaps a person has the right to enter the first room but is prohibited from going further. On network devices, access rights most often define the list of commands that an authenticated user may execute. For example, a network engineer with level 1 access is only allowed to view the device configuration using show commands, while an engineer with level 2 can make changes. On the AAA servers of telecom operators, access rights can determine which tariff plan the subscriber belongs to.
Accounting runs in parallel with authentication and authorization and records in the log the success or failure of those processes: whether a person was able to enter the premises or not, whether the user gained access to the network device and, if so, what actions they performed on it. This process is important for security and access control, as it allows you to identify potential threats and look for "holes" in the system.
In practice, the AAA process in telecom operator networks looks like this:
- The subscriber connects to the AGW (Access Gateway) or Network Access Server (NAS) access device and enters their login and password.
- AGW (NAS) generates and sends an authentication request to the AAA server and waits for a response.
- The AAA server contacts the DPI system or billing server via the RADIUS protocol to verify the subscriber’s login and password.
- The AAA server generates a response and sends it back to the AGW (NAS).
- If authentication is successful, the AGW (NAS) allows the subscriber into the network, but does not yet provide them with any services.
- If the user tries to access the Internet (enters a URL in the browser's address bar), the AGW (NAS) generates a new request to the AAA server for authorization.
- The AAA server again contacts the DPI system or billing server to obtain information about the tariff plan and services connected to the subscriber.
- Having received a positive response from billing, the AAA server sends a response to the AGW (NAS), and the subscriber gets access to the Internet according to the settings of their tariff plan.
RADIUS
The RADIUS protocol is an IETF standard for AAA. It has been in use since the early 1990s and was originally used for dial-up modem connections, extending the Layer 2 Point-to-Point Protocol (PPP) between an end user and a Network Access Server (NAS) by passing authentication traffic from the NAS to the AAA server. Authentication and authorization information is delivered in a single packet type, while accounting is handled by a separate process. RADIUS is widely used and supported by most device manufacturers and software developers.
A modern implementation of RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting); the older ports 1645 and 1646 can also be used. UDP is fast but has a number of disadvantages that must be taken into account. When RADIUS was developed, security was not as pressing a concern as it is now, so it supports only a small number of authentication types (clear text and CHAP), encrypts only the password field, and overall offers only a moderate level of security.
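The NAS-to-AAA-server exchange from the operator flow above and the RADIUS packet details in this section, as an added Python example (not code from the original article or from any RADIUS implementation): it builds an Access-Request the way a NAS would, hides only the User-Password attribute as RFC 2865 prescribes, answers it from a stand-in AAA server with a correctly computed Response Authenticator, verifies that authenticator on the NAS side, and builds the separate Accounting-Request of RFC 2866. The shared secret, the subscriber table and the NAS address are constructed values, and the billing/DPI lookup is replaced by an in-memory dict.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST = 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, ACCT_STATUS_TYPE = 1, 2, 4, 18, 40
ACCT_START = 1


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded with the
    Request Authenticator. This is the ONLY field RADIUS protects; all other attributes are clear."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; the chain value is the received (hidden) block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes these 2 header bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(pkt: bytes):
    """Returns (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def nas_access_request(username: str, password: str, secret: bytes, ident: int = 1) -> bytes:
    """Step 2 of the flow: the AGW/NAS sends an Access-Request with a fresh random Request Authenticator."""
    req_auth = secrets.token_bytes(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),  # constructed NAS address
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def aaa_server_handle(pkt: bytes, secret: bytes, subscribers: dict) -> bytes:
    """Steps 3-4: the AAA server checks the credentials (here an in-memory dict stands in for billing)
    and replies Access-Accept or Access-Reject. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so only a secret holder can forge it."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    expected = subscribers.get(user)
    ok = code == ACCESS_REQUEST and expected is not None and hmac.compare_digest(expected, password)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(REPLY_MESSAGE, b"welcome" if ok else b"denied")])
    header = struct.pack("!BBH", resp_code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def nas_verify_response(resp: bytes, req_auth: bytes, secret: bytes):
    """NAS-side check that the reply was produced by a holder of the shared secret for THIS request.
    Returns (authentic, code)."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20]), resp[0]


def nas_accounting_start(username: str, secret: bytes, ident: int = 2) -> bytes:
    """Accounting (RFC 2866) is a separate packet type on its own port; its authenticator is
    MD5 over the packet with 16 zero bytes in the authenticator slot, followed by the secret."""
    body = encode_attrs([(USER_NAME, username.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    db = {"alice": b"correct horse battery"}  # constructed subscriber table
    req = nas_access_request("alice", "correct horse battery", secret)
    resp = aaa_server_handle(req, secret, db)
    print("authentic, code:", nas_verify_response(resp, req[4:20], secret))
    print("username in clear:", b"alice" in req, "| password in clear:", b"correct horse battery" in req)
```

Running it shows the point the section makes about RADIUS security: the User-Name (and every other attribute) crosses the network in clear text, only the password is hidden, and that hiding rests on MD5 and the strength of the shared secret rather than on a modern cipher.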
TACACS+
This protocol was developed by Cisco and is an evolution of the earlier TACACS and XTACACS. Despite the similar names, TACACS+ has been heavily modified and is not backward compatible with TACACS, which is now almost never used. The main area of TACACS+ use is the administration of network devices, but it can also be used for some types of AAA for network access. TACACS+ uses Transmission Control Protocol (TCP) port 49 rather than UDP, as TCP is more reliable and gives early notice of potential errors thanks to the TCP RST packet. TCP is slower, but brings additional advantages: authentication, authorization and accounting can be separated into independent functions, multiple authorizations can follow a single authentication, and the entire packet contents are encrypted.
For clarity, the main characteristics are summarized below:
Main differences between RADIUS and TACACS+
The main difference is that TACACS+ encrypts the entire packet content, leaving only a simple header in clear text. This protects against attackers eavesdropping on the messages sent between devices. TACACS+ also implements the AAA functions separately, which allows each of them to be placed on a separate server or even to use a different protocol (not TACACS+).
TACACS+ also offers closer integration with Cisco devices and allows detailed management of routers (through the authorization process). With a TACACS+ server it is possible to control which commands are permitted using access levels (which are then configured on the devices themselves). RADIUS offers some of this functionality, but not as well or as flexibly as TACACS+.
When using the TACACS+ protocol there can be no firewall between the client and the server, since the server must receive the request from the client with the client's own IP address rather than the firewall's address. With RADIUS, the client's IP address is also carried inside the packet itself, so the AAA server can take it from there.
But the biggest disadvantage of TACACS+ is that Cisco developed the protocol for its own needs, so Cisco's own network devices have the widest support for it. However, the situation is gradually changing, and other manufacturers have begun to support TACACS+.
Which protocol to use for the AAA server must be chosen depending on the task. For device administration, TACACS+ is the best option; for network access, the more universal and faster RADIUS is preferable.
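To show what "encrypts the entire packet content, leaving only the header" means on the wire, an added Python example (not from the article or from any vendor implementation) that builds a TACACS+ authentication START packet as RFC 8907 describes it: an MD5-based pseudo-pad is derived from the session id, shared key, version and sequence number and XORed over the whole body, so only the 12-byte header stays readable. The key, session id, port and credentials are constructed values. The block also includes a check for the TAC_PLUS_UNENCRYPTED_FLAG, which a monitoring tool can use to spot packets whose body, and therefore credentials, travel in clear text.

```python
import hashlib
import struct

# Header fields (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length.
HEADER_FMT, HEADER_LEN = "!BBBBII", 12
TAC_PLUS_VERSION = (0xC << 4) | 0x0      # major version 12, minor 0
TAC_PLUS_AUTHEN = 1                       # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# Authentication START body constants (section 5.1).
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN = 1, 2, 1


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1).
    The digests are concatenated and truncated to the body length (RFC 8907 section 4.5)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body, so this is also the decoder."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start_body(user: str, password: str, port: bytes = b"tty0", rem_addr: bytes = b"192.0.2.10") -> bytes:
    """START body for a PAP login: action, priv_lvl, authen_type, authen_service, four length bytes, then the strings.
    Port and remote address are constructed values."""
    u, d = user.encode(), password.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(port), len(rem_addr), len(d))
    return fixed + u + port + rem_addr + d


def parse_authen_start(body: bytes) -> dict:
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def tacacs_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1, encrypt: bool = True) -> bytes:
    """Client side: the 12-byte header stays in clear text; the body is obfuscated unless the
    unencrypted flag is set (RFC 8907 deprecates that flag for production use)."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if encrypt else body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload))
    return header + payload


def open_packet(pkt: bytes, key: bytes):
    """Server side: read the clear header, then recover the body with the shared key.
    Returns (header dict, body). A wrong key yields garbage rather than an error."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    payload = pkt[HEADER_LEN:HEADER_LEN + length]
    header = {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags, "session_id": session_id}
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header, payload
    return header, obfuscate(payload, session_id, key, version, seq_no)


def body_is_cleartext(pkt: bytes) -> bool:
    """Monitoring check: a TACACS+ packet with the unencrypted flag set carries its body in the clear."""
    return bool(struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])[3] & TAC_PLUS_UNENCRYPTED_FLAG)


if __name__ == "__main__":
    key = b"constructed-tacacs-key"
    pkt = tacacs_packet(authen_start_body("alice", "correct horse"), 0x1234ABCD, key)
    header, body = open_packet(pkt, key)
    print("header readable:", header)
    print("username visible on the wire:", b"alice" in pkt)
    print("recovered user:", parse_authen_start(body)["user"])
```

Compared with the RADIUS case, neither the username nor any other body field is visible to an eavesdropper, but the protection is still an MD5-derived keystream under a shared key, which is why the protocol is normally run only inside the management network.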
Starting with Stingray Service Gateway 6.0, authorization of IPoE sessions via RADIUS has become available, which has expanded the telecom operator's ability to control subscriber access to the Internet and to apply tariff plan policies and additional tariff options:
- assignment and modification of policies (tariff plans and options);
- redirection of users to Captive Portal (blocking);
- work at the L3 level;
- identification of users by IP or by Q-in-Q tag.
For more detailed information on the advantages of Stingray Service Gateway, its effective use in telecom operator networks, and migration from other platforms, contact the specialists of VAS Experts, the developer and supplier of the Stingray Service Gateway traffic analysis system.