
Network Authentication Radius Tacacs

Category: Network Security
Type: Network Concepts
Generated on: 2025-07-10 09:06:15
For: Network Engineering, Administration & Technical Interviews


Network Authentication Cheatsheet: RADIUS & TACACS+


What is it? RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) are network protocols used for centralized Authentication, Authorization, and Accounting (AAA). They allow network devices (like routers, switches, and wireless access points) to offload authentication and authorization to a central server.

Why is it important?

  • Centralized Management: Simplifies user management and access control across the entire network.

  • Enhanced Security: Enforces consistent security policies and reduces the risk of local credential compromise.

  • Scalability: Easier to manage a large number of users and devices.

  • Auditing: Provides detailed accounting information for tracking user activity and resource usage.

Key Concepts:

  • AAA: Authentication, Authorization, and Accounting. The core functions of these protocols.

    • Authentication: Verifying the identity of a user or device.
    • Authorization: Determining what resources a user or device is allowed to access.
    • Accounting: Tracking resource usage (e.g., time connected, data transferred).
  • NAS (Network Access Server): The device (e.g., router, switch, VPN server, wireless AP) that initiates the authentication request. Acts as a client to the RADIUS or TACACS+ server.

  • RADIUS Server: A central server that authenticates users and authorizes access to network resources.

  • TACACS+ Server: Similar to RADIUS, but uses a different protocol and offers more granular authorization.

  • Shared Secret: A password configured on both the NAS and the RADIUS/TACACS+ server, used for encrypting communication between them. Crucial for security.

  • Attribute-Value Pairs (AVPs): Data elements used to convey information between the NAS and the server (e.g., username, password, IP address, service type).

  • Port Numbers:

    • RADIUS Authentication: UDP port 1812 (current standard), 1645 (legacy)
    • RADIUS Accounting: UDP port 1813 (current standard), 1646 (legacy)
    • TACACS+: TCP port 49

RADIUS:

+-------+       RADIUS Request        +-----------+
|       |---------------------------->|           |
|  NAS  |      (UDP - 1812/1813)      |  RADIUS   |
|       |       RADIUS Response       |  Server   |
|       |<----------------------------|           |
+-------+                             +-----------+
  1. User/Device Request: A user attempts to access a network resource via the NAS (e.g., attempts to SSH to a router).
  2. Authentication Request: The NAS sends an Access-Request packet to the RADIUS server containing the user’s credentials (username, password) and other relevant information. Only the User-Password attribute is hidden with the shared secret; the rest of the packet is sent in the clear (see the Key Differences table below).
  3. Authentication Verification: The RADIUS server verifies the user’s credentials against its database (e.g., local user database, Active Directory, LDAP).
  4. Authentication Response: The RADIUS server sends an Access-Accept or Access-Reject packet back to the NAS.
  5. Authorization & Access:
    • Access-Accept: The NAS grants the user access based on the authorization information received in the Access-Accept packet.
    • Access-Reject: The NAS denies the user access.
  6. Accounting: The NAS sends accounting packets (Start, Interim, Stop) to the RADIUS server to track resource usage.

TACACS+:

+-------+       TACACS+ Request       +-----------+
|       |---------------------------->|           |
|  NAS  |         (TCP - 49)          |  TACACS+  |
|       |      TACACS+ Response       |  Server   |
|       |<----------------------------|           |
+-------+                             +-----------+
  1. User/Device Request: Similar to RADIUS.
  2. Authentication Request: The NAS sends an authentication request to the TACACS+ server.
  3. Authentication Verification: The TACACS+ server verifies the user’s credentials.
  4. Authorization Request: The NAS sends an authorization request to the TACACS+ server, specifying the commands or privileges the user is requesting. This is a key difference from RADIUS, allowing for more granular control.
  5. Authorization Response: The TACACS+ server responds with an indication of what commands or privileges are allowed.
  6. Accounting: The NAS sends accounting packets to the TACACS+ server.

Key Differences between RADIUS and TACACS+:

| Feature            | RADIUS                                                                   | TACACS+                                         |
| ------------------ | ------------------------------------------------------------------------ | ----------------------------------------------- |
| Transport protocol | UDP                                                                      | TCP                                             |
| Port               | 1812/1813 (Authentication/Accounting)                                    | 49                                              |
| Encryption         | Only the password is encrypted.                                          | Entire packet is encrypted (except the header). |
| Authorization      | Limited authorization capabilities. Primarily tied to authentication success. | Fine-grained authorization, command-level control. |
| Device Support     | Widely supported.                                                        | Primarily Cisco devices.                        |
| Standard           | IETF Standard                                                            | Cisco Proprietary                               |
| Challenge-Response | Supported (e.g., PAP, CHAP, EAP)                                         | Supported (e.g., PAP, CHAP, EAP)                |

RADIUS Packet Format (Simplified):

+---------------------+
| Code (1 byte) | (1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject, 4 = Accounting-Request, 5 = Accounting-Response)
+---------------------+
| Identifier (1 byte) | (Used to match requests and responses)
+---------------------+
| Length (2 bytes) | (Total length of the packet)
+---------------------+
| Authenticator (16 bytes)| (Used for password encryption and integrity)
+---------------------+
| Attributes (Variable)| (AVPs: Username, Password, IP Address, etc.)
+---------------------+

RADIUS Attribute-Value Pair (AVP) Format:

+---------------------+
| Type (1 byte) | (e.g., 1 = User-Name, 2 = User-Password, 4 = User-Address)
+---------------------+
| Length (1 byte) | (Total length of the AVP)
+---------------------+
| Value (Variable) | (The actual value of the attribute)
+---------------------+
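To make the packet and AVP layouts above concrete, here is an added Python example (not code from the original cheatsheet) that builds an Access-Request the way a NAS would, hides the User-Password with the RFC 2865 shared-secret scheme, and performs the server-side Message-Authenticator check that FreeRADIUS enforces when require_message_authenticator = yes. The shared secret, Request Authenticator and user values are constructed for the example; the attribute numbers are the real RFC values (4 is NAS-IP-Address, 80 is Message-Authenticator).

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
# Attribute numbers from RFC 2865 / RFC 2869: 4 is NAS-IP-Address, 80 is Message-Authenticator.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def avp(attr_type, value):
    """Type (1 byte) | Length (1 byte, counts these two header bytes too) | Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def parse_avps(data):
    """Walk the attribute area into (type, offset, value); a bad length raises instead of looping."""
    out, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length at offset %d" % i)
        out.append((data[i], i, data[i + 2:i + length]))
        i += length
    return out

def xor_password(secret, req_auth, data, hiding):
    """RFC 2865 s5.2 in both directions: block i is XORed with MD5(secret + previous *hidden* block)."""
    padded = data + b"\x00" * (-len(data) % 16)
    prev, out = req_auth, b""
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else padded[i:i + 16]
    return out if hiding else out.rstrip(b"\x00")

def build_access_request(secret, ident, req_auth, user, password, nas_ip):
    """Code | Identifier | Length | Request Authenticator | attributes, as a NAS would send it."""
    attrs = avp(USER_NAME, user) + avp(USER_PASSWORD, xor_password(secret, req_auth, password, True))
    attrs += avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while the HMAC-MD5 is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(secret, pkt):
    """Server-side check behind require_message_authenticator = yes: recompute with the field zeroed."""
    for attr_type, off, value in parse_avps(pkt[20:]):
        if attr_type == MESSAGE_AUTHENTICATOR:
            start = 20 + off + 2
            zeroed = pkt[:start] + b"\x00" * 16 + pkt[start + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # attribute absent: a strict server drops the request
```

Without the Message-Authenticator check, anyone who can reach UDP 1812 can forge packets that the server will at least parse, which is why the clients.conf setting further down matters.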

TACACS+ Packet Format (Simplified):

+---------------------+
| Header (12 bytes) | (Version, Type, Sequence Number, Length, Flags)
+---------------------+
| Body (Variable) | (Data: Username, Password, Arguments, etc.)
+---------------------+
| Message Authentication Code (MAC) (Optional)| (Provides data integrity)
+---------------------+

TACACS+ Header:

+---------------------+
| Version (1 byte) | (0x0C = TACACS+, 0x0D = Extended TACACS+)
+---------------------+
| Type (1 byte) | (Authentication, Authorization, Accounting)
+---------------------+
| Sequence Number (1 byte)| (Used to match requests and responses)
+---------------------+
| Flags (1 byte) | (Various flags for control)
+---------------------+
| Session ID (4 bytes) | (Unique identifier for the session)
+---------------------+
| Body Length (4 bytes)| (Length of the body in bytes)
+---------------------+
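The 12-byte header and the body obfuscation are shown below in an added Python example (not from the original cheatsheet): it parses and validates the header fields listed above, derives the MD5 pseudo-pad from session ID, shared secret, version and sequence number as RFC 8907 specifies, and reports packets whose unencrypted flag is set, which is what a defender should look for in captures. The key, session ID and body bytes are constructed; on the wire the version byte is 0xC0 or 0xC1 (major version 0xC in the high nibble).

```python
import hashlib
import struct

# RFC 8907 header values. The major version is the high nibble (0xC), so the byte on the wire is 0xC0 or 0xC1.
HEADER_LEN = 12
TYPE_NAMES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
FLAG_UNENCRYPTED, FLAG_SINGLE_CONNECT = 0x01, 0x04

def parse_header(pkt):
    """Version | Type | Seq No | Flags | Session ID | Body Length; validate before trusting the length."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:HEADER_LEN])
    if version >> 4 != 0xC:
        raise ValueError("not a TACACS+ major version: 0x%02x" % version)
    if ptype not in TYPE_NAMES:
        raise ValueError("unknown packet type %d" % ptype)
    if len(pkt) != HEADER_LEN + length:
        raise ValueError("body length field does not match the packet")
    return {"version": version, "type": TYPE_NAMES[ptype], "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length, "unencrypted": bool(flags & FLAG_UNENCRYPTED)}

def pseudo_pad(key, version, seq_no, session_id, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_n-1; concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(key, h, body):
    """XOR the body with the pseudo-pad; calling it again on the output recovers the body."""
    pad = pseudo_pad(key, h["version"], h["seq_no"], h["session_id"], len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def build_packet(key, ptype, seq_no, session_id, body, version=0xC0, flags=0):
    """Header + body; the body goes in clear only when the unencrypted flag is set (a misconfiguration)."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    if flags & FLAG_UNENCRYPTED:
        return header + body
    return header + obfuscate(key, {"version": version, "seq_no": seq_no, "session_id": session_id}, body)

def decode_body(key, pkt):
    """Parse the header and recover the body; h['unencrypted'] is the condition a defender alerts on."""
    h = parse_header(pkt)
    body = pkt[HEADER_LEN:]
    return h, (body if h["unencrypted"] else obfuscate(key, h, body))
```

Because the pad is keyed only by MD5 of the shared secret and header fields, a weak or reused key is the whole security of the body, which is the practical meaning of "keep this secret secure" in the configuration section.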

Common Use Cases:

  • Wireless Network Authentication (RADIUS): A wireless access point uses RADIUS to authenticate users connecting to the Wi-Fi network. Users enter their credentials, which are sent to the RADIUS server. If authenticated, the user is granted access to the network. Accounting data (time connected, data usage) is also tracked.

  • VPN Access (RADIUS): A VPN server uses RADIUS to authenticate remote users connecting to the corporate network.

  • Router/Switch Login (TACACS+): Network administrators use TACACS+ to authenticate to routers and switches. TACACS+ allows for granular control over which commands each administrator is allowed to execute. For example, one administrator might only be allowed to view configuration, while another can modify it.

  • 802.1X Authentication (RADIUS): Used with wired or wireless networks to require authentication before granting network access. The supplicant (client) authenticates to an authenticator (switch or wireless AP) which then forwards the credentials to a RADIUS server.

Example Scenario: Authenticating to a Cisco Router using TACACS+

  1. User attempts to connect to the router via SSH.
  2. The router is configured to use TACACS+ for authentication.
  3. The router sends the username and password to the TACACS+ server.
  4. The TACACS+ server validates the credentials. The router then sends an authorization request to determine what privileges the user should have.
  5. The TACACS+ server returns authorization information (e.g., privilege level 15 for full access).
  6. The router grants the user access with the specified privileges.

Common Issues and Solutions:

  • Shared Secret Mismatch: The most common issue. If the shared secret on the NAS and RADIUS/TACACS+ server don’t match, authentication will fail. Solution: Double-check the configuration on both devices.

  • Network Connectivity Issues: The NAS must be able to reach the RADIUS/TACACS+ server. Solution: Verify IP addresses, routing, and firewall rules. Use ping and traceroute to test connectivity.

  • Incorrect Configuration: Incorrect IP addresses, port numbers, or authentication methods can cause problems. Solution: Carefully review the configuration on both the NAS and the server.

  • Firewall Blocking Traffic: Firewalls may be blocking UDP ports 1812/1813 (RADIUS) or TCP port 49 (TACACS+). Solution: Configure firewall rules to allow traffic between the NAS and the server on the appropriate ports.

  • Server Overload: A RADIUS/TACACS+ server can become overloaded, leading to slow or failed authentication. Solution: Monitor server performance and consider adding more resources or load balancing.

  • Certificate Issues (EAP-TLS): If using EAP-TLS, ensure certificates are properly installed and configured on both the client and the server. Solution: Verify certificate validity, trust chains, and client configuration.

  • Authentication Method Mismatch: Ensure the authentication method configured on the NAS (e.g., PAP, CHAP, EAP) is supported by the RADIUS/TACACS+ server. Solution: Check the authentication methods on both the client and the server and verify that they are compatible.

Troubleshooting Tools:

  • Packet Capture (tcpdump, Wireshark): Capture network traffic between the NAS and the server to see the RADIUS/TACACS+ packets and identify any errors.
  • RADIUS/TACACS+ Server Logs: Check the server logs for authentication failures and error messages.
  • NAS Debugging: Many NAS devices have debugging commands that can provide more information about the authentication process.

Cisco Router (TACACS+ Example):

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
tacacs server TACACS_SERVER
 address ipv4 192.168.1.10
 key MY_SHARED_SECRET
!
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default

Explanation:

  • aaa new-model: Enables the AAA framework.
  • aaa authentication login default group tacacs+ local: Configures the router to use TACACS+ for login authentication. If the TACACS+ server is unavailable, it will try the local database.
  • aaa authorization exec default group tacacs+ local: Configures authorization to use TACACS+ first, then the local database if the TACACS+ server is unreachable.
  • aaa accounting exec default start-stop group tacacs+: Enables accounting using TACACS+.
  • tacacs server TACACS_SERVER: Defines a TACACS+ server named “TACACS_SERVER”.
    • address ipv4 192.168.1.10: Specifies the IP address of the TACACS+ server.
    • key MY_SHARED_SECRET: Sets the shared secret for communication with the TACACS+ server. IMPORTANT: Keep this secret secure!
  • line vty 0 4: Configures the virtual terminal lines (used for SSH and Telnet).
    • login authentication default: Applies the default login authentication method defined earlier.
    • authorization exec default: Applies the default authorization method defined earlier.
    • accounting exec default: Applies the default accounting method defined earlier.

FreeRADIUS Configuration (Simplified):

Key configuration files:

  • /etc/freeradius/3.0/clients.conf: Defines the NAS devices that are allowed to connect to the RADIUS server.
  • /etc/freeradius/3.0/users: Defines the users and their passwords.
  • /etc/freeradius/3.0/mods-enabled/: Contains enabled modules for authentication (e.g., ldap, mschap).

Example clients.conf entry:

client my_nas {
    ipaddr = 192.168.1.1
    secret = my_radius_secret
    require_message_authenticator = no  # set to yes for improved security
}

Example users entry:

testuser Cleartext-Password := "testpassword"

Important RADIUS Configuration Notes:

  • Shared Secret: The shared secret in clients.conf must match the configuration on the NAS.

  • Authentication Methods: Configure the appropriate authentication methods in the mods-enabled directory (e.g., ldap for Active Directory integration).

  • User Attributes: You can define various attributes for users in the users file or in an external database (e.g., VLAN assignment, access control lists).

Common Interview Questions:

  • What are RADIUS and TACACS+ and what are they used for?

    • Answer: RADIUS and TACACS+ are AAA protocols used for centralized authentication, authorization, and accounting. They allow network devices to offload authentication to a central server.
  • What are the key differences between RADIUS and TACACS+?

    • Answer: See the Key Differences table above. Key differences include protocol (UDP vs TCP), encryption (password only vs. full packet), authorization capabilities (limited vs. granular), and device support (wide vs. primarily Cisco).
  • Explain the AAA process.

    • Answer: AAA stands for Authentication, Authorization, and Accounting. Authentication verifies the user’s identity, Authorization determines what resources the user can access, and Accounting tracks resource usage.
  • What is a shared secret and why is it important?

    • Answer: A shared secret is a password configured on both the NAS and the RADIUS/TACACS+ server. It’s used to encrypt communication between them and prevent unauthorized access. It’s crucial for security.
  • What ports do RADIUS and TACACS+ use?

    • Answer: RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting) (legacy ports 1645/1646 may also be used). TACACS+ uses TCP port 49.
  • How would you troubleshoot a RADIUS or TACACS+ authentication failure?

    • Answer: Check the shared secret, network connectivity, firewall rules, server logs, and NAS debugging information. Use packet captures to examine the RADIUS/TACACS+ packets.
  • When would you choose RADIUS over TACACS+, and vice versa?

    • Answer: Choose RADIUS when you need wide device support and are primarily concerned with basic authentication and authorization. Choose TACACS+ when you need granular command-level authorization, especially in a Cisco environment. RADIUS is often preferred for wireless authentication due to its wide support.
  • What is the role of the NAS in RADIUS/TACACS+?

    • Answer: The NAS (Network Access Server) acts as a client to the RADIUS/TACACS+ server. It receives authentication requests from users, forwards them to the server, and enforces the access policies based on the server’s response.
  • What are some common authentication methods used with RADIUS and TACACS+?

    • Answer: PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MS-CHAP (Microsoft CHAP), EAP (Extensible Authentication Protocol) (e.g., EAP-TLS, PEAP).
  • Explain how accounting works in RADIUS and TACACS+.

    • Answer: Accounting involves tracking resource usage, such as connection time, data transferred, and commands executed. The NAS sends accounting packets (Start, Interim, Stop) to the RADIUS/TACACS+ server to record this information.

Related Concepts:

  • 802.1X: A port-based network access control protocol that often uses RADIUS for authentication.

  • EAP (Extensible Authentication Protocol): A framework for authentication protocols used with 802.1X and wireless networks.

  • Diameter: A more modern AAA protocol that is often used in mobile networks (4G/5G). It’s more robust and scalable than RADIUS.

  • Kerberos: A network authentication protocol that uses tickets to grant access to network resources.

  • LDAP (Lightweight Directory Access Protocol): A protocol for accessing and managing directory information. RADIUS and TACACS+ servers can use LDAP to authenticate users against a directory server.

  • TACACS (Terminal Access Controller Access Control System): The predecessor to TACACS+. It is less secure and less flexible than TACACS+.

This cheatsheet provides a comprehensive overview of RADIUS and TACACS+, covering key concepts, practical examples, and troubleshooting tips. Remember to always prioritize security best practices when configuring and managing these protocols.