AAA and RADIUS vs TACACS+

  • Published 21 Aug 2024
  • AAA and RADIUS vs TACACS+ or TACACS PLUS
    In this video we are going to learn about AAA, RADIUS & TACACS+
    The AAA Model
    =============
    AAA is a system, not a protocol. The AAA system was designed to authenticate users, authorize them & to record what they did on the network or device once they were given access.
    As AAA stands for Authentication, Authorization & Accounting, let's look at each one.
    AAA Authentication: This is the phase that verifies who you are (your identity) before you are let into the network or an administrative device.
    AAA Authorization: This phase comes into play after authentication; it dictates WHAT you are allowed to do in the network based on your identity.
    AAA Accounting: This phase occurs after authentication and authorization have been completed. Accounting lets network administrators collect information about users, essentially what they did while they had access to the network or the administrative device.
    AAA Protocols
    Now there are three protocols that can enforce the AAA system, namely RADIUS, TACACS+ & Diameter.
    As for Diameter, it is commonly used in the mobile world & with mobile service providers.
    Diameter is essentially a better version of RADIUS & is meant to replace it, but in this video we will be focusing on RADIUS & TACACS+ as they are the ones commonly used in data networks.
    How can RADIUS or TACACS+ run?
    Now these protocols require a separate dedicated or virtual server that provides the RADIUS or TACACS+ functionality, & often both services, as in Cisco's ISE.
    RADIUS vs TACACS+ Point#1
    ========================
    RADIUS uses UDP, with port numbers 1812 & 1813. Port 1812 is used for both Authentication & Authorization, so it effectively combines the two. On the other hand, port 1813 is used for Accounting alone.
    As for TACACS+, it uses TCP, & uses TCP port 49 for all of its communications. But unlike RADIUS, it separates all the AAA functions, which means you have more granular control here, especially when it comes to authorization. RADIUS, however, has the flexibility to authenticate a user in a wide variety of ways, as it supports different authentication protocols like EAP, PAP & CHAP.
    Question#1
    ==========
    I am confused with the RADIUS port numbers 1812 & 1813; aren't they 1645 & 1646, or all of them?
    When the RADIUS protocol was first launched, it was indeed allotted UDP port 1645 for Authentication & Authorization & 1646 for Accounting. But RFC 2865 for RADIUS, published in the year 2000 by Carl, Allan, William & Steve, states that:
    “The early deployment of RADIUS was done using UDP port number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812.”
    The other RFC, numbered 2866 for RADIUS Accounting, says the same about the accounting port, as it conflicts with the "sa-msg-port" service:
    “The early deployment of RADIUS Accounting was done using UDP port number 1646, which conflicts with the "sa-msg-port" service. The officially assigned port number for RADIUS Accounting is 1813.”
    Now although the RFCs state that those port numbers are no longer in use for RADIUS, the confusion mainly arises because Cisco devices still default to the old ports 1645 & 1646.
    Cisco AAA servers like Cisco ISE listen on both of these pairs of ports. If you ask Cisco, they too recommend using the officially assigned ports.
    Question#2
    =========
    “What do you mean by combining Authentication & Authorization” in RADIUS?
    In RADIUS, when an authentication query is made to the RADIUS server, the reply not only contains the authentication response but also an authorization response in the form of Attribute-Value Pairs, or AVPs. For example, the AVP could contain a privilege level for the user, or a DACL for a network user.
    On the other hand, TACACS+ separates these functions, allowing more granular control, especially over commands when it comes to authorization.
    RADIUS vs TACACS+ Point#2
    ========================
    When it comes to communication over the wire, RADIUS sends the username of the user in clear text, but the password is hashed.
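    As an added example (not from the video or its author) covering both the AVP point in Question#2 and the clear-text username in Point#2, here is a minimal Python encoder and decoder for a RADIUS Access-Request per RFC 2865: the User-Name AVP goes on the wire as-is, while the User-Password AVP is hidden with the shared-secret/MD5 scheme from section 5.2. The shared secret, username, password and Request Authenticator used in testing are constructed values.

    ```python
    import hashlib
    import struct

    # RADIUS code and attribute numbers from RFC 2865; 1812 is the official
    # authentication/authorization port, 1645 the legacy one discussed above.
    ACCESS_REQUEST = 1
    USER_NAME, USER_PASSWORD = 1, 2
    RADIUS_AUTH_PORT, LEGACY_AUTH_PORT = 1812, 1645


    def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
        """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with
        MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
        This is reversible obfuscation keyed on the shared secret, not a hash."""
        blocks = max(1, -(-len(password) // 16))
        padded = password.ljust(16 * blocks, b"\x00")
        out, prev = b"", authenticator
        for i in range(0, len(padded), 16):
            key = hashlib.md5(secret + prev).digest()
            prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
            out += prev
        return out


    def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
        """Inverse of hide_password, as the RADIUS server performs it."""
        out, prev = b"", authenticator
        for i in range(0, len(hidden), 16):
            key = hashlib.md5(secret + prev).digest()
            out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
            prev = hidden[i:i + 16]
        return out.rstrip(b"\x00")  # strip the NUL padding added by the client


    def avp(attr_type: int, value: bytes) -> bytes:
        """Attribute-Value Pair: Type (1 byte), Length (1 byte, incl. header), Value."""
        return struct.pack("!BB", attr_type, len(value) + 2) + value


    def build_access_request(ident: int, authenticator: bytes, secret: bytes,
                             username: str, password: str) -> bytes:
        """Code, Identifier, Length, 16-byte Request Authenticator, then the AVPs."""
        attrs = avp(USER_NAME, username.encode()) + \
            avp(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


    def parse_avps(packet: bytes) -> dict:
        """Walk the AVP list after the 20-byte header; returns {type: raw value}."""
        avps, pos = {}, 20
        while pos < len(packet):
            attr_type, length = packet[pos], packet[pos + 1]
            avps[attr_type] = packet[pos + 2:pos + length]
            pos += length
        return avps
    ```

    Anyone who can read the shared secret and sniff the UDP exchange can run reveal_password on the captured AVP, which is why RADIUS belongs on an isolated management network or inside a TLS tunnel (RadSec).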

COMMENTS • 51

  • @zosmanovic9763 3 months ago +5

    this should be on the homepage for everyone

  • @carlosmalovini5319 2 years ago +13

    I'm preparing for my CCNA exam - you're one of my teachers. Thank you for your excellent work and for helping me to succeed.

    • @doctor.networks 2 years ago +1

      You will get your CCNA soon Carlos! And you are indeed welcome! Fills my heart to see such comments :)

  • @kaflean4014 2 years ago +5

    Without the illustrations I wouldn't have understood a thing. Thank you for making this so detailed

    • @doctor.networks 2 years ago +1

      Glad the illustrations helped you out in understanding this 😊 & you are welcome

  • @galacticaldread7234 5 months ago +1

    I am preparing for my Security+ exam, thank you so much for the clear video on the difference between RADIUS and TACACS+ :')

    • @doctor.networks 5 months ago

      Welcome, Glad that it helped you 😊

    • @nightlover6665 1 month ago

      sup dude... what about your exam... did you clear it yet or are you still preparing... need help regarding it & suggestions, I am also preparing for it

  • @Regulator596 3 months ago

    I don't know if you still read comments here. But I've been having trouble with the differences between TACACS+ and RADIUS. This video completely cleared up every question I had about it plus a few more I didn't even know I had. Thank you so much for the video! Great content!

    • @doctor.networks 3 months ago +1

      I still read comments here brother 😀 You are very welcome. When I was making this video I didn't know it would help so many people. I'm happy that it helped you.

  • @MuhammadKhan-yl7mt 2 years ago +1

    This is the BEST explanation I have yet read through.
    Thank you.

    • @doctor.networks 2 years ago

      Thank you Mohammad Khan & you are most welcome. I remember this was one of my videos which took a lot of time to make. By your comment I guess it was worth it 🙂

  • @almccanuel3416 1 year ago +1

    Another one of many informative pieces of content on YouTube. Thanks for sharing, more videos to come.

    • @doctor.networks 1 year ago

      Thanks man. I wish I had more time 😐 nothing is more fulfilling than making videos like these for my audience

  • @netanissimov526 1 year ago

    2:51
    exactly the question I had in mind!
    thank you!

  • @danielniki5953 2 years ago +2

    You are great sir! You have explained the concepts in a very clear way.

    • @doctor.networks 2 years ago

      Well I'm more than glad 😊 Thank you for such kind words

  • @jameskimuyu1317 1 year ago

    It is now well understood at long last. You're the best.

  • @kso35 2 years ago +1

    OHHHH This was so good!!! You are a great teacher!! Thank you!! Needed this to study for my security+ cert.

    • @doctor.networks 2 years ago

      Your comment just made my day ❤️ Thank you

  • @JEETENDERRSVP 1 year ago

    Good explanation, will definitely help for my upcoming Network Security interview.

  • @skeletron9505 2 years ago

    doctor you've healed my confusion!

  • @OPatron24 11 months ago

    Very thorough, thank you

  • @bikramshiwakoti 1 year ago

    You made me clear on this topic.

  • @atillaattila8900 9 months ago +1

    👍👍👍

  • @aniswlidi2012 1 year ago

    Great explanation

  • @Turanimo 1 year ago

    Can you please tell me which program you used to create this video? :) That video was excellent

    • @doctor.networks 1 year ago

      Bro it's not one program, I used Adobe Illustrator for creating icons, VideoScribe for animation, Camtasia for video effects & Adobe Audition for audio. Takes a lot of time 😊

  • @jithinpc1461 1 year ago

    That was so precise 👍

  • @fpvshenanigans 1 year ago

    very informative and well made video, thanks for sharing

  • @prayagshah2992 3 years ago

    Great Video with only useful information. Thank you

  • @PlanoFool 2 years ago

    TACACS+, while a proprietary protocol, has been implemented for, as far as I know, Juniper devices. So I think the statement at 6:19, "Only Works With Cisco Devices", isn't necessarily true.

    • @doctor.networks 2 years ago

      I know it is, but believe me it's not fully functioning with Juniper. They have implemented it, but not to the full extent; that's why the RFC is there. Once it becomes a standard, everyone can use it in their code to the full extent

  • @rafafilho11 3 years ago

    Great!!! Congratulations

  • @synthc1786 3 years ago

    It's so great! Thanks for the explanation!

  • @specialbeamcharlie7250 2 years ago

    Great video!

  • @smartinezs 4 months ago

    Great, Diameter missing 😢

    • @doctor.networks 4 months ago

      Bro, I don't think there is much use of it nowadays actually. Do you need to learn it for deployment or just for knowledge?

    • @smartinezs 4 months ago

      @@doctor.networks yes bro, at least in Latin America we still deploy 4G, VoLTE. Thanks for your answer 💪🏾