1
00:00:01,100 --> 00:00:08,720
When using a central authentication server, a client will log in to a network device and they will be

2
00:00:08,720 --> 00:00:10,580
prompted for their credentials,

3
00:00:10,910 --> 00:00:17,510
but that information is not checked against the local username and password database; it is forwarded

4
00:00:17,810 --> 00:00:26,870
to an authentication server such as Cisco ACS using two protocols, RADIUS and TACACS+.

5
00:00:27,470 --> 00:00:34,400
So the username and password information is forwarded in encrypted format to the authentication server,

6
00:00:34,670 --> 00:00:41,450
and a response is sent back from the AAA server saying that the login is either accepted or not.

7
00:00:42,110 --> 00:00:49,070
That is then passed to the client, so the client knows whether the authentication attempt was successful

8
00:00:49,070 --> 00:00:49,550
or not.

9
00:00:50,210 --> 00:00:56,480
Now, RADIUS is an open standard protocol that combines authentication and authorization into a single

10
00:00:56,480 --> 00:00:57,100
process.

11
00:00:57,590 --> 00:01:05,269
Once users are authenticated, they are also authorized. RADIUS uses UDP for authentication and authorization.

12
00:01:05,840 --> 00:01:13,790
TACACS+ is a proprietary protocol that separates the services of authentication, authorization and

13
00:01:13,790 --> 00:01:14,330
accounting.

14
00:01:14,960 --> 00:01:20,960
Because of that, you could separate authentication from your authorization and accounting services.

15
00:01:21,560 --> 00:01:25,280
TACACS+ also uses TCP rather than UDP.

16
00:01:26,060 --> 00:01:33,830
TACACS+ is often used for network devices, while RADIUS is used for users. TACACS+ uses port

17
00:01:33,840 --> 00:01:38,060
number 49 and RADIUS 1645/1812.

18
00:01:38,510 --> 00:01:43,340
Both protocols encrypt the password, but TACACS+ encrypts the entire packet.

19
00:01:43,940 --> 00:01:49,850
TACACS+ is great for use with network devices such as Cisco routers and switches because you can

20
00:01:49,850 --> 00:01:52,880
authorize a subset of CLI commands.

21
00:01:53,360 --> 00:02:00,560
In other words, you can centralize which users can issue commands on devices in your network.

22
00:02:01,070 --> 00:02:07,730
As an example, only certain users may be allowed to reload a router, so you can limit who can do what

23
00:02:07,880 --> 00:02:10,160
on your network devices using TACACS+.

24
00:02:11,190 --> 00:02:17,880
The Cisco ACS server makes this very easy to do and, as mentioned, allows you to centralize your authentication,

25
00:02:17,880 --> 00:02:20,100
authorization and accounting services.