GE ML1600 Switch User Manual

Multilink ML1600
Ethernet Communications Switch
Chapter 8: Access using TACACS+
GE Consumer & Industrial
Access using TACACS+
8.1 Introduction to TACACS+
8.1.1 Overview
TACACS+, short for Terminal Access Controller Access Control System, protocol provides
access control for routers, network access servers and other networked computing
devices via one or more centralized servers. TACACS+ provides separate authentication,
authorization and accounting services.
TACACS allows a client to accept a username and password and send a query to a TACACS
authentication server, sometimes called a TACACS daemon (server) or simply TACACSD. This
server was normally a program running on a host. The host would determine whether to
accept or deny the request and sent a response back.
The TACACS+ protocol is the latest generation of TACACS. TACACS is a simple UDP based
access control protocol originally developed by BBN for the MILNET (Military Network).
XTACACS is now replaced by TACACS+. TACACS+ is a TCP based access control protocol.
TCP offers a reliable connection-oriented transport, while UDP offers best-effort delivery.
TACACS+ improves on TACACS and XTACACS by separating the functions of authentication,
authorization and accounting and by encrypting all traffic between the Network Access
Server (NAS) and the TACACS+ clients or services or daemon. It allows for arbitrary length
and content authentication exchanges, which allows any authentication mechanism to be
utilized with TACACS+ clients. The protocol allows the TACACS+ client to request very fine-
grained access control by responding to each component of a request.
The MultiLink switch implements a TACACS+ client.
1. TACACS+ servers and daemons use TCP port 49 for listening to client requests.
Clients connect to this port to send authentication and authorization packets.
2. There can be more than one TACACS+ server on the network. The MultiLink
Switch Software supports a maximum of five TACACS+ servers.