News Release
Mar 13, 1995

New Version of Cisco's Server-Based Security Protocol Heightens Dial-Up Network Access Security

SAN JOSE, Calif., March 13, 1995 -- Cisco has enhanced its implementation of the Terminal Access Controller Access Control System (TACACS) protocol, which helps network administrators build complete security systems for dial-up access users. TACACS+, descended from a server-based security protocol first proposed to the ARPA-Internet community in 1984, includes support for independent user authentication, authorization and accounting processes.

Kevin Kennedy, product management director of Cisco's remote access products, said, "Network access security has become a critical issue with the proliferation of individual users connecting to the corporate network through portable or home computers. Host security that was good enough for terminal access is inadequate for remotely connected users who can roam the corporate network at will. TACACS+ lets network administrators for the first time install a fine-grained, highly flexible security system based on a common protocol."

IETF Standardization Underway

TACACS+ will be included with Cisco's IOS in the second quarter of 1995. It will be supported across Cisco's router and access server product families. Cisco is helping IETF working groups to develop a request for comment (RFC) defining TACACS+ as a standard protocol specification. The original TACACS authentication protocol is defined by IETF RFC 927 and updated by RFC 1492.

Network access security systems consist of a protocol specification, protocol support within access servers and routers, and a centralized security database that supports the network access security protocol. TACACS+ is the protocol that defines the transfer of authentication, authorization and accounting information between an access server and a centralized database. Token authentication vendors including Digital Pathways, Enigma Logic, Secure Computing Corporation and Security Dynamics currently support TACACS and are in the process of integrating TACACS+ with their products. Users will be able to implement token card systems from these vendors and use Cisco Access Servers with TACACS+ to forward token authentication requests. TACACS+ also encrypts the body of each packet, including password information, under a key shared by the access server and the security server before forwarding it over the network.

Multiprotocol Authentication

TACACS+ can translate password types for ARA, SLIP, PPP PAP and CHAP, and standard telnet. Network administrators can provide one user name and password with which the user can access the network over any of these protocols.

Because TACACS+ supports multiple challenge and response exchanges with the security server, token card vendors such as Security Dynamics and Enigma Logic can implement such advanced features as returning a new token-generated number to the card after the original number has been processed by a security server.

The authentication component provides complete server control of the authentication process, including login and password query, challenge and response, and messaging. User authentication supports IP and telnet today (IPX and ARA are planned), and the server maintains a user profile designating restrictions on network access or on the commands the user may run.

TACACS+ provides the security server with the authentication mechanism needed to manage per-user access lists when a user connects to the network. IP access lists are supported today; ARA and IPX per-user access will be supported in the future. This lets network administrators provide limited dial-up access to the network for nonemployees such as consultants and partners.

Accounting Information

TACACS+ uses TCP (port 49) to transmit accounting information to a database. The accounting record contains the user's network address, username, service attempted, protocol used, time and date, and the packet filter originating the log. Records for telnet connections also contain source and destination port, action taken (communication accepted or rejected), log and alert type.

Network managers can use the accounting component to track useractivity for a security audit trail or to collect billing information suchas connect time, user ID, connection location, and start and stop time.
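As an added illustration that is not part of the original release or of Cisco's sample server code: the following Python builds the accounting REQUEST record described above, obfuscates its body under the shared secret the way the published TACACS+ specification (later RFC 8907) does, and decodes it again on the server side. The key, session id, user name, port and attribute values are constructed for the example. What the release calls encryption is an MD5-derived keystream XORed over the body; it carries no integrity check, so the decoder validates every length field, and a body decoded under the wrong key is caught only because it fails to parse.

```python
import hashlib
import struct

# Header and body constants as assigned by the published TACACS+ specification.
TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_ACCT = 0x03              # header type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
TAC_PLUS_ACCT_FLAG_START = 0x02   # accounting REQUEST flags
TAC_PLUS_ACCT_FLAG_STOP = 0x04
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_PPP = 0x03
TACACS_TCP_PORT = 49              # assigned TCP port; no socket is opened here

HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes, always in the clear


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream the spec XORs over the body: chained MD5 over
    session_id || key || version || seq_no [|| previous digest]."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call reverses it, so both ends use it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def encode_acct_body(flags, user, port, rem_addr, args,
                     authen_method=TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl=1,
                     authen_type=TAC_PLUS_AUTHEN_TYPE_PAP,
                     authen_service=TAC_PLUS_AUTHEN_SVC_PPP):
    """Accounting REQUEST body: nine fixed bytes, one length byte per
    argument, then user, port, rem_addr and the attribute=value arguments."""
    fields = [s.encode() for s in (user, port, rem_addr, *args)]
    if len(args) > 255 or any(len(f) > 255 for f in fields):
        raise ValueError("every length in the body is a single byte")
    user_b, port_b, addr_b, *arg_bs = fields
    fixed = bytes([flags, authen_method, priv_lvl, authen_type, authen_service,
                   len(user_b), len(port_b), len(addr_b), len(arg_bs)])
    return fixed + bytes(len(a) for a in arg_bs) + b"".join(fields)


def decode_acct_body(body):
    """Parse a REQUEST body, rejecting any length that runs past the buffer.
    With no integrity tag in the protocol, a body altered in transit or
    decoded under the wrong key is noticed only when it fails to parse."""
    if len(body) < 9:
        raise ValueError("body shorter than fixed header")
    flags, meth, priv, atype, svc, ulen, plen, alen, argc = body[:9]
    pos = 9
    arg_lens = body[pos:pos + argc]
    if len(arg_lens) != argc:
        raise ValueError("truncated argument length table")
    pos += argc

    def take(n):
        nonlocal pos
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("field runs past end of body")
        pos += n
        return chunk.decode()   # UnicodeDecodeError is a ValueError

    record = {"flags": flags, "authen_method": meth, "priv_lvl": priv,
              "authen_type": atype, "authen_service": svc,
              "user": take(ulen), "port": take(plen), "rem_addr": take(alen)}
    record["args"] = [take(n) for n in arg_lens]
    if pos != len(body):
        raise ValueError("trailing bytes after last argument")
    return record


def build_packet(key, session_id, seq_no, body, version=TAC_PLUS_VERSION):
    """Header in the clear, body obfuscated under the shared key."""
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_ACCT, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(key, packet):
    """Split header from body and de-obfuscate unless the clear flag is set."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("header length does not match body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


# Constructed sample values for the example (not a capture).
SAMPLE_KEY = b"example-shared-secret"
SAMPLE_SESSION = 0x1A2B3C4D


def demo():
    """Access server builds a START record; the security server decodes it."""
    body = encode_acct_body(TAC_PLUS_ACCT_FLAG_START, "jdoe", "tty3", "async3",
                            ["service=ppp", "protocol=ip", "task_id=42"])
    wire = build_packet(SAMPLE_KEY, SAMPLE_SESSION, seq_no=1, body=body)
    return wire, decode_acct_body(parse_packet(SAMPLE_KEY, wire)["body"])


def wrong_key_fails(wire):
    """True if decoding under another secret raises instead of yielding a record."""
    try:
        decode_acct_body(parse_packet(b"not-the-secret", wire)["body"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo()[1])
```

The header, including the session id and sequence number that seed the keystream, travels in the clear; only the shared secret is unknown to an observer, and the same pad is reused for any two packets that share a session id, version and sequence number under the same key.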

Specification and Sample Code on the Internet

Starting in the second quarter of 1995 (as a maintenance release of IOS 10.3), Internet users can access sample TACACS+ server C code and the protocol specification from Cisco through the Cisco Connection Online service (World Wide Web: http://www.cisco.com; telnet cco.cisco.com).

Cisco Systems, Inc. is the leading global supplier of enterprise networks, including routers, LAN and ATM switches, dial-up access servers and network management software. These products, integrated by Cisco's Internetwork Operating System (IOS), link geographically dispersed LANs, WANs and IBM networks. Cisco is headquartered in San Jose, Calif., and in the U.S. is traded under the NASDAQ symbol CSCO.


Posted: Mar 13 08:43:48 1995