|Read this whole guide offline with no ads, for a low price!|
Use coupon code "certiguide" to save 20%!
|Need more practice? 300 additional Security+ questions!|
|Get It Here!|
TACACS is the Terminal Access Controller
Access Control System, another client/server user authentication protocol
similar to RADIUS, which works similarly to RADIUS. For authentication,
it allows use of user/password information, Kerberos-style authentication
that does not require keys being passed over the wire, or even dynamic
password systems in which smart cards are used to generate one-time
Over the years, three generations
of TACACS have been developed:
- TACACS, the original, which performs authentication
- XTACACS, or Extended TACACS, which separates
the tasks of authentication, authorization and accounting/logging.
- TACACS+, developed by Cisco, which builds on
XTACACS by adding a two-factor user authentication (proving that a user
is who they say they are through both something they know, like a password,
and something they have, like a smart card), system and encrypting all
TACACS+ has some security vulnerabilities
that may concern you if end-users have access to the network over which
TACACS+ traffic travels:
- Since accounting information is sent in clear
text, and, the only verification performed is that the received accounting
record packet length = the length that was sent, someone could intercept
the communication and alter it or inject spurious accounting records.
- Encryption is potentially vulnerable due to the
small size of the session id key used for encryption.
- Lengths of user passwords can be determined by
watching traffic, because, the protocol provides for sending a password
only as long as there are characters in the password.
- Theoretical issues with MD5 hashes (see section
1.4.10 on Birthday attacks, and chapter 4 on cryptography)
A handful of overflow/resource hogging vulnerabilities in some popular
implementations of the protocol, which can lead to denial of service146
- TACACS+ uses a Kerberos-style authentication
mechanism that doesnt require keys to be sent over the wire, but
potentially leaves it vulnerable to similar exploits as Kerberos
A security vulnerability with TACACS+ is accounting information is sent in clear text, and the only verification performed on received data is a check that the packet length did not change during transmission. This means that someone could alter accounting records without detection.
146. Solar Designer, An Analysis of the TACACS+ Protocol and its Implementations, BugTraq mailing list, http://online.securityfocus.com/archive/1/62742
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.