From the course: CompTIA Network+ (N10-009) Cert Prep

RADIUS and TACACS+

- To understand how RADIUS works, what I want to start off with are these three blocks, and these three blocks are going to represent three different devices. Now, way over here on the right, we're going to have a RADIUS server. Now a RADIUS server is just a system that's running some type of RADIUS authentication software. There's Microsoft IAS. There's third-party tools like Steel Belted RADIUS. There are open source ones like Open RADIUS. So it's some type of authentication software that's running on a system here. Now the next thing you're going to have is a RADIUS client. Now, the RADIUS client is not who's actually being authenticated. His job is to handle authentication requests from RADIUS supplicants. So these are the guys who want to get authenticated. He's just the intermediary that makes the request to the server itself.

So if we take a look at this, let's say we have a wireless network, for example. So what I can do here, let's have a little fun. I'm going to put a little antenna into him. There you go. Now we've got a little wireless antenna to help us appreciate that this is a wireless access point. So he'll be set up as a RADIUS client and then this RADIUS server will be over here. So the supplicant, this will be just some laptop or somebody who's trying to get on, or a smartphone or something. He sends his RADIUS request to the RADIUS client who then forwards it to the RADIUS server itself. Now the important thing about a RADIUS server is that this RADIUS server is going to be using certificates or usernames and passwords or RSA tokens or something that's coming from the supplicant, but the actual database itself of usernames and passwords or any of that stuff doesn't have to physically be on this computer. In a lot of situations, this could be like a Windows domain controller or something like this, and the RADIUS server can actually go ahead and authenticate against domain names in a domain account or something like that.
So this is a pretty standard setup for a RADIUS. Now the thing you need to remember about RADIUS is RADIUS is going to be running on UDP, it's going to be running on port 1812 or 1813 or 1645 or 1646. Now here's the big thing you need to keep in mind about all this. The challenge we're running into is that RADIUS is AAA, so it's authentication, authorization, and accounting. So it authenticates people, it authorizes, determines what they can do, and it keeps track of who does what.

There is another version of AAA that is on the Network+ that you need to be aware of. It's called TACACS+. TACACS+ is actually a proprietary Cisco product, and it came to being because Cisco had a lot of customers who had lots of routers and switches, and people were going nuts, having to log in to all of these different routers and switches individually, and they wanted to come up with an AAA situation that would allow people to handle management of a large number of routers and switches, and that's where Cisco came up with TACACS+. Now I want to do this again, except this time, let's put some TACACS+ stuff into the game. Okay, so first of all, TACACS is rarely used in a wireless network. I'm not saying it isn't used, but it's not very common. So I'm going to start off with the TACACS+ client. Now what I'm talking about here as a client is this is one of a bazillion different routers that are in an enterprise. It could be anything like that. Now, along with that is going to be a TACACS+ server, and this is going to be some computer within the enterprise itself that's keeping track of all these things. A TACACS+ user is really just somebody who's logging into the network and wants to get to a bunch of routers. So the whole idea of supplicant doesn't really come into play with TACACS+ like it does with RADIUS. Not to worry. The one thing you do need to remember, and this is going to be on the Network+, and that is that TACACS+ uses TCP port 49.
So make sure you always can appreciate that TACACS+ uses TCP, and then RADIUS is going to use UDP. So the whole reason we really talk about RADIUS and TACACS+ at the same time is because the one thing they do have in common is they're both AAA. They both authenticate, they both authorize, and they both account, keeping track of who's doing what, when, and how.
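The client/server exchange described in the lesson, written out as an added example (this is editor-supplied code, not material from the course). It builds the Access-Request that the RADIUS client (the access point) sends on the supplicant's behalf, has a toy server check the PAP password and answer with an Access-Accept or Access-Reject, and has the client validate the reply's Response Authenticator before trusting it. The packet layout, the User-Password hiding scheme and the Response Authenticator formula follow RFC 2865; the shared secret, the user store, the NAS address and the port constants are constructed for the example, and the two sides run in one process rather than over UDP 1812 so it works offline.

```python
import hashlib
import hmac
import secrets
import struct

# Ports from the lesson: RADIUS is UDP (1812/1813 per RFC 2865/2866; 1645/1646 are
# the older numbers still seen in the field), TACACS+ is TCP 49.
RADIUS_AUTH_PORTS, RADIUS_ACCT_PORTS, TACACS_PLUS_PORT = (1812, 1645), (1813, 1646), 49

# RFC 2865 codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result  # always chain on the ciphertext block
    return out


def hide_password(password, secret, request_auth):
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16-byte blocks
    return _xor_chain(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden, secret, request_auth):
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed User-Password attribute")
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def encode_attrs(attrs):
    # Attribute = Type(1) Length(1, counts these two bytes too) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length out of bounds")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt):
    # Header = Code(1) Identifier(1) Length(2) Authenticator(16), then attributes.
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > 4096 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def client_access_request(username, password, secret, ident):
    """RADIUS client side (the access point): returns the packet and the random
    Request Authenticator, which the client must keep to validate the reply."""
    request_auth = secrets.token_bytes(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),  # constructed NAS address (TEST-NET-1)
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def server_handle(pkt, secret, user_db):
    """RADIUS server side: recover the password, check it against the user store
    (a dict here; a real server would ask AD/LDAP, as the lesson notes) and sign
    the reply with the Response Authenticator."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    fields = dict(attrs)
    if code != ACCESS_REQUEST or USER_PASSWORD not in fields:
        raise ValueError("not a PAP Access-Request")
    username = fields.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    stored = user_db.get(username)
    ok = stored is not None and hmac.compare_digest(stored, password)
    body = encode_attrs([(REPLY_MESSAGE, b"Welcome")] if ok else [])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def client_verify_reply(reply, request_auth, secret, ident):
    """Client side: trust the reply only if the identifier matches our request and
    the Response Authenticator verifies under the shared secret."""
    code, reply_ident, response_auth, _ = parse_packet(reply)
    if reply_ident != ident:
        raise ValueError("identifier mismatch: not a reply to our request")
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("bad Response Authenticator: forged reply or wrong secret")
    return code


def authenticate(username, password, secret, user_db):
    """Whole exchange in-process; on the wire each packet is one UDP datagram."""
    ident = secrets.randbelow(256)
    request, request_auth = client_access_request(username, password, secret, ident)
    reply = server_handle(request, secret, user_db)
    return client_verify_reply(reply, request_auth, secret, ident) == ACCESS_ACCEPT
```

Two things worth noticing when you run it: the shared secret never crosses the wire, yet a reply produced under a different secret is rejected by `client_verify_reply`, which is the only thing standing between the access point and a spoofed Access-Accept on an unauthenticated UDP port; and the PAP hiding is a reversible MD5 XOR stream, not encryption in any modern sense, which is why the RADIUS segment between client and server should itself be on a protected management network.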
