tacacs+ authentication

Reply
L2 Linker

tacacs+ authentication

Hi All,

 

i need to undersatnd if tacacs+ is cisco properiety , so how come juniper and paloalto use it ?

 

second question here , tacacs+ used mainly for cisco command authorization , so what is the need for that inside paloalto ?

L4 Transporter


i need to undersatnd if tacacs+ is cisco properiety , so how come juniper and paloalto use it ?

 

So I think the key definer here is server vs client. officially, TACACS+ server is a Cisco product. So in theory, if you want to employ TACACS+, you'd need to buy a server from Cisco (though I believe there are knockoffs out there). In terms of being a client, however, Cisco would only encourage that from other vendors because it only helps them sell more ACS/ISE servers.

second question here , tacacs+ used mainly for cisco command authorization , so what is the need for that inside paloalto ?

 

Need is a strong word. Since Palo Alto is RBAC-based (and continues to be so for TACACS+ as I understand it), the benefit isn't immediately clear, especially since both ACS and ISE support RADIUS. So all I can offer is the fundamental differences between the two, which is that TACACS+ is TCP oriented and also encrypts the entire payload vs RADIUS which only encrypts the password.

--
CCNA Security, PCNSE7
L2 Linker

Thank you

 

 

L3 Networker

TACACS+ is not a Cisco proprietary protocol.  It was developed by Cisco as an extension to TACACS, but they did so openly, submitting a draft RFC and releasing a development kit to allow others to adopt the protocol.  There is a more current IETF draft under way as well - https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/

 

TACACS+ can be used for Authentication, Authorization, and Accounting - a common use case is for command-level authorization on Cisco devices, but that's due more to how long Cisco has been implementing and pushing the standard rather than because that's all it's good for.  In many customer environments, it is replacing or has replaced RADIUS as the AAA standard.

 

In the case of a Palo Alto Networks firewall or Panorama, we can leverage TACACS+ to authenticate a user, as well as authorize the user to perform specific functions though the use of a role, all without needing to define each individual user in Panorama or on the firewall.  This is exactly the same use case as RADIUS, it's just another (and much more secure) option for doing so.

 

 

L7 Applicator

TACACS+ is basically a Cisco solution.  The vast majority of the deploys and usage is done by Cisco using enterprises.  

 

The reason other vendors like Juniper and Palo Alto Networks support using TACACS+ for authentication is that a large number of companies have TACACS+ deployed as their primary AAA solution.  Nework vendors don't want to lose out on an RFC for equipment just because they don't support a AAA solution that is in place on the network.  By the nature of this type of solution enterprises only want to deploy one central AAA repository.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!