NETMG5

• Uses UDP
• Combines authentication and authorization
• Intended for user access control
• Encrypts only the password in the access-request packet, form the client to the server. The remainder of the packet is unecrypted

• Encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not
• Provides two methods to control the authorization of router commands on a per-user or per-group basis and is suitable for device management
• Uses TCP
• Seperates authentication, authorization, and accounting

TACACS+ is the right one, because of per-command control (command authorization) access to the device. RADIUS is not suitable due to one-time transfer of authorization information at initial authentication only.

In large networks, many devices require a lot of network administrators with verying levels of access, Cisco Secure ACS allows a centralized database where administrator accounts can be managed at single location.

• In the example, where AAA Server failed, authentication goes by locally configured user-ID/password
• Example: AAA authentication login mymethod group tacacs+ local enable

• Enable AAA - aaa new-model
• Create local user account - username localadmin password cisco
• Identify the AAA Server Host IP and secret key password
• Specify to use loopback interface as source for TACACS+ - ip tacacs+ source-interface loopback 0
• Specify Authentication(Required) - Refer to 5.
• Authorization/Accounting as optional