Hi,
I have a working knowledge of RADIUS but only academic knowledge of TACACS. In the second video for Identity and Access Management, Adam mentions that TACACS+ is open source. Is it open source or an open standard? And does that mean TACACS+ is not Cisco proprietary? My understanding is that all versions of TACACS (TACACS, XTACACS and TACACS+) required Cisco environments to implement, but now I'm questioning my understanding. I just want to make sure that if I'm given a description of an environment and requirements on the exam, I know which versions of TACACS are deployable in which environment.
Thanks!
-
CISSP - TACACS+
-
Jeff,
I hope all is well. Let's clarify this for you. It is an "Open Standard", via an RFC published by Cisco, that does allow for development of your own implementation of a solution, one that is not tied to Cisco-only infrastructure. There is a community out there that does dabble in that approach, but it is not the same as a full-blown Open Source maintained system or solution in the traditional sense.
You can see more here if interested:
Keep in mind the following, since your questions have been focused around the CISSP specifically as of late.
You hear me speak often of the need to maintain and follow a "mile wide - inch deep" thought process with the CISSP exam, as the knowledge base across the eight domains is MASSIVE, and can become overwhelming to the point of distraction and ultimately failure if you chase rabbits down holes while preparing.
I DO NOT want to dissuade you from understanding at whatever level works for you, nor do I ever want to discourage curiosity or the pursuit of knowledge.
For the exam, stay at the appropriate level. What I mean by that is you are unlikely to be asked about something pertaining to TACACS, TACACS+ or XTACACS that is vendor specific. Rather, at most, as I point out in the episodes, you would want to identify that these are all examples of a RADIUS capability, and really nothing more than that would be necessary to be successful in this particular case.
Hope that helps. Good luck as you continue your studies !!
If I can answer any other questions for you along the way, please feel free to let me know directly:
adam@itpro.tv
Cheers,
Adam
-
I have heard and appreciate your constant reminders of "mile wide and inch deep". I also like your "yes, you are expected to know that, yes, you need to memorize it" because more often than not, I've already thought "they don't expect me to memorize this, do they?!" It's kept me from going down to an implementation level of detail many times. I tried applying the mile-high concept to this and was thinking, what if I was asked: "Company A wants to implement a remote authentication solution and they are in a Windows environment, which of the following should they consider?"
-
Jeff,
Well played !!
I like the thought process and the scenario.
If you were to come across a question such as the one you are proposing, let's discuss two possible ways it might play out:
- "Company A wants to implement a remote authentication solution and they are in a Windows environment, which of the following should they consider?" Choose all that apply.
A. Radius
B. Diameter
C. IPSec
D. TACACS+
You would want to choose A, B and D. All three are capable of working in a Windows environment.
Same question, almost, but much more devious:
- "Company A wants to implement a remote authentication solution that uses TCP and they are in a Windows environment, which of the following should they consider?" Choose all that apply.
A. Radius
B. Diameter
C. IPSec
D. TACACS+
You would want to choose B and D. Radius uses UDP, not TCP.
I would be more concerned about a question like #2 than I would about a question like #1. The thing you often hear me say as well is that the exam is Vendor Agnostic. This would mean, in this case, that Question #1 is really using Windows as the key pivot point for the question, which is not normally done, as opposed to Question #2, which tries to distract you with Windows, but really is using the TCP protocol as the pivot to decide what is right, and what is wrong.
Trust the guidance I give you, study as I suggest, be smart and critical in your assessment of your strengths and weaknesses and you will succeed.
Cheers,
Adam
-
@Adam-Gordon That was exactly what I was looking for!!! Thanks! And you've actually highlighted one of my major concerns with the exam. Radius with TLS does use TCP. But another thing you've pointed out is that you can't make assumptions about the environment and choice A didn't specify TLS. I happen to catch that one, but really concerned I'll get hung up on that kind of thing on the exam.
-
In my experience, you will see RADIUS used for user authentication (think VPN, One Time Password validation/2 Factor authentication, etc.) and TACACS+ used for infrastructure device authentication (administrative users, service accounts between devices, etc.). While both are used as authentication mechanisms because they support AAA (authentication, authorization, accounting), TACACS+ tends to be used in cases where higher security is required. TACACS+ encrypts the entire payload; also, each part of AAA can be broken down into separate functions (i.e., authenticate once, authorize many times for different administrative functions). RADIUS, while capable of device administration, consolidates authentication and authorization together, and accounting is separate (it even uses a different port)...effectively increasing the network load if you have an intensive authorization scheme. Also, RADIUS only encrypts the password field, not the entire payload.
TLDR: RADIUS is used for user authentication (typically) and TACACS+ is used for device authentication (typically).
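The two points raised in this thread, that RADIUS runs over UDP while TACACS+ runs over TCP, and that RADIUS only hides the password field while TACACS+ obfuscates the whole packet body, are easy to see by building one request of each on the wire. The following is an added example written for this page; it is not code from the thread, from ITProTV, or from any RADIUS/TACACS+ implementation. It implements the User-Password hiding from RFC 2865 section 5.2 and the body pseudo-pad from RFC 8907 section 4.5 directly; the shared secret, shared key, session id, Request Authenticator, NAS address and user names are all constructed values for the demonstration, and a real client would use a random authenticator and session id.

```python
"""Added example, not from the thread: what "RADIUS only hides the password
field" versus "TACACS+ encrypts the whole body" looks like on the wire.

RADIUS  (RFC 2865 s.5.2): User-Password is XORed with an MD5 keystream made
        from the shared secret and the Request Authenticator; every other
        attribute (User-Name, NAS-IP-Address, ...) is sent in the clear.
        UDP: authentication on 1812, accounting on 1813.
TACACS+ (RFC 8907 s.4.5): everything after the 12-byte header is XORed with an
        MD5 pseudo-pad keyed by session_id, shared key, version and seq_no.
        TCP/49.
Secrets, session id, authenticator and addresses below are constructed data.
"""
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator, 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Code 1 Access-Request: 20-byte header + User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    def attr(t: int, v: bytes) -> bytes:
        return bytes([t, 2 + len(v)]) + v
    attrs = (attr(1, username)
             + attr(2, radius_hide_password(password, secret, authenticator))
             + attr(4, bytes([192, 0, 2, 10])))           # constructed NAS address
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + authenticator + attrs


TAC_PLUS_AUTHEN = 0x01                       # header type: authentication
TAC_PLUS_VER_PAP = (0xC << 4) | 0x1          # major 0xC, minor 1 (PAP/CHAP/MS-CHAP)


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(...|MD5_{n-1}); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_crypt(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call encrypts and decrypts."""
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


def tacacs_authen_start(username: bytes, password: bytes, key: bytes, session_id: int) -> bytes:
    """Authentication START, PAP: fixed fields, lengths, then user/port/rem_addr/data (the password)."""
    port, rem_addr = b"tty0", b"192.0.2.50"  # constructed
    body = (bytes([1, 15, 2, 1,              # action LOGIN, priv_lvl 15, authen_type PAP, service LOGIN
                   len(username), len(port), len(rem_addr), len(password)])
            + username + port + rem_addr + password)
    seq_no, flags = 1, 0x00                  # flags 0x00: body obfuscated (0x01 would mean unencrypted)
    header = struct.pack("!BBBBII", TAC_PLUS_VER_PAP, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + tacacs_crypt(body, session_id, key, TAC_PLUS_VER_PAP, seq_no)


def tacacs_decrypt_body(packet: bytes, key: bytes) -> bytes:
    version, _type, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return tacacs_crypt(packet[12:12 + length], session_id, key, version, seq_no)


def wire_exposure(username: bytes, password: bytes) -> dict:
    """Which fields a passive observer can read from each request."""
    secret, key = b"radius-shared-secret", b"tacacs-shared-key"   # constructed
    authenticator = bytes(range(16))         # constructed; a real client uses 16 random bytes
    radius_pkt = radius_access_request(username, password, secret, authenticator)
    tacacs_pkt = tacacs_authen_start(username, password, key, session_id=0x1234ABCD)
    return {
        "radius_username_visible": username in radius_pkt,
        "radius_password_visible": password in radius_pkt,
        "tacacs_username_visible": username in tacacs_pkt,
        "tacacs_password_visible": password in tacacs_pkt,
    }


if __name__ == "__main__":
    for name, visible in wire_exposure(b"jsmith", b"Winter2024!").items():
        print(f"{name}: {visible}")
```

Running it shows the user name readable in the RADIUS Access-Request and nothing readable after the TACACS+ header. Two caveats worth keeping in mind: both schemes are MD5 XOR streams keyed by a shared secret rather than modern authenticated encryption, so the real protection for either protocol on an untrusted network is the transport (TLS for RADIUS, which is also what moves it onto TCP, or an IPsec/management-VPN path for TACACS+); and a TACACS+ packet with the 0x01 flag set in the header carries its body in the clear, so a detection rule on port 49 traffic should flag that flag bit.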