TACACS and Friends (Building Internet Firewalls, 2nd Edition)

21.8. TACACS and Friends

TACACS might be an acronym for Terminal Access Controller Access Control System, or then again, it might not; its origins have been lost. TACACS is an old protocol. There are several newer versions of it, including XTACACS and TACACS+; TACACS+ currently appears to be the most popular.

All of these protocols, like RADIUS, are designed to provide authentication, authorization, and auditing services for dial-up users.

TACACS and XTACACS send all data, including usernames and passwords, in cleartext. TACACS+ uses MD5 to avoid sending passwords and usernames in a reusable form and normally also encrypts all data. Basically, this makes TACACS and XTACACS less secure than RADIUS, and TACACS+ more secure than RADIUS.

In order to support encryption, TACACS+ requires a secret key shared between the server and the client. This key must be stored on both the server and the client, and an attacker who has access to the key will be able to impersonate the server and to decrypt all data. This will not actually give the attacker access to passwords (the passwords are not sent in any decryptable form). Nonetheless, you should take reasonable steps to protect this key.

21.8.1. Packet Filtering Characteristics of TACACS and Friends

TACACS uses UDP port 49; it can also use TCP but does not necessarily use port 49 when using TCP. XTACACS uses UDP port 49. TACACS+ uses TCP port 49.

Direction
SourceAddr.
Dest.Addr.
Protocol
SourcePort
Dest.Port
ACKSet
Notes

In
Ext
Int
UDP
>1023
49
[142]

Request, external client to internal TACACS/XTACACS server

Out
Int
Ext
UDP
49
>1023
[142] Response, internal TACACS/XTACACS server to external client.

In
Ext
Int
TCP
>1023
49[143]

[144]

External client connecting to internal TACACS/TACACS+ server

Out
Int
Ext
TCP
49[143]
>1023
Yes
Internal TACACS/TACACS+ server responding to external client

Out
Int
Ext
UDP
>1023
49
[142]
Request, internal client to external TACACS/XTACACS server

In
Ext
Int
UDP
49
>1023
[142]
Response, external TACACS/XTACACS server to internal client

Out
Int
Ext
TCP
>1023
49[143]
[144] Internal client connecting to external TACACS/TACACS+ server

In
Ext
Int
TCP
49[143]
>1023
Yes
External TACACS/TACACS+ server responding to internal client.

Direction	SourceAddr.	Dest.Addr.	Protocol	SourcePort	Dest.Port	ACKSet	Notes
In	Ext	Int	UDP	>1023	49	[142]	Request, external client to internal TACACS/XTACACS server
Out	Int	Ext	UDP	49	>1023	[142]	Response, internal TACACS/XTACACS server to external client.
In	Ext	Int	TCP	>1023	49[143]	[144]	External client connecting to internal TACACS/TACACS+ server
Out	Int	Ext	TCP	49[143]	>1023	Yes	Internal TACACS/TACACS+ server responding to external client
Out	Int	Ext	UDP	>1023	49	[142]	Request, internal client to external TACACS/XTACACS server
In	Ext	Int	UDP	49	>1023	[142]	Response, external TACACS/XTACACS server to internal client
Out	Int	Ext	TCP	>1023	49[143]	[144]	Internal client connecting to external TACACS/TACACS+ server
In	Ext	Int	TCP	49[143]	>1023	Yes	External TACACS/TACACS+ server responding to internal client.

[142]UDP has no ACK equivalent.

[143]This may be any port for TACACS.

[144]ACK will not be set on the first packet (establishing connection) but will be set on the rest.

21.8.2. Proxying Characteristics of TACACS and Friends

TACACS+ is a straightforward TCP-based protocol that is well suited for use with generic proxy systems. However, note that TACACS+ supports encryption using a secret key shared between the server and the client, and there is no standard way to determine which key to use if different clients have different keys. Some implementations may use the source address to determine the encryption key, requiring a dedicated proxy that has its own encryption key.

TACACS and XTACACS are both normally UDP-based, so they require proxies that can deal with UDP. However, they have no additional complexities and should work with any generic proxy that supports UDP.

21.8.3. Network Address Translation Characteristics of TACACS and Friends

TACACS and XTACACS do not use embedded IP addresses and will work without modification through network address translation systems. TACACS+ should also work, but just as with proxying, you should note that TACACS+ supports encryption using a secret key shared between the server and the client, and there is no standard way to determine which key to use if different clients have different keys. Some implementations may use the source address to determine the encryption key, requiring static address mappings.

In addition, TACACS+ supports the negotiation of IP addresses for PPP clients. In the unlikely event that you construct a network configuration where a network address translation system is modifying TACACS+ packets that are eventually used to set remote IP addresses, you should be careful to configure the TACACS+ server so that the addresses it provides are valid. The network address translation system will not be able to modify those embedded addresses.

21.8.4. Summary of Recommendations for TACACS and Friends

Do not use TACACS or XTACACS across insecure networks (they transmit cleartext usernames and passwords); use TACACS+ instead.


21.7. Remote Authentication Dial-in User Service		21.9. Auth and identd