AAA and 802.1X Authentication

Hello Harshi

TACACS+ and RADIUS are two different families of protocols that perform similar functions. Some details about each:

  • TACACS+ is Cisco proprietary, but it started out as an authentication protocol for UNIX systems in the 1980s
  • TACACS+ can be run on a VM, and there are versions that can be run on Windows as well
  • TACACS+ uses TCP
  • RADIUS is a protocol standardized by the IETF
  • RADIUS can run on most Linux and Windows platforms
  • RADIUS uses UDP by default but can also be configured to use TCP

Both fundamentally do the same thing but each has some specialisations that the other may not cover. As far as ISE goes, it uses TACACS+ for network device management and auditing, but it also supports RADIUS for standard AAA services and integrates with external RADIUS servers as well. You can find more info about ISE at this Cisco Datasheet.

As far as RADIUS and TACACS+ clients go, these can be any devices, either network devices or hosts, that support these protocols. The vast majority of consumer grade devices will support RADIUS, while a smaller but substantial subset will also support TACACS+.

In a configuration similar to that in the lesson, the Windows PC is the supplicant, the authenticator is the switch, and the authentication server is the external TACACS+/RADIUS server. So the authenticator will do the authentication, but it will use the credential information found in the database of the authentication server to authenticate or deny the supplicant. However, if you configure the switch to have the local database as a backup, the role of the authentication server will be taken over by the switch in the event of a failure in communication with the authentication server.

So authentication is done locally at the switch with the response from the server.

I hope this has been helpful!

Laz
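As an added illustration (not part of Laz's reply or any vendor code), here is a Python sketch of the exchange described above: the switch (authenticator) builds a RADIUS Access-Request, the RADIUS server checks its database and answers Access-Accept or Access-Reject, and the switch falls back to its local database only when the server does not respond. The shared secret, usernames and both databases are constructed values; attributes are omitted, so the Response Authenticator is computed over a bare 20-byte header.

```python
import hashlib, secrets

SECRET = b"constructed-shared-secret"      # constructed; configured on both the switch and the RADIUS server
SERVER_DB = {"harshi": "Tr0ub4dor"}        # constructed accounts held by the authentication server
LOCAL_DB = {"admin": "fallback-only"}      # constructed local database on the switch, used only as backup
ACCEPT, REJECT = 2, 3                      # RADIUS packet codes: Access-Accept, Access-Reject

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same hiding scheme; the previous ciphertext block feeds the next mask."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here, so Length is 20."""
    return hashlib.md5(bytes([code, ident]) + (20).to_bytes(2, "big") + req_auth + secret).digest()

def radius_server(request: dict) -> dict:
    """Authentication server: recovers the password with the shared secret and answers Accept or Reject."""
    pw = reveal_password(request["hidden_pw"], SECRET, request["req_auth"])
    code = ACCEPT if SERVER_DB.get(request["user"]) == pw.decode() else REJECT
    return {"code": code, "id": request["id"],
            "resp_auth": response_authenticator(code, request["id"], request["req_auth"], SECRET)}

def authenticator(user: str, password: str, send) -> tuple:
    """Switch: sends the Access-Request, verifies the reply, and uses LOCAL_DB only if the server never answers."""
    req = {"code": 1, "id": secrets.randbelow(256), "req_auth": secrets.token_bytes(16), "user": user}
    req["hidden_pw"] = hide_password(password.encode(), SECRET, req["req_auth"])
    reply = send(req)                                   # send() returns None to model a timeout
    if reply is None:
        return ("local", LOCAL_DB.get(user) == password)
    expected = response_authenticator(reply["code"], reply["id"], req["req_auth"], SECRET)
    if reply["id"] != req["id"] or reply["resp_auth"] != expected:
        return ("radius", False)                        # a reply that fails the authenticator check is not trusted
    return ("radius", reply["code"] == ACCEPT)
```

The authenticator check is what ties the reply to the shared secret: a reply that was not produced with the same secret is dropped, and an Access-Reject from a reachable server never triggers the local fallback.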
