1. TACACS+ Overview
1.1 What is TACACS+
TACACS+ (Terminal Access Controller Access Control System Plus) is a security protocol with enhanced features built on the TACACS protocol. It is similar to the RADIUS protocol and uses the client/server model for communication between the NAS and the TACACS+ server.
1.2 Uses of TACACS+
The TACACS+ protocol is mainly used for the AAA of PPP and VPDN (Virtual Private Dial-up Network) access users and of terminal users. AAA is the abbreviation of Authentication, Authorization, Accounting (authentication, authorization, billing); it is a network security management mechanism that provides these three security functions.
Authentication: verifies the identity of the remote user accessing the network and determines whether the visitor is a legitimate network user.
Authorization: assigns different permissions to different users and restricts the services a user may use. For example, after a user has logged on to a server successfully, the administrator can authorize the user to access and print files on that server.
Accounting (billing): records every operation the user performs with the network service, including the type of service used, the start time and the data traffic. It is not only a basis for billing but also plays a monitoring role for network security.
2. TACACS+ Protocol Introduction
2.1 TACACS+ basic message interaction flow
The basic message interaction process of the TACACS+ protocol, taking Telnet user authentication as an example, is as follows:
(1) The Telnet user requests to log on to the device.
(2) On receiving the request, the TACACS+ client sends an authentication START message to the TACACS+ server.
(3) The TACACS+ server sends an authentication REPLY message requesting the user name.
(4) On receiving the REPLY message, the TACACS+ client asks the user for the user name.
(5) The user enters the user name.
(6) After receiving the user name, the TACACS+ client sends an authentication CONTINUE message containing the user name to the TACACS+ server.
(7) The TACACS+ server sends an authentication REPLY message requesting the login password.
(8) On receiving the REPLY message, the TACACS+ client asks the user for the login password.
(9) The user enters the password.
(10) After receiving the login password, the TACACS+ client sends an authentication CONTINUE message containing the password to the TACACS+ server.
(11) The TACACS+ server sends an authentication REPLY message indicating that the user has passed authentication.
(12) The TACACS+ client sends an authorization REQUEST message to the TACACS+ server.
(13) The TACACS+ server sends an authorization RESPONSE message indicating that the user has passed authorization.
(14) On receiving the successful authorization response, the TACACS+ client presents the device's configuration interface to the user.
(15) The TACACS+ client sends an accounting (billing) start message to the TACACS+ server.
(16) The TACACS+ server sends an accounting response message indicating that the accounting start message has been received.
(17) The user requests to disconnect.
(18) The TACACS+ client sends an accounting end message to the TACACS+ server.
(19) The TACACS+ server sends an accounting response message indicating that the accounting end message has been received.
2.2 TACACS+ message types
From 2.1 it can be seen that TACACS+ has 7 message types:
1. Authentication_start
2. Authentication_continue
3. Authentication_reply
4. Authorization_request
5. Authorization_response
6. Accounting_request
7. Accounting_reply
Since we only care about the authentication process, only message types 1, 2 and 3 above plus the TACACS+ header, four message structures in total, are described below.
2.3 TACACS+ message structure
2.3.1 TACACS+ header
All TACACS+ packets begin with a 12-byte header whose fields are described below:
1) major: TACACS+ major version number; the value is 0x0c.
2) minor: TACACS+ minor version number, used for backward-compatible extensions; usually 0.
3) Packet type: defines the packet type; the values are:
#define TAC_PLUS_AUTHEN 1 // authentication
#define TAC_PLUS_AUTHOR 2 // authorization
#define TAC_PLUS_ACCT 3 // accounting (billing)
4) Sequence no: the sequence number of the packet within the current session. The first TACACS+ packet of a session must have sequence number 1, and each following packet increments it by 1. Hence the client sends only odd-numbered packets and the TACACS+ daemon sends only even-numbered ones. When the sequence number reaches 255, the session restarts and the sequence number is reset to 1.
5) Flags: indicates special conditions, such as unencrypted body (TAC_PLUS_UNENCRYPTED_FLAG, 0x01) and support for multiple sessions over a single connection (TAC_PLUS_SINGLE_CONNECT_FLAG, 0x04).
6) session_id: the ID of the TACACS+ session, a random number.
7) Length: the length of the TACACS+ packet body, not including the header.
2.3.2 Authentication messages
TACACS+ authentication has three packet types: START, CONTINUE and REPLY. The client sends START and CONTINUE packets; the server side (daemon) sends REPLY packets.
At the beginning of authentication the client sends a START message to the server describing the type of authentication to be performed, possibly including the user name and some authentication data. A START packet is only ever the first message of a TACACS+ session or the first message after the session is reset (a reset may be initiated by a server REPLY). The sequence number of a START packet is always 1. The server answers the START packet with a REPLY packet, which indicates whether authentication has ended or continues. If authentication continues, the REPLY states what further authentication information is required; the client collects that information and returns it in a CONTINUE packet. The server keeps answering START and CONTINUE packets with REPLY packets until authentication ends, or until the client sets the abort flag in a CONTINUE packet, at which point the session is aborted immediately.
2.3.2.1 Authentication START message format:
1) Action: the authentication action; the legal values are:
TAC_PLUS_AUTHEN_LOGIN = 0x01 (login)
TAC_PLUS_AUTHEN_CHPASS = 0x02 (change password)
TAC_PLUS_AUTHEN_SENDPASS = 0x03 (send password, deprecated)
TAC_PLUS_AUTHEN_SENDAUTH = 0x04 (send authentication)
2) Priv_lvl: the authentication privilege level, in the range 0-15; it can be set on the NAS client. The defined values are:
TAC_PLUS_PRIV_LVL_MAX = 0x0f (highest level)
TAC_PLUS_PRIV_LVL_ROOT = 0x0f (root user level)
TAC_PLUS_PRIV_LVL_USER = 0x01 (normal user level)
TAC_PLUS_PRIV_LVL_MIN = 0x00 (lowest level)
3) Authen_type: the authentication type; the legal values are:
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01 (ASCII)
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02 (PAP protocol)
TAC_PLUS_AUTHEN_TYPE_CHAP = 0x03 (CHAP protocol)
TAC_PLUS_AUTHEN_TYPE_ARAP = 0x04 (ARAP protocol)
TAC_PLUS_AUTHEN_TYPE_MSCHAP = 0x05 (Microsoft CHAP protocol)
4) Service: the authentication service; the legal values are:
TAC_PLUS_AUTHEN_SVC_NONE = 0x00 (no service)
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01 (login)
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02 (ENABLE service)
TAC_PLUS_AUTHEN_SVC_PPP = 0x03 (PPP protocol)
TAC_PLUS_AUTHEN_SVC_ARAP = 0x04 (ARAP protocol)
TAC_PLUS_AUTHEN_SVC_PT = 0x05 (PT service)
TAC_PLUS_AUTHEN_SVC_RCMD = 0x06 (remote command)
TAC_PLUS_AUTHEN_SVC_X25 = 0x07 (X.25 protocol)
TAC_PLUS_AUTHEN_SVC_NASI = 0x08 (NASI service)
TAC_PLUS_AUTHEN_SVC_FWPROXY = 0x09 (firewall proxy)
The ENABLE service means obtaining administrative privileges, similar to the "su" command on a Linux system. NONE is filled in when none of the other services applies.
5) User: the user name; optional.
6) Port: the port used for client authentication; specified by the client.
7) Rem_addr: the remote address; optional, specified by the client.
8) Data: the payload.
2.3.2.2 Authentication REPLY message format:
1) Status: the current state of the authentication; the legal values are:
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01 (passed)
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02 (failed)
TAC_PLUS_AUTHEN_STATUS_GETDATA = 0x03 (get data)
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04 (get user name)
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05 (get password)
TAC_PLUS_AUTHEN_STATUS_RESTART = 0x06 (restart session)
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07 (error)
TAC_PLUS_AUTHEN_STATUS_FOLLOW = 0x21 (use an alternate daemon)
2) Flags: a bitmap of flags; the defined value is:
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01 (do not echo the user's input)
3) Server_msg: prompt text returned by the server to the user; optional.
4) Data: the payload.
2.3.2.3 Authentication CONTINUE message format
1) Flags: a bitmap of flags; the defined value is:
TAC_PLUS_CONTINUE_FLAG_ABORT = 0x01 (abort)
2) User_msg: the information entered by the user in answer to server_msg.
3) Data: the payload.
2.4 The authentication types in detail
The TACACS+ authentication protocol supports five authentication types: ASCII, PAP, CHAP, ARAP and MS-CHAP. They are analysed separately below.
2.4.1 ASCII authentication type
The ASCII authentication process consists of START, REPLY and CONTINUE messages. The user name may be carried in the START message or left out of it (and carried in a CONTINUE message instead); the two variants are shown below:
Figure 2-4-1-1 Authentication process when the START message does not carry user information
Figure 2-4-1-2 Authentication process when the START message carries user information
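As an added example (not code from the original article), a minimal server-side handler for the ASCII login exchange of section 2.1 and figures 2-4-1-1 / 2-4-1-2, using the status and flag values defined in 2.3.2. The AsciiLoginSession class, the telnet_login driver and the USERS table are assumptions made for the demonstration; packet encoding is left aside and only the message fields are modelled.

```python
import hmac

# REPLY status values from section 2.3.2.2 and the flags from 2.3.2.2 / 2.3.2.3
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01
TAC_PLUS_CONTINUE_FLAG_ABORT = 0x01
FINAL = (TAC_PLUS_AUTHEN_STATUS_PASS, TAC_PLUS_AUTHEN_STATUS_FAIL, TAC_PLUS_AUTHEN_STATUS_ERROR)
USERS = {b"alice": b"s3cret"}   # constructed user table for the example, not a real configuration

class AsciiLoginSession:
    """Server-side state of one ASCII login; each handler returns the REPLY as (status, flags, server_msg)."""
    def __init__(self):
        self.user = None
        self.finished = False

    def _reply(self, status, flags=0, msg=b""):
        self.finished = status in FINAL
        return status, flags, msg

    def on_start(self, user=b""):
        # figure 2-4-1-2 (user in START): ask for the password now; figure 2-4-1-1 (no user): ask for the user name first
        if user:
            self.user = user
            return self._reply(TAC_PLUS_AUTHEN_STATUS_GETPASS, TAC_PLUS_REPLY_FLAG_NOECHO, b"Password: ")
        return self._reply(TAC_PLUS_AUTHEN_STATUS_GETUSER, 0, b"Username: ")

    def on_continue(self, user_msg, flags=0):
        if self.finished:
            return self._reply(TAC_PLUS_AUTHEN_STATUS_ERROR, 0, b"session already finished")
        if flags & TAC_PLUS_CONTINUE_FLAG_ABORT:
            self.finished = True         # section 2.3.2: the session is aborted immediately, no REPLY
            return None
        if self.user is None:
            self.user = user_msg         # answer to GETUSER
            return self._reply(TAC_PLUS_AUTHEN_STATUS_GETPASS, TAC_PLUS_REPLY_FLAG_NOECHO, b"Password: ")
        # answer to GETPASS: constant-time compare; an unknown user gets the same FAIL as a wrong password
        ok = hmac.compare_digest(USERS.get(self.user, b""), user_msg)
        return self._reply(TAC_PLUS_AUTHEN_STATUS_PASS if ok else TAC_PLUS_AUTHEN_STATUS_FAIL)

def telnet_login(user, password):
    """Replay steps 2 to 11 of the section 2.1 exchange and return the final REPLY status."""
    s = AsciiLoginSession()
    status, _, _ = s.on_start()               # step 2: START without user -> step 3: GETUSER
    status, _, _ = s.on_continue(user)        # step 6: CONTINUE with user -> step 7: GETPASS
    status, _, _ = s.on_continue(password)    # step 10: CONTINUE with password -> step 11: PASS or FAIL
    return status
```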
2.4.2 PAP authentication type
The PAP authentication type consists of only one START message and one REPLY message. The START message must carry both the user name and the password: the user name is stored in the User field of the START message and the password in its Data field, and neither needs further encryption. The authentication process is as follows:
Figure 2-4-2-1 PAP authentication process
2.4.3 CHAP authentication type
The CHAP authentication type consists of only one START message and one REPLY message. The START message must carry the user name and the data: the user name is stored in the User field of the START message and the data in its Data field. The data must contain session_id, challenge and authentication.
session_id occupies exactly 1 byte and authentication exactly 16 bytes; the challenge length is the total data length minus the session_id length and the authentication length. The authentication value is generated by MD5 over session_id, the user password and the challenge. The authentication process is as follows:
Figure 2-4-3-1 CHAP authentication process
session_id | challenge | authentication
1 byte | variable (total data length minus 17) | 16 bytes, AUTH = MD5(session_id, usr_pwd, challenge)
Figure 2-4-3-2 Structure of the START message data field
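An added example, not taken from the original article: encoding and decoding the START body of section 2.3.2.1, and building and checking the CHAP data field of figure 2-4-3-2. The 1-byte length fields that precede user, port, rem_addr and data follow RFC 8907; the function names and the sample credentials are assumptions.

```python
import hashlib
import hmac
import struct

# Field values from section 2.3.2.1; the CHAP lengths are those of section 2.4.3
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_CHAP = 0x03
TAC_PLUS_AUTHEN_SVC_PPP = 0x03
CHAP_ID_LEN, CHAP_AUTH_LEN = 1, 16

def authen_start(action, priv_lvl, authen_type, service, user, port, rem_addr, data):
    """Encode the START body: action, priv_lvl, authen_type, service, four 1-byte lengths, then the variable fields."""
    fields = (user, port, rem_addr, data)
    if any(len(f) > 0xFF for f in fields):
        raise ValueError("user, port, rem_addr and data lengths are single bytes")
    return struct.pack("!8B", action, priv_lvl, authen_type, service, *map(len, fields)) + b"".join(fields)

def parse_authen_start(body):
    """Decode a START body, refusing one whose declared lengths do not add up to its size."""
    action, priv_lvl, authen_type, service, *lens = struct.unpack_from("!8B", body)
    if len(body) != 8 + sum(lens):
        raise ValueError("START body length does not match the declared field lengths")
    parts, off = [], 8
    for n in lens:
        parts.append(body[off:off + n])
        off += n
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": parts[0], "port": parts[1], "rem_addr": parts[2], "data": parts[3]}

def chap_data(chap_id, password, challenge):
    """Client side (figure 2-4-3-2): session_id | challenge | MD5(session_id, password, challenge)."""
    auth = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + challenge + auth

def chap_verify(data, password):
    """Server side: challenge length = len(data) - 1 - 16; recompute the hash and compare in constant time."""
    if len(data) <= CHAP_ID_LEN + CHAP_AUTH_LEN:
        return False                      # no room for a challenge, so nothing was proven
    chap_id, challenge, auth = data[0], data[1:-CHAP_AUTH_LEN], data[-CHAP_AUTH_LEN:]
    expected = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return hmac.compare_digest(auth, expected)
```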
2.4.4 MS-CHAP authentication type
The MS-CHAP authentication type consists of only one START message and one REPLY message. The START message must carry the user name and the data: the user name is stored in the User field of the START message and the data in its Data field. The data must contain session_id, the MS-challenge and the MS-authentication.
session_id occupies exactly 1 byte and authentication exactly 49 bytes; the challenge length is the total data length minus the session_id length and the authentication length. The authentication information is generated from the user password and the challenge with MD4 and DES. The authentication process is as follows:
Figure 2-4-4-1 MS-CHAP authentication process
session_id | challenge | authentication
1 byte | variable (total data length minus 50) | 49 bytes
Figure 2-4-4-2 Structure of the START message data field
MS-CHAPv1 authentication composition:
NTHash = MD4(user_pwd)
ChallengeResponse = DES(NTHash[0-7], challenge) || DES(NTHash[7-14], challenge) || DES(NTHash[14-21], challenge); the challenge is typically 8 bytes
The ChallengeResponse is placed in bytes [24-47] of the authentication field, and the last byte of the authentication field (byte 49) has the value 1
Figure 2-4-4-3 MS-CHAPv1 authentication composition
2.4.5 ARAP authentication type
The ARAP authentication type consists of only one START message and one REPLY message. The START message must carry the user name and the data: the user name is stored in the User field of the START message and the data in its Data field. The data must contain ServerChallenge, ClientChallenge and authentication.
ServerChallenge, ClientChallenge and authentication each occupy exactly 8 bytes; the authentication value is produced by DES-encrypting ServerChallenge and ClientChallenge with the user password as the DES key. The authentication process is as follows:
Figure 2-4-5-1 ARAP authentication process
ServerChallenge | ClientChallenge | authentication
8 bytes | 8 bytes | 8 bytes
Figure 2-4-5-2 Structure of the START message data field
This type has not been verified with code.
2.5 Encryption of TACACS+ packets
TACACS+ supports encryption of the whole packet except the header. The encryption works as follows:
1) The session_id, the secret key, the version number and the sequence number are hashed together with MD5 (the secret key is the shared secret between the TACACS+ client and the server); the result is MD5_1.
2) Each subsequent MD5 operation also includes the result of the previous MD5 operation in its input:
MD5_1 = MD5{session_id, key, version, seq_no}
MD5_2 = MD5{session_id, key, version, seq_no, MD5_1}
....
MD5_n = MD5{session_id, key, version, seq_no, MD5_n-1}
3) The results are concatenated until their total length covers the data to be encrypted, then truncated to the actual data length, giving pseudo_pad:
pseudo_pad = {MD5_1 [, MD5_2 [..., MD5_n]]} truncated to len(data)
4) The data to be encrypted is XORed with pseudo_pad to produce the ciphertext:
ENCRYPTED{data} = data ^ pseudo_pad
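An added example (not from the original article) that puts the 12-byte header of section 2.3.1 and the pseudo_pad procedure of section 2.5 together: build_packet protects a body with the shared key and open_packet recovers it, honouring the unencrypted flag and the declared length. Function names and the sample key are assumptions; RFC 8907 calls this MD5 keystream obfuscation rather than encryption, and the XOR gives no integrity protection.

```python
import hashlib
import struct

# 12-byte TACACS+ header from section 2.3.1: version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0x0C
TAC_PLUS_AUTHEN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

def pack_header(pkt_type, seq_no, session_id, body_len, flags=0, minor=0):
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    return HEADER.pack(version, pkt_type, seq_no, flags, session_id, body_len)

def unpack_header(buf):
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(buf)
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ header: major version %#x" % (version >> 4))
    return {"version": version, "type": pkt_type, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Section 2.5: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_n-1."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:            # concatenate digests until the data length is covered
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]                 # truncate to len(data)

def xor_body(body, hdr, key):
    """Encrypt or decrypt (XOR is its own inverse); a body flagged as cleartext is passed through."""
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(pkt_type, seq_no, session_id, body, key, flags=0):
    """Header in the clear, followed by the XOR-protected body."""
    raw = pack_header(pkt_type, seq_no, session_id, len(body), flags)
    return raw + xor_body(body, unpack_header(raw), key)

def open_packet(packet, key):
    """Parse the header, check the declared length, and recover the body with the shared key."""
    hdr = unpack_header(packet)
    body = packet[HEADER.size:HEADER.size + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("truncated packet: header declares %d body bytes" % hdr["length"])
    return hdr, xor_body(body, hdr, key)
```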
Because TACACS+ encrypts the whole packet body, its privacy is better than that of RADIUS: an eavesdropper cannot infer the network configuration or the user's identity from the message contents.
3. TACACS+ server environment configuration
3.1 Hardware requirements
Hardware: Pentium IV processor, 1.8 GHz or higher
Operating system: Windows $ Server, Windows Server 2003 Enterprise Edition or Standard Edition (Service Pack 1)
Memory: 1 GB minimum
Virtual memory: 1 GB minimum
Hard disk space: 1 GB of free space minimum; the actual size depends on log file growth, replication and backup requirements.
3.2 Software requirements
Browser: Microsoft Internet Explorer 6 or later
Java Runtime Environment: Sun JRE 1.4.2_04 or later
TACACS+ server: install Cisco ACS
TACACS+ authentication: detailed study