RADIUS
- Centralized authentication
- AAA communications protocol
- Authentication, Authorization, Accounting
- Clients (switch, router, WAP, WLC, firewalls, etc.)
- Servers (Microsoft Network Policy Server, FreeRADIUS, etc.)
- The RADIUS server provides the interface for setting up authentication and gives you the tools to control it centrally
- Ports can vary:
  - UDP 1645, 1646 // Legacy ports
  - UDP 1812, 1813 // Newer ports
  - Depends on your devices; ideally the new standard is the best option
  - Intermediate filtering must allow these ports; make sure your firewall is inspecting them
AAA
| Component | Operation | Mechanism |
|---|---|---|
| Authentication | Who you are | Password / MFA |
| Authorization | What you can do | Global, Group, User |
| Accounting | What you've done | Local or central logging |
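Added example (not part of the original notes): a small Python parser that takes a RADIUS datagram and the UDP port it arrived on, checks the header against the legacy/current port list above, maps the packet code to the Authentication or Accounting function, and flags the mismatches and malformed lengths a firewall inspecting these ports would want to catch. The sample packet, its attributes and the zeroed Authenticator are constructed for the example.

```python
import struct
from dataclasses import dataclass, field

# RADIUS header (RFC 2865): Code(1) Identifier(1) Length(2) Authenticator(16), then TLV attributes
HEADER = struct.Struct("!BBH16s")
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# The UDP ports from the notes: legacy 1645/1646, current 1812/1813
PORTS = {1645: ("legacy", "Authentication"), 1646: ("legacy", "Accounting"),
         1812: ("current", "Authentication"), 1813: ("current", "Accounting")}

@dataclass
class RadiusSummary:
    port_generation: str
    aaa_function: str
    code_name: str
    identifier: int
    attribute_types: list = field(default_factory=list)

def classify_radius(dst_port: int, payload: bytes) -> RadiusSummary:
    """Parse one RADIUS datagram header and sanity-check it against the port it arrived on."""
    if dst_port not in PORTS:
        raise ValueError(f"UDP {dst_port} is not a RADIUS port")
    if len(payload) < HEADER.size:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, ident, length, _authenticator = HEADER.unpack_from(payload)
    # Length must cover at least the header, never exceed 4096, and never exceed what arrived
    if not HEADER.size <= length <= min(len(payload), 4096):
        raise ValueError(f"invalid Length {length} for a {len(payload)}-byte datagram")
    generation, function = PORTS[dst_port]
    # Accounting codes on the authentication port (or vice versa) point to a misconfigured client
    expected = "Accounting" if code in (4, 5) else "Authentication"
    if expected != function:
        raise ValueError(f"{CODES.get(code, code)} arrived on {function.lower()} port {dst_port}")
    attrs, offset = [], HEADER.size
    while offset < length:  # attributes are Type(1) Length(1) Value(Length-2)
        if offset + 2 > length or payload[offset + 1] < 2 or offset + payload[offset + 1] > length:
            raise ValueError(f"malformed attribute at offset {offset}")
        attrs.append(payload[offset])
        offset += payload[offset + 1]
    return RadiusSummary(generation, function, CODES.get(code, f"code {code}"), ident, attrs)

def build_packet(code: int, ident: int, attrs: list) -> bytes:
    """Build a constructed test datagram; the Authenticator is zeroed, not a real client value."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), bytes(16)) + body

# Constructed sample: Access-Request carrying User-Name (1) and NAS-IP-Address (4)
SAMPLE_ACCESS_REQUEST = build_packet(1, 7, [(1, b"alice"), (4, bytes([192, 0, 2, 1]))])
```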
Centralized vs Localized
| Centralized AAA | Localized AAA |
|---|---|
| Single point of administration | Many points of administration |
| Reliant upon underlying protocols | Self-reliant |
| Easily scalable | Not scalable |
| Smart network admission control | Simple network admission control |
| Requires dedicated component | Built-in capability |
| Examples: RADIUS, TACACS+, LDAP, AD | No protocol needed; everything is local |
- In localized AAA you do not need any servers, so there are no protocols; everything is local
- In centralized AAA you have protocols that help you with administration
RADIUS vs. TACACS
- To the device or through the device?
  - To the device: TACACS
  - Through the device: RADIUS
- Administrators or users
- ISP
- Network traffic logs
- SNP, RADIUS and TACACS
- Command logs
- Every time an admin enters a command, TACACS compares that command to the list of allowed commands
- TACACS is used for administrative access
- RADIUS is for managing users
- Why not both?
- You can totally use both of these
- Supplicant: Client/User
- Authenticator: Router/Firewall
  - Asks the AAA server whether this user should be authorized
- Authentication Server: RADIUS