Protocols Used Between the ACS and the Router

The next couple of sections discuss how to configure the router to forward authentication questions to the ACS server and examine how to tell the ACS server to work with the router. But right now, you need to understand the “language of love” used to communicate between the ACS server and the router (with a router acting as a client to the ACS server).

Two main protocols may be used between the ACS server and its client (such as a router that is using the ACS server to verify authentication requests): TACACS+ (pronounced TACK-AXE; you do not need to say the +) and RADIUS (pronounced RAY-D-US).

TACACS+ stands for Terminal Access Control Access Control Server, and that is why we just use the acronym. There have been earlier versions of TACACS+, which had slightly varying names, such as XTACACS and TACACS (without the plus). Because the only version now used is TACACS+, any time we refer to the term pronounced TACK-AXE, it is accepted and understood that we are referring to the currently implemented TACACS+ (even without saying the + at the end). TACACS+ is Cisco proprietary, which means you will most likely see it used between a Cisco device and a Cisco ACS server. If you configure the router and the ACS server to use TACACS+, all the AAA packets that are sent between the router and the ACS server use the TACACS+ protocol, which encrypts each packet before it is sent on the network.

The other protocol that can be used between the router and the ACS server for AAA services is RADIUS, which stands for Remote Authentication Dial-In User Service. RADIUS is an open standard, which means that not only does ACS support it, but other vendors’ AAA implementations and servers (such as Microsoft) can also communicate with a client (such as a router) using this protocol. RADIUS encrypts only passwords, not the whole packet being sent between the ACS server and the network device.
