Centralized Authentication, Authorization and Accounting (AAA)

Centralized AAA using TACACS+

TCPWave appliances for network infrastructure services use TACACS+ for authentication, authorization and accounting. TCPWave has developed a unique methodology under which a user does not need to be defined as a local account on each appliance. Secure Shell (SSH) access to each appliance takes place by proxying the user's credentials to a foreign AAA server. If the user is defined on the foreign AAA server and has permission to enter the TCPWave appliance using SSH, access is granted. This approach dramatically reduces the operational overhead of defining local accounts. When an administrator leaves the organization, there is no need to update every TCPWave appliance; removing that user from the AAA server is enough.

TCPWave has further enhanced the TACACS+ security by sending each keystroke typed by the users to the AAA logs. Multiple AAA servers can be configured into the TCPWave TACACS module so that the AAA process does not have a single point of failure.

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol, commonly used in UNIX networks, for communicating with an authentication server. TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon that typically runs on a UNIX workstation. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.

TACACS+ Features:

  • Offers multiprotocol support
  • Allows a network administrator to define what commands a user may run. This fine-grained level of control allows more controlled access for a greater number of users on a network.
  • Full support for IPv4 and IPv6
  • No limit on the number of users, clients or servers
  • Allows control of commands
  • Separates authentication, authorization and accounting, which makes it more flexible
  • Encrypted usernames and passwords
  • Flexible external backend for user profiles

Benefits it provides to the organization:

  • Centralized User Management
  • Flexible authorization policies
  • Support for multiple data sources
  • Auditing logs via TCPWave’s keystroke logger for enhanced security