Remote Access: (2) TACACS, XTACACS & TACACS+

TACACS (Terminal Access Controller Access Control System)

Cisco’s old proprietary protocol for remote access that fits the AAA model; it is rare to see anyone using it now.

The user connects to the RAS server, and the RAS server contacts the TACACS server.

TACACS uses UDP, which is not reliable, so TACACS+ was later designed as its replacement and uses TCP.

TACACS+ (Terminal Access Controller Access Control System+)

Bear in mind that TACACS+ packets are not compatible with TACACS and XTACACS. The earlier TACACS/XTACACS used one database for all of AAA; TACACS+ uses one for each. TACACS+ is the first version to offer secure communication between the TACACS+ client and server.

TACACS+ advantages:

Transport – TCP (more reliable connection)
Encryption – Both username and password are encrypted (RADIUS encrypts only the password)
Protocols – Also supports AppleTalk and NetBIOS
AAA – Can use different protocols for access and accounting (saves bandwidth)
Compatibility – Better multi-vendor compatibility than RADIUS

Vulnerabilities of TACACS+

  • TACACS+ was designed with several cryptographic weaknesses, so it is very vulnerable to sniffing.
  • The shared secret used between client and server is rarely changed.
  • Lack of integrity checking. There is no way to determine whether the data has been tampered with.
  • Vulnerable to replay attack. TACACS+ sessions always start with a sequence number of 1.
  • Session ID collision. TACACS+ depends heavily on the session_id. If multiple sessions get the same session_id, the traffic is vulnerable to frequency analysis. Consequently, it is possible to get the TACACS+ server to encrypt a replayed packet under a chosen session_id, which leads to further compromise of the tunnel encryption.
  • Session ID randomness and the birthday attack. The range of TACACS+ session IDs isn’t very large: for an ISP handling 20,000 dialup sessions a day, there could be 100,000 session_id collisions in a year.
  • Lack of padding. Since the encrypted data has no fixed length, the length of the data (e.g. the user password) is revealed.
  • MD5 context leak. Due to a theoretical weakness of the MD5 hash, part of a packet could be decrypted.

Detailed information can be found in An analysis of the TACACS+ Protocol and Its Implementation.
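The weaknesses above follow directly from how the TACACS+ body is "encrypted": an MD5-derived keystream built from session_id, shared key, version and seq_no, XORed over the body. The following added example (not code from the original post) implements that pseudo-pad as documented in RFC 8907 section 4.5 and checks three of the listed weaknesses: the ciphertext length equals the plaintext length (no padding), two packets sharing a session_id and seq_no leak the XOR of their plaintexts to a passive observer (session ID collision), and a flipped ciphertext byte decodes without any error (no integrity check). The key, session IDs and message bodies are constructed for the demonstration.

```python
import hashlib
import struct

SHARED_KEY = b"example-shared-key"   # constructed; such keys are rarely rotated
VERSION = 0xC0                      # major version 0xC, minor version 0
FIRST_SEQ_NO = 1                    # every TACACS+ session starts at seq_no 1


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream per RFC 8907 4.5: chained MD5(session_id|key|version|seq_no|prev)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes = SHARED_KEY,
              version: int = VERSION, seq_no: int = FIRST_SEQ_NO) -> bytes:
    """XOR the body with the pad; the same call de-obfuscates.
    Output length == input length, and nothing authenticates the result."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What a sniffer learns from two packets with the same session_id and seq_no:
    c1 XOR c2 == p1 XOR p2, without knowing the shared key at all."""
    return xor_bytes(c1, c2)


def tampered_decodes_cleanly(body: bytes, session_id: int, position: int) -> bool:
    """Flip one ciphertext byte. The receiver gets a body that differs only at that
    position and has no field that would reveal the modification."""
    c = bytearray(obfuscate(body, session_id))
    c[position] ^= 0xFF
    recovered = obfuscate(bytes(c), session_id)
    return (len(recovered) == len(body)
            and recovered[position] != body[position]
            and recovered[:position] == body[:position]
            and recovered[position + 1:] == body[position + 1:])
```

A defender can run the same checks against captures from their own TACACS+ deployment to confirm whether session IDs repeat; RFC 8907 deprecates this obfuscation in favour of transport-layer protection.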


June 2008