Ccna Security Ch7 Implementing Aaa Using Ios ACS Server

Chapter 7: Implementing AAA Using IOS and the ACS
Server
I. Foundation Topics
1. Using the local database does not scale well with multiple routers and switches.
ACS server takes care of AAA for administrators as well as for users of the network.
II. Cisco Secure ACS, RADIUS, and TACACS

1. Why Use Cisco ACS?
1. ACS can be the center for AAA, either using it's own local database or Microsoft
Active Directory.
2. What Platform Does ACS Run On?

1. Windows, VM, physical appliance
3. What is ISE?
1. ISE is an identity and access control policy platform, checking that requirements are
met for access nodes. ISE is not a full replacement of ACS. Usually ACS is used
for AAA and ISE is used in conjunction for the identity and access control.
4. Protocols Used Between the ACS Server and the Client (the Router)
1. TACACS+ and RADIUS protocols are used between the ACS server and the client.
2. TACACS+ - Terminal Access Control Access Control Server Older versions
existed but we only use TACACS+ now. TACACS+ packets are encrypted before
sent back and forth with the ACS server.
3. RADIUS Remote Authentication Dial-In User Service Open standard, only
passwords are encrypted
III. Configuring Routers to Interoperate with an ACS Server

1. TACACS+ has very granular command authorization, while RADIUS does not.
TACACS+ will most likely be used for AAA for administrators needing CLI access,
while RADIUS, open IETF standard, will be used for authentication and
authorization for end users to send their packets through the router.
2. Both TACACS+ and RADIUS can be used simultaneously between ACS and router.
Table 7-2 TACACS+ Versus RADIUS
TACACS+
RADIUS
Functionality
Separates AAA functions into

distinct elements. Authentication
is separate from authorization,
and both of those are separate
from accounting
Combines many of the functions

of authentication and
authorization together. Has
detailed accounting capability
when accounting is configured
for use
Standard
Cisco proprietary, but very well

known
Open standard, and supported by

nearly all vendors' AAA
implementation
L4 protocol
TCP
UDP
Replacement coming
None officially planned
Possibly Diameter (named to

imply that RADIUS is only half
as much, pun intended)
Confidentiality
All packets are encrypted

between ACS server and the
router (which is the client).
Only the password is encrypted

with regard to packets sent back
and forth between the ACS
server and the router
Granular command by command This is supported, and the rules

authorization
are defined on the ACS server
about which commands are
allowed or disallowed
No explicit command
authorization checking rules can
be implemented
Accounting
Provide accounting support, and

generally acknowledged as
providing more detailed or
extensive accounting capability
than TACACS+
Provides accounting support
3. CLI and CCP can be used

4. Plan for Configuration
a. Administrators/users who are accessing the router via the vty lines, regardless if
they are using Telnet or Secure Shell (SSH), the router should check with a
TACACS+ server (the ACS server using TACACS+ to communicate with this
router) for the authentication check (username/password)
b. Authenticated users need to be authorized to have access to a CLI (EXEC)
session, including the privilege level they should be placed into. The
authorization check should be done by the router referring to the ACS server,
using TACACS+.
5. Example
R1(config)# aaa new-model
(required to enable AAA on the router, by default on most IOS systems it's disabled)
R1(config)# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
(authentication, custom method list using TACACS+ first, and if fails use the local database)
R1(config)# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
(authorization, custom method list using tacacs+ first, and if fails due to lack of an ACS server, use the
local database)
R1(config)# username admin privilege 15 secret cisco
(create local database username and password as a backup in case the ACS server is not available)
R1(config)# tacacs-server host 192.168.1.252 key cisco123
(Configure ACS server connection settings and password)
R1(config)# line vty 0 4
R1(config-line)# authorization exec Author-Exec_via_TACACS
R1(config-line)# login authentication AUTHEN_via_TACACS
Example 7-2 Verifying AAA
R1# debug tacacs
TACACS access control debugging is on
! Telnet to an IP address on the local router.
R1# telnet 10.0.0.1
Trying 10.0.0.1 ... Open
TPLUS: Queuing AAA Authentication request 102 for processing
TPLUS: processing authentication start request id 102
TPLUS: Authentication start packet created for 102()
TPLUS: Using server 192.168.1.252
TPLUS(00000066)/0/NB_WAIT/6812DC64: Started 5 sec timeout
User Access Verification
! Timing out on TACACS+ regarding authentication because no server is
responding
TPLUS(00000066)/0/NB_WAIT/6812DC64: timed out
TPLUS(00000066)/0/NB_WAIT/6812DC64: timed out, clean up
TPLUS(00000066)/0/6812DC64: Processing the reply packet
! Now moving to the local database on the router
Username: admin
Password: cisco
! Timing out on TACACS+ regarding authorization due to no server responding.
TPLUS: Queuing AAA Authorization request 102 for processing
TPLUS: processing authorization request id 102
TPLUS: Protocol set to None .....Skipping
TPLUS: Sending AV service=shell
TPLUS: Sending AV cmd*
TPLUS: Authorization request created for 102(admin)
TPLUS(00000066)/0/NB_WAIT/6812DC64: Started 5 sec timeout
TPLUS(00000066)/0/NB_WAIT/6812DC64: timed out
TPLUS(00000066)/0/NB_WAIT/6812DC64: timed out, clean up
TPLUS(00000066)/0/6812DC64: Processing the reply packet
! After timing out, the router again uses its local database for
! authorization and appropriate privilege level for the user.
! If we exit, and change the debugs slightly, and do it again, it will give
! us yet another perspective.
From the Library of Joshua E Johnson
Chapter 7: Implementing AAA Using IOS and the ACS Server
R1# debug aaa authentication
AAA Authentication debugging is on
R1# debug aaa authorization
AAA Authorization debugging is on
Telnet
R1# telnet 10.0.0.1
Trying 10.0.0.1 ... Open
AAA/BIND(00000067): Bind i/f
! Notice it shows using the authentication list we assigned to the VTY
! lines
AAA/AUTHEN/LOGIN (00000067): Pick method list 'AUTHEN_via_TACACS'
! Not shown here, but indeed the ACS server is timing out, due to not yet
! being configured, which causes the second entry in the list "local" to be
! used.
User Access Verification
Username: admin
Password: cisco
! Now the authorization begins, using the method list we configured for the
! lines
AAA/AUTHOR (0x67): Pick method list 'Author-Exec_via_TACACS'
R1#
AAA/AUTHOR/EXEC(00000067): processing AV cmd=
AAA/AUTHOR/EXEC(00000067): processing AV priv-lvl=15
AAA/AUTHOR/EXEC(00000067): Authorization successful
R1#
!
Table 7-3 Configuring the Router to Use ACS via TACACS+
Task
How to Do It
Decide what the policy should be (for example,
which vty lines should require
authentication/authorization, and which methods
(ACS, local,none) should be used
This step is done way before you even begin

configuring the router, and is based on your
security policy for your network. It is the concept
of what you want to accomplish for authentication
and authorization
Enable the ability to configure AAA
Aaa new-model is not enabled by default. If you

want to use the services for ACS, you must enable
the feature of AAA as the very first step of
configuration on a new router
Specify the address of an ACS server to use
Use the tacacs-server host command, including

the IP address of the ACS server and the password
Create a named method list for authentication and Each method list is created in global configuration
another for authorization, based on your policy
mode, specifying which methods this list uses, in
order, from left to right.
Apply the method list to the location that should
use those methods
In vty line configuration mode, specify the

authentication and authorization method lists that
you created in the preceding step
6. Using CCP to implement the same as above:

a. Configure > Router > AAA > AAA Servers and Groups > Servers > Add
a. Provide relevant information below, then press okay
b. As shown by the fields on the GUI, you are adding a TACACS+ server to the
configuration.
c. To create a method list

a. Configure > Router > AAA > Authentication Policies > Login, click Add
1. This method list is for login Authentication
1. Add methods to the method list
2. There's also an option to move methods up and down through the list.
Top is priority, bottom is less priority.
d. You can see all authentication method lists here
7. You can create an authorization method list

a. Configure > Router > AAA > Authorization Policies > EXEC Command
Mode click Add
a. Same as before, add methods to the method list. Top has priority.
8. List of authorization method lists
9. Apply method lists to vty lines

a. Configure > Router > Router Access > VTY click Edit
a. After clicking edit, you can select the authentication and authorization
method lists.
b. Click okay and any confirmation buttons until config is sent to router
b. Shows a summary of configuration

c. This demonstration has not yet created a local account for administration, and if
the ACS server is not reachable and you have not created a local account, then
you will run into trouble
10. Create a local user account

a. Configure > Router > Router Access > User Accounts/View click Add
IV. Configuring the ACS Server to Interoperate with a Router

1. f
Table 7-4 Key Components for Configuring ACS
Component of ACS
How It is Used
New device groups
Groups of network devices, normally based on routers or

switches with similar functions/devices managed by the
same administrators
Network devices (ACS

clients/routers/switches)
The individual network devices that go into the device

groups
Identity groups (user/admin groups)
Groups of administrators, normally based on users who

will need similar rights and access to specific groups of
network devices
User accounts
Individual administrator/user accounts that are place in

Identity groups
Authorization profiles
These profiles control what rights are permitted. The

profile is associated with a network device group and a
user/administrator identity group
2. For the below configuration, we are configuring the following ACS items:
a. Device group for border routers
b. A single router that belongs to the device group
c. Two groups, an Admin group and a Monitor group
d. Two users (an administrator belonging to the Admin group, and a help desk
account belonging to the Monitor group)
e. Two authorization policies (the first stating that members of the Admin group
who are accessing devices in the device group should get full privilege level 15
access, and the second policy stating that users who are members of the Monitor
group will only have privilege level 1 access to the devices in the device group)
3. Open a browser and type
a. https://x.x.x.x/acsadmin | the default password is default.
4. f
5. First step is to create a device group as shown above.

a. Network Resources > Network Device Groups > Device Type click Create
a. Fill it out and create the group, click Submit
6. Add a device so we can put it in the device group we just created:

a. Network Resources > Network Devices and AAA Clients click Create
a. Fill out the following:
1. Select device type to select device group.
2. Name and Description
3. IP Address
4. Select Protocol (TACACS+ and/or RADIUS)
5. Password
b. Review info and click Submit
7. Configure User group

a. Users and Identity Stores > Identity Groups click Create
a. Type in name of group and click Submit
1. Continue this until you have created all groups you need
8. Summary pops up after submitting a user group
9. Create user accounts

a. Users and Identity Stores > Internal Identity Stores > Users click Create
a. Fields
1. Name
2. Description
3. Enabled/Disabled
4. Identity Group Select the identity group
5. Password/Confirm Password
6. Enable Password/Confirm Password
7. Check-box Change password at next login
b. Click submit
10. Summary of what you configured
11. Create Authorization policies

a. Access Policies > Access Services > Default Device Admin > Authorization
click Create
a. Name the policy
b. Check box under Conditions next to Identity Group and click the Select
button to choose the admin group created earlier
c. Check the box next to NDG Device type and click the Select button to
indicate the device belongs to the group of routers device group that was
created earlier.
d. Click the select button next to Shell Profile.
12. You could assign one of the preconfigured profiles, or you could create your own
profile and assign it to this group of users. To create a custom profile, click the
Create button, and from the new window that is brought up name the profile in the
dialog box provided, and then display the Common Tasks tab and change the default
privilege level to Static, and assign the privilege level of 15, as shown in Figure 718.
13. Click Submit, and then confirm any dialog boxes presented to you from ACS until
the configuration is applied. By using these steps, any users in the Admin group
accessing any of the devices in the specified device group will not only be able to
authenticate but also be automatically authorized for and placed into privilege level
15 after successfully authenticating on those routers. We would repeat this process
for the Monitor group, assigning a static privilege level of 1.
14. After saving the changes, you can view a summary of the authorization profiles in
this same location.
V. Verifying and Troubleshooting Router-to-ACS Server Interactions

1. f
Ping x.x.x.x
2. The above shows a ping. Make sure you have connectivity to the ACS server, you
being the router. This could entail routing protocols, spanning tree etc... use your
troubleshooting techniques.
R1# test aaa group tacacs+ admin cisco123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
3. Test AAA authentication by indicating the group, username and password and the
keyword legacy.
4. The above is the product of the following, which is ACS reporting which may give
you some insight to what a particular issue might be.
a. Monitoring & Reports > Reports > Favorites
a. Click Authentications TACACS Today link
5. Common occurrence is that there are no reports to look at due to filtering somewhere
between the ACS and the router. Also ensure the right ip address is being used for
connection to the ACS server.
6. Also verify that AAA using the ACS server is working correctly by telneting to the
router from a remote workstation to ensure the user accounts are being authenticated
against the ACS by using debugging.
! Verifying what debugging is currently in place on the router
R1# show debug
General OS:
TACACS access control debugging is on
AAA Authentication debugging is on
AAA Authorization debugging is on
167
! on a remote machine, we telnet and authenticate as the user admin, and
! simply view the debug output on the console of the router receiving the
! telnet session
R1#
! the session came in on a VTY line, which triggered the authentication
! method list associated with that line
AAA/AUTHEN/LOGIN (00000083): Pick method list 'Login_Authen_via_TACACS'
! Sending a TACACS+ request to contact the server
TPLUS(00000083)/0/NB_WAIT/68BD742C: Started 5 sec timeout
TPLUS(00000083)/0/NB_WAIT: socket event 2
TPLUS(00000083)/0/NB_WAIT: wrote entire 33 bytes request

TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: Would block while reading
TPLUS(00000083)/0/READ: read entire 12 header bytes (expect 16 bytes data)
R1#
TPLUS(00000083)/0/READ: read entire 28 bytes response
! Router got a message back from ACS
! Router will now prompt the user for their username
TPLUS(00000083)/0/68BD742C: Processing the reply packet
TPLUS: Received authen response status GET_USER (7)
R1#
TPLUS: processing authentication continue request id 131
TPLUS: Authentication continue packet generated for 131
TPLUS(00000083)/0/WRITE/68BD742C: Started 5 sec timeout
TPLUS(00000083)/0/WRITE: wrote entire 22 bytes request
! Router will now prompt user for the user password
TPLUS: Received authen response status GET_PASSWORD (8)
R1#
TPLUS(00000083)/0/WRITE/68BD742C: Started 5 sec timeout
! The ACS server said YES to the username/password combination.
TPLUS: Received authen response status PASS (2)
! The router now begins the authorization process for the user
! using the authorization methods in the list associated with the VTY lines
AAA/AUTHOR (0x83): Pick method list 'Exec_Authorization_via_TACACS'
TPLUS: Authorization request created for 131(admin)
TPLUS: using previously set server 192.168.1.252 from group tacacs+
TPLUS(00000083)/0/NB_WAIT/68BD742C: Started 5 sec timeout

! Got the reply from the ACS server saying yes to authorization
! and that the user should be placed at privilege level 15
TPLUS: Processed AV priv-lvl=15
TPLUS: received authorization response for 131: PASS
R1#
R1# show users
Line
User
2 vty 0
admin
169
Host(s)
Idle
Location
idle
00:00:51 10.0.0.25
! We could do the same test again, except this time, login as the user
! "help-desk"
! The results will be nearly identical, with the exception that the user
! will be provided with an exec shell (CLI) at privilege level 1
R1#
AAA/AUTHEN/LOGIN (00000084): Pick method list 'Login_Authen_via_TACACS'
TPLUS(00000084)/0/NB_WAIT/68793774: Started 5 sec timeout
R1#
TPLUS(00000084)/0/68793774: Processing the reply packet
TPLUS: Received authen response status GET_USER (7)
R1#
TPLUS(00000084)/0/WRITE/68793774: Started 5 sec timeout

TPLUS: Received authen response status GET_PASSWORD (8)
R1#
TPLUS(00000084)/0/WRITE/68793774: Started 5 sec timeout
TPLUS: Received authen response status PASS (2)
AAA/AUTHOR (0x84): Pick method list 'Exec_Authorization_via_TACACS'
TPLUS: Authorization request created for 132(help-desk)
TPLUS: using previously set server 192.168.1.252 from group tacacs+
TPLUS(00000084)/0/NB_WAIT/68793774: Started 5 sec timeout
TPLUS: Processed AV priv-lvl=1
TPLUS: received authorization response for 132: PASS
R1#
R1# show users
Line
User
Host(s)
2 vty 0
help-desk
idle
Idle
00:01:24Location
10.0.0.25
VI. Do I Know This Already? Quiz

Table 7-1 Do I Know This Already? Section-to-Question Mapping
Foundation Topics Section
Questions
Cisco Secure ACS, RADIUS, and TACACS
1-3
Configuring Routers to Interoperate with an ACS Server
4-6
Configuring the ACS Server to Interoperate with a Router
7-8
Verifying and Troubleshooting Router-to-ACS Server Interactions
9-10
1. Which of the following are most likely to be used for authentication of a network
administrator accessing the CLI of a Cisco router? (Choose all that apply.)
a. TACACS+
b. Diameter
c. RADIUS
d. ACS
2. Which of the following allows for granular control related to authorization of
specific Cisco IOS commands that are being attempted by an authenticated and
authorized Cisco router administrator?
a. RADIUS
b. Diameter
c. TACACS+
d. ISE
3. Which devices or users would be clients of an ACS server? (Choose all that apply.)
a. Routers
b. Switches
c. VPN users
d. Administrators
4. On the router, what should be created and applied to a vty line to enforce a specific
set of methods for identifying who a user is?
a. RADIUS server
b. TACACS+ server
c. Authorization method list
d. Authentication method list
5. What is the minimum size for an effective TACACS+ group of servers?
a. 1
b. 2
c. 5
d. 6
6. With what can you configure AAA on the router? (Choose all that apply.)
a. ACS
b. CCP
c. CLI
d. TACACS+
7. Which statement is true for ACS 5.x?
a. User groups are nested in network device groups
b. Authorization policies can be associated with user groups that are accessing
specific network device groups
c. There must be at least one user in a user group
d. User groups can be used instead of device groups for simplicity
8. Where in the ACS do you go to create a new group of administrators?

a. Users and Identity Stores > Identity Groups
b. Identity Stores > Identity Groups
c. Identity Stores and Groups > Identity Groups
d. User and Groups > Identity Groups
9. From the router, which method tests the most about the ACS configuration, without
forcing you to log in again at the router?
a. Ping
b. traceroute
c. test aaa
d. telnet
10. Which of the following could likely cause an ACS authentication failure, even when
the user is using the correct credentials? (Choose all that apply.)
a. Incorrect secret on the ACS
b. Incorrect IP address of the ACS configured on the router
c. Incorrect routing
d. Incorrect filtering between the ACS and the router
VII. Review All the Key Topic

Table 7-5 Key Topics
Key Topic Description
Element
Page
Number
Text
Why use Cisco ACS -
140
Text
Protocols used between the ACS and the router -
141
Table 7-2
TACACS+ versus RADIUS -
142
Example 7-1 Using the CLI to configure IOS for use with ACS -
144
Table 7-3
Configuring the router to use ACS via TACACS+ -
148
Figure 7-6
Applying the newly created method lists -
152
Table 7-4
Key components for configuring ACS -
155
Example 7-4 Testing AAA between the router and the ACS -
165
VIII. Complete the Tables and Lists from Memory

Table 7-2 TACACS+ Versus RADIUS
TACACS+
RADIUS
Functionality
Separates AAA functions into distinct

elements. Authentication is separate
from authorization, and both of those
are separate from accounting
Combines many of the functions of

authentication and authorization
together. Has detailed accounting
capability when accounting is
configured for use
Standard
Cisco proprietary, but very well

known
Open standard, and supported by nearly

all vendors' AAA implementation
L4 protocol
TCP
UDP
Replacement coming None officially planned
Possibly Diameter (named to imply that

RADIUS is only half as much, pun
intended)
Confidentiality
All packets are encrypted between

ACS server and the router (which is
the client)
Only the password is encrypted with

regard to packets sent back and forth
between the ACS server and the router
Granular command
by command
authorization
This is supported, and the rules are

defined on the ACS server about
which commands are allowed or
disallowed
No explicit command authorization

checking rules can be implemented
Accounting
Provides accounting support
Provide accounting support, and

generally acknowledged as providing
more detailed or extensive accounting
capability than TACACS+
Table 7-4 Key Components for Configuring ACS

Component of ACS
How It Is Used
Network device groups
Groups of network devices, normally based on routers or switches

with similar functions/devices managed by the same administrators
Network devices (ACS

clients/routers/switches)
The individual network devices that go into the device groups
Identity groups (user/admin

groups)
Groups of administrators, normally based on users who will need

similar rights and access to specific groups of network devices
User accounts
Individual administrator/user accounts that are place in Identity groups
Authorization profiles
These profiles control what rights are permitted. The profile is

associated with a network device group and a user/administrator
identity group
IX. Define Key Terms

1.
2.
3.
4.
5.
6.
ACS RADIUS TACACS+ AAA server authentication method list authorization method list -
X. Command Reference to Check Your Memory

Table 7-6 Command Reference
Command
Description
Aaa new-model
Enable the configuration of method lists and other AAA-related elements,

including the use of ACS
Test aaa group tacacs+

admin cisco123 legacy
Allow verification of the authentication function working between the

AAA client (the router) and the ACS server (the AAA server)
Aaa authentication
login MYLIST1 group
tacacs+ none
Create an authentication method list, that when applied elsewhere in the

configuration, requests the services of an ACS server via TACACS+, and if
no server responds, the next method local (which is the local router
configuration) is checked to verify the credentials of the user
Aaa authorization exec Create an authorization method list, that when applied to a vty line,
MYLIST2 group tacacs+ requests the services of an ACS server (via TACACS+). If no server
none
responds , the second method none is used. This result in no username
prompt being provided to the user, and authentication is not required
Tacacs-server host
192.168.1.252 key
cisco123
Places a server into the group of ACS servers the router can use for
TACACS+ requests. It includes the IP address and the secret used to
encrypt packets between this router (the client) and the ACS server

Ccna Security Ch7 Implementing Aaa Using Ios ACS Server

Uploaded by

Copyright:

Available Formats

Ccna Security Ch7 Implementing Aaa Using Ios ACS Server

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ccna Security Ch7 Implementing Aaa Using Ios ACS Server

Uploaded by

Copyright:

Available Formats

Chapter 7: Implementing AAA Using IOS and the ACS

II. Cisco Secure ACS, RADIUS, and TACACS

2. What Platform Does ACS Run On?

III. Configuring Routers to Interoperate with an ACS Server

Separates AAA functions into

Combines many of the functions

Cisco proprietary, but very well

Open standard, and supported by

None officially planned

Possibly Diameter (named to

All packets are encrypted

Only the password is encrypted

Granular command by command This is supported, and the rules

Provide accounting support, and

Provides accounting support

3. CLI and CCP can be used

This step is done way before you even begin

Enable the ability to configure AAA

Aaa new-model is not enabled by default. If you

Specify the address of an ACS server to use

Use the tacacs-server host command, including

In vty line configuration mode, specify the

6. Using CCP to implement the same as above:

c. To create a method list

d. You can see all authentication method lists here

7. You can create an authorization method list

8. List of authorization method lists

9. Apply method lists to vty lines

b. Shows a summary of configuration

10. Create a local user account

IV. Configuring the ACS Server to Interoperate with a Router

Groups of network devices, normally based on routers or

Network devices (ACS

The individual network devices that go into the device

Identity groups (user/admin groups)

Groups of administrators, normally based on users who

Individual administrator/user accounts that are place in

These profiles control what rights are permitted. The

5. First step is to create a device group as shown above.

6. Add a device so we can put it in the device group we just created:

7. Configure User group

8. Summary pops up after submitting a user group

9. Create user accounts

10. Summary of what you configured

11. Create Authorization policies

V. Verifying and Troubleshooting Router-to-ACS Server Interactions

TPLUS(00000083)/0/NB_WAIT: wrote entire 33 bytes request

TPLUS(00000083)/0/READ: read entire 12 header bytes (expect 18 bytes data)

TPLUS(00000084)/0/READ: socket event 1

VI. Do I Know This Already? Quiz

Cisco Secure ACS, RADIUS, and TACACS

Configuring Routers to Interoperate with an ACS Server

Configuring the ACS Server to Interoperate with a Router

Verifying and Troubleshooting Router-to-ACS Server Interactions

8. Where in the ACS do you go to create a new group of administrators?

VII. Review All the Key Topic

Why use Cisco ACS -

Protocols used between the ACS and the router -

TACACS+ versus RADIUS -