SecHard

8. TACACS

What is TACACS Access Management?

With the growth of digital technology, remote access systems have become a frequently used tool in almost every sector of business. Remote access systems bring many benefits, such as making workflows sustainable, optimizing cost and increasing efficiency. Remote access essentially allows users to reach a computer or network from another location, and it can be provided in many different ways, such as a virtual private network (VPN), the remote desktop protocol (RDP) or a remote access service (RAS). However, the access management model itself often creates a number of problems, especially in the area of cyber security. Nevertheless, these problems and their impact can be minimized. SECHARD makes it possible to avoid these difficulties with its TACACS Access Management module, a reliable tool that provides a kind of remote access service.

SECHARD builds a privileged-access infrastructure on top of its other tools and modules by configuring the relevant usernames and passwords with the TACACS protocol. At the same time, the remote authentication feature of TACACS lets SECHARD store the usernames and passwords of your IT network on a central server, in one place. When a user is added to or deleted from your network, or when a user changes a password, you can make the change on each individual network device using both protocols.

In addition, SECHARD ensures that even if you make only one change to the configuration on the server, the devices continue to reach the server for authentication without the need to touch the other components in the system. Although authentication is the best-known function of TACACS, its authorization and accounting functions are also highly capable and useful.


What is TACACS Access Management?

The Terminal Access Controller Access-Control System Plus (TACACS+) remote access module offered by SECHARD is based on one of the most common and functional security protocols used to control access to IT networks. TACACS is used to provide administrator access to network devices such as routers and switches, or to other devices in the system. TACACS is the easiest and most effective method of determining a user's network access through communication with a remote authentication server. The TACACS protocol uses port 49 by default. In addition, TACACS provides Authentication, Authorization and Accounting (AAA) management for the devices that connect to the IT network. The three main components of AAA management are as follows:


Authentication: The authentication feature determines who is authorized to access the network. TACACS provides a username and password for authentication for privileged accounts.

Authorization: This feature determines which services and resources the user can access during the network session. With the authorization feature of the TACACS protocol, visitors can be authorized only to reach the online environment on the network and use the internet, while only the IT team is authorized to access the entire password database.

Accounting: The last feature keeps a record of which user accessed which service and for how long. Accounting records capture the identity, port, network address and a session identifier for each access by a user who connects to the IT network. This data is also tracked by activity monitoring and included in the record kept on behalf of the user, so the feature records how much time each user spends in the system and the transactions they make.

How Does SECHARD TACACS Access Management Work?

TACACS Management consists of Authentication, Authorization and Accounting steps and works with the AAA management process. It consists of 9 steps under the headings of Authentication and Management. Network Admin, Network Specialist and Backbone Specialist are important roles in the working process shaped by these 9 steps. In addition, Active Directory (AD) completes the Lightweight Directory Access Protocol (LDAP) phase in the last step of the process and supports the smooth operation of access management.

You can enable SECHARD TACACS+ on your network devices as follows:

Authentication

  Step 1: The user starts a CLI session for the device they want to access. Once the session is started, the person enters a username and password.

  Step 2: The device to be accessed forwards the username and password to the access manager of the TACACS+ module.

  Step 3: If the username and password are correct, the response is successful.

  Step 4: The device to be accessed sends the response to the user.

  Step 5: A CLI session is established between the user and the target device. After this step, the person can enter commands for device management.

Management

  Step 1: The person enters a command on the CLI screen, which is then transmitted to the device to be accessed.

  Step 2: The device to be accessed forwards the command to the access manager of the TACACS+ module.

  Step 3: The TACACS Access Manager checks whether the user requesting access has the privilege to execute this command. After checking, it gives an accept or reject response. After the response, it logs this command.

  Step 4: If the TACACS Access Manager issues an accept notification to execute the command, the device to be accessed executes the command and transmits the response to the person. If the response is a rejection, the device to be accessed transmits a failed message to the user.
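The AAA components described earlier and the nine-step exchange above can be modelled as one small program, added here as an illustration; it is not SecHard's code and does not use SecHard's policy format. It assumes a constructed role-to-command allowlist (`ROLE_COMMANDS`), PBKDF2-hashed credentials held only on the central server, and constructed user accounts, port and address values. The device side (`run_cli_session`) forwards the login and each command to the access manager, which authenticates, authorizes per command and writes an accounting record for every decision, so a rejected command leaves the same trace as an accepted one.

```python
"""Toy model of the TACACS+ AAA flow: authentication, per-command authorization
and accounting, following the Authentication and Management steps above.
Added example, not SecHard code; the policy and account data are constructed."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000

# Constructed policy: role -> first command word the role may execute.
# Assumption: SecHard's real policy format (e.g. AVPs) is not shown on the page.
ROLE_COMMANDS = {
    "network-admin": {"show", "configure", "interface", "ip", "write", "exit"},
    "network-specialist": {"show", "ping", "traceroute", "exit"},
    "visitor": {"exit"},
}


@dataclass(frozen=True)
class AccountingRecord:
    """One accounting entry: identity, port, network address and session id."""
    timestamp: str
    session_id: str
    username: str
    port: str
    remote_addr: str
    event: str     # "login", "command" or "stop"
    command: str   # "-" for login/stop events
    decision: str  # "accept" or "reject"


class TacacsAccessManager:
    """The central server the devices consult (Authentication step 2,
    Management step 2). Credentials live here, not on each device."""

    def __init__(self):
        self._users = {}          # username -> (salt, pbkdf2 digest, role)
        self.accounting_log = []  # list[AccountingRecord]

    def add_user(self, username, password, role):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, role)

    def authenticate(self, username, password):
        """Authentication step 3: verify the forwarded username and password."""
        entry = self._users.get(username)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, digest = (entry[0], entry[1]) if entry else (b"\x00" * 16, b"")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return entry is not None and hmac.compare_digest(candidate, digest)

    def authorize(self, username, command):
        """Management step 3: may this user's role run this command?"""
        entry = self._users.get(username)
        words = command.split()
        if entry is None or not words:
            return False
        return words[0] in ROLE_COMMANDS.get(entry[2], set())

    def account(self, session_id, username, port, remote_addr, event, command, decision):
        """Accounting: append a record and return it for inspection."""
        rec = AccountingRecord(datetime.now(timezone.utc).isoformat(), session_id,
                               username, port, remote_addr, event, command, decision)
        self.accounting_log.append(rec)
        return rec


def run_cli_session(manager, username, password, commands,
                    port="vty0", remote_addr="192.0.2.10"):
    """The network device's side of the exchange. Returns the per-command
    decisions the user would see (accept -> executed, reject -> failed message)."""
    session_id = secrets.token_hex(4)
    ok = manager.authenticate(username, password)          # Authentication steps 2-3
    manager.account(session_id, username, port, remote_addr, "login", "-",
                    "accept" if ok else "reject")
    if not ok:                                              # step 4: failure reply
        return {"authenticated": False, "results": []}
    results = []
    for cmd in commands:                                    # step 5: CLI session open
        decision = "accept" if manager.authorize(username, cmd) else "reject"
        manager.account(session_id, username, port, remote_addr, "command", cmd, decision)
        results.append((cmd, decision))                     # Management step 4
    manager.account(session_id, username, port, remote_addr, "stop", "-", "accept")
    return {"authenticated": True, "results": results}


def build_demo_manager():
    """Constructed users for the demonstration (not real credentials)."""
    mgr = TacacsAccessManager()
    mgr.add_user("alice", "Adm1n-Pass!", "network-admin")
    mgr.add_user("bob", "Sp3cialist-Pass!", "network-specialist")
    mgr.add_user("guest", "V1sitor-Pass!", "visitor")
    return mgr


if __name__ == "__main__":
    mgr = build_demo_manager()
    outcome = run_cli_session(mgr, "bob", "Sp3cialist-Pass!",
                              ["show ip route", "configure terminal", "exit"])
    for cmd, decision in outcome["results"]:
        print(f"{cmd:20s} -> {decision}")
    for rec in mgr.accounting_log:
        print(rec)
```

Running the block shows a Network Specialist allowed to run `show ip route` but refused `configure terminal`, with five accounting records for the session: one login, one per command (including the rejected one), and one stop. The authorization check here matches only the first word of the command; a production policy would also constrain arguments, which is what the AVP support listed among the module's benefits is for.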


BENEFITS OF TACACS ACCESS MANAGEMENT MODULE WITH SECHARD

  • Clear visibility, detailed audit logs

  • Separation of duties and the principle of limited privilege

  • Define access restrictions based on time

  • Minimum privileges for each department isolated from the network

  • Simple administration with Active Directory (AD) usernames and passwords

  • Automatically lock user account after termination of employment

  • Support open protocol-based network devices

  • Support Attribute Value Pair (AVP) configuration

  • Support more than a thousand devices in a single instance

  • Full compliance with international regulations such as GDPR and ISO27001 with Active Directory group policies extended to network infrastructure

  • Direct access control to target devices

  • Multi-factor authentication

  • Eliminate weak and expired passwords
