PrepAway - Latest Free Exam Questions & Answers

Which of the following statements are true regarding TACACS+? (Choose two.)

A. It combines authorization and authentication functions.

B. It encrypts the entire body of a packet.

C. It provides router command authorization capabilities.

D. It uses UDP for packet delivery.

E. It was developed as an IETF-standard protocol.

Explanation:
Terminal Access Controller Access-Control System Plus (TACACS+) encrypts the entire body of a packet and provides router command authorization capabilities. TACACS+ is a Cisco-proprietary protocol that uses Transmission Control Protocol (TCP) for transport during Authentication, Authorization, and Accounting (AAA) operations. TACACS+ provides more security and flexibility than other authentication protocols, such as Remote Authentication Dial-In User Service (RADIUS), which is an open-standard protocol commonly used as an alternative to TACACS+. Because TACACS+ can be used to encrypt the entire body of a packet, users who intercept the encrypted packet cannot view the user name or contents of the packet.

In addition, TACACS+ provides flexibility by separating the authentication, authorization, and accounting functions of AAA. This enables granular control of access to resources. For example, TACACS+ gives administrators control over access to configuration commands; users can be permitted or denied access to specific configuration commands. Because of this flexibility, TACACS+ is used with Cisco Secure Access Control System (ACS), which is a software tool that is used to manage user authorization for router access.

RADIUS, not TACACS+, was developed as an Internet Engineering Task Force (IETF)-standard protocol. Like TACACS+, RADIUS is a protocol used with AAA operations. However, RADIUS uses User Datagram Protocol (UDP) for packet delivery and is less secure and less flexible than TACACS+. RADIUS encrypts only the password of a packet; the rest of the packet would be viewable if the packet were intercepted by a malicious user. With RADIUS, the authentication and authorization functions of AAA are combined into a single function, which limits the flexibility that administrators have when configuring these functions. Furthermore, RADIUS does not provide router command authorization capabilities.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html#comparing

