AuthAgent TACACS+

Tech Specification

Embedded Tacacs+ Client Library

AuthAgent TACACS+ is a lean, embedded implementation of the Cisco TACACS+ protocol as specified in the TACACS+ RFC draft (draft-grant-tacacs). It implements the client side of a client/server mechanism to carry authentication and authorization information between a network service granting privileges and a shared server that has the centralized user and node information required to decide whether such privileges should be granted. When used in conjunction with protocols that secure the network path, AuthAgent TACACS+ provides a powerful, yet simple mechanism to authenticate and authorize access to VPNs, gateway devices, dial-up concentrators, Ethernet switches and wireless networks.

The TACACS+ protocol specifies the information exchange between a device that provides network access to users (the “TACACS+ client”) and a device that manages authentication information and credentials for those users (the “TACACS+ server”). Having this separation of roles allows for centralized authentication and administration, which is especially attractive to embedded devices that need to verify user credentials and authorize users, without having the overhead of maintaining and administering a database of sensitive user information locally on the device. AuthAgent TACACS+ provides a library to build customized TACACS+ client applications, and facilitates this authentication on embedded devices.

TACACS+ Security
Security for the TACACS+ information exchange is enabled by means of a pre-configured shared secret known only to two parties: the client application enabled by AuthAgent TACACS+ (configured using its APIs) and the TACACS+ server in use. All transactions between these two endpoints are encrypted using this shared secret, which itself is never sent over the network. AuthAgent TACACS+ encrypts sensitive user data, such as passwords, with a stream derived from an MD5 hash, so that only the two ends of a TACACS+ link can decode them.

Features & Benefits

  • Cisco draft-RFC compliant.
  • Includes PAP, CHAP, MS-CHAP and ENABLE client APIs.
  • Dynamic shutdown and restart (no reboot required).
  • Can be used standalone, or integrated with other security protocols and in TeamF1 production-ready solutions.
  • Support for multiple CPU types (x86, PowerPC, MIPS, ARM/Xscale).
  • Royalty-free full source code distribution.

Advanced Features

  • Robust interoperability-tested TACACS+ agent library.
  • OS-independent and modular.
  • Integrated into embedded devices with easy-to-use APIs.
  • Supports multiple server configurations.

Challenge Response Support
Besides supporting password authentication (PAP) logins, AuthAgent TACACS+ provides APIs to support challenge-response authentication. AuthAgent TACACS+ supports both CHAP and MS-CHAP authentication.

Usage Scenarios
AuthAgent TACACS+ is most commonly used to add authentication features to devices that may be deployed in environments using Cisco networking gear. AuthAgent TACACS+ can be used standalone, as an add-on for TeamF1’s network security protocols such as SSHield, V-IPSecure and others, or as an authentication method in TeamF1’s SMBware™ turnkey solutions. It can also be combined with third-party security protocol implementations, allowing a common centralized back-end authentication server to hold and administer a user directory that can be used across the board in an enterprise. Further, its made-for-embedded design and dynamic shutdown and restart capabilities make it easy to use with a provisioning system.

Built for OS independence
AuthAgent TACACS+ is designed from the ground up to work with different operating systems, including Linux® 2.4- and 2.6-based kernels, Green Hills INTEGRITY® and various versions of VxWorks®, including VxWorks-based platforms such as Wind River® Platform for Network Equipment and others. It has been extensively tested across many CPU architectures and against several open source and Cisco TACACS+ servers.

AuthAgent TACACS+ uses TeamF1’s AdaptOS library to abstract OS-specific features, making it easy to port to additional embedded operating systems that require its rich authentication functionality.

Customization Flexibility

  • Available in full source format.
  • Flexible APIs for configuring TACACS+ server settings including server name, retry count, timeouts and shared secrets on a server-specific basis.
  • Allows specification of multiple TACACS+ servers.
  • Can add new authentication methods.
  • Supports all authorization methods through flexible API.
  • Easily ported to new operating systems.
  • Modular architecture allows for easy exclusion of unneeded functionality.