TACACS authentication

Updated: February 15, 2013

Applies To: Unified Access Gateway

Some of the Forefront Unified Access Gateway 2010 SP3 features discussed in this article may be deprecated and may be removed in subsequent releases. For a complete list of deprecated features, see Features Deprecated in Forefront UAG SP3.

Forefront Unified Access Gateway (UAG) supports user authentication using a Terminal Access Controller Access Control System (TACACS). The TACACS protocol allows a network access server (NAS) to offload the user administration to a central server. When the TACACS authentication scheme is applied, user connection requests are directed by the NAS to the TACACS authentication server, where user identity is compared against the server's user database, and users are granted or denied access accordingly.

Forefront UAG and the TACACS authentication server operate in a client-server mode, where Forefront UAG is configured as a client of the TACACS server.

The TACACS authentication scheme uses a secret key to encrypt the authentication request. This key must be identically configured in both the Forefront UAG and the TACACS authentication server.
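As an added illustration of why the shared secret must match on both sides (this is example code, not part of the original article and not Forefront UAG or NTTacPlus code), the following Python implements the TACACS+ packet header and body obfuscation from RFC 8907. It assumes the server speaks TACACS+ (the article only says "TACACS"); the session id, user name, port, remote address and passwords are constructed sample values. The body is XORed with an MD5-derived pseudo-pad keyed on the shared secret, so a NAS and a server with different secrets simply decode each other's requests into garbage rather than failing with a clear key error.

```python
"""TACACS+ (RFC 8907) header packing and body obfuscation with a shared secret.
Added example: not code from the article, from Forefront UAG, or from NTTacPlus."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02    # assumed authen_type for this example
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in cleartext
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data, priv_lvl=1):
    """Authentication START body: fixed fields, four length bytes, then the
    variable fields in order (user, port, rem_addr, data)."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), data]
    fixed = [TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
             TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN]
    return bytes(fixed + [len(f) for f in fields]) + b"".join(fields)


def build_packet(body, session_id, key, seq_no=1, minor_ver=0):
    """Prepend the 12-byte header (always cleartext) to the obfuscated body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_ver
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    """Return the deobfuscated body as the receiving side would see it."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body  # cleartext body: a deployment should reject this, not rely on it
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    # Constructed sample values; the secret is what must match on both sides.
    start = authen_start_body("alice", "tty0", "10.0.0.5", b"example-password")
    pkt = build_packet(start, session_id=0x12345678, key=b"shared-key")
    print("same key recovers body:  ", parse_packet(pkt, b"shared-key") == start)
    print("wrong key recovers body: ", parse_packet(pkt, b"wrong-key") == start)
```

Only the body is obfuscated; the header (including the session id and length) travels in the clear, and the MD5-based pad offers no integrity protection, which is why TACACS+ traffic between the NAS and the server should still be confined to a trusted management network.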

Note

The TACACS authentication scheme was tested against the NTTacPlus authentication server.

TACACS authentication flow

The following figure illustrates the authentication process users pass through when the TACACS authentication scheme is implemented.

Note

The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is configurable.

TACACS Authentication Flow
