Auerbach Publications © 2000 CRC Press LLC

DATA SECURITY MANAGEMENT

CENTRALIZED AUTHENTICATION SERVICES (RADIUS, TACACS, DIAMETER)

Bill Stackpole

INSIDE
Key Features of an AAA Service; RADIUS: Remote Authentication Dial-in User Service; TACACS: Terminal Access Controller Access Control System; DIAMETER: Twice RADIUS?

INTRODUCTION

RADIUS, TACACS, and DIAMETER are classified as authentication, authorization, and accounting (AAA) servers. The Internet Engineering Task Force (IETF) chartered an AAA Working Group in 1998 to develop the authentication, authorization, and accounting requirements for network access. The goal was to produce a base protocol that supported a number of different network access models, including traditional dial-in network access servers (NAS), Mobile-IP, and roaming operations (ROAMOPS). The group was to build upon the work of existing access providers like Livingston Enterprises.

Livingston Enterprises originally developed RADIUS (Remote Authentication Dial-in User Service) for their line of network access servers (NAS) to assist timeshare and Internet service providers with billing information consolidation and connection configuration. Livingston based RADIUS on the IETF distributed security model and actively promoted it through the IETF Network Access Server Requirements Working Group in the early 1990s. The client/server design was created to be open and extensible so it could be easily adapted to work with other third-party products. At this writing, RADI-

PAYOFF IDEA
Got the telecommuter, mobile workforce, VPN, multi-platform, dial-in user authentication blues? Need a centralized method for controlling and auditing external accesses to your network? Then RADIUS, TACACS, or DIAMETER may be just what you have been looking for. Flexible, inexpensive, and easy to implement, these centralized authentication protocols improve remote access security and reduce the time and effort required to manage Remote Access Server (RAS) clients.

83-10-32