I know the packet flow when using CHAP without TACACS, and I know the TACACS packet flow, but I can't find anything documenting the actual authentication process when the two are combined. Here's a sample question I'm trying to sort out:
Router A dials Router B. Assuming the default ppp authentication chap statement on both ends, either could attempt to initiate CHAP. Assume Router A sends the CHAP packet to Router B. Router A has to know the name of the remote router, so you still have to have the username definition in Router A for Router B, correct? (i.e., Router A can't go to the TACACS server and ask for the hash to send to Router B, can it?). As I understand it, Router B gets the hash, and sends it to the TACACS server for verification. The TACACS server sends back a yes or a no. How is this a three-way authentication then? And can Router B get away with not having any usernames defined?
Does anyone know of a good technical description of the authentication process when combining CHAP and TACACS+?
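To make the roles in the question concrete, here is an added example (not from the original post or from any Cisco documentation) that models the three CHAP packets from RFC 1994: the Challenge from the authenticating router, the Response computed by the peer as MD5(Identifier || secret || Challenge), and the Success/Failure decision made by whoever holds the peer's cleartext secret. The Verifier class stands in for either the router's own username database or a TACACS+ server that is handed the identifier, challenge and response; that hand-off and all names and secrets are constructed assumptions for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that sends the Challenge packet (Router A in the question)."""
    def __init__(self, name: bytes) -> None:
        self.name = name
        self.identifier = 0

    def challenge(self) -> tuple[int, bytes, bytes]:
        # Identifier is one octet; it ties a Response to this Challenge.
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, os.urandom(16), self.name


class Peer:
    """The side that answers (Router B). It must already hold the secret shared
    with the authenticator named in the Challenge, so that secret is local."""
    def __init__(self, name: bytes, secrets_by_authenticator: dict[bytes, bytes]) -> None:
        self.name = name
        self.secrets = secrets_by_authenticator

    def respond(self, identifier: int, challenge: bytes, auth_name: bytes) -> tuple[int, bytes, bytes]:
        return identifier, chap_response(identifier, self.secrets[auth_name], challenge), self.name


class Verifier:
    """Whoever holds the cleartext secret for the peer's name: the authenticator's
    own username database or (assumed here to model the AAA hand-off) a TACACS+
    server given the identifier, challenge and response. CHAP needs the cleartext
    secret to recompute the hash, so a hashed-only store cannot verify."""
    def __init__(self, secrets_by_peer: dict[bytes, bytes]) -> None:
        self.secrets = secrets_by_peer

    def verify(self, identifier: int, challenge: bytes, response: bytes, peer_name: bytes) -> bool:
        secret = self.secrets.get(peer_name)
        if secret is None:
            return False  # no record for this peer name -> Failure
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(authenticator: Authenticator, peer: Peer, verifier: Verifier) -> bool:
    """Challenge -> Response -> Success/Failure: the three CHAP packets."""
    ident, chal, auth_name = authenticator.challenge()
    ident2, resp, peer_name = peer.respond(ident, chal, auth_name)
    return ident2 == ident and verifier.verify(ident, chal, resp, peer_name)
```

Running run_exchange with matching secrets on both sides returns True; a wrong secret on the peer or a peer name the verifier has no record for returns False, which is the case the question raises about a router with no usernames defined.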