Long time ago, back in the days of dial-up, now I'm talking about even before PCs, we would have big mainframe systems like CompuServe, and stuff like that. And people would want to access the services. So what they would do is they would sit at their house with a terminal or whatever it might be, and using dial-up, they would connect to these big services. Now, that worked fine, and they had authentication. For example, within this system, you would have usernames and passwords, and it could do authentication, like CHAP and stuff like that, and life was good.
The problem was, is that over time, we began to have thousands of people, tens of thousands, hundreds of thousands of people accessing these systems. And what you ended up having were these big banks of modems that all had to do authentication. And that was a big problem when you had 10,000 of these people. So we needed to come up with a better way to do authentication for the masses. First of all, obviously, it had to be centralized. So what we would do is we'd have some... let me line this up a little bit better.
So you're... As the person dialing in, here's how they're getting into the system. And then there would be some server back here with all the usernames and passwords. So it didn't matter where the people were connecting; they would have one centralized place for the usernames and passwords. That's good. The second thing is, we had to handle authorization better. In these types of situations, you're just letting people have access to a system.
But once they have access to a system, what can they do within the system? And with pure authentication, you didn't even have that feature. Third was accounting: we had to keep track of what people were doing and when, in order to understand what was taking place, in order to deal with problems. So we needed to come up with a complete system that took care of authentication, authorization and accounting. And those are known generically as triple A (AAA). Now there are two very different ways to do that.
Well, not that different. They have a lot of similarity, and they're called RADIUS and TACACS+. So let's take a look at both. First, let's talk about Remote Authentication Dial-In User Service, better known as RADIUS. Now, this is a RADIUS setup. Now, keep in mind that RADIUS, based on its name, was designed to support dial-in networking.
So the main parts of RADIUS are going to look like this. First of all, you're going to have a RADIUS server. Now this RADIUS server is sitting inside whatever network or system you're trying to get to, and on this system are going to be a bunch of usernames and passwords. Now these can be stored by themselves; these could be a SQL database, this could be an Active Directory domain. It doesn't really matter where the usernames and passwords are; in fact, they don't even have to physically sit on the server. The server himself simply has to be able to get to that stack of usernames and passwords.
And then he can go ahead and authenticate on that. The next part is going to be what we call the RADIUS client. The RADIUS client is not really the person who's trying to get authenticated; the RADIUS client is really the gateway that separates that which we want to get authenticated to from those who are trying to get authenticated. Way on the end here is the RADIUS supplicant. A supplicant is the person, the system, whatever it is, that's actually trying to get authenticated. So this is the basic setup for RADIUS. So what will happen is that this device will go to the RADIUS client, and then the RADIUS client, which knows the IP address of the RADIUS server, sends the credentials over, and the RADIUS server decides whether that person can be authenticated or not.
Now dial-up's long dead, no doubt about that, but RADIUS lives on. Well, in the world of wireless networks, if you want serious authentication in a wireless network, I'm not talking about WPA2 Personal shared key and stuff like that, you will use a RADIUS server. Every wireless network in the world is designed to support RADIUS servers. So to do this, you end up having to buy a RADIUS server: Juniper sells Steel-Belted Radius, Microsoft sells Internet Authorization Server, you can get OpenRADIUS, which is a Linux-based tool. Configure this, you then go into your wireless access points, and pretty much every wireless access point in existence has a setting in there that says, "Yes, I want to use RADIUS."
And all you do here is type in the IP address for this guy. And then these guys don't even really see any of this happening; they would have to enter a username and password, which could be done automatically, but they do have to go through that process. So when you're talking about RADIUS, there's two things I want you to remember. Number one, RADIUS is really used more for network access than anything else. Secondly, you need to remember that RADIUS can use up to four different UDP ports: 1812, 1813, 1645 and 1646.
Now, I'm going to add one more thing while I'm at it. The downside, if you want to call it that, to RADIUS is RADIUS doesn't really handle authorization. It gets you authenticated just fine. But the whole idea behind accessing the network is that we'll let you get in, and then there's other stuff later, like domain controllers and stuff like that, that'll actually decide what you get to do.
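The RADIUS exchange just described (the client forwarding the supplicant's credentials to the server, which answers accept or reject), as an added Python example that is not part of this lecture: it builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, lets a toy server look the user up and reply, and has the client check the Response Authenticator on the reply. The shared secret, user store and identifiers are constructed sample values, and only the two attributes needed for the exchange are implemented.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types used here

def attr(t, v):
    # one attribute: Type, Length (counting these two header bytes), Value
    return struct.pack("!BB", t, len(v) + 2) + v

def hide_password(pw, secret, req_auth):
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)
    pw = pw.ljust(max(16, (len(pw) + 15) // 16 * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    # server side: same keystream, but the chaining block is the received (hidden) block
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def build_access_request(user, pw, secret, ident=0, req_auth=None):
    # the RADIUS client (the NAS, e.g. an access point) picks a fresh 16-byte Request Authenticator
    req_auth = req_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(pw, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_respond(req, secret, users):
    # RADIUS server: recover the password, check it against the user store, answer Accept/Reject
    ident, length = req[1], struct.unpack("!H", req[2:4])[0]
    req_auth, attrs = req[4:20], parse_attrs(req[20:length])
    ok = users.get(attrs.get(USER_NAME)) == reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()

def client_verify(req, resp, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    # the client recomputes it, so a reply forged without the secret (or tampered) is dropped
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()
    return resp[0] if resp[4:20] == expected else None
```

Real deployments carry this over UDP port 1812 (or 1645) and add further attributes; the password hiding above is the legacy PAP scheme, which is why serious wireless deployments run EAP inside RADIUS instead.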
But we're going to see with the next one that that can sometimes be an issue. Next, let's talk about Terminal Access Controller Access Control System, better known as TACACS+. Now TACACS+ is also a form of triple A, but it does a few things that are very different. In particular, TACACS+ is really, really good at managing a bunch of devices. So if you've got a bunch of routers and switches and stuff all over the place, and people have to log into them to be able to do stuff with them, TACACS+ is where you go. Now in this situation, what I have are a bunch of Cisco devices. These are different Cisco switches and routers, and I've got somebody over here who wants to access these remotely, so he's going to use SSH or something like that to get into them.
Now, the challenge you have in these types of situations is that authentication isn't that bad, and TACACS+ has a TACACS+ server, but where TACACS+ really shines over RADIUS is that TACACS+ really takes care of the authorization aspect really well. See, if you talk about what's happening on these little switches and routers, it really depends on who you are that you want to determine what they can do. So TACACS+, as we say, decouples the authentication from the authorization. With RADIUS, it's all kind of done in one big lump: you're either in or you're not in. But with TACACS+, not only are you in, but it also defines in real time what you can do with these individual devices. Here I have tens of thousands of unique individual commands that I can send to them.
But the trick is that I may not want everybody to do certain groups of commands, and I want to have certain groups to do certain stuff. That is where TACACS+ really shines, because it decouples the authorization from the authentication. Oh, and by the way, for the Security+, make sure you know that TACACS+ uses TCP port 49. So those are the two big differences between the two most popular versions of triple A, RADIUS and TACACS+. Now, the one thing that they both do really, really well is auditing. They can actually go through auditing (accounting, really; it's the same either way), they can go through and keep track of who's doing what, when they're doing it; they generate log files, and that's really what the third part of triple A is all about. Make sure you know all this stuff because, you know what, it's on Security+.