Forefront Unified Access Gateway (UAG) supports user authentication using a Terminal Access Controller Access Control System (TACACS). The TACACS protocol allows a network access server (NAS) to offload the user administration to a central server. When the TACACS authentication scheme is applied, user connection requests are directed by the NAS to the TACACS authentication server, where user identity is compared against the server's user database, and users are granted or denied access accordingly.

Forefront UAG and the TACACS authentication server operate in a client-server mode, where Forefront UAG is configured as a client of the TACACS server.

The TACACS authentication scheme uses a secret key to encrypt the authentication request. This key must be identically configured in both the Forefront UAG and the TACACS authentication server.

The TACACS authentication scheme was tested against the NTTacPlus authentication server.

TACACS authentication flow

The following figure illustrates the authentication process users pass through when the TACACS authentication scheme is implemented.

The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is configurable.

TACACS Authentication Flow