
TACACS+ (Terminal Access Controller Access-Control System) is an AAA protocol developed by Cisco. Over time TACACS+ has become a standard protocol supported by all vendors. There is also another standard AAA protocol called RADIUS. If you would like to learn more about RADIUS, you can check the RADIUS Protocol lesson. You can also refer to the related RFC.
The main duty of TACACS+ is providing device administration. It can also be used for network access. With this AAA protocol, network administrators are authenticated when they log in to network devices such as routers, switches and firewalls.
AAA protocols can encrypt either the full packet or only the passwords. TACACS+ provides full packet encryption: it encrypts the whole packet. RADIUS does not encrypt the full packet; it encrypts only the passwords. This makes Terminal Access Controller Access-Control System a more secure AAA protocol than RADIUS.
TACACS+ is also a Client/Server protocol. For the different duties (Authentication, Authorization, Accounting), different messages are exchanged between the Server and the Client. One side is the Client and the other is the Server; the messaging between these two ends builds the session.
TACACS+ uses TCP (Transmission Control Protocol) as its transport protocol. The TCP port used for this protocol is 49.
TACACS+ provides separate AAA (Authentication, Authorization, Accounting) functions. They are not separate in RADIUS: in RADIUS, Authentication and Authorization are combined, and only Accounting is separate.
Terminal Access Controller Access-Control System uses command logging. We can determine which user entered which command. This is especially useful for troubleshooting issues.
As you know, there are different privilege levels for users in a system. There are 15 privilege levels used with TACACS+.
Terminal Access Controller Access-Control System has three-step messaging. As mentioned before, it has separate phases for Authentication, Authorization and Accounting. For each of these phases, request and reply messages are sent between Client and Server. This is the typical mechanism for a Client/Server protocol.
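The encryption claim and the request/reply messaging described above, as an added example that is not part of the original lesson: a small Python model of the TACACS+ wire format as specified in RFC 8907. It shows what "full packet encryption" means in practice: the 12-byte header (version, type, sequence number, flags, session id, length) travels in cleartext, and only the body is XORed with an MD5 pseudo-pad derived from the shared secret, session id, version and sequence number. RFC 8907 itself calls this obfuscation rather than encryption and recommends carrying TACACS+ over a protected transport, which is the caveat to keep in mind when comparing it with RADIUS. The protocol constants are the real values from the RFC; the shared secret, session id, username, port and address are constructed sample values.

```python
import hashlib
import struct

# Header constants from RFC 8907 section 4.1 (real protocol values)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01          # authentication packet
TAC_PLUS_AUTHOR = 0x02          # authorization packet
TAC_PLUS_ACCT = 0x03            # accounting packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

# Authentication START body constants (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# 12-byte header: version, type, seq_no, flags, session_id, length (network order)
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pseudo_pad(session_id, key, version, seq_no, length):
    """Build the MD5 pseudo-pad of RFC 8907 section 4.5.

    pad_1 = MD5(session_id, key, version, seq_no)
    pad_n = MD5(session_id, key, version, seq_no, pad_{n-1})
    Blocks are concatenated until the pad covers the body length.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"", priv_lvl=1):
    """Encode an authentication START body (RFC 8907 section 5.1)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack(
        "!BBBBBBBB",
        TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(data),
    )
    return fixed + user_b + port_b + rem_b + data


def build_packet(msg_type, seq_no, session_id, body, key):
    """Prepend the cleartext header and obfuscate the body with the shared key."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    header = struct.pack(HEADER_FMT, version, msg_type, seq_no, flags, session_id, len(body))
    wire_body = obfuscate(body, session_id, key, version, seq_no) if key else body
    return header + wire_body


def parse_packet(packet, key):
    """Split header and body and de-obfuscate the body with the shared key.

    Returns the header fields and the recovered body. A packet that arrives
    with TAC_PLUS_UNENCRYPTED_FLAG set carries its body in cleartext, which a
    monitoring rule should treat as a misconfigured client.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet: header incomplete")
    version, msg_type, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN]
    )
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("body length does not match header length field")
    unencrypted = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    plain = body if unencrypted else obfuscate(body, session_id, key, version, seq_no)
    return {
        "version": version, "type": msg_type, "seq_no": seq_no, "flags": flags,
        "session_id": session_id, "length": length, "unencrypted": unencrypted,
        "body": plain,
    }


if __name__ == "__main__":
    # Constructed sample values, not captured traffic
    KEY = b"constructed-shared-secret"
    body = authen_start_body("netadmin", "tty1", "192.0.2.10")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x0A0B0C0D, body, KEY)
    print("header (cleartext):", pkt[:HEADER_LEN].hex())
    print("body on the wire  :", pkt[HEADER_LEN:].hex())
    print("recovered user    :", parse_packet(pkt, KEY)["body"][8:16])
```

Because the pad depends on the sequence number, the same body looks different on the wire in each step of the request/reply exchange, and because XOR is its own inverse, the server de-obfuscates with the same routine. The header fields (type, session id, sequence number) stay readable to anyone on the path, which is exactly what makes per-session logs easy to correlate but also why the RFC advises a protected transport.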

RADIUS combines authentication and authorization and primarily secures only the password, while TACACS+ separates authentication, authorization and accounting. This provides more granular control over command permissions and ensures all communication is encrypted, not just the password.
TACACS+ uses TCP port 49 for communication between network devices and the AAA server.
Because TACACS+ is TCP-based, it ensures reliable delivery of authentication and authorization messages.
TACACS+ follows a three-step messaging process: Authentication, Authorization and Accounting, each carried out with request and reply messages between the client and the server.
TACACS+ allows centralized and secure management of network devices, provides role-based access control, encrypts all AAA communications and offers detailed logging for auditing. It is especially useful in large enterprise networks where multiple administrators manage critical devices.