What Is TACACS+? Security Definition
On This Page
What do you want to do?
Quick Definition
TACACS+ is a security protocol used by network devices like routers and switches to check if a user is allowed to log in and what commands they can run. It works by sending login details to a central server that makes the decision. Unlike some other systems, TACACS+ encrypts the entire conversation between the device and the server.
Common Commands & Configuration
aaa new-modelEnables the AAA (Authentication, Authorization, and Accounting) security services globally on a Cisco device. This command must be issued before any other AAA configuration commands.
This is the first step in any TACACS+ configuration. Exam questions often test that you know this command is required. Without it, TACACS+ does not work.
tacacs-server host 192.168.1.10 key Cisco123!Specifies the IP address of the TACACS+ server and the shared secret key used for encryption and authentication between the device and the server.
The key must match exactly on both ends. Exams may ask you to identify the correct syntax for defining a TACACS+ server with a key.
aaa authentication login default group tacacs+ localConfigures authentication for login (e.g., console or SSH) to first try TACACS+ servers in the default group, and if none respond, fall back to the local username database.
This demonstrates the fallback mechanism. A common exam scenario asks how to ensure admin access if the TACACS+ server is down. The answer is 'local' as the secondary method.
aaa authorization commands 15 default group tacacs+ localAuthorizes all commands at privilege level 15 (enable mode) using TACACS+ first, then local if no response. This enforces per-command approval.
This is a key differentiator from RADIUS. Exams test that TACACS+ can authorize individual commands, while RADIUS cannot. The '15' refers to privilege level.
aaa accounting exec default start-stop group tacacs+Enables accounting for all EXEC shell sessions (user logins/logouts), sending start and stop records to the TACACS+ server.
Accounting ensures audit trails. The 'start-stop' keyword records both the beginning and end of a session. This appears in CCNA and Security+ questions about logging user activity.
debug tacacsEnables debugging output for TACACS+ packets and events on the Cisco device. Used for troubleshooting authentication or authorization issues.
You may be asked to identify the correct debug command for TACACS+. Be aware that debug commands can be resource-intensive; use with caution in production.
test aaa group tacacs+ admin CiscoPass123 legacyTests TACACS+ authentication manually from the command line, simulating a login with username 'admin' and password 'CiscoPass123'. The 'legacy' keyword specifies the TACACS+ protocol.
This is a practical tool for verifying configuration. Exams may include scenario-based questions where you need to diagnose why authentication fails, and this command helps isolate the issue.
TACACS+ appears directly in 33exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →
Must Know for Exams
TACACS+ is a significant topic across multiple IT certification exams, especially in the security and networking domains. For the CompTIA Security+ exam, which covers fundamental security concepts, TACACS+ appears as a core AAA protocol. Candidates should understand how it compares to RADIUS, the protocol it is most often confused with. Exam questions on Security+ might ask about the differences in encryption (TACACS+ encrypts entire payload, RADIUS only encrypts password) or the separation of AAA functions. You should know that TACACS+ is typically used for device administration, not end-user network access. The exam objectives explicitly list TACACS+ under identity and access management.
For the Cisco CCNA, TACACS+ is a native Cisco technology, so it appears more prominently. CCNA candidates must understand the configuration and operation of TACACS+ on Cisco devices, including how to specify a TACACS+ server, configure authentication for login and enable modes, and set up command authorization. The exam may present scenarios where you need to choose between TACACS+ and RADIUS based on the requirements. For example, if the need is for command-level authorization and detailed accounting, TACACS+ is the correct answer. CCNA questions often include configuration snippets where you must identify the correct syntax or diagnose a configuration error.
For the CompTIA Network+ exam, TACACS+ is covered under network security and identity management. The focus is on understanding the protocol's role in AAA, its encryption properties, and its typical use cases. Candidates should be able to explain the difference between TACACS+ and RADIUS in simple terms. For the ISC² CISSP exam, TACACS+ appears in the Identity and Access Management (IAM) domain. The emphasis is on architectural differences, security considerations, and how TACACS+ supports access control policies. CISSP questions are more conceptual and may ask you to evaluate a scenario where a protocol's weakness or strength is relevant to a security policy. In all these exams, understanding that TACACS+ separates authentication, authorization, and accounting, and that it encrypts the entire packet payload, is critical. Common question types include multiple-choice comparing protocols, scenario-based selection of the appropriate protocol, and configuration troubleshooting.
Simple Meaning
Imagine you work in a large office building with many different rooms. Some rooms are open to everyone, but others require special permission to enter. To manage this, the building has a security desk at the entrance where you show your ID card. The security guard checks your ID, looks up whether you are allowed in the building, and then tells you which rooms you can access. This is very similar to how TACACS+ works for computer networks.
In a company, network devices like routers, switches, and firewalls are like the rooms in the building. They need to be protected so that only authorized people can log in and make changes. TACACS+ acts as the security guard. When you try to log into a router, the router sends your username and password to a central TACACS+ server. The server checks your credentials against a database and decides if you are allowed in. If you are allowed, the server also tells the router what commands you are permitted to run. For example, a junior network engineer might only be allowed to look at settings, while a senior engineer can change configurations.
What makes TACACS+ special is that it keeps authentication (who you are), authorization (what you can do), and accounting (what you did) completely separate. This is like having a security guard who checks your ID, a different person who tells you which rooms you can enter, and a third person who writes down everywhere you went. This separation gives network administrators very fine control over security. Also, TACACS+ encrypts all the information sent between the router and the server, so no one can snoop on your password or the commands you run.
Full Technical Definition
TACACS+ (Terminal Access Controller Access-Control System Plus) is a remote authentication protocol developed by Cisco Systems as an enhancement to the original TACACS protocol. It operates over TCP, typically on port 49, and provides separate authentication, authorization, and accounting (AAA) services for network access. Unlike RADIUS, which combines authentication and authorization in one packet, TACACS+ uses distinct packet types for each function, allowing greater flexibility and control in heterogeneous network environments.
The protocol works by establishing a TCP connection between a Network Access Server (NAS), such as a router or switch, and a TACACS+ server. The NAS acts as a client, forwarding user credentials to the server. The TACACS+ server then responds with one of three outcomes: accept, reject, or continue (for additional challenges like one-time passwords). The authentication process can use various methods including PAP, CHAP, or even token-based systems. Once authenticated, authorization requests are sent separately to determine the user's privileges, such as which commands they can execute or which interfaces they can access. Accounting messages track user activity, including start and stop times, command execution, and resource usage, for auditing and billing purposes.
TACACS+ encrypts the entire payload of its packets, including the username, password, and all other data, using a shared secret key. Only the TACACS+ header remains unencrypted. This is a significant security advantage over RADIUS, which only encrypts the password in Access-Request packets. The separate AAA architecture also allows administrators to use different back-end authentication sources (e.g., LDAP, Active Directory, or local databases) while maintaining a unified authorization and accounting policy. In enterprise deployments, TACACS+ is commonly used to manage administrative access to network infrastructure, providing granular command-level control and detailed audit logs. It is not typically used for end-user network access (such as Wi-Fi or VPN), where RADIUS is more common due to its integration with 802.1X and other authentication frameworks.
Real-Life Example
Think of TACACS+ like a VIP access system at a large concert venue. The concert has different zones: the general audience area, backstage, the sound booth, and the artist's dressing room. Each zone requires a different level of permission to enter. Instead of having a separate security guard at every door, the venue uses a central security office. When you approach any door, the door guard calls the central office to verify your identity and check your permission level.
In this analogy, your ticket and ID card are your username and password. The door guard is the network device (like a router) you are trying to access. The central security office is the TACACS+ server. When you present your ticket, the guard doesn't decide on their own whether to let you in. They radio the central office, which looks up your details in a database. The central office then tells the guard not only whether you are allowed in, but also which specific zones you can access. For example, a regular ticket holder might only be allowed into the general area, while a crew member can go to the sound booth and backstage, and the artist can go everywhere.
the central office keeps a log of every door you enter and every zone you access. This is the accounting function. If something goes wrong, like equipment goes missing from the sound booth, the venue can review the logs to see who entered that area and when. This entire communication between the door guards and the central office is encrypted with a special code, so no one can eavesdrop and steal your identity or learn the security procedures. This is exactly how TACACS+ secures network devices in a corporate environment, giving administrators precise control over who can access what, while maintaining a complete audit trail.
Why This Term Matters
In any organization that uses network devices like routers, switches, and firewalls, controlling who can log in and what they can do is critical for security and operational stability. TACACS+ matters because it provides a centralized, secure, and granular access control system that scales from a small office to a global enterprise. Without such a system, administrators would have to manage user accounts and passwords on every single device individually, which is time-consuming, error-prone, and insecure. If a network engineer leaves the company, their access would need to be revoked on dozens or hundreds of devices, a task that is often forgotten and can leave a security gap.
TACACS+ solves this by centralizing authentication. A network administrator can create, modify, or delete user accounts on a single TACACS+ server, and the change takes effect on all devices that use that server. This dramatically reduces administrative overhead and improves security. The separation of authentication, authorization, and accounting is another key reason why TACACS+ matters. It allows organizations to enforce the principle of least privilege, where users are given only the permissions they need to do their job. For example, a junior technician might be allowed to run 'show' commands to monitor the network but not 'configure' commands that can change settings. A senior engineer might have full access, while a compliance auditor might have read-only access to logs but no login access to devices at all.
the accounting logs provided by TACACS+ are invaluable for security auditing and incident response. If a router configuration is changed and causes a network outage, the logs can show exactly who issued the command, on which device, at what time. This accountability helps organizations quickly identify the cause of problems, whether they result from human error or malicious activity. For compliance with standards like PCI DSS, HIPAA, or SOX, detailed access logs are often mandatory. TACACS+ provides the necessary audit trail to meet these regulatory requirements. In practical IT operations, TACACS+ is a cornerstone of network device management security, and understanding it is essential for any network or security professional.
How It Appears in Exam Questions
In certification exams, TACACS+ questions typically fall into three categories: conceptual comparison, scenario-based selection, and configuration troubleshooting. Conceptual comparison questions directly ask you to differentiate TACACS+ from RADIUS. A typical question might state: 'Which of the following is a key difference between TACACS+ and RADIUS?' The correct answer would be that TACACS+ encrypts the entire packet payload, while RADIUS only encrypts the password. Another common angle is the separation of AAA services. For example: 'Which AAA protocol separates authentication, authorization, and accounting into independent services?' The answer is TACACS+.
Scenario-based selection questions present a business or technical requirement and ask you to choose the best protocol. For instance, 'A company needs to control which commands administrators can run on network devices, and must maintain a detailed audit log of all command executions. Which protocol should be used?' The correct answer is TACACS+ because it supports command-level authorization and detailed accounting. Another scenario: 'An organization is deploying 802.1X for wireless network access. Which AAA protocol is most commonly used?' The answer would be RADIUS, not TACACS+, because RADIUS is the standard for network access control. These questions test your ability to apply the protocol's features to real-world needs.
Configuration troubleshooting questions, especially on the CCNA, present a partial configuration or a debug output and ask you to identify the problem or the correct next step. For example, a configuration might show 'aaa new-model' followed by 'tacacs-server host 192.168.1.10 key mykey', but a user is unable to authenticate. A question might ask why, with options pointing to common mistakes like using the wrong port number (TACACS+ uses TCP port 49), missing 'aaa authentication login default group tacacs+' lines, or a mismatch in the shared secret key. Another type might ask you to interpret 'debug tacacs' output to determine if the server is reachable, if the authentication was accepted, or if there was an authorization failure. Understanding the flow of TACACS+ packets (open TCP, send authentication, receive accept/reject, send authorization, receive commands/timeouts) is key to answering these expertly.
Practise TACACS+ Questions
Test your understanding with exam-style practice questions.
Example Scenario
A mid-sized company, TechFlow Inc., has 50 network devices including routers, switches, and firewalls. Currently, each device has local usernames and passwords. The security team is concerned because when a network engineer leaves, they must manually delete accounts from every device, which often doesn't happen. Junior staff have full configuration access to all devices, even though they only need to monitor network performance. The company decides to implement TACACS+ to centralize access control.
You are the network administrator tasked with this project. You set up a TACACS+ server on a Linux machine running the 'tac_plus' daemon. You configure the server to authenticate users against a local database. You create user accounts: 'Alice' (senior engineer), 'Bob' (junior technician), and 'Charlie' (auditor). For authorization, you define a privilege level command set: Bob can only execute 'show' commands, Alice can execute all commands, and Charlie can only access accounting logs via a separate interface. You also enable accounting to log every command executed on every device.
On each Cisco switch and router, you configure 'aaa new-model', specify the TACACS+ server IP and key, and configure authentication login to use the TACACS+ group followed by local as a fallback. You also configure command authorization to use TACACS+. You test by asking Bob to log in to a core switch. He is prompted for his username and password, which the switch forwards to the TACACS+ server. The server authenticates him successfully and returns an authorization profile that allows only 'show' commands. When Bob tries to type 'configure terminal', the switch sends an authorization request to the server, which denies it. Bob receives a 'command not authorized' error. Alice logs in and is able to configure the device without issue. All login events and commands are logged on the TACACS+ server. After a month, when Bob leaves the company, you simply delete his account from the TACACS+ server, and he immediately loses access to all 50 devices. The incident response team later uses the accounting logs to trace a configuration change that caused an outage back to Alice, confirming a legitimate change. The implementation is a success.
Common Mistakes
Thinking TACACS+ and RADIUS are interchangeable and can be used for the same purposes.
TACACS+ is optimized for device administration (router/switch access), while RADIUS is optimized for network access (VPN, Wi-Fi, 802.1X). Using TACACS+ for 802.1X is not standard and may not work. Using RADIUS for command authorization is limited; RADIUS does not natively support command-level authorization.
Use TACACS+ for administrative access to network devices when you need command-level control. Use RADIUS for end-user network authentication (PPP, 802.1X, VPN).
Believing that TACACS+ encrypts only the password, similar to RADIUS.
TACACS+ encrypts the entire payload of the packet, including the username, password, and any data in authorization and accounting packets. Only the TACACS+ header is in cleartext. RADIUS only encrypts the password in the Access-Request packet.
Remember that TACACS+ uses full packet encryption, providing greater confidentiality than RADIUS.
Confusing the transport protocol and port numbers. Thinking TACACS+ uses UDP or port 1812.
TACACS+ uses TCP port 49. RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting). Using the wrong protocol or port will prevent communication with the server.
Always configure TACACS+ with TCP and port 49. For RADIUS, use UDP and ports 1812/1813.
Assuming that once a user is authenticated by TACACS+, they automatically have full access to all commands.
Authentication only verifies identity. Authorization is a separate step that determines what the user is allowed to do. Without proper authorization configuration, a user may be authenticated but still unable to run commands.
Configure both authentication and authorization on the TACACS+ server and the network device to enforce the principle of least privilege.
Forgetting to configure a fallback method like local authentication, which can lock out administrators if the TACACS+ server is unreachable.
If the TACACS+ server goes down or becomes unreachable due to a network issue, and there is no fallback, administrators will be unable to log into any device that relies on TACACS+.
Always configure a fallback method (e.g., 'local') in the AAA authentication list on the device, and ensure that the local username/password on the device is documented and secure.
Exam Trap — Don't Get Fooled
{"trap":"A question states: 'Which AAA protocol provides separate accounting services and encrypts the entire packet payload?' The answer is TACACS+. A trap option might say 'RADIUS' because RADIUS also provides accounting, but it encrypts only the password."
,"why_learners_choose_it":"Learners often associate AAA with RADIUS because RADIUS is more commonly used in general networking contexts (like 802.1X and VPN). They may memorize that RADIUS does accounting and encryption, but miss the critical detail that RADIUS encryption is limited to the password only."
,"how_to_avoid_it":"Focus on the specific keywords: 'separate accounting' hints at the separation of AAA functions, which is a feature of TACACS+. 'Encrypts the entire packet payload' is also unique to TACACS+. Create a mental checklist: TACACS+ = TCP, full encryption, command authorization.
RADIUS = UDP, password-only encryption, network access."
Commonly Confused With
RADIUS combines authentication and authorization in one packet, while TACACS+ separates them into three independent services. RADIUS encrypts only the password in the Access-Request packet, whereas TACACS+ encrypts the entire packet payload. RADIUS uses UDP ports 1812/1813, while TACACS+ uses TCP port 49.
For a VPN, RADIUS is the standard. For controlling who can configure a router and which commands they can run, TACACS+ is the better choice.
Kerberos is a ticket-based authentication protocol used primarily in Windows Active Directory environments. It does not provide separate authorization or accounting services natively, unlike TACACS+. TACACS+ is designed for network device access, while Kerberos is for single sign-on across services in a domain.
Logging into Windows workstations uses Kerberos for authentication. Logging into a Cisco switch to run 'show ip route' uses TACACS+.
LDAP is a directory protocol used for looking up and storing information about users and resources, but it does not provide AAA services directly. TACACS+ is an AAA protocol that can use an LDAP directory as a back-end source for authentication, but that is a configuration detail. TACACS+ itself handles the authentication, authorization, and accounting logic.
A company stores all employee accounts in an Active Directory (LDAP). The TACACS+ server can be configured to query AD to verify usernames and passwords, but the TACACS+ server still controls what commands the user can run on a router.
Step-by-Step Breakdown
Connection Establishment
When a user attempts to log into a network device (e.g., router, switch) via SSH or Telnet, the device forms a TCP connection to the TACACS+ server on port 49. The device acts as a client, initiating the session.
Authentication Request
The network device sends an authentication packet to the TACACS+ server containing the username and password (and optionally other data). TACACS+ encrypts the entire payload of this packet using a pre-shared secret key, ensuring confidentiality of credentials in transit.
Authentication Response
The TACACS+ server checks the credentials against its configured authentication sources (local database, LDAP, Active Directory, etc.). It then sends a response back: ACCEPT, REJECT, or CONTINUE (for multi-factor authentication challenges). If ACCEPT, the user is authenticated.
Authorization Request
After successful authentication, the network device sends a separate authorization request to the TACACS+ server. This packet includes the user's identity and the specific service or command the user is trying to access (e.g., 'shell' for privileged EXEC mode, or a specific command like 'configure terminal').
Authorization Response
The TACACS+ server evaluates the user's authorization profile and responds with either PASS or FAIL. If PASS, it may also return attributes that define the user's privileges, such as a privilege level, allowed command set, or access control lists. The device then enforces these privileges.
Accounting
The network device sends accounting packets to the TACACS+ server to record events such as login start, login stop, command execution, and session termination. The server logs these events, providing an audit trail for security monitoring and compliance.
Practical Mini-Lesson
TACACS+ is not just a theoretical concept; it is a practical tool that network and security professionals configure and troubleshoot regularly. In a typical enterprise environment, you will set up a TACACS+ server (often using open-source software like 'tac_plus' or a commercial product like Cisco ISE) and then configure your network devices to use it for AAA services. The first step is planning: decide which users will have access, what permissions they will have, and how accounting logs will be managed. You need to define groups and privilege levels on the server. For instance, you might have a 'network-admin' group with privilege 15 (full access) and a 'network-operator' group with privilege 1 (read-only).
Configuration on Cisco IOS devices requires several commands. First, enable AAA globally with 'aaa new-model'. Then, specify the TACACS+ server(s) using 'tacacs-server host [IP] key [secret]' or the newer style 'tacacs server [name]' commands. Next, create an authentication login list: 'aaa authentication login default group tacacs+ local'. This tells the device to try TACACS+ authentication first, and if the server is unreachable, fall back to the local database. Similarly, configure authorization: 'aaa authorization exec default group tacacs+ local' to control access to EXEC mode, and 'aaa authorization commands 15 default group tacacs+' to control commands at privilege level 15. For accounting: 'aaa accounting exec default start-stop group tacacs+' and 'aaa accounting commands 15 default start-stop group tacacs+'.
What can go wrong in practice? The most common issues are network connectivity problems to the TACACS+ server, firewall blocking TCP port 49, mismatched shared secret keys, and incorrect server IP addresses. Another frequent issue is that administrators forget to configure a fallback method and get locked out when the server is down. Always test your configuration by logging in from a different device or with a local user who has full privileges. Use debug commands like 'debug tacacs' and 'debug aaa authentication' to troubleshoot step-by-step. Monitor the accounting logs regularly to detect unusual activity. TACACS+ gives you powerful control, but it requires careful planning and robust fallback mechanisms to avoid operational outages.
TACACS+ Configuration Best Practices and Common Pitfalls
Configuring TACACS+ correctly is essential for secure network device management. One of the most common mistakes is misconfiguring the shared secret key. The key must match exactly on both the TACACS+ server and the client (network device).
If there is a mismatch, authentication fails silently or with unclear error messages. Always double-check that the key does not contain trailing spaces or invisible characters. Another best practice is to include a fallback authentication method, such as the local username database.
This prevents lockout if the TACACS+ server becomes unavailable due to network issues or maintenance. The fallback should be configured with a higher priority number so it is used only when the primary method fails. For example, using “aaa authentication login default group tacacs+ local” ensures that if the TACACS+ server does not respond, the device falls back to local authentication.
However, be cautious: if the server responds with a reject, the fallback is not used. This prevents security from being bypassed by an attacker who can block server responses. Command authorization should be used whenever possible to enforce the principle of least privilege.
On Cisco devices, you define privilege levels (0-15) and map commands to those levels. TACACS+ can override these levels by granting or denying specific commands on a per-user basis. This is configured on the TACACS+ server itself (e.
g., Cisco ISE or ACS). Ensure that the administrative accounts have full authorization (level 15) for troubleshooting, but limit other users to only the commands they need. Accounting logs should be sent to a centralized logging server for compliance and monitoring.
Use “aaa accounting exec” to log all user sessions and “aaa accounting commands” to log every command entered. These logs are invaluable for incident response. One pitfall is forgetting to configure the TACACS+ server IP address and key on the device.
Use the “tacacs-server host” command to specify the server and key. Multiple servers can be added for redundancy; the device tries them in order. Another common issue is not enabling AAA globally.
The command “aaa new-model” must be issued before any AAA commands take effect. Without it, TACACS+ will not be used. Also, ensure that the TACACS+ server is reachable via TCP port 49.
Firewalls must allow this traffic. Some organizations mistakenly use UDP port 49 (which is for older TACACS) and wonder why authentication fails. Always use TCP. For remote access, consider using SSH instead of Telnet, as TACACS+ can authenticate both, but SSH encrypts the entire session.
When testing your configuration, use the “debug tacacs” and “test aaa” commands to verify connectivity and authentication. These commands are often tested in exams to see if you can diagnose issues. Finally, keep in mind that TACACS+ servers typically require certificates for secure communication if using encryption extensions.
However, the standard implementation uses the shared key for encryption. Always follow vendor documentation for your specific TACACS+ server (Cisco ISE, ACS, or open-source like FreeRADIUS). A robust TACACS+ configuration includes: enabling AAA new-model, defining server hosts with matching keys, setting up authentication login with fallback, implementing command authorization, and enabling accounting.
Avoid common pitfalls like key mismatches, lack of fallback, and forgetting global AAA enablement. By following these best practices, you ensure secure, auditable, and resilient network device access control.
Memory Tip
TACACS+ = Three A's are Totally Separated: Authentication, Authorization, Accounting. Plus, it encrypts everything (the 'Plus' in its name).
Learn This Topic Fully
This glossary page explains what TACACS+ means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →200-301Cisco CCNA →N10-009CompTIA Network+ →SY0-701CompTIA Security+ →220-1102CompTIA A+ Core 2 →XK0-006CompTIA Linux+ →SC-900SC-900 →SOA-C02SOA-C02 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
A 2-in-1 laptop is a portable computer that can switch between a traditional laptop form and a tablet form, usually by detaching or rotating the keyboard.
Quick Knowledge Check
1.Which port and protocol does TACACS+ use?
2.What is a key advantage of TACACS+ over RADIUS?
3.When configuring TACACS+, which command must be enabled first?
4.If a TACACS+ server rejects authentication, what happens with a fallback method configured?
5.Which type of accounting logs every command entered by a user?
6.What does the 'group tacacs+' keyword reference in a TACACS+ configuration?
Frequently Asked Questions
What does TACACS+ stand for?
TACACS+ stands for Terminal Access Controller Access-Control System Plus. It is an enhanced version of the original TACACS protocol.
What port does TACACS+ use?
TACACS+ uses TCP port 49. It does not use UDP, which is a common point of confusion with RADIUS (UDP ports 1812/1813).
Can TACACS+ be used for wireless network authentication?
While technically possible, TACACS+ is not the standard for wireless network access. RADIUS is the standard protocol for 802.1X and wireless authentication because of its support for EAP methods and integration with access points.
How does TACACS+ handle encryption?
TACACS+ encrypts the entire payload of every packet using a shared secret key between the client and server. Only the TACACS+ header (which contains packet type and length) is sent in cleartext.
Is TACACS+ a Cisco proprietary protocol?
TACACS+ was developed by Cisco and is widely considered a Cisco proprietary protocol, even though the specification has been published. Most implementations are found in Cisco environments, though open-source TACACS+ servers exist.
What is the difference between TACACS+ and RADIUS for accounting?
Both protocols support accounting, but TACACS+ accounting packets are fully encrypted, whereas RADIUS accounting packets are only encrypted for the password field (which is often not present in accounting packets). TACACS+ also supports more granular accounting of commands.
Can TACACS+ integrate with Active Directory?
Yes, a TACACS+ server can be configured to use Active Directory as a back-end authentication source. The TACACS+ server will query AD to verify user credentials, while still managing authorization and accounting policies itself.
Summary
TACACS+ is an AAA protocol that separates authentication, authorization, and accounting into independent services, providing granular control over who can access network devices and what they can do. It encrypts the entire packet payload, operates over TCP port 49, and is primarily used for administrative access to network infrastructure like routers and switches. Its key differentiator from RADIUS is the separation of AAA functions and full packet encryption, making it the preferred choice for device management in Cisco-centric environments.
Understanding TACACS+ is crucial for IT professionals working with network security. It helps enforce the principle of least privilege, simplifies user management through centralization, and provides detailed audit logs for compliance and incident response. In certification exams such as CCNA, Security+, Network+, and CISSP, TACACS+ appears in questions comparing it to RADIUS, selecting the appropriate protocol for a given scenario, and troubleshooting configuration issues. The main exam takeaways are that TACACS+ uses TCP, encrypts everything, separates AAA functions, and is optimized for device administration. By mastering these points, you will be well-prepared to answer TACACS+ related questions and apply the protocol effectively in real-world networks.