
What Is Terminal Access Controller Access-control System? Security Definition

Also known as: TACACS+, AAA protocol, network security, Cisco TACACS+, authentication authorization accounting

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.


Quick Definition

TACACS+ is a security protocol that controls who can log into network devices like routers and switches. It uses a central server to check usernames and passwords, decide what commands each user can run, and keep a log of all actions. Think of it like a security guard at a building entrance who checks your ID, tells you which rooms you can enter, and writes down everywhere you go.

Must Know for Exams

TACACS+ appears in several CompTIA certification exams, including A+, Network+, and Security+. In the Network+ exam (N10-008 or N10-009), it is tested under domain 3.0 Network Operations, specifically objective 3.3 which covers remote access methods and AAA protocols. You are expected to know that TACACS+ uses TCP port 49, encrypts the entire packet body, and separates authentication, authorization, and accounting. A typical question might ask you to identify which protocol provides per-command authorization, or to compare TACACS+ with RADIUS.

In the Security+ exam (SY0-601 or SY0-701), TACACS+ is covered in domain 3.0 Implementation, specifically objective 3.1 which deals with secure network protocols. The exam expects you to understand the AAA framework and the differences between TACACS+, RADIUS, and Diameter. You may face questions that present a scenario: a company wants to control which commands each network administrator can run on routers. The correct answer is TACACS+ because of its authorization capabilities.

For the A+ exam (220-1102), the coverage is lighter but still present. In domain 2.0 Networking, you may encounter a question about remote access protocols. TACACS+ might appear as a distractor or as a correct answer in a question about centralized authentication for network devices.

Exam questions about TACACS+ often include a comparison with RADIUS. Key points to remember for the test: TACACS+ uses TCP, while RADIUS uses UDP. TACACS+ encrypts the entire packet body, while RADIUS only encrypts the password. TACACS+ has three separate functions, while RADIUS combines authentication and authorization. TACACS+ is Cisco proprietary but widely supported, while RADIUS is an open standard. These comparison points are common exam traps.

Simple Meaning

Imagine you work in a large office building with many locked doors. Some doors lead to the server room, some to the finance department, and some to the general workspace. You have a badge that opens certain doors but not others. Now imagine there is a central security office that manages all the badges. When you swipe your badge at any door, the door does not decide if you can enter. Instead, it sends a message to the security office asking, "Is this person allowed to open this door?" The security office checks its database, sends back a yes or no, and the door either unlocks or stays locked.

TACACS+ works exactly like this for computer networks. Instead of doors, you have network devices like routers, switches, and firewalls. Instead of a badge, you have a username and password. When you try to log into a router, the router does not check your password itself. It sends a message to a central TACACS+ server, which checks your credentials and responds with either permission to log in or a denial.

But TACACS+ goes further than just logging in. It also controls what you can do after you get in. The same central server can tell the router, "This user is allowed to run 'show' commands but not 'configure' commands." This is like having a badge that opens the front door but not the server room door. TACACS+ also keeps a detailed record of everything you type, creating an audit trail. This is like the security office recording every door you opened and every room you entered.

The key feature that makes TACACS+ powerful is that it separates three distinct jobs into separate messages. First, it checks the username and password for authentication. Second, it checks what commands the user is allowed to run for authorization. Third, it records all activity for accounting. This separation gives administrators very fine control over security.

Full Technical Definition

TACACS+ is a Cisco-developed security protocol that provides centralized authentication, authorization, and accounting (AAA) services for network devices. It is an enhancement of the original TACACS protocol and is entirely separate from RADIUS. TACACS+ uses TCP port 49 by default, which ensures reliable packet delivery. The protocol encrypts the entire body of each packet but leaves the standard TCP header unencrypted.

In terms of architecture, TACACS+ follows a client-server model. The network device, such as a router or switch, acts as the client. The TACACS+ daemon running on a server, often a Unix or Linux system, acts as the server. When a user attempts to log into a network device, the device sends an authentication packet to the TACACS+ server. The server can respond with an accept, reject, or challenge. The challenge mechanism supports multi-factor authentication, including token-based systems.

For authorization, TACACS+ uses attribute-value pairs (AV pairs) to define precise permissions. These can control which commands a user can execute, which interfaces they can access, or which times of day they can be active. The protocol allows for per-command authorization, meaning the server can be asked for permission every time the user types a command. This granularity is a major advantage over RADIUS, which does not support command-level authorization.

Accounting in TACACS+ generates detailed logs of user activity. Each accounting record typically includes the username, the command executed, the start and stop times, the device IP address, and the result of the command. These records are sent from the network device to the TACACS+ server over the same TCP port 49 connection type as the other message types and are stored in a log file or database.

Implementation in real environments often involves configuring the network device with a list of TACACS+ server IP addresses and a shared secret key. The device and server use this key to encrypt the packet payload. Multiple servers can be configured for redundancy. If the primary server fails, the device attempts the next server in the list. A fallback method, often local authentication using the device's local username database, is configured in case all TACACS+ servers are unreachable.

TACACS+ is widely used in enterprise networks because it scales well, provides fine-grained control, and offers a complete audit trail. It is commonly integrated with directory services like Active Directory or LDAP, so that user accounts are managed centrally across the entire organization.

Real-Life Example

Imagine a bank vault that contains safe deposit boxes. The vault has multiple layers of security. First, there is the outer door that leads into the vault room itself. Second, inside the vault, there are rows of locked boxes. Third, there is a camera recording everything that happens.

Now imagine the bank hires a security company to manage access to the vault. This security company has three separate offices. Office One handles identification. When you arrive, you show your ID card to a clerk in Office One. The clerk checks your name against a list and stamps your hand with a special ink that glows under ultraviolet light. This is authentication.

Office Two handles permissions. After you get your hand stamp, you walk to Office Two. Here, a second clerk looks at your identity and decides which safe deposit boxes you are allowed to open. If you are the owner of box 102, you get a key for that box only. If you are a bank teller, you get a master key that opens all customer boxes but not the manager's personal box. This is authorization.

Office Three handles recording. As you move through the vault, cameras and sensors track your every action. Every time you insert a key, the time is logged. Every box you open is recorded. If you try a box that is not yours, an alarm sounds and the event is saved. This is accounting.

TACACS+ works exactly like this three-office system. The network device (the vault door) sends your login credentials to the TACACS+ server (Office One). The server says yes or no. If yes, the device next asks permission for each command you type (Office Two). Finally, every command you type is logged (Office Three). The beauty of this system is that the three offices can be managed by different teams and can have different rules, just like in the bank.

Why This Term Matters

In real IT work, TACACS+ is a cornerstone of network device security. Large organizations often have dozens or hundreds of routers, switches, and firewalls spread across multiple locations. Without a centralized AAA system, each device would need its own local username and password database. Managing hundreds of separate databases is a nightmare. When an employee leaves the company, you would have to change the password on every single device. With TACACS+, you change one record on the server, and access is revoked everywhere instantly.

For cybersecurity, TACACS+ provides an essential layer of defense. By separating authentication from authorization, it allows administrators to implement the principle of least privilege. A junior network engineer might be allowed only to run show commands for monitoring, while a senior engineer can make configuration changes. This prevents accidental or malicious damage. The accounting logs are invaluable for forensic investigations. If a router configuration changes unexpectedly, the logs tell you exactly who typed what command and when.

In cloud infrastructure, many organizations use TACACS+ to secure access to network devices that manage virtual networks. Even in hybrid environments where some devices are on-premises and some are in the cloud, TACACS+ can serve as a single control point. It integrates with existing identity management systems like Active Directory, so that network access is tied to the same credentials used for email and file servers.

System administrators and network engineers rely on TACACS+ for compliance. Regulations like PCI DSS, HIPAA, and SOX require strict access controls and detailed audit trails. TACACS+ provides exactly these capabilities. Auditors often ask to see TACACS+ logs as proof that only authorized users accessed critical network equipment.

How It Appears in Exam Questions

Exam questions about TACACS+ come in several formats. Scenario-based questions describe a network environment with specific security requirements. For example, a question might state: "A company wants to ensure that when a junior network administrator logs into a router, they can only run show commands and cannot make any configuration changes. Which protocol should they implement?" The correct answer is TACACS+ because it supports per-command authorization.

Configuration questions may ask you to identify the correct command or setting. For instance, you might see: "Which port does TACACS+ use by default?" with options like 49, 1812, 1813, or 1645. Another configuration question could be: "What must be shared between a network device and a TACACS+ server to encrypt packets?" The answer is a shared secret key.

Troubleshooting questions present a scenario where authentication is failing. For example: "A network administrator can log into a router using local credentials but cannot log in using TACACS+. All TACACS+ servers are reachable. What is the most likely cause?" Possible answers include incorrect shared secret, wrong port number, or a firewall blocking TCP port 49.

Comparison questions are very common. You might see: "Which of the following is a key difference between TACACS+ and RADIUS?" The correct answer could be that TACACS+ encrypts the entire packet body, while RADIUS only encrypts the password. Another comparison: "Which protocol separates authentication, authorization, and accounting into three distinct processes?" The answer is TACACS+.

Architecture questions test understanding of the client-server model. For example: "In a TACACS+ implementation, what role does the network device play?" The answer is client. Or: "Which protocol uses TCP for reliable communication?" The answer is TACACS+.

Finally, some questions combine multiple concepts. A question might describe a company that needs both command-level control and detailed logging, and ask which two features of TACACS+ meet these requirements. The answers would be authorization and accounting.


Example Scenario

A medium-sized company called TechFlow Inc. has 15 routers and 30 switches spread across three office locations. The network team has five engineers, each with different skill levels. The senior engineer, Maria, needs full access to all devices. Two junior engineers, Alex and Ben, should only be able to run diagnostic commands like ping and traceroute. Two more junior engineers, Chloe and David, are in training and should not have any command access at all yet.

Without TACACS+, Maria would have to create local accounts on each of the 45 devices. She would need to remember to update each device when Alex gets promoted or when David finishes training. This is error-prone and time-consuming. Worse, if a new engineer joins, Maria must add them to every device manually.

With TACACS+, Maria configures a single TACACS+ server. She creates groups: senior, junior diagnostic, and trainee. She assigns each user to a group. She then defines authorization policies: the senior group can run any command, the junior diagnostic group can only run show and ping commands, and the trainee group gets no authorization. Every time any engineer logs into any router, the device sends the credentials to the TACACS+ server. The server authenticates the user, checks which group they belong to, and sends back the appropriate command permissions. Accounting logs record every command Alex types, so Maria can review them later. When David finishes training, Maria simply moves him from the trainee group to the junior diagnostic group in the server. The change takes effect immediately on all 45 devices. This is the power of centralized AAA with TACACS+.
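The TechFlow policy above, as an added example that is not from the page or from any TACACS+ server product: a small per-command authorization engine in the style of a TACACS+ daemon, with the typed command packaged as the `service=shell`, `cmd=` and `cmd-arg=` attribute-value pairs a Cisco IOS client sends, first-match rules with a default-deny fallback, and one accounting line per decision. The group names, users, the rule set (which adds traceroute and a deny for `show running-config` that must sit before the general `show` permit) and the log-line format are all constructed for illustration.

```python
import re
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed policy for the TechFlow scenario (illustrative, not tac_plus or ISE syntax).
# Rules are evaluated top to bottom, first match wins, like an ACL; unmatched commands
# fall through to the group's default. Groups with no rules rely on the default alone.
POLICY = {
    "senior":            {"default": "permit", "rules": []},
    "junior-diagnostic": {"default": "deny",   "rules": [
        ("deny",   r"^show running-config\b"),   # listed first so it beats the general show permit
        ("permit", r"^show\b"),
        ("permit", r"^ping\b"),
        ("permit", r"^traceroute\b"),
    ]},
    "trainee":           {"default": "deny",   "rules": []},
}
USERS = {"maria": "senior", "alex": "junior-diagnostic", "ben": "junior-diagnostic",
         "chloe": "trainee", "david": "trainee"}

# Authorization REPLY status values from RFC 8907 section 6.2.
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


def command_av_pairs(command_line: str) -> List[str]:
    """Package a typed command the way a Cisco IOS client does for command authorization:
    service=shell, cmd=<keyword>, one cmd-arg per argument, terminated by cmd-arg=<cr>."""
    words = command_line.split()
    return ["service=shell", f"cmd={words[0]}"] + [f"cmd-arg={w}" for w in words[1:]] + ["cmd-arg=<cr>"]


def command_from_av_pairs(av_pairs: List[str]) -> str:
    """Server side: rebuild the full command line from the AV pairs so a rule can match all of it."""
    parts = [p.split("=", 1)[1] for p in av_pairs if p.startswith(("cmd=", "cmd-arg="))]
    if parts and parts[-1] == "<cr>":
        parts = parts[:-1]
    return " ".join(parts)


def authorize(user: str, av_pairs: List[str]) -> Tuple[int, str]:
    """Return (status, reason). Unknown users, unknown services and unmatched commands fail closed."""
    group = USERS.get(user)
    if group is None:
        return TAC_PLUS_AUTHOR_STATUS_FAIL, "unknown user"
    if "service=shell" not in av_pairs:
        return TAC_PLUS_AUTHOR_STATUS_FAIL, "only shell command authorization is modelled here"
    command = command_from_av_pairs(av_pairs)
    policy = POLICY[group]
    for action, pattern in policy["rules"]:
        if re.match(pattern, command):
            status = TAC_PLUS_AUTHOR_STATUS_PASS_ADD if action == "permit" else TAC_PLUS_AUTHOR_STATUS_FAIL
            return status, f"group {group}: rule {action} {pattern}"
    status = TAC_PLUS_AUTHOR_STATUS_PASS_ADD if policy["default"] == "permit" else TAC_PLUS_AUTHOR_STATUS_FAIL
    return status, f"group {group}: default {policy['default']}"


def accounting_record(user: str, nas_ip: str, command: str, status: int, when: datetime) -> str:
    """Constructed log-line format (not any vendor's): what the server writes for one command."""
    outcome = "permitted" if status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD else "denied"
    return f'{when.isoformat()} nas={nas_ip} user={user} service=shell cmd="{command}" result={outcome}'


def run_scenario() -> List[str]:
    """Walk the TechFlow engineers through a few commands and return the resulting audit trail."""
    attempts = [("maria", "configure terminal"), ("alex", "show ip route"),
                ("alex", "show running-config"), ("ben", "configure terminal"), ("chloe", "show version")]
    when = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)   # constructed timestamp
    trail = []
    for user, cmd in attempts:
        status, _ = authorize(user, command_av_pairs(cmd))
        trail.append(accounting_record(user, "192.0.2.1", cmd, status, when))
    return trail
```

Moving David from the trainee group to junior-diagnostic is a one-line change to `USERS`, which is the "change it once on the server" property the scenario describes.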

Common Mistakes

Thinking TACACS+ uses UDP like RADIUS does.

TACACS+ uses TCP port 49 for reliable delivery. RADIUS uses UDP port 1812 (authentication) and 1813 (accounting). Confusing the transport protocols is a frequent error on exams.

Memorize: TACACS+ = TCP. RADIUS = UDP. Write it down, say it out loud, connect it to the idea that TACACS+ needs reliable delivery for command authorization.

Believing TACACS+ encrypts only the password like RADIUS.

TACACS+ encrypts the entire body of the packet, including the username, password, and any authorization data. RADIUS only encrypts the password portion of the packet. This makes TACACS+ more secure for sensitive data.

Remember: TACACS+ encrypts all. RADIUS encrypts password only. A simple acronym: TACAS means Total All Content, Always Secure.

Assuming TACACS+ and RADIUS are interchangeable for all purposes.

While both provide AAA services, they have different strengths. RADIUS is better for network access (like Wi-Fi or VPN) because it is an open standard and handles a large number of sessions efficiently. TACACS+ is better for device administration because it supports per-command authorization.

Think: RADIUS for user access to network, TACACS+ for admin access to devices. Match the protocol to its typical use case.

Thinking TACACS+ is an IETF standard like RADIUS.

TACACS+ is a Cisco proprietary protocol. While it is widely supported by many vendors for compatibility, Cisco originally developed it and controls the specification. RADIUS is an open IETF standard defined in RFC 2865.

Keep a mental note: TACACS+ = Cisco proprietary. RADIUS = Open standard. Exam questions often test this distinction.

Confusing TACACS+ ports with RADIUS ports.

TACACS+ uses TCP port 49. RADIUS uses UDP port 1812 for authentication and 1813 for accounting. Some older implementations use UDP port 1645 and 1646, but modern systems use 1812 and 1813.

Create a memory aid: 'T49', T for TACACS+ and 49 for TCP port 49, and 'R12', R for RADIUS and 12 for UDP port 1812.

Exam Trap — Don't Get Fooled

An exam question describes a scenario where a company needs to authenticate users connecting to a wireless network and also wants to log their activity. It asks which AAA protocol to use. The options include both TACACS+ and RADIUS.

Many learners choose TACACS+ because they remember it has strong accounting features, but the correct answer is RADIUS because it is the standard for network access services like Wi-Fi. Always match the protocol to the use case. If the question is about authenticating users for network access (Wi-Fi, VPN, dial-up), choose RADIUS.

If the question is about authenticating administrators for device management (routers, switches, firewalls), choose TACACS+. Read the scenario carefully to see if it describes users connecting to the network or admins managing the network.

Commonly Confused With

Terminal Access Controller Access-control System vs RADIUS

RADIUS is an open standard protocol primarily used for network access services like Wi-Fi and VPN. It combines authentication and authorization into one step and only encrypts the password. TACACS+ is Cisco proprietary, separates all three functions, encrypts the entire packet, and is used for device administration.

A user logging into a hotel Wi-Fi network is authenticated by RADIUS. A network engineer logging into a Cisco router to change its configuration is authenticated by TACACS+.

Terminal Access Controller Access-control System vs Kerberos

Kerberos is a ticket-based authentication protocol used within a domain, such as in Microsoft Active Directory. It provides single sign-on and mutual authentication. TACACS+ is a password-based protocol for network device access. Kerberos does not provide command-level authorization or accounting for network devices.

When you log into your Windows work computer, Kerberos verifies your identity and gives you a ticket to access file servers. When you log into a network switch to change a VLAN, TACACS+ checks your credentials and logs your commands.

Terminal Access Controller Access-control System vs LDAP

Lightweight Directory Access Protocol (LDAP) is used to access and maintain directory services, like looking up user information in Active Directory. LDAP can be used for authentication, but it does not provide authorization for network commands or accounting logs. TACACS+ often uses LDAP as a backend to look up user credentials.

When you search for an employee's email address in a company directory, you are using LDAP. When the same directory is used to verify a network administrator's password before they can log into a router, TACACS+ may query the LDAP server behind the scenes.

Terminal Access Controller Access-control System vs Diameter

Diameter is an AAA protocol that evolved from RADIUS and is used in modern telecommunications and LTE networks. It uses TCP or SCTP, supports more error handling, and has built-in support for IP Multimedia Subsystems. TACACS+ is used for enterprise network device management and does not have the same carrier-grade features as Diameter.

A mobile phone connecting to a cellular network uses Diameter for billing and authentication. A network administrator logging into a corporate firewall uses TACACS+.

Step-by-Step Breakdown

Step 1: User initiates connection

A network administrator opens a terminal emulator like PuTTY and connects to a router's IP address. The router is configured as a TACACS+ client. The user is prompted for a username and password.

Step 2: Router sends authentication request

The router receives the credentials and realizes it is configured to use TACACS+. It creates an authentication packet containing the username and password. The entire packet body is encrypted using the shared secret key. The router sends this packet via TCP port 49 to the TACACS+ server.

Step 3: TACACS+ server verifies credentials

The TACACS+ server receives the packet, decrypts it using the same shared secret key, and compares the username and password against its database. The database may be local or integrated with an external directory like Active Directory or LDAP. The server then decides whether to accept or reject the authentication.

Step 4: Server responds with accept or reject

If the credentials are valid, the server sends an ACCEPT response packet back to the router. If they are invalid, it sends a REJECT. The response is also encrypted. The router reads the response. If ACCEPT is received, the user is granted login access. If REJECT, the user sees an access denied message and the connection is closed.

Step 5: Authorization for each command

After the user is logged in, every time they type a command, the router can be configured to send an authorization request to the TACACS+ server. The request includes the username and the command they want to run. The server checks its authorization policies. For example, if the user is in the 'junior' group and tries a 'configure' command, the server sends a DENY. The router then refuses to execute the command.

Step 6: Accounting for all actions

Each time the user executes a command, the router sends an accounting packet to the TACACS+ server. This packet includes the username, the command, the start time, and the result. The server logs this information. The logs can be used for auditing, troubleshooting, or compliance reporting. When the user logs out, an accounting stop record is sent with the session duration.
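Steps 2 to 4 above in working code, as an added example that is not from the page or from any Cisco or TACACS+ product: the client builds an authentication START packet and protects the body exactly as RFC 8907 section 4.5 specifies (an MD5-derived keystream XORed over the body, keyed by the shared secret and the cleartext header fields), and the server parses it once with the matching secret and once with a mismatched one. The session id, user, port, address and both keys are constructed sample values.

```python
import hashlib
import struct
from typing import Optional

# Wire constants from RFC 8907, the TACACS+ specification.
TAC_PLUS_VERSION = (0xC << 4) | 0x0    # major version 0xC, default minor version 0
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header flag; when set the body is sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01            # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02         # the password travels in the START data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"                  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, never obfuscated

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; XOR is its own inverse, so the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user: str, password: str, port: str, rem_addr: str) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): PAP login at privilege level 1."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d

def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Client side (the router): cleartext 12-byte header followed by the obfuscated body."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_authen_start(packet: bytes, key: bytes) -> Optional[dict]:
    """Server side: read the header, de-obfuscate with the server's own copy of the shared secret,
    then validate the body. None means it did not parse, which is what a secret mismatch looks like."""
    if len(packet) < HEADER_LEN:
        return None
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or ptype != TAC_PLUS_AUTHEN or length < 8:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if (action, authen_type, service) != (TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN):
        return None                      # a wrong key turns these fixed bytes into noise
    if 8 + ul + pl + rl + dl != length:
        return None                      # the length fields no longer add up
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    try:
        user, port, rem_addr, data = (f.decode("ascii") for f in fields)
    except UnicodeDecodeError:
        return None
    return {"user": user, "port": port, "rem_addr": rem_addr, "password": data, "priv_lvl": priv_lvl}

# Constructed sample values, not from the page: a fixed session id plus a right and a wrong secret.
SESSION_ID = 0x1A2B3C4D
GOOD_KEY = b"MySecretKey"
WRONG_KEY = b"MySecretKey2"

def demo() -> dict:
    body = build_authen_start("maria", "p4ssw0rd", "tty0", "198.51.100.7")
    packet = build_packet(body, SESSION_ID, GOOD_KEY)
    return {"header": packet[:HEADER_LEN],
            "password_on_wire": b"p4ssw0rd" in packet,            # False: the body is obfuscated
            "right_key": parse_authen_start(packet, GOOD_KEY),    # maria's record
            "wrong_key": parse_authen_start(packet, WRONG_KEY)}   # None (or noise), never maria's record
```

RFC 8907 itself calls this mechanism obfuscation rather than encryption: the body carries no integrity check, so both the shared secret and the network path between device and server still need protecting.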

Practical Mini-Lesson

TACACS+ is a protocol that every network professional should understand, especially if they work in environments with Cisco or other enterprise-grade equipment. In practice, configuring TACACS+ involves several components. First, you need a server running TACACS+ daemon software. Popular implementations include Cisco's own ACS (Access Control Server), Cisco ISE (Identity Services Engine), and open-source solutions like FreeRADIUS with a TACACS+ module or tac_plus. These servers often run on Linux or Windows.

To configure a network device as a TACACS+ client, you must specify the server's IP address and the shared secret key. On a Cisco IOS device, you would use commands like 'tacacs-server host 192.168.1.100 key MySecretKey' and then 'aaa new-model' to enable AAA. You then define authentication lists, authorization lists, and accounting lists. For example, 'aaa authentication login default group tacacs+ local' means the device tries TACACS+ first and falls back to local usernames if the server is unreachable.

What can go wrong? The most common issue is a mismatch in the shared secret key between the device and the server. If the keys do not match, the TACACS+ server cannot decrypt the packet and will reject the authentication. Another issue is network connectivity. If the router cannot reach the TACACS+ server because of a firewall blocking TCP port 49 or a routing problem, authentication fails. Administrators should always configure a local fallback method to avoid being locked out completely.

Integrating TACACS+ with Active Directory is a common practice. The TACACS+ server is configured to query Active Directory for user authentication. This means you can manage all user accounts in one place, and network device access is tied to the same credentials used for Windows login. Authorization is then handled by TACACS+ groups that map to Active Directory groups.

From a broader IT perspective, TACACS+ fits into the AAA framework, which is a core security concept. Understanding AAA helps in designing secure networks that meet compliance requirements. TACACS+ also relates to the principle of least privilege, because you can grant exactly the permissions needed for each role. Finally, it connects to monitoring and SIEM systems, as the accounting logs can be fed into tools like Splunk or ELK for real-time analysis.

Memory Tip

TACACS+ stands for the 'Three A's': Authentication, Authorization, Accounting. The plus sign is a reminder that all three functions are kept separate. Remember the port by its number: 49 is the year of the first computer protocol standard, making it the reliable choice for network security.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

Network+: N10-008 (legacy), N10-009 (current version)
Security+: SY0-601 (legacy), SY0-701 (current version)


Frequently Asked Questions

What is the difference between TACACS+ and RADIUS?

TACACS+ uses TCP port 49, encrypts the entire packet, and separates authentication, authorization, and accounting into three processes. RADIUS uses UDP, only encrypts the password, and combines authentication and authorization. TACACS+ is best for device administration, while RADIUS is best for network access.

Is TACACS+ a Cisco proprietary protocol?

Yes, TACACS+ was developed by Cisco and is proprietary. However, many other vendors support it for compatibility with Cisco networks. RADIUS is an open standard.

What port does TACACS+ use?

TACACS+ uses TCP port 49 by default. The protocol uses TCP for reliable delivery, which is important for command-by-command authorization.

Can TACACS+ be used for Wi-Fi authentication?

It is possible, but not typical. RADIUS is the standard for Wi-Fi authentication because it is an open standard and handles many simultaneous sessions efficiently. TACACS+ is designed for network device administration.

How does TACACS+ handle encryption?

TACACS+ encrypts the entire body of each packet using a shared secret key that is configured on both the client device and the server. Only the standard TCP header remains unencrypted.

What happens if the TACACS+ server goes down?

Network devices are typically configured with a fallback method, such as local authentication using usernames stored on the device itself. This ensures that administrators can still log in even if the server is unreachable.

Does TACACS+ support multi-factor authentication?

Yes, TACACS+ supports challenge-response mechanisms that allow for multi-factor authentication, including one-time passwords and token-based systems. The server can send a challenge packet that prompts the user for additional information.

Summary

Terminal Access Controller Access-Control System, or TACACS+, is a critical protocol for securing network device administration in enterprise environments. It provides centralized authentication, authorization, and accounting services, all separated into distinct processes. This separation gives administrators fine-grained control over who can log into routers, switches, and firewalls, what commands they can execute, and what records are kept for auditing.

For IT certification exams, remember that TACACS+ uses TCP port 49, encrypts the entire packet body, is Cisco proprietary, and is primarily used for device management rather than network access. Avoid confusing it with RADIUS, which uses UDP, only encrypts the password, and is better suited for Wi-Fi and VPN authentication. The protocol's strength lies in its per-command authorization and comprehensive logging, making it essential for compliance and security in networks of all sizes.

Whether you are studying for A+, Network+, or Security+, understanding TACACS+ will help you answer questions about AAA frameworks, remote access protocols, and secure network operations. Practice distinguishing between protocols by their use cases, ports, and encryption methods.