What Is Terminal Access Controller Access Control System Plus? Security Definition
Also known as: TACACS+, AAA protocol, TACACS+ vs RADIUS, network security, Cisco TACACS+
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
Quick Definition
TACACS+ is a protocol used by network devices like routers and switches to check if a user is allowed to log in and what commands they can run. It works like a security guard for your network gear, using a central server to verify usernames, passwords, and permissions. Unlike some other systems, it keeps the checking of identity, the granting of permissions, and the logging of actions as three separate jobs.
Must Know for Exams
TACACS+ is a key topic in several major certification exams. In the CompTIA Network+ exam (N10-008 and later), it appears in Domain 4, Network Security. Candidates must understand the difference between TACACS+ and RADIUS, and know that TACACS+ separates AAA functions while RADIUS combines authentication and authorization. They may be asked which protocol is best for device administration versus user network access.
In the CompTIA Security+ exam (SY0-601 and SY0-701), TACACS+ is discussed under Domain 3, Implementation, specifically in the context of AAA protocols. Security+ expects you to know the purpose of AAA, the port used by TACACS+ (TCP 49), and the fact that it encrypts the entire packet body. You should be able to compare TACACS+ with RADIUS and Kerberos.
For the Cisco CCNA exam (200-301), TACACS+ is covered in depth. CCNA candidates need to know how to configure TACACS+ on a Cisco router or switch, including setting the server IP, shared secret, and applying it to VTY lines. They must understand the difference between local authentication and server-based authentication. The exam tests knowledge of the AAA configuration mode, and how to fall back to local authentication if the server is unreachable.
The CompTIA A+ exam may touch on TACACS+ only briefly, usually in the context of network security protocols. It is less likely to be a major topic, but you should still know the basic concept of AAA and that TACACS+ is a Cisco-developed protocol for device administration.
In the exam objectives for these certifications, TACACS+ is often tested alongside RADIUS and Kerberos. Common questions ask you to select the correct protocol for a given scenario, identify the port number, or explain the advantage of TACACS+ over RADIUS for device administration. Understanding that TACACS+ separates AAA functions, uses TCP, and encrypts the entire packet is essential for these questions.
Simple Meaning
Imagine you work in a large office building with many secure rooms, including a server room, a finance office, and a lab. Instead of having a different key for every door, the building uses a central security desk. When you want to enter any room, you first go to the security desk and show your employee badge. The desk checks if your badge is valid and if you are who you say you are. This is authentication, like proving your identity.
Now, let us say the security desk knows you are a network technician. That means you are allowed into the server room, but you are not allowed into the finance office. The security desk tells the door to the server room to let you in, but the finance door stays locked. This is authorization, which is about what you are allowed to do or see.
Finally, every time you enter a room, the security desk writes down the time, your name, and which room you went into. This is accounting, or keeping a log of what happened. TACACS+ works exactly like this security desk for network devices such as routers, switches, and firewalls. When a network administrator types a command on a router, the router does not decide on its own if the command is allowed. Instead, it sends a message to a central TACACS+ server, asking who the user is. The server checks the password. Then the router asks the server if that particular user is allowed to type that specific command. The server says yes or no. Finally, the server records every command that was typed. By separating these three jobs, TACACS+ gives network administrators very fine control over who does what on critical network equipment. This is much safer than letting each device manage its own list of users, because a central server is easier to protect and update.
TACACS+ uses encryption to protect the entire conversation between the network device and the server. This means that even if someone is listening to the network traffic, they cannot see the password or the commands being sent. The protocol was developed by Cisco and is widely used in enterprise networks that have many routers and switches, especially in environments that require strict security and detailed audit logs.
Full Technical Definition
TACACS+, which stands for Terminal Access Controller Access Control System Plus, is an authentication, authorization, and accounting (AAA) protocol used to manage access to network devices. It was developed by Cisco as an enhancement to the original TACACS, which is documented in RFC 1492; the Plus version itself is a proprietary Cisco protocol. TACACS+ separates the three AAA functions into distinct processes, allowing for granular control over administrative access to routers, switches, and other network infrastructure.
TACACS+ operates over TCP port 49 by default. The entire payload of a TACACS+ packet is encrypted, including the username, password, and all arguments. However, the TACACS+ header is not encrypted, which allows the receiving device to identify the packet type before decryption. This encryption ensures that credentials and commands are protected from eavesdropping on the network.
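To make the cleartext header and protected body concrete, here is an added example (not the page's own code) that frames a TACACS+ packet the way RFC 8907 documents the wire format: a 12-byte cleartext header and a body XORed with an MD5-derived pad keyed by the shared secret. The session id, secret and body are constructed values.

```python
"""TACACS+ packet framing and body obfuscation as documented in RFC 8907.

Added example, not part of the original page. The 12-byte header stays in
cleartext; only the body is XORed with an MD5-derived pseudo-pad keyed by the
shared secret. Session id, secret and body below are constructed values.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
VERSION = 0xC0                            # major version 0xC, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01                   # debugging only; never set on a production link


def pseudo_pad(session_id: int, secret: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(sid|key|ver|seq); MD5_n = MD5(sid|key|ver|seq|MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, secret: bytes) -> bytes:
    """Serialize header plus obfuscated body. The header is never keyed by the secret."""
    header = struct.pack(HEADER_FMT, VERSION, ptype, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, secret, VERSION, seq_no, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))


def parse_header(packet: bytes) -> dict:
    """Read the cleartext header, which lets the receiver learn type/seq before decrypting."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def decrypt_body(packet: bytes, secret: bytes) -> bytes:
    """Apply the same pad. A mismatched secret yields garbage, which the peer rejects."""
    h = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if h["flags"] & FLAG_UNENCRYPTED:
        return body
    pad = pseudo_pad(h["session_id"], secret, h["version"], h["seq_no"], h["length"])
    return bytes(a ^ b for a, b in zip(body, pad))


if __name__ == "__main__":
    # Constructed authorization request: the body is what a sniffer must not read.
    pkt = build_packet(TYPE_AUTHOR, 1, 0x1234ABCD, b"maria\x00configure terminal", b"SharedSecret123")
    print(parse_header(pkt))                       # readable without the secret
    print(decrypt_body(pkt, b"SharedSecret123"))   # readable only with the secret
```

Note that the pad is an MD5 keystream rather than modern authenticated encryption, which is why the shared secret must be strong and the link between device and server should itself be a trusted or tunnelled path.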
The authentication process in TACACS+ is flexible. It can use PAP, CHAP, or even a one-time password (OTP) mechanism. The network device, acting as the Network Access Server (NAS), sends an authentication request to the TACACS+ server. The server can either accept the request, reject it, or challenge the user for additional information, such as a token code. This challenge-response mechanism is a key feature that supports multi-factor authentication.
Authorization in TACACS+ is per-command or per-service. After successful authentication, the user requests authorization to execute a specific command or access a service. The NAS sends an authorization request to the server, which includes the username and the command. The server checks its policies and returns a response indicating whether the command is permitted. This allows administrators to define very specific permissions, such as allowing a junior technician to run only 'show' commands while a senior engineer can run configuration commands.
Accounting in TACACS+ records what users do. The NAS sends accounting packets to the server for events such as start of a session, end of a session, and each command executed. The accounting data is stored by the server in a log file or database. This provides an audit trail that is essential for security compliance, forensic analysis, and troubleshooting.
Implementation typically involves a dedicated TACACS+ server, which can be a software package like Cisco ISE, FreeRADIUS with TACACS+ support, or Aruba ClearPass. Network devices are configured with the IP address of the TACACS+ server and a shared secret key. The devices are configured to use TACACS+ for authentication on console, VTY (Telnet/SSH), and auxiliary lines. When a user attempts to log in, the device forwards the credentials to the server. If the server is unreachable, a fallback to local authentication on the device can be configured to maintain access during outages.
Real-Life Example
Think of a high-security office building that uses a sophisticated key card system. In this building, every employee has a key card that proves their identity. The card itself just has a number, but the building has a central security computer that knows which number belongs to which person. This is like the TACACS+ server. When you swipe your card at a door, the door reader sends your card number to the central computer, which checks if the card is active and valid. This is authentication: proving you are who you say you are.
Now, imagine you are a junior IT support person. Your card might allow you to enter the main office and the break room, but not the server room or the executive floor. The central security computer has a list of which doors each card can open. When you swipe at the server room door, the computer checks its list. It sees that your card is not allowed in the server room, so it tells the door to stay locked. This is authorization: determining what you are allowed to do.
Finally, every time you swipe your card at any door, the central computer records the time, the door, and your card number. At the end of the day, the security manager can review a report that shows exactly who entered which room and when. This is accounting: keeping a log of actions.
In the world of TACACS+, the network devices (routers, switches) are the doors. The user (a network engineer) is the person with the key card. The TACACS+ server is the central security computer. When the engineer types a command, the router sends that command to the TACACS+ server. The server checks if the engineer is allowed to use that command. If yes, the command runs. If no, the router rejects it. The server also logs every command. This gives the network administrator incredibly precise control, just like the building security manager who can decide exactly which doors each employee can open.
Why This Term Matters
TACACS+ matters because network devices are the backbone of every organization. If an attacker gains access to a router or switch, they can redirect traffic, steal data, or bring down the entire network. Using local usernames and passwords on each device is insecure and unmanageable. With dozens or hundreds of devices, updating passwords on each one individually is impractical. TACACS+ centralizes authentication, making it easy to add, disable, or change user accounts from one server.
The separation of authentication, authorization, and accounting is a major advantage. In many organizations, different teams need different levels of access. Network operations staff may need full configuration access, while help desk staff might only need read-only access to check interface status. TACACS+ allows granular command-level authorization. This principle of least privilege is a core security concept: give users only the permissions they need to do their job, nothing more.
Accounting logs are invaluable for incident response. If a configuration change breaks the network, you can look at the TACACS+ logs to see which user made the change, what command they ran, and when. This provides accountability and helps with troubleshooting. Many compliance frameworks, such as PCI DSS and HIPAA, require detailed logging of administrative access to network devices. TACACS+ directly helps meet these requirements.
Encryption of the entire TACACS+ session protects credentials and commands from being intercepted. This is critical when administrators manage devices over untrusted networks, such as the internet or a guest Wi-Fi. Without encryption, a simple packet capture could reveal a privileged password. TACACS+ protects this traffic.
In practice, TACACS+ is used in enterprises, service providers, and data centers. It integrates with other security systems like Identity Services Engine (ISE) and Active Directory. When a network device is configured for TACACS+, it checks with the server for every login attempt and every command. This provides a robust, scalable, and secure method for managing network device access.
How It Appears in Exam Questions
In certification exams, TACACS+ appears in several distinct question patterns. The most common is the comparison question. For example: Which protocol separates authentication, authorization, and accounting into three distinct processes? The answer is TACACS+. The same question might also offer RADIUS as a distractor because RADIUS combines authentication and authorization. Another variation asks which protocol is more suitable for managing access to network devices (routers and switches) as opposed to user network access.
Scenario-based questions are also frequent. A typical scenario describes a company that has multiple network administrators. The company wants to allow senior engineers to run all commands, but junior engineers should only be able to run show commands. The question asks which technology the administrator should implement. The correct answer is TACACS+, because it supports per-command authorization. A distractor might be RADIUS, which does not support per-command authorization well.
Configuration questions appear on the CCNA exam. You might be given a partial configuration snippet and asked to complete it. For instance, the question shows aaa new-model and tacacs-server host 10.1.1.1 key cisco123. Then it asks what command is missing to apply TACACS+ authentication to the VTY lines. The answer would be login authentication default or a similar aaa authentication login command.
Troubleshooting questions are common as well. A scenario might describe a network engineer who can no longer log into a router after configuring TACACS+. The question asks what the most likely cause is. Answers could include a misconfigured shared secret, a firewall blocking TCP port 49, or the TACACS+ server being down. You must know to check the server reachability and the shared secret first.
Port number identification questions are straightforward: What port does TACACS+ use? The answer is TCP 49. This is a common multiple-choice question in Network+ and Security+.
Finally, architecture questions ask about centralized management. For example: An organization wants to centrally manage authentication for all network devices and log all commands executed. Which protocol should they use? The answer is TACACS+. These questions test your understanding of its use case and features.
Example Scenario
A medium-sized company, TechFlow Inc., has fifteen Cisco routers and switches across three offices. The network team consists of a senior engineer, Maria, and two junior technicians, Alex and Priya. Maria can configure routing protocols, change VLANs, and modify access lists. Alex and Priya are only allowed to check interface status, ping devices, and view the running configuration. The company wants to ensure that if one of the junior technicians accidentally types a dangerous command, it will be blocked. They also need a log of every command typed by anyone on any device for compliance purposes.
The IT manager decides to implement TACACS+. She installs a TACACS+ server on a Linux machine in the data center. She configures the server with three user accounts: one for Maria with full privileges, and two for Alex and Priya with limited permissions. On each router and switch, she enables AAA with the command aaa new-model. She configures the devices to point to the TACACS+ server. She also sets up a local username as a backup in case the server is unreachable. She then configures the VTY lines to use TACACS+ for login and command authorization.
Now, when Maria connects to a router via SSH, the router sends her username and password to the TACACS+ server. The server authenticates her. Then, when Maria types the command configure terminal, the router asks the server if Maria is allowed to use that command. The server checks its policies and says yes. The command runs. When Alex types the same command, the router asks the server. The server checks Alex's policy and says no. The router rejects the command. The server logs everything. This scenario shows how TACACS+ provides secure, granular, auditable access control for network devices.
Common Mistakes
Thinking TACACS+ and RADIUS are the same protocol.
They are different. RADIUS combines authentication and authorization into one process, while TACACS+ separates them into three distinct functions. RADIUS uses UDP, while TACACS+ uses TCP. RADIUS only encrypts the password, while TACACS+ encrypts the entire packet.
Remember that TACACS+ is for device administration (routers, switches) and offers more granular control. RADIUS is for user network access (Wi-Fi, VPN).
Confusing the port numbers: thinking TACACS+ uses UDP 49 or RADIUS uses TCP 49.
TACACS+ uses TCP port 49. RADIUS uses UDP ports 1812 for authentication and 1813 for accounting. Some older RADIUS implementations use UDP 1645 and 1646, but the official ports are 1812 and 1813.
Memorize: TACACS+ is TCP 49. RADIUS is UDP 1812/1813. Associate the extra stability of TCP with TACACS+ needing reliability for command authorization.
Believing TACACS+ encrypts only the password, like RADIUS does.
TACACS+ encrypts the entire body of the packet, including the username, password, and all arguments. Only the header is unencrypted. This is a major security advantage over RADIUS.
Think of TACACS+ as wrapping the whole message in an envelope, while RADIUS only seals the password in a smaller envelope inside an open letter.
Assuming TACACS+ is an open standard like RADIUS.
TACACS+ is a proprietary Cisco protocol. While widely supported by many vendors, it is not an open standard. RADIUS is an open standard defined in RFCs 2865 and 2866.
Remember that TACACS+ was developed by Cisco and is most commonly found in Cisco-centric networks. RADIUS is vendor-neutral.
Thinking TACACS+ can be used for authenticating wireless users.
TACACS+ is designed for device administration, not for end-user network access services like Wi-Fi or VPN. RADIUS is the standard protocol for those use cases.
Match the protocol to the job: TACACS+ for router/switch admin, RADIUS for user network access.
Exam Trap — Don't Get Fooled
An exam question asks which AAA protocol encrypts the entire packet and uses TCP. The answer choices include TACACS+, RADIUS, Kerberos, and LDAP. A common trap is that learners choose RADIUS because it is more familiar.
The question may hint that the protocol is used for device administration. Learners might forget that RADIUS uses UDP and only encrypts the password, not the entire packet. Create a mental checklist: For TACACS+, remember three things: TCP port 49, full packet encryption, and separation of AAA functions.
For RADIUS, remember UDP, password-only encryption, and combined authentication and authorization. If the question mentions granular command-level control, it is definitely TACACS+.
Commonly Confused With
RADIUS combines authentication and authorization into one message, while TACACS+ separates them into three distinct processes. RADIUS uses UDP, while TACACS+ uses TCP. RADIUS only encrypts the password, but TACACS+ encrypts the entire packet. RADIUS is for user network access, while TACACS+ is for device administration.
Using RADIUS is like a hotel key card that opens your room door and also tells the system you are a guest. Using TACACS+ is like a security badge that first checks if you are an employee, then checks if you are allowed in the server room, and then logs your entry time.
Kerberos is a ticket-based authentication protocol that uses symmetric key cryptography and a trusted third party called a Key Distribution Center (KDC). It is primarily used for single sign-on in Windows Active Directory environments. TACACS+ does not use tickets; it uses direct requests and responses between the NAS and the server. Kerberos is not typically used for device administration; it is for user authentication to network services.
Kerberos is like a concert wristband that proves you paid once and lets you enter different areas. TACACS+ is like a security guard at each door who checks your ID and a separate list to see if you can enter.
LDAP is a protocol for accessing and managing directory information, such as user accounts in Active Directory. It can be used for authentication by binding to the directory, but it does not provide authorization or accounting. TACACS+ is a full AAA protocol that includes authentication, authorization, and accounting. LDAP is often used as a backend database that a TACACS+ or RADIUS server queries.
LDAP is like a phone book that contains employee names and phone numbers. TACACS+ is like a security system that uses the phone book to verify who you are, then checks a separate rule book to see where you can go, and writes your movements in a log.
Diameter is the successor to RADIUS, designed for modern networks including 4G/5G and LTE. It uses TCP or SCTP and provides better reliability and security than RADIUS. However, TACACS+ is still the preferred protocol for device administration because of its granular command authorization. Diameter is more complex and is not typically used for router and switch access.
Diameter is like a high-tech passport control system for international airports, handling many advanced checks. TACACS+ is like a simple but very strict security checkpoint for a single office building.
Step-by-Step Breakdown
User Initiates Connection
A network administrator opens an SSH or Telnet session to a router or switch. The device is configured to use TACACS+ for authentication. The device prompts for a username and password.
Authentication Request Sent to Server
The network device (NAS) takes the credentials and sends them to the TACACS+ server in an encrypted packet over TCP port 49. The server checks the credentials against its user database.
Server Responds with Authentication Result
The server sends back a response. It can be an accept, a reject, or a challenge (for example, asking for a one-time password). If accepted, the user is logged into the device. If rejected, the session is terminated.
User Requests Authorization for a Command or Service
After a successful login, the user types a command, such as show running-config or configure terminal. The device does not execute the command immediately. Instead, it sends an authorization request to the TACACS+ server. This request includes the username and the command string.
Server Checks Authorization Policies
The TACACS+ server looks up the user's authorization profile. The profile defines which commands or command categories are allowed. For example, a junior admin might only be allowed show commands. The server decides whether to permit or deny the command.
Server Sends Authorization Response and Device Executes or Blocks the Command
The server sends a response. If the response is permit, the device runs the command. If the response is deny, the device rejects the command and may display an error message to the user.
Accounting Packet Sent for Each Action
After the command is executed (or rejected), the device sends an accounting packet to the TACACS+ server. This packet includes the username, the command, the time, and whether the command succeeded or failed. The server stores this information in a log file or database.
Session Termination and Final Accounting
When the user logs out or the session times out, the device sends an accounting stop packet to the server. This records the end time of the session and the total duration. The complete audit trail is now stored on the server.
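The per-command authorization and accounting steps above, applied to the TechFlow scenario, as an added example (not the page's or any vendor's code). Users, groups and permitted command patterns are constructed from the scenario; anything not matched is denied.

```python
"""Per-command authorization and accounting policy for the TechFlow scenario,
as a TACACS+ server would evaluate the step-by-step flow above.

Added example, not the page's or any vendor's code. Users, groups and command
patterns are constructed from the scenario; the default verdict is deny."""
from dataclasses import dataclass
import fnmatch

PERMIT, DENY = "permit", "deny"

# Constructed policy: Maria (network-admin) may run anything; Alex and Priya
# (network-operator) may only check status. Patterns are case-sensitive globs
# matched against the whole normalised command line, so a filtered variant such
# as "show running-config | include secret" is not permitted unless listed.
GROUP_POLICY = {
    "network-admin": ["*"],
    "network-operator": [
        "show running-config",
        "show ip interface brief",
        "show interfaces*",
        "ping *",
    ],
}
USER_GROUP = {"maria": "network-admin", "alex": "network-operator", "priya": "network-operator"}


@dataclass
class AcctRecord:
    seq: int
    user: str
    device: str
    event: str    # "start", "command" or "stop"
    detail: str
    result: str


class TacacsPolicyServer:
    def __init__(self) -> None:
        self.log: list[AcctRecord] = []

    def _acct(self, user: str, device: str, event: str, detail: str, result: str) -> None:
        self.log.append(AcctRecord(len(self.log) + 1, user, device, event, detail, result))

    @staticmethod
    def normalise(command: str) -> str:
        # IOS sends the fully expanded command, so "conf t" arrives as
        # "configure terminal"; here we only collapse whitespace.
        return " ".join(command.split())

    def session_start(self, user: str, device: str) -> None:
        self._acct(user, device, "start", "login", "ok")

    def session_stop(self, user: str, device: str) -> None:
        self._acct(user, device, "stop", "logout", "ok")

    def authorize(self, user: str, device: str, command: str) -> str:
        """Step 5/6: look up the user's profile, permit or deny, then account for it."""
        cmd = self.normalise(command)
        patterns = GROUP_POLICY.get(USER_GROUP.get(user), [])  # unknown user -> no patterns -> deny
        verdict = PERMIT if any(fnmatch.fnmatchcase(cmd, p) for p in patterns) else DENY
        self._acct(user, device, "command", cmd, verdict)
        return verdict

    def commands_by(self, user: str) -> list[tuple[str, str]]:
        """Audit view: every command a user attempted and the verdict it received."""
        return [(r.detail, r.result) for r in self.log if r.user == user and r.event == "command"]


if __name__ == "__main__":
    srv = TacacsPolicyServer()
    srv.session_start("alex", "rtr1")
    print(srv.authorize("alex", "rtr1", "configure terminal"))      # deny
    print(srv.authorize("alex", "rtr1", "show ip interface brief"))  # permit
    srv.session_stop("alex", "rtr1")
    for r in srv.log:
        print(r)
```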
Practical Mini-Lesson
To implement TACACS+ in a real network, you need two main components: a TACACS+ server and network devices configured as clients. The server can be a dedicated appliance like Cisco ISE, a software package like FreeRADIUS with the tac_plus module, or a commercial solution like Aruba ClearPass. The server must have a user database, which can be local or integrated with an external directory like Active Directory or LDAP.
Start by installing and configuring the TACACS+ server. Define user accounts, passwords, and authorization policies. For example, you can create a group called 'network-admin' with full access, and another group called 'network-operator' with access only to show commands and ping. Assign users to these groups. Set a shared secret key that will be used for encryption between the server and the network devices.
Next, configure each router and switch. On a Cisco device, the first step is to enable AAA globally with the command aaa new-model. Then configure the server details: tacacs-server host 10.1.1.1 key SharedSecret123. Define an authentication method list: aaa authentication login default group tacacs+ local. This tells the device to try TACACS+ first, and if the server is unreachable, fall back to local usernames stored on the device. This fallback is critical to prevent lockout.
For authorization, use the command aaa authorization commands 15 default group tacacs+ local. The number 15 refers to the privilege level. Cisco devices have privilege levels from 0 to 15, where 15 is full access. You can also define authorization for configuration mode: aaa authorization config-commands. Finally, set up accounting: aaa accounting commands 15 default start-stop group tacacs+.
Apply the authentication to the VTY lines: line vty 0 4, then login authentication default. For the console port: line con 0, then login authentication default. Now, when you connect via SSH, the device will send your credentials to the TACACS+ server.
Common issues include incorrect shared secret, firewall blocking TCP 49, DNS resolution problems, and the server not being reachable from the device. Always test by first using a local account, then testing TACACS+ authentication. Use debug commands like debug tacacs+ to see the conversation between the device and the server. Check the server logs for authentication failures.
Professionals should also consider redundancy. Configure multiple TACACS+ servers so that if one fails, the device falls over to a secondary server. Use the command tacacs-server host 10.1.1.2 key AnotherKey to add a second server. The device will try them in order.
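Before pushing the configuration from the last few paragraphs to a device, a practitioner would check it for the lockout and redundancy mistakes the lesson warns about. Here is an added example (not the page's or Cisco's code) that audits an IOS AAA snippet; the sample configurations are constructed from the lesson's commands and the local password is a placeholder.

```python
"""Pre-deployment checks for a Cisco IOS AAA configuration snippet.

Added example, not the page's or Cisco's code. The sample configurations are
constructed from the commands used in the mini-lesson above; the local
password is a placeholder."""

# Constructed from the lesson: two servers, local fallback, command accounting.
SAFE_CONFIG = """\
aaa new-model
tacacs-server host 10.1.1.1 key SharedSecret123
tacacs-server host 10.1.1.2 key AnotherKey
username breakglass privilege 15 secret <local-fallback-password>
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+
line con 0
 login authentication default
line vty 0 4
 login authentication default
"""

# Constructed lockout-prone variant: one server, no local fallback, no accounting.
RISKY_CONFIG = """\
aaa new-model
tacacs-server host 10.1.1.1 key SharedSecret123
aaa authentication login default group tacacs+
aaa authorization commands 15 default group tacacs+
line vty 0 4
 login authentication default
"""


def _find(lines: list[str], prefix: str):
    return next((l for l in lines if l.startswith(prefix)), None)


def audit_aaa_config(config: str) -> list[str]:
    """Return human-readable findings; an empty list means the snippet passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings: list[str] = []

    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: the method lists below have no effect")

    servers = [l for l in lines if l.startswith("tacacs-server host")]
    if not servers:
        findings.append("no TACACS+ server defined")
    elif len(servers) == 1:
        findings.append("single TACACS+ server: add a second for failover")

    # Each method list must end in 'local' so a server outage cannot lock you out,
    # and that fallback is only useful if a local username actually exists.
    fallback_lists = []
    for prefix, what in (("aaa authentication login default", "login"),
                         ("aaa authorization commands 15 default", "command authorization")):
        entry = _find(lines, prefix)
        if entry is None:
            findings.append(f"{what} method list missing")
        elif "local" not in entry.split():
            findings.append(f"{what} has no 'local' fallback: server outage locks you out")
        else:
            fallback_lists.append(what)
    if fallback_lists and not any(l.startswith("username ") for l in lines):
        findings.append("'local' fallback configured but no local username exists")

    if _find(lines, "aaa accounting commands") is None:
        findings.append("no command accounting: no audit trail of what was typed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("SAFE_CONFIG", SAFE_CONFIG), ("RISKY_CONFIG", RISKY_CONFIG)):
        print(name, audit_aaa_config(cfg) or "OK")
```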
TACACS+ integrates with broader IT concepts like identity and access management (IAM), zero trust architecture, and security information and event management (SIEM). The accounting logs can be sent to a SIEM system for real-time monitoring and alerting. TACACS+ is a foundational tool for securing network infrastructure.
Memory Tip
Think of TACACS+ as the 'Three A's Plus Security': Authentication (who you are), Authorization (what you can do), and Accounting (what you did), all wrapped in full encryption over TCP. As a mnemonic only (not the real expansion), read TCP as Trusted Control Protocol for TACACS+.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701 CompTIA Security+
200-301 Cisco CCNA
220-1101 CompTIA A+ Core 1
220-1102 CompTIA A+ Core 2
SC-900
CDL Google CDL
ISC2 CC
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008, now N10-009 (current version)
SY0-601, now SY0-701 (current version)
Related Glossary Terms
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
Frequently Asked Questions
What is the difference between TACACS+ and RADIUS?
TACACS+ separates authentication, authorization, and accounting into three separate processes, while RADIUS combines authentication and authorization into one. TACACS+ uses TCP port 49 and encrypts the entire packet. RADIUS uses UDP and only encrypts the password. TACACS+ is primarily for managing device access, while RADIUS is for user network access.
What port does TACACS+ use?
TACACS+ uses TCP port 49. This is a common exam question, so memorize that it is TCP, not UDP.
Is TACACS+ an open standard?
No, TACACS+ is a proprietary protocol developed by Cisco. However, many other vendors support it because it is widely used in enterprise networks.
Can TACACS+ be used for wireless authentication?
Typically, no. TACACS+ is designed for administrative access to network devices. RADIUS is the standard protocol for authenticating wireless users.
What is the purpose of the shared secret in TACACS+?
The shared secret is a key used to encrypt the communication between the network device and the TACACS+ server. Both ends must have the same shared secret for the encryption to work.
What happens if the TACACS+ server is unreachable?
If the server is unreachable, the network device will fall back to its local authentication method if configured. This is why it is important to configure a local username and password as a backup.
Does TACACS+ support per-command authorization?
Yes, this is one of its key features. TACACS+ can be configured to authorize every single command a user types, allowing very granular control over what each administrator can do.
Summary
TACACS+ is a powerful AAA protocol that gives network administrators precise, centralized control over who can access network devices and what commands they can run. By separating authentication, authorization, and accounting into three distinct functions, it provides a level of granularity that RADIUS and other protocols cannot match. Its use of TCP ensures reliable delivery of messages, and full-packet encryption protects sensitive credentials and commands from eavesdropping.
For certification exams like CompTIA Network+, Security+, and Cisco CCNA, understanding the differences between TACACS+ and RADIUS is critical. You should know its port number (TCP 49), its proprietary nature, and its primary use case for device administration. In the real world, TACACS+ helps organizations enforce the principle of least privilege, maintain audit trails for compliance, and secure their network infrastructure against unauthorized changes.
Remember that TACACS+ is the protocol of choice when you need to manage who can type what on your routers and switches.