English

TACACS

Updated on Nov 2, 2024 by
307

Definition

The Terminal Access Controller Access Control System (TACACS) is a protocol used in Unix networks to communicate with an identity authentication server, determining whether users have permission to access the network. Various vendors have extended TACACS. For example, Cisco developed TACACS+, while Huawei developed HWTACACS. Both TACACS+ and HWTACACS are proprietary protocols. They have gradually replaced TACACS and are no longer compatible with the original TACACS.

Background

TACACS is a protocol for managing user authentication, authorization, and accounting (AAA) that emerged in the 1980s. It is primarily used in Unix networks to facilitate secure communication with an authentication server and verify user access permissions.

In 1984, the TACACS protocol was initially introduced by a U.S. military research institute as detailed in RFC 927. It was designed for MILNET to simplify user identity verification, allowing users to seamlessly connect to multiple hosts within the network after logging into one. Over time, Cisco adopted and built upon TACACS in their network equipment, leading to an advanced version called Extended TACACS (XTACACS), outlined in RFC 1492. Unlike its predecessor, XTACACS separates the authentication, authorization, and accounting processes, allowing these functions to be managed on separate servers for finer control and management by administrators.

With the evolution of networks came the need for more versatile deployment options and better control over user commands. In response, vendors enhanced both TACACS and XTACACS. Cisco's TACACS+ is a notable example of these enhancements.

How TACACS Functions

  • Authentication: When a user tries to access a network device, TACACS handles verifying who they are. The user inputs their login details, usually a username and password, which are sent to the TACACS server. This server checks these details against its list of authorized users. If they match, the user is allowed access.

  • Authorization: After confirming the user's identity, TACACS decides what activities the user can carry out on the network device. This involves identifying which commands can be used and what resources are available to them. The TACACS server holds a record of user permissions and implements these rules to make sure users only do what they are permitted.

  • Accounting: TACACS logs all user actions on the network device, such as when they log in and out, which commands they use, and what resources they access. This information can be useful for audits, billing, or troubleshooting. By recording these activities, TACACS aids network administrators in monitoring and managing network usage effectively.

TACACS+ is an upgraded, more secure, and flexible version of TACACS, offering many key enhancements. It uses TCP for stable communication, encrypts all packet data except the header, and supports various authentication methods like PAP, CHAP, and MS-CHAP.

TACACS

TACACS+ vs. RADIUS

While both TACACS+ and RADIUS serve as protocols for managing network access, their primary uses differ significantly. RADIUS is primarily geared towards authenticating users who are accessing networks, while TACACS+ is mainly focused on managing network equipment like routers and switches. Aside from these roles, there are several other key distinctions between the two protocols.

Below is a table that highlights the most critical differences between TACACS+ and RADIUS.

RADIUS
TACACS+
RADIUS stands for Remote Authentication Dial-In User Service.
TACACS+ is an abbreviation of Terminal Access Controller Access-Control System Plus.
Documented in RFC 2865.
Described in RFC 1492.
RADIUS uses User Datagram Protocol (UDP) as Transport Layer Protocol.
TACACS+ uses Transmission Control Protocol (TCP) as Transport Layer Protocol.
RADIUS uses UDP port 1812 or 1645 for authentication and port 1813 or 1646 for accounting.
TACACS uses TCP port 49 to communicate between the client and server.
RADIUS provides no support for the external authorization of commands.
TACACS+ provides control over the authorization of commands, allowing granular control.
RADIUS encrypts passwords only, leaving other information unencrypted.
TACACS+ encrypts all packets.
RADIUS bundles authentication and authorization, making it impossible to perform them separately. Accounting can be used separately.
TACACS+ separates Authentication, Authorization, and Accounting, making it possible to use different protocols for authentication and authorization or accounting.
RADIUS does not support command accounting.
TACACS+ supports command accounting.
RADIUS is an open-standard protocol that works with virtually all modern devices.
TACACS+ is Cisco’s proprietary protocol and works with Cisco devices only.
RADIUS supports only one privilege level (limited to privilege mode)
TACACS+ supports multiple privilege levels.
RADIUS supports 802.1x. port-based network access control
TACACS+ does not support 802.1x port-based network access control.
RADIUS is mainly a network access protocol.
TACACS+ is mainly used for device administration using Access Control Server (ACS) servers.
RADIUS has no multiprotocol support – IP only.
TACACS+ has multiprotocol support (IP, Novell, NetBIOS, Apple, X.25).
RADIUS cannot authenticate network devices.
TACACS+ can authenticate network devices.

 

Videos
Global Delivery Service | FS
01:11
Jun 26, 2024
323
Global Delivery Service | FS
Related Topics
Solutions