Introduction to TACACS+

TACACS+ (Terminal Access Controller Access-Control System Plus) is an AAA (authentication, authorization and accounting) protocol designed by Cisco and now documented in RFC 8907. Its primary use is device administration: authenticating network administrators who log in to routers, switches and firewalls, authorizing what they may do once logged in, and recording what they did. It can also be used for network access (for example dial-in or VPN users), although RADIUS is the usual choice there.

AAA protocols differ in how much of each packet they protect. TACACS+ obfuscates the entire packet body, so usernames, command arguments and accounting records are not readable on the wire; only the 12-byte header, which carries the session ID and sequence number, is sent in cleartext. RADIUS protects only the User-Password attribute and sends everything else, including the username, in cleartext. This is why TACACS+ is considered the more secure of the two for device administration. Note, however, that the TACACS+ body protection is an MD5-based keystream derived from the shared secret, not modern authenticated encryption; RFC 8907 describes it as obfuscation rather than encryption and recommends confining the protocol to a protected management network (or tunnelling it) and using long, unique shared secrets per device.

 How TACACS+ Works

For an ASCII login the exchange is a sequence of START, REPLY and CONTINUE packets. The Network Access Device (NAS) opens a TCP connection to the TACACS+ server and sends an authentication START packet. The server answers with a REPLY whose status is GETUSER, which carries the username prompt; the NAS shows the prompt to the user and sends the username back in a CONTINUE packet. The server then replies with GETPASS (the password prompt, flagged so the NAS does not echo the input), the NAS sends the password in a second CONTINUE packet, and the server makes its decision.

Fig 1.1- TACACS+ Authentication

The server can respond with one of the following reply messages: 

  • If the credentials are valid, the TACACS+ server responds with an ACCEPT (PASS) reply. 
  • If the credentials are not valid, the server responds with a REJECT (FAIL) reply. 
  • If the server cannot process the request (for example a shared-secret mismatch leaves the packet body undecodable, or the server's backend is unavailable), it responds with an ERROR reply. Cisco devices treat ERROR as a server failure rather than a rejection and move on to the next configured server or the next method in the AAA method list (such as the local user database), so an ERROR is not the same as a REJECT. 
  • If authorization is also configured, the NAS sends a separate authorization request (one for the exec session and, with command authorization, one for each command entered), and the server returns an ACCEPT or REJECT authorization response. An ACCEPT response carries attribute-value pairs (for example priv-lvl=15) that determine which services and commands the user is allowed to use. 

 Features of TACACS+ 

The main features of TACACS+ as Cisco implemented it are:
  • Cisco created the protocol for its AAA framework; it is used between Cisco devices and a Cisco AAA server such as ACS (now end of life) or ISE, and is also supported by non-Cisco devices and by open-source servers. 
  • It uses TCP as its transport protocol. 
  • It uses TCP port 49. 
  • When the device and the server use TACACS+, the body of every AAA packet exchanged between them is obfuscated with the shared secret; only the header is cleartext. 
  • It separates AAA into independent functions (authentication, authorization and accounting), so each can be handled by a different server or method. 
  • It provides more granular control than RADIUS by letting the administrator specify which commands each user is authorized to run. 
  • It supports accounting, although its accounting is less detailed than RADIUS accounting, which carries more per-session traffic statistics. 

 Benefits of TACACS+ over RADIUS 

  • Provides more granular control than RADIUS. TACACS+ lets a network administrator specify, per user or group, which commands may be executed, because the device can send each command to the server for authorization before running it. 
  • Unlike RADIUS, the whole packet body is obfuscated, not just the password. 
  • TACACS+ uses TCP rather than UDP. TCP gives reliable, ordered delivery and connection state, so the device can distinguish a slow server from a dead one and fail over sooner, instead of relying on retransmission timers as RADIUS does.
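Per-command authorization as a policy-evaluation example, added here in Python; it is not code from the article, from Cisco ACS or ISE, or from any TACACS+ server. The argument format (attribute=value for mandatory arguments, attribute*value for optional ones) and the PASS_ADD and FAIL status codes are from RFC 8907; the service=shell, cmd and cmd-arg attributes and the trailing cmd-arg=<cr> are what Cisco IOS sends for exec and per-command authorization. The command sets, group names, users, privilege-level mapping and the authorize() function are assumptions constructed for this example.

```python
import re

# Authorization REPLY status codes from RFC 8907 s6.2.
AUTHOR_PASS_ADD, AUTHOR_FAIL = 0x01, 0x10

def parse_args(args):
    """Split authorization arguments into (attribute, value, mandatory) tuples.
    RFC 8907 uses '=' for mandatory arguments and '*' for optional ones."""
    parsed = []
    for arg in args:
        m = re.match(r"^([^=*]+)([=*])(.*)$", arg)
        if not m:
            raise ValueError(f"malformed authorization argument: {arg!r}")
        parsed.append((m.group(1), m.group(3), m.group(2) == "="))
    return parsed

def command_line(parsed):
    """Rebuild the command the device wants to run: cmd followed by each cmd-arg.
    Cisco IOS appends a final cmd-arg=<cr>, which is dropped here."""
    words = [v for a, v, _ in parsed if a == "cmd"]
    words += [v for a, v, _ in parsed if a == "cmd-arg" and v != "<cr>"]
    return " ".join(words)

# Constructed policy (an assumption of this example): ordered (verdict, regex) rules
# per group, first match wins, and anything unmatched is denied.
COMMAND_SETS = {
    "netops-readonly": [("permit", r"^show .*"), ("permit", r"^ping .*")],
    "netops-admin": [("deny", r"^(no )?username .*"), ("deny", r"^reload"), ("permit", r".*")],
}
PRIV_LVL = {"netops-readonly": "1", "netops-admin": "15"}
USER_GROUPS = {"alice": "netops-admin", "bob": "netops-readonly"}   # constructed users

def authorize(user, args):
    """Return (status, attributes to send back) for one authorization request."""
    parsed = parse_args(args)
    attrs = {a: v for a, v, _ in parsed}
    group = USER_GROUPS.get(user)
    if group is None or attrs.get("service") != "shell":
        return AUTHOR_FAIL, []
    if not attrs.get("cmd"):
        # Exec authorization (IOS sends 'cmd*' with an empty value): hand back the
        # privilege level the session should start with.
        return AUTHOR_PASS_ADD, [f"priv-lvl={PRIV_LVL[group]}"]
    cmd = command_line(parsed)
    for verdict, pattern in COMMAND_SETS[group]:
        if re.match(pattern, cmd):
            return (AUTHOR_PASS_ADD, []) if verdict == "permit" else (AUTHOR_FAIL, [])
    return AUTHOR_FAIL, []                                    # default deny
```

With this policy `authorize("bob", ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"])` is permitted while the same user's `configure terminal` is refused, and `alice` can configure but cannot `reload` or edit local usernames. This is the per-command decision that RADIUS cannot make, because RADIUS authorizes once at login and has no request type for an individual command. The deny-before-permit ordering and the default deny at the end are deliberate: an unmatched command should never fall through to a permit.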