TACACS+ is an authentication protocol that allows a network access server to communicate with an authentication server to determine if a user has access to the network.
TACACS+ is a new protocol developed by Cisco that replaces two earlier industry standards, TACACS and XTACACS (Extended TACACS). TACACS+ is not compatible with either of the older protocols. Cisco has submitted the TACACS+ protocol specification in a draft RFC to the IETF, both to develop a standard and to support customers interested in developing their own TACACS+ software.
TACACS+ server services are maintained in a database on a TACACS+ daemon running on a Windows 2000/NT or UNIX host. Cisco's servers supporting TACACS+ include CiscoSecure ACS for Windows, CiscoSecure UNIX, and Cisco Access Registrar. CiscoSecure ACS (Cisco Secure Access Control Server) can run both TACACS+ and RADIUS. The underlying architecture of the TACACS+ protocol complements the AAA architecture.
TACACS+ fully supports the AAA architecture by separating the authentication, authorization, and accounting. This allows the flexibility of using another service, such as Kerberos, for authentication, while still using TACACS+ for authorization and/or accounting.
TACACS+ uses TCP for connection-oriented transport between clients and servers. TCP port 49 is reserved for TACACS+. The acknowledgments (TCP ACK) provide indications that a request has been received. This same TCP process uses RST packets to provide immediate indication of a failed (or offline) authentication server. TCP keepalives can be used to watch for failed servers and to facilitate rapid failover between multiple connected authentication servers. TCP scales better and adapts better to growing and/or congested networks.
TACACS+ supports bidirectional challenge/response, like CHAP, between the two network access servers.
In addition to supporting SLIP and PPP encapsulation protocols, TACACS+ supports the following protocols:
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
NetBIOS Frame Protocol Control protocol
AppleTalk Remote Access protocol (ARAP)
TACACS+ encrypts the entire data payload of the packet, leaving only the standard TACACS+ header in cleartext. While it’s possible for debugging purposes to leave the body of the packets unencrypted, normal operation will fully encrypt the body for more secure communications. A field in the header indicates whether the body is encrypted.
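To make the header/body split concrete, here is an added Python model of the TACACS+ packet layout and body obfuscation as defined in the protocol specification (RFC 8907). It is an illustration written for this page, not Cisco or CiscoSecure code; the shared secret, session ID and authentication START body are constructed sample values. Two points it makes visible: the 12-byte header (version, type, sequence number, flags, session ID, body length) is readable by anyone on the path whether or not the body is encrypted, and the body "encryption" is a keyed MD5 keystream XORed over the body, so its strength rests entirely on the secrecy and quality of the shared key. The current specification calls this obfuscation rather than encryption, which is why the shared secret and the management-network path deserve the same care as any other credential.

```python
import hashlib
import struct
from dataclasses import dataclass

# Header flag bit and field layout from the TACACS+ specification (RFC 8907).
TAC_PLUS_UNENCRYPTED_FLAG = 0x01           # body carried in cleartext (debug use only)
HEADER_FMT = "!BBBBII"                     # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes, never obfuscated
TYPE_NAMES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}


@dataclass
class Header:
    version: int      # 0xC0 = major version 0xC, minor version 0
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int       # body length, excluding the header

    def pack(self) -> bytes:
        return struct.pack(HEADER_FMT, self.version, self.type, self.seq_no,
                           self.flags, self.session_id, self.length)

    @classmethod
    def unpack(cls, data: bytes) -> "Header":
        if len(data) < HEADER_LEN:
            raise ValueError("short TACACS+ header")
        return cls(*struct.unpack(HEADER_FMT, data[:HEADER_LEN]))

    @property
    def body_encrypted(self) -> bool:
        # This header flag is what tells the receiver whether to apply the pad.
        return not (self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def pseudo_pad(hdr: Header, key: bytes, length: int) -> bytes:
    """Keystream from the spec: chained MD5 over session_id, key, version,
    seq_no and the previous digest, truncated to the body length."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(hdr: Header, key: bytes, body: bytes) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so the same call
    obfuscates on send and recovers on receive; a cleartext body is untouched."""
    if not hdr.body_encrypted:
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(hdr, key, len(body))))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Minimal authentication START body: ASCII login at priv_lvl 1, no data."""
    action, priv_lvl, authen_type, service = 1, 1, 1, 1
    return (struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), 0)
            + user + port + rem_addr)


def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes,
                 encrypt: bool = True, ptype: int = 1) -> bytes:
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    hdr = Header(0xC0, ptype, seq_no, flags, session_id, len(body))
    return hdr.pack() + transform_body(hdr, key, body)


def decode_packet(packet: bytes, key: bytes):
    """What a receiver holding the shared secret recovers: (header, body)."""
    hdr = Header.unpack(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr.length]
    if len(body) != hdr.length:
        raise ValueError("truncated body")
    return hdr, transform_body(hdr, key, body)


def cleartext_view(packet: bytes) -> dict:
    """Fields visible to anyone on the path, with or without the secret."""
    hdr = Header.unpack(packet)
    return {"type": TYPE_NAMES.get(hdr.type, hdr.type), "seq_no": hdr.seq_no,
            "session_id": hdr.session_id, "body_len": hdr.length,
            "body_encrypted": hdr.body_encrypted}


# Constructed sample values for the illustration (not from a real deployment).
KEY = b"constructed-shared-secret"
BODY = authen_start_body(b"alice", b"tty1", b"192.0.2.10")
PACKET = build_packet(KEY, 0x11223344, 1, BODY)

if __name__ == "__main__":
    print(cleartext_view(PACKET))
    hdr, plain = decode_packet(PACKET, KEY)
    print("right key recovers body:", plain == BODY)
    print("wrong key recovers body:", decode_packet(PACKET, b"wrong")[1] == BODY)
```

Running it shows the header fields in the clear for the obfuscated packet, the body recovered only with the right key, and a packet built with the unencrypted flag set carrying its body verbatim regardless of key.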
TACACS+ supports two methods for controlling the authorization of router commands on either a per-user or per-group basis.
Assign commands to privilege levels and have the router use TACACS+ to verify that the user is authorized at the specified privilege level.
Explicitly define on the TACACS+ server the commands allowed on a per-user or per-group basis.
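As an added illustration of the two methods (not code from CiscoSecure ACS or any real TACACS+ daemon), the Python below models the server-side decision for a shell command authorization request: a privilege-level check for the first method, and an ordered per-user/per-group command rule list for the second, where a user's own rules take precedence over the group's, the first matching rule wins, and unmatched commands fall to the nearest explicit default or an implicit deny. The users, groups, rule syntax and commands are constructed for the example; `cmd` and `cmd-arg` are the attribute names the shell authorization request actually carries.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    cmd: str          # command keyword the router sends as the "cmd" attribute
    args: str         # regex matched (fullmatch) against the joined "cmd-arg" values
    permit: bool


@dataclass
class Principal:
    """A user or a group; a user's group supplies rules the user does not override."""
    name: str
    priv_lvl: int = 1                             # highest level the server grants (method 1)
    rules: list = field(default_factory=list)     # ordered; first match wins (method 2)
    group: Optional["Principal"] = None
    default_permit: Optional[bool] = None         # None = inherit, otherwise explicit default


def authorize_by_level(principal: Principal, command_level: int) -> bool:
    """Method 1: the router has assigned the command to command_level; the
    server only confirms that the user holds at least that level."""
    return principal.priv_lvl >= command_level


def authorize_by_rules(principal: Principal, cmd: str, cmd_args: list) -> tuple:
    """Method 2: walk the user's rules, then the group's; return (decision, reason).
    fullmatch is used so 'running-config' cannot be matched by a prefix like 'run'."""
    arg_text = " ".join(cmd_args)
    p, fallback = principal, None
    while p is not None:
        for r in p.rules:
            if r.cmd == cmd and re.fullmatch(r.args, arg_text):
                verdict = "permit" if r.permit else "deny"
                return r.permit, f"{verdict} by {p.name}: {r.cmd} /{r.args}/"
        if fallback is None and p.default_permit is not None:
            fallback = (p.default_permit, f"default of {p.name}")
        p = p.group
    return fallback if fallback else (False, "implicit deny")


# Constructed sample policy: an operations group and two members.
NETOPS = Principal("netops", priv_lvl=7, rules=[
    Rule("show", r"running-config.*", permit=False),   # listed first, so it wins over the permit below
    Rule("show", r".*", permit=True),
    Rule("configure", r".*", permit=False),
])
ALICE = Principal("alice", priv_lvl=15, group=NETOPS,
                  rules=[Rule("configure", r"terminal", permit=True)])  # user override
BOB = Principal("bob", group=NETOPS)


if __name__ == "__main__":
    for who, cmd, args in [(ALICE, "show", ["ip", "interface", "brief"]),
                           (BOB, "show", ["running-config"]),
                           (ALICE, "configure", ["terminal"]),
                           (BOB, "configure", ["terminal"]),
                           (BOB, "reload", [])]:
        print(who.name, cmd, " ".join(args), "->", authorize_by_rules(who, cmd, args))
    print("bob at level 15:", authorize_by_level(BOB, 15))
```

The order of the rules is the part to get right in practice: the deny for `show running-config` only works because it precedes the general `show` permit, and a user-level rule is consulted before any group rule, which is how a per-user exception is expressed without editing the group.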