TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol for authentication, authorization and accounting (AAA). Originally developed by Cisco and documented in RFC 8907, it grants network access only to authorized users, regulates the rights of those users, and logs their actions. TACACS+ is an alternative to other AAA protocols such as RADIUS.
Modern networks with their numerous services and network components present a massive challenge in terms of controlling user access rights. In large installations in particular, the overhead would be enormous to keep user data consistent on all devices or for all services. For this reason, user data should be managed on a central server.
As a simple example, a user wishes to log in to a router and sends the corresponding credentials (user ID and password) to it. In this case the router functions as a Network Access Server (NAS): it does not check the credentials itself; rather, it forwards them to the central AAA server, which verifies them and answers with an accept or a reject.
The advanced TACACS+ functions include, among others, the option of requiring users to change their passwords after logging in for the first time, or when the password has expired. The corresponding prompts are generated by the AAA server and relayed to the user by the NAS.
TACACS+ is an alternative AAA server to the widespread RADIUS servers. The following table shows some of the major differences between RADIUS and TACACS+:
TACACS+ | RADIUS |
---|---|
Connection-orientated data transfer via TCP | Connectionless data transfer via UDP |
Entire packet body obfuscated (header sent in the clear) | Password only obfuscated, other attributes remain unencrypted |
Complete separation of authentication, authorization and accounting possible | Authentication and authorization combined |
- TCP-based communication (port 49) with TACACS+ is more reliable than RADIUS. Every segment between the NAS and the AAA server is acknowledged, so the NAS learns quickly, from a reset or a connection timeout, that the AAA server is unavailable, rather than having to infer this from missing UDP replies.
- TACACS+ obfuscates not only the password, as RADIUS does, but the entire packet body; only the 12-byte TACACS+ header travels in the clear. This hides information such as user names, commands and permitted services from a passive observer. The mechanism is an XOR with a pseudo-random pad generated from MD5 hashes over the session ID, the shared secret, the version byte and the sequence number. RFC 8907 deliberately calls this obfuscation rather than encryption: it offers no integrity protection and is only as strong as the shared secret, since the header provides the attacker with every pad input except the secret. For this reason the RFC recommends running TACACS+ only on a trusted management network or over a protected transport such as TLS.
- The separation of the three AAA functions enables TACACS+ to spread them across multiple servers. Whereas RADIUS always combines authentication and authorization in one exchange, TACACS+ allows them to be separated. In this way, for example, a TACACS+ server can be employed for authentication only, managing users but not the commands they are permitted to run.
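The NAS-to-server exchange from the router example above and the MD5-based body obfuscation described in the second bullet, as an added example that is not part of the original page or of any TACACS+ implementation. It builds an authentication START packet (PAP) the way a NAS would, obfuscates the body per RFC 8907 section 4.5, lets a minimal server deobfuscate and answer with a REPLY, and shows that a wrong shared secret or the unencrypted flag changes what an observer sees. The shared secret, session ID, user database and addresses are constructed sample values.

```python
"""Minimal TACACS+ (RFC 8907) packet builder/parser with body obfuscation.
Added illustration; the secret, session ID and user database are constructed."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0                 # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01                  # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # body sent in the clear (debugging only)
TAC_PLUS_AUTHEN_LOGIN = 0x01            # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02

# version, type, seq_no, flags, session_id, length: the 12 bytes sent in clear
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(raw, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def build_authen_start(user, port, rem_addr, data, priv_lvl=1):
    # action, priv_lvl, authen_type, service, then four one-byte field lengths
    return (bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr),
                   len(data)]) + user + port + rem_addr + data)


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    off, fields = 8, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "data": fields[3]}


def build_authen_reply(status, server_msg=b"", data=b"", flags=0):
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body):
    status, flags, ml, dl = struct.unpack("!BBHH", body[:6])
    return {"status": status, "flags": flags,
            "server_msg": body[6:6 + ml], "data": body[6 + ml:6 + ml + dl]}


# --- Constructed exchange: NAS sends START (seq 1), server answers REPLY (seq 2) ---
SECRET = b"constructed-shared-secret"
SESSION = 0x1A2B3C4D
USERS = {b"alice": b"correct horse"}   # constructed server-side user database


def nas_to_server(user, password, key=SECRET, session=SESSION, flags=0):
    """The NAS checks nothing itself; it forwards the PAP credentials."""
    body = build_authen_start(user, b"tty0", b"192.0.2.10", password)
    return build_packet(TAC_PLUS_AUTHEN, 1, session, body, key, flags)


def server_decides(raw, key=SECRET):
    """Server deobfuscates, verifies the password, replies PASS or FAIL."""
    pkt = parse_packet(raw, key)
    start = parse_authen_start(pkt["body"])
    ok = USERS.get(start["user"]) == start["data"]
    status = TAC_PLUS_AUTHEN_STATUS_PASS if ok else TAC_PLUS_AUTHEN_STATUS_FAIL
    reply = build_authen_reply(status, b"Welcome" if ok else b"Login failed")
    return build_packet(TAC_PLUS_AUTHEN, pkt["seq_no"] + 1, pkt["session_id"], reply, key)


def nas_reads_reply(raw, key=SECRET):
    return parse_authen_reply(parse_packet(raw, key)["body"])["status"]
```

Note that with the unencrypted flag set, or with the shared secret known, the user name and PAP password are readable straight from the body: the pad is a function of the header fields and the secret only, which is why the shared secret and the transport path matter so much.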