Introduction to TACACS and TACACS+ (Terminal Access Controller Access Control System)

Today I am going to talk about the TACACS and TACACS+ basics with you. I am sure most of you already know TACACS and TACACS+, as many of you have worked with and configured it on your devices, whether Cisco, Juniper or any other vendor in your network.

In this article I am just going to talk about TACACS and TACACS+ as follows.

What is TACACS and TACACS+?
Well, all of you have heard this term many times, but many of you are confused about what TACACS and TACACS+ actually are.

Terminal Access Controller Access Control System, or TACACS, is an authentication protocol commonly used within UNIX-based networks. It allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system.

TACACS and TACACS+
TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery.

Fig 1.1- TACACS and TACACS+ Server
TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all traffic between the vendor device and the TACACS+ server. TACACS+ allows authentication exchanges of arbitrary length and content, which allows any authentication mechanism to be used with your device.

TACACS+ is extensible to provide for site customization and future development features. The protocol allows the device to request very precise access control and allows the TACACS+ server to respond to each component of that request.
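As an added illustration (not code from the original post or from any vendor), here is a minimal Python implementation of the TACACS+ packet header and body protection as specified in RFC 8907. What the text calls encryption is, per that RFC, an XOR of the body with an MD5-derived pad seeded by the session id, the shared key (the tacacs-server key in the config below), the version byte and the sequence number, so its strength rests entirely on that key staying secret. The body contents, key and session id used here are constructed placeholders.

```python
import hashlib
import struct

# Header layout from RFC 8907: version, type, seq_no, flags, session_id, length (network byte order)
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # when set, the body is sent in the clear

def pseudo_pad(session_id, key, version, seq_no, length):
    """Pad from RFC 8907 sec. 4.5: MD5_1 = MD5(session_id|key|version|seq_no), MD5_n adds MD5_n-1."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it, since it is a symmetric keystream."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(pkt_type, seq_no, session_id, body, key):
    """Serialize header + body; an empty key sets the unencrypted flag and leaves the body in cleartext."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    payload = body if not key else obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, pkt_type, seq_no, flags, session_id, len(body))
    return header + payload

def parse_packet(packet, key):
    """Parse the header, check the declared length, and recover the body with the shared key."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated body")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)   # a defender can flag such sessions on the wire
    body = payload if cleartext else obfuscate(payload, session_id, key, version, seq_no)
    return {"type": pkt_type, "seq_no": seq_no, "session_id": session_id, "cleartext": cleartext, "body": body}

# Constructed sample values: a stand-in body and a placeholder key (not the key shown in the page's config)
SAMPLE_BODY = b"user=admin port=tty0 rem_addr=10.0.0.5"
SAMPLE_KEY = b"placeholder-shared-secret"
SAMPLE_SESSION = 0x1A2B3C4D

if __name__ == "__main__":
    print(parse_packet(build_packet(TAC_PLUS_AUTHEN, 1, SAMPLE_SESSION, SAMPLE_BODY, SAMPLE_KEY), SAMPLE_KEY))
```

Parsing the same packet with the wrong key yields garbage rather than an error: the protocol has no integrity check on the body, which is why the key and the transport path between device and server both need protecting.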

TACACS and TACACS+ Security

Let's talk about TACACS and TACACS+ security. You can use Terminal Access Controller Access Control System (TACACS) or TACACS+ as a security protocol to authenticate the following kinds of access to the device:
  • Telnet access
  • SSH access
  • Console access
  • Web management access
  • Access to the Privileged EXEC level and CONFIG levels of the CLI

The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is sent between a Brocade device and an authentication database on a TACACS or TACACS+ server. TACACS or TACACS+ services are maintained in a database, typically on a UNIX workstation or PC running a TACACS or TACACS+ server.

Below is a diagram showing the difference between RADIUS and TACACS/TACACS+.

Fig 1.2- TACACS+ Vs RADIUS


Now I am going to talk about the basic configuration of TACACS and TACACS+. Below is a sample configuration of TACACS and TACACS+ on Brocade devices.

Sample Basic Configuration of TACACS and TACACS+ for Brocade Devices

!
! Login authentication: try the TACACS+ server first, fall back to the enable password
aaa authentication login default tacacs+ enable
aaa authentication login privilege-mode
! Command and EXEC authorization are delegated to the TACACS+ server
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
! Start/stop accounting records for commands, EXEC sessions and system events
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
! Apply AAA to the console port as well, not only to remote (Telnet/SSH/web) access
enable aaa console
hostname Fred
ip address 172.10.1.56 255.255.255.0
! TACACS+ server address and the shared key (shown here in the stored, encrypted form "2")
tacacs-server host 255.255.253.255
tacacs-server key 2 %d3KpZ0RVRFpJ
!