||This article includes a list of references, related reading or external links, but its sources remain unclear because it lacks inline citations. (November 2013)|
Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. The original TACACS protocol, which dates back to 1984, was utilized for communicating with an authentication server commonly used in older UNIX networks and spawned related protocols:
- Extended TACACS (XTACACS) is a proprietary extension to TACACS that was introduced by Cisco Systems in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both allow a remote access server to communicate with an authentication server in order to determine if the user has access to the network.
- Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ and other flexible AAA protocols have largely replaced their predecessors.
TACACS was originally developed in 1984 by BBN Technologies for administering MILNET, which ran unclassified network traffic for DARPA at the time and would later evolve into the U.S. Department of Defense's NIPRNet.
TACACS is defined in RFC 1492, and uses (either TCP or UDP) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. TACACSD uses TCP and usually runs on port 49. It would determine whether to accept or deny the authentication request and send a response back. The TIP (routing node accepting dial-up line connections, which the user would normally want to log in into) would then allow access or not, based upon the response. In this way, the process of making the decision is "opened up" and the algorithms and data used to make the decision are under the complete control of whomever is running the TACACS daemon.
A later version of TACACS introduced by Cisco in 1990 was called Extended TACACS (XTACACS). The XTACACS protocol was developed by and is proprietary to Cisco Systems.
TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and is not compatible with TACACS or XTACACS. TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). Since TCP is connection oriented protocol, TACACS+ does not have to implement transmission control. RADIUS, however, does have to detect and correct transmission errors like packet loss, timeout etc. since it rides on UDP which is connectionless.
RADIUS encrypts only the users' password as it travels from the RADIUS client to RADIUS server. All other information such as the username, authorization, accounting are transmitted in clear text. Therefore it is vulnerable to different types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.
- List of authentication protocols
- An Access Control Protocol, Sometimes Called TACACS
- Overview of AAA Technology
- Cisco's TACACS+ RFC draft
- http://www.gazi.edu.tr/tacacs Database supported tacacs+
- http://rubyforge.org/projects/tacacs-plus/ A pure Ruby implementation of TACACS+
- TACACS+ client and PAM module
- An Analysis of the TACACS+ Protocol and its Implementations from a security standpoint, by Openwall
- https://sites.google.com/site/tacplusvm/ An implementation of tac_plus+webadmin from in a VM
- TACACS+ Benefits and Best Practices
- TACACS+ (Terminal Access Controller Access Control System)