TACACS+ (Terminal Access Controller Access-Control System Plus, usually pronounced like tack-axe) is an access control network protocol for routers, network access servers and other networked computing devices.
Unlike RADIUS and the predecessors of TACACS+ (TACACS and XTACACS), TACACS+ provides separate authentication, authorization and accounting services. Like RADIUS, TACACS and XTACACS, TACACS+ is an open, publicly documented protocol. TACACS+ uses TCP and encrypts the entire packet (except the header).
TACACS+ ultimately derives from (but is not backwards-compatible with) TACACS, developed in 1984 for MILNET by BBN, a contractor for the U.S. Department of Defense. Originally designed as a means to automate logins, by which a person who was already authenticated on one host in the network could connect to another host on the same network without needing to authenticate again, TACACS is an open (quasi-)standard, described by BBN's Brian Anderson in Internet Engineering Task Force (IETF) RFC 927.
Cisco Systems began supporting TACACS in its networking products in the late 1980s, eventually adding their own extensions to the protocol, which the company then called 'XTACACS' ('eXtended TACACS'). In the simple (non-extended) form, Cisco's implementation was compatible with the original TACACS, while the extended form (XTACACS) was not. In 1993, with Cisco's assistance, Craig Finseth of the University of Minnesota published a description of Cisco's extensions in IETF RFC 1492.
The protocol continued to evolve over the following years, and in 1996 became what Cisco called 'TACACS+', in which the individual tasks of authentication, authorization and accounting were separate processes. Also, while XTACACS and TACACS use UDP (port 49), TACACS+ uses TCP (but still port 49). Cisco's David Carrel and Lol Grant submitted TACACS+ v1.75 for IETF standards approval in October 1996, followed by a revised version 1.78 in January 1998. The IETF draft expired in September 1998 without becoming an approved standard.
TACACS+ and RADIUS have generally replaced the older protocols.
Authentication, Authorization and Accounting (AAA)
Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the two operations. Another difference is that TACACS+ uses the Transmission Control Protocol (TCP) while RADIUS uses the User Datagram Protocol (UDP).
The extensions to the TACACS+ protocol provide for more types of authentication requests and more types of response codes than were in the original specification.
TACACS+ offers multiprotocol support, such as IP and AppleTalk. Normal operation fully encrypts the body of the packet for more secure communications. It is a Cisco proprietary enhancement to the original TACACS protocol.
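The packet layout described above (cleartext header, encrypted body) can be seen in the following added example, which is not part of the original article. It follows the MD5-based pad construction given in the TACACS+ draft and in RFC 8907; the shared key, session ID and body are constructed sample values.

```python
import hashlib
import struct

# 12-byte cleartext header: version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
UNENCRYPTED_FLAG = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG: body sent in the clear
TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}

# Constructed sample values, not taken from any real deployment.
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_BODY = b"constructed body, longer than one 16-byte MD5 block"

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: each block hashes the fixed seed plus the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

def build_packet(ptype, seq_no, session_id, key, body, version=0xC0):
    """Return header + obfuscated body as they would appear on the wire."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + xor(body, pad)

def parse_packet(packet, key):
    """Read the header (no key needed), then de-obfuscate the body."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field does not match body size")
    if not flags & UNENCRYPTED_FLAG:
        body = xor(body, pseudo_pad(session_id, key, version, seq_no, length))
    return {"type": TYPES.get(ptype, "unknown"), "seq_no": seq_no,
            "session_id": session_id, "flags": flags, "body": body}

if __name__ == "__main__":
    wire = build_packet(1, 1, 0x1234ABCD, SAMPLE_KEY, SAMPLE_BODY)
    print("header (cleartext):", wire[:12].hex())
    print("body (obfuscated): ", wire[12:].hex())
    print("parsed:", parse_packet(wire, SAMPLE_KEY))
```

A wrong key produces a garbled body rather than an error, because the scheme carries no integrity check; this is one reason RFC 8907 describes it as obfuscation and recommends running TACACS+ only over a protected network path.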