TACACS+ is an AAA protocol (Authentication, Authorization and Accounting) that allows secure user access to network devices by controlling who can access a device and what they are allowed to do once they have access. Like RADIUS, the AAA services are centralized (on a TACACS+ server), and TACACS+ can even maintain per-command logs for each user. Let us learn more about this protocol in this article.
What is TACACS+?
TACACS+ stands for Terminal Access Controller Access Control Service Plus. TACACS and XTACACS were earlier implementations of the same protocol, but they are not compatible with TACACS+.
TACACS+ is similar to the RADIUS protocol, but there are some noticeable differences. TACACS+ enables centralized AAA services to be applied to network devices:
Authentication – Verification of the user ID and password against a pre-populated database (such as Active Directory or LDAP) before the user is given permission to access a network device.
Authorization – Determining the access rights of the user: what they are authorized to do, and which devices they are authorized to access.
Accounting – Maintaining (and allowing access to) logs of user sessions and user activity.
TACACS+ is an open protocol initially developed by the US Department of Defense and then enhanced by Cisco. People think that only Cisco devices support this protocol, but in fact most of the major network switch, router and firewall vendors support it as well.
RADIUS servers are more commonly used in enterprises to provide AAA services to user devices. Though TACACS+ can be used to provide the same service, it is more popularly employed to provide AAA services for network devices; more precisely, it is used to control administrative access to network devices such as switches, routers and firewalls.
So, when someone tries to gain administrative access to a TACACS+-compliant network switch (for example), the switch immediately contacts the central TACACS+ server (this can be any server in the network running TACACS+ software). The server then asks for a user name and password, which the user must provide. This user name and password are authenticated against a pre-populated centralized database (such as AD or LDAP) that the TACACS+ server can access.
Upon successful authentication, the user is allowed access to the network device. TACACS+ even allows administrators to apply granular access policies based on user, location, time of day, subnet, device type, etc. The best thing about TACACS+ is that it stores a log of all the activities of each user accessing the network device, including every command they execute.
It is possible to restrict the commands that certain users can execute – for example, junior administrative staff can be allowed to execute only view commands. So, before any command is executed, the TACACS+ server can check whether the user is authorized to use that command. TACACS+ can be implemented in both Windows and Unix environments.
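The per-command authorization and accounting flow described above, as an added example (not code from the article or from any TACACS+ server product): a small central policy engine that decides, for each command an administrator types, whether the command is permitted on that device, and writes an accounting record for every attempt, permitted or denied. The user names, group names, device names and the first-match permit/deny regular-expression rule style are all constructed for this illustration; they are loosely modelled on the kind of command lists TACACS+ daemons let you configure, not on any particular product's syntax.

```python
"""Toy TACACS+-style command authorization and accounting policy engine.

Added example, not code from any TACACS+ server. All users, groups, devices and
rules below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Group:
    """Ordered (action, regex) rules on the command line.

    Evaluation is first match wins; a command matching no rule is denied, so the
    policy is default-deny even if an administrator forgets a trailing deny rule.
    """
    rules: list                  # e.g. [("permit", r"^show(\s|$)"), ("deny", r".*")]
    device_pattern: str = r".*"  # which device names this group may administer at all


# Constructed policy: junior staff may only run view ("show") commands, and only on
# lab devices; senior staff may run anything except "reload", on any device.
GROUPS = {
    "netops-junior": Group(rules=[("permit", r"^show(\s|$)"), ("deny", r".*")],
                           device_pattern=r"^lab-"),
    "netops-senior": Group(rules=[("deny", r"^reload(\s|$)"), ("permit", r".*")]),
}
USERS = {"alice": "netops-senior", "bob": "netops-junior"}

# In a real deployment this is the server's accounting log; here it is an in-memory list.
ACCOUNTING_LOG = []


def authorize_command(user, device, command):
    """Return True if `user` may run `command` on `device`. Unknown users, devices
    outside the group's pattern, and commands matching no rule are all denied."""
    group = GROUPS.get(USERS.get(user))
    if group is None:
        return False
    if not re.match(group.device_pattern, device):
        return False
    for action, pattern in group.rules:
        if re.match(pattern, command.strip()):
            return action == "permit"
    return False


def run_command(user, device, command):
    """Authorize the command, then record an accounting entry either way.

    Logging the denied attempts as well as the permitted ones is what gives the
    per-user audit trail the article describes.
    """
    permitted = authorize_command(user, device, command)
    ACCOUNTING_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,
        "device": device,
        "cmd": command.strip(),
        "result": "permit" if permitted else "deny",
    })
    return permitted


def denied_attempts(log=None):
    """Defender view: the denied commands are the entries worth reviewing first."""
    entries = ACCOUNTING_LOG if log is None else log
    return [r for r in entries if r["result"] == "deny"]


if __name__ == "__main__":
    for who, dev, cmd in [("bob", "lab-sw1", "show ip route"),
                          ("bob", "lab-sw1", "configure terminal"),
                          ("bob", "core-rtr1", "show version"),
                          ("alice", "core-rtr1", "configure terminal"),
                          ("alice", "core-rtr1", "reload")]:
        print(f"{who:6} {dev:10} {cmd!r:28} -> {'permit' if run_command(who, dev, cmd) else 'deny'}")
    print(f"{len(denied_attempts())} denied attempt(s) recorded")
```

The device pattern shows the "device type" dimension of the granular policies mentioned above; the time-of-day and subnet conditions the article lists would be further checks in `authorize_command` along the same lines.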
From a security standpoint, it is better not to run other applications alongside TACACS+ on the same server. It is also better to limit communication to and from a TACACS+ server to TACACS+ clients only (network switches, routers, etc. that are compliant with the protocol). Both the user database and the TACACS+ server can reside on the same system for faster performance.
Differences between RADIUS and TACACS+:
While both are used to provide AAA services, the RADIUS protocol is very popular and has been implemented by most organizations to provide AAA services to user devices connecting to the network, whereas TACACS+ has been more commonly used to provide AAA services to users (administrators) accessing network devices.
Other major differences include:
- RADIUS uses UDP, which is based on best-effort delivery of network packets, but TACACS+ uses TCP, a connection-oriented protocol that is more reliable (and scales better over unreliable networks).
- The RADIUS protocol uses fewer computational resources (such as memory and CPU cycles) than TACACS+, so its performance efficiency is higher.
- RADIUS is supported by almost every network device vendor and has more implementations. TACACS+, in comparison, is supported by a smaller number of network device vendors.
- TACACS+ can separate each of the AAA services, so authentication can be performed by Kerberos (for example) and authorization by TACACS+ if required. The RADIUS protocol cannot separate the AAA services in this way.
- RADIUS encrypts only the password, whereas TACACS+ encrypts the user name, password and other user information so that they cannot be extracted with packet sniffers.
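To make the last difference concrete, here is an added example (not code from the article or from any TACACS+ implementation) of how a TACACS+ packet is framed and how its body is protected, following RFC 8907 section 4.5: the 12-byte header travels in the clear, and the body is XORed with a keystream of chained MD5 digests derived from the session ID, the shared key, the version and the sequence number. The example builds an authentication START packet for a PAP login, so the user name and password both sit inside the protected body. The shared key, session ID, user name, password, port and remote address are constructed values. Two caveats a practitioner should keep in mind: RFC 8907 itself calls this mechanism "obfuscation" rather than encryption, because its strength rests entirely on the secrecy of a static shared key and an MD5 keystream, and the RFC recommends running TACACS+ over a protected transport (the IETF is additionally specifying TACACS+ over TLS); and the header's `TAC_PLUS_UNENCRYPTED_FLAG` bit, which disables even this obfuscation, is meant only for debugging, so a sniffer seeing that flag set on production traffic indicates a misconfiguration.

```python
"""TACACS+ packet framing and body obfuscation per RFC 8907 section 4.5.

Added example, not code from any TACACS+ implementation. Key, session ID and
credentials are constructed for illustration.
"""
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in the clear; debugging only
# Authentication START fields used below
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_MAX = 15


def keystream(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream. XOR is its own inverse, so this also decodes."""
    ks = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


def authen_start_body(user, password, port="tty0", rem_addr="192.0.2.10",
                      authen_type=TAC_PLUS_AUTHEN_TYPE_PAP, priv=TAC_PLUS_PRIV_LVL_MAX):
    """Authentication START body: 8 fixed bytes, then user, port, rem_addr, data.
    For PAP the password goes in the data field, so both credentials are in the body."""
    user_b, port_b, rem_b, data_b = (s.encode() for s in (user, port, rem_addr, password))
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv, authen_type,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b),
                        len(rem_b), len(data_b))
    return fixed + user_b + port_b + rem_b + data_b


def build_packet(body, session_id, key, seq_no=1, ptype=TAC_PLUS_AUTHEN, unencrypted=False):
    """Prepend the cleartext 12-byte header; obfuscate the body unless the debug flag is set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0x0      # 0xC0: major 0xC, minor 0
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    payload = body if unencrypted else obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet, key):
    """Parse the header (always readable) and recover the body with the shared key."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def parse_authen_start(body):
    """Split a recovered authentication START body back into its fields."""
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem, data = fields
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem.decode(), "data": data}


if __name__ == "__main__":
    key, sid = b"example-shared-key", 0x1A2B3C4D      # constructed values
    pkt = build_packet(authen_start_body("admin", "Str0ngPassw0rd"), sid, key)
    print("on the wire :", pkt.hex())
    print("header only :", pkt[:HEADER_LEN].hex(), "(sniffer sees version/type/seq/flags/session/len)")
    print("recovered   :", parse_authen_start(parse_packet(pkt, key)["body"]))
```

Parsing the same packet with a wrong key yields garbage rather than an error, which is why a TACACS+ server rejects such a packet only after it fails to decode the body into sensible fields; the test below checks that behaviour along with the round trip.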
If you want to implement TACACS+ in your network, have a look at the TACACS+ server software provided by Tacacs.net and Shrubbery.net. There is even a blog that discusses TACACS+-related information and news.