Terminal Access Controller Access Control System, or TACACS, is a protocol used for AAA (Authentication, Authorization, and Audit). TACACS was created in 1984. It is heavily used by Cisco, and Cisco created an extended version of TACACS named TACACS+. TACACS is defined in IETF RFC 927 from 1984 and was later updated by RFC 1492 in 1993.
AAA (Authentication, Authorization, Audit)
TACACS is a complete protocol designed and updated to meet the IT world's AAA (Authentication, Authorization, and Audit) needs. Let's learn what AAA means.
- `Authentication` is the process used to verify whether a given identity is genuine. For example, while signing in to a web page we provide a user name and password in order to authenticate ourselves. A username and password are the usual authentication factors, but a private key, a dongle or similar things can also be used for authentication.
- `Authorization` is the process of granting rights to the authenticated user. Generally, roles are assigned to the given identity to operate with. For example, if we authenticate with a user that has the Administrator role, granting that user the Administrator rights is called Authorization.
- `Audit` is taking logs of the actions of users and roles. This is very useful for auditing and analyzing the actions later for different purposes like incident response, compliance, etc.
TACACS is a protocol served by a server service. The TACACS server handles all AAA-related requests and responds to them. TACACS works on server TCP port 49 by default, but the port can be changed according to needs. UDP port 49 is also used for TACACS in some situations.
XTACACS is Extended TACACS, which provides many more features than the TACACS protocol. The most visible difference between TACACS and XTACACS is that the authentication, authorization and audit processes are separate processes, so they can be handled by different XTACACS servers.
TACACS+ is a completely new protocol which is different from TACACS and XTACACS and is not compatible with them. TACACS+ is a Cisco-designed extension of TACACS which adds encryption and granular command control.
As TACACS is a protocol, a TACACS service can be served from different types of systems. Cisco provides the product ISE, which provides AAA with different protocols and also supports TACACS and TACACS+. For Linux distributions, TACACS+ can be installed from the tac_plus package. Below there is a simple TACACS+ configuration which restricts commands for different user groups.
TACACS vs TACACS+ vs RADIUS
TACACS is a very old protocol which does not provide the features today's needs require. TACACS+ was designed by Cisco and provides very useful and up-to-date features for today's AAA. RADIUS also provides functions similar to TACACS+ and is popular in IT too.
Cisco TACACS Configuration
As Cisco is the creator of the TACACS+ protocol, we will configure a Cisco device like a switch or router to use a TACACS+ server. Below we set the TACACS+ server IP address, or its hostname if hostnames can be resolved via DNS.
Router(config)# tacacs-server host 192.168.10.100
In the following line, we configure the key which will be used for authentication and encryption of the communication with the TACACS+ server.
Router(config)# tacacs-server key 34ASDFA^+SDG3F+GAF
Now we can configure AAA (aaa new-model) on the Cisco device and set the TACACS+ server and key.
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default if-needed group tacacs+ local
Router(config)# aaa authorization network default group tacacs+
Router(config)# tacacs-server host 192.168.10.100
Router(config)# tacacs-server key mysecrettacacskey
Router(config)# interface serial 0
Router(config-if)# ppp authentication chap default
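The shared key configured above is what TACACS+ uses to obfuscate every packet body: the body is XORed with an MD5-derived keystream built from the session id, the key, the version byte and the sequence number (RFC 8907). The following Python is an added example, not code from the original page or from Cisco; it builds and parses a TACACS+ packet with that scheme and refuses packets carrying the unencrypted flag. The body bytes, key and session id are constructed values.

```python
import hashlib
import struct

# Added example: TACACS+ header layout and body obfuscation per RFC 8907.
HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, key, session_id, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(pkt_type, seq_no, session_id, body, key, version=0xC0):
    """Build a packet; an empty key means the unencrypted flag is set and the body is sent as-is."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, key, session_id, version, seq_no) if key else body
    header = struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags, session_id, len(payload))
    return header + payload


def unpack(packet, key):
    """Parse a packet and recover the body; reject truncated or unencrypted packets."""
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        # A production server should log and drop these; plaintext AAA traffic is a misconfiguration.
        raise ValueError("unencrypted TACACS+ packet refused")
    body = obfuscate(payload, key, session_id, version, seq_no)
    return {"type": TYPES.get(pkt_type, pkt_type), "seq_no": seq_no,
            "session_id": session_id, "body": body}
```

Because the keystream depends only on the header fields and the key, a device and server configured with different keys decode each other's bodies into garbage, which is the usual symptom of a key mismatch.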