What Is TACACS / XTACACS / TACACS+ (Terminal Access Controller Access Control System)?


Terminal Access Controller Access Control System (TACACS) is a protocol used for AAA (Authentication, Authorization, and Audit). TACACS was created in 1984. It is heavily used by Cisco, which created extended versions of it named XTACACS and TACACS+. TACACS was defined in IETF RFC 927 in 1984 and then updated in RFC 1492 in 1993.

AAA (Authentication, Authorization, Audit)

TACACS is a complete protocol designed and updated to meet the AAA (Authentication, Authorization, and Audit) needs of the IT world. Let's learn what AAA means.

  • `Authentication` is the process of verifying whether a given identity is genuine. For example, while signing in to a web page we provide a user name and password to authenticate ourselves. A username and password are the usual factors, but a private key, a dongle or similar things can also be used for authentication.
  • `Authorization` is the process of granting rights to the authenticated user. Generally, roles are assigned to the given identity to operate with. For example, if we authenticate with a user that has the Administrator role, granting the Administrator rights is called Authorization.
  • `Audit` is keeping logs of the actions of users and roles. This is very useful for auditing and analyzing the actions later for different purposes like incident handling, compliance, etc.

TACACS

TACACS is a protocol served by a server service. The TACACS server handles all AAA-related requests and responds to them. TACACS works on server TCP port 49 by default, but the port can be changed according to needs. UDP port 49 is also used for TACACS depending on the situation.


XTACACS

XTACACS is Extended TACACS, which provides many more features than the TACACS protocol. The most visible difference between TACACS and XTACACS is that the authentication, authorization and audit processes are separate processes, so they can be handled by different XTACACS servers.

TACACS+

TACACS+ is a completely new protocol which differs from TACACS and XTACACS and is not compatible with them. TACACS+ is a Cisco-designed extension of TACACS which adds encryption and granular command control.

TACACS Server

As TACACS is a protocol, a TACACS service can be served from different types of systems. Cisco provides the product ISE, which provides AAA with different protocols and also supports TACACS and TACACS+. On Linux distributions, TACACS+ can be installed with the tac_plus package. Below is a simple TACACS+ configuration which restricts commands for different user groups.

TACACS Server Configuration For Linux

TACACS vs TACACS+ vs RADIUS

TACACS is a very old protocol which does not provide the features today's needs require. TACACS+ was designed by Cisco and provides very useful and up-to-date features for today's AAA. RADIUS also provides functions similar to TACACS+ and is popular in IT too.

Cisco TACACS Configuration

As Cisco is the creator of the TACACS+ protocol, we will configure a Cisco device such as a switch or router to use a TACACS+ server. Below we set the TACACS+ server IP address, or its hostname if hostnames can be resolved via DNS.

Router(config)# tacacs-server host 192.168.10.100

In the following line, we configure the key which will be used for authentication and encryption of the communication with the TACACS+ server.

Router(config)# tacacs-server key 34ASDFA^+SDG3F+GAF

Now we can enable the new AAA model on the Cisco device and set the TACACS+ server and key.

Router(config)# aaa new-model
Router(config)# aaa authentication ppp default if-needed group tacacs+ local
Router(config)# aaa authorization network default group tacacs+
Router(config)# tacacs-server host 192.168.10.100
Router(config)# tacacs-server key mysecrettacacskey
Router(config)# interface serial 0
Router(config-if)# ppp authentication chap default
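To show what the `tacacs-server key` above actually protects, here is an added Python example (not from the original article, and not Cisco or tac_plus code) that builds and parses a TACACS+ packet as specified in RFC 8907: the 12-byte header and the shared-key body obfuscation, with a parser that refuses bodies flagged as unencrypted. The session id, user name, port and remote address are constructed sample values.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907, section 4.1): 12 bytes, network byte order.
HEADER = struct.Struct(">BBBBII")  # version, type, seq_no, flags, session_id, length
VERSION = 0xC0                     # major version 0xC, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01            # TAC_PLUS_UNENCRYPTED_FLAG: body sent in clear

def pseudo_pad(session_id, key, seq_no, length):
    """Keystream from RFC 8907, section 4.5: MD5 chained over session_id, key, version, seq_no.
    This is obfuscation rather than authenticated encryption; the shared key is the only secret."""
    seed = struct.pack(">I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    """Wrap a body in a TACACS+ header, obfuscating it with the shared key."""
    payload = obfuscate(body, session_id, key, seq_no)
    return HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(payload)) + payload

def parse_packet(packet, key):
    """Validate the header and recover the body. A packet flagged unencrypted is refused:
    with a key configured it points to a misconfigured or untrusted peer."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if flags & FLAG_UNENCRYPTED:
        raise ValueError("unencrypted body refused")
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    body = obfuscate(payload, session_id, key, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}

# Constructed sample: an authentication START body (RFC 8907, section 5.1) for user "alice".
KEY = b"mysecrettacacskey"  # the key from the Cisco configuration above
USER, PORT, REM_ADDR = b"alice", b"tty0", b"10.0.0.5"
AUTHEN_START = bytes([1, 1, 1, 1, len(USER), len(PORT), len(REM_ADDR), 0]) + USER + PORT + REM_ADDR
```

Because the pad depends only on the session id, sequence number and shared key, a weak or widely shared key is the whole security of the exchange; this is why the key should be long and random and the TACACS+ traffic kept on a management network.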
