TACACS+
Overview
TACACS+ (Terminal Access Controller Access-Control System Plus) is an AAA
protocol that lets a network access server (NAS) hand authentication, authorization
and accounting requests to a central TACACS+ server, which decides whether a user
may access the network and what that user is permitted to do.
TACACS+ is a Cisco-developed protocol that replaced two earlier
industry standards, TACACS and XTACACS (Extended TACACS). TACACS+ is not
compatible with either older protocol. Cisco submitted the TACACS+ protocol
specification to the IETF as a draft RFC, both as the basis for a standard and for
customers who want to develop their own TACACS+ software; the protocol was later
published as RFC 8907 (Informational).
TACACS+ server services are maintained in a database by a TACACS+
daemon running on a Windows 2000/NT or UNIX host. Cisco servers that support
TACACS+ include CiscoSecure ACS for Windows, CiscoSecure UNIX, and Cisco Access
Registrar. Cisco Secure ACS (Access Control Server) can act as both a TACACS+
server and a RADIUS server. The underlying design of the TACACS+ protocol
complements the AAA architecture.
TACACS+ fully supports the AAA architecture by separating
authentication, authorization, and accounting into independent services. This
gives the flexibility of using another service, such as Kerberos, for
authentication while still using TACACS+ for authorization and/or accounting.
TACACS+ uses TCP for connection-oriented transport between clients
and servers; TCP port 49 is reserved for TACACS+. TCP acknowledgments (ACKs)
indicate that a request has been received, and a TCP RST from the server host
gives immediate indication of a failed (or offline) authentication server. TCP
keepalives can be used to watch for failed servers and to speed failover between
multiple connected authentication servers. TCP also scales and adapts better than
UDP (which RADIUS uses) to growing and/or congested networks. Note that TCP gives
reliability, not confidentiality: the TACACS+ packet body is only obfuscated by
XOR with an MD5 keystream derived from the shared secret, the 12-byte header is
always sent in the clear, and RFC 8907 notes that this obfuscation does not
provide real confidentiality, so the protocol should run only over a trusted
management network or an encrypted tunnel.
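To make the framing concrete, here is an added example (not code from the original page or from Cisco) that builds a TACACS+ Authentication START packet as specified in RFC 8907, obfuscates its body with the MD5 keystream, and shows what the receiver, and anyone on the path who knows the shared secret, recovers from the bytes on TCP port 49. The shared secret, session id, user name, port and remote address are constructed sample values.

```python
"""Added example: TACACS+ packet framing and body obfuscation (RFC 8907).
Not code from the original page or from Cisco. The secret, session id,
user name and addresses below are constructed sample values."""
import hashlib
import struct

HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, always sent in the clear

TAC_PLUS_VERSION_DEFAULT = 0xC0   # major version 12, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is sent in the clear when set

# Authentication START body fields (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def keystream(session_id, key, version, seq_no, length):
    """MD5 pad from RFC 8907 section 4.5:
    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
    Everything except `key` is readable from the cleartext header."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; XOR is its own inverse, so the same
    call turns an obfuscated body back into plaintext."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """START body for an ASCII login. The user name travels in this packet;
    the password is sent by the NAS in a later CONTINUE packet."""
    user, port, rem_addr, data = (s.encode() for s in (user, port, rem_addr, ""))
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def parse_authen_start(body):
    """Inverse of authen_start_body: split out the variable-length fields."""
    fields = struct.unpack("!BBBBBBBB", body[:8])
    out = {"action": fields[0], "priv_lvl": fields[1],
           "authen_type": fields[2], "service": fields[3]}
    off = 8
    for name, n in zip(("user", "port", "rem_addr", "data"), fields[4:]):
        out[name] = body[off:off + n]
        off += n
    return out


def build_packet(session_id, seq_no, body, key, version=TAC_PLUS_VERSION_DEFAULT):
    """Header plus body as it appears on TCP port 49. An empty key means the
    TAC_PLUS_UNENCRYPTED_FLAG is set and the body goes out in the clear."""
    if key:
        flags, wire_body = 0, obfuscate(body, session_id, key, version, seq_no)
    else:
        flags, wire_body = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no,
                         flags, session_id, len(body))
    return header + wire_body


def parse_header(pkt):
    """The header is never obfuscated, so this needs no key."""
    names = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(names, struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])))


def decode_packet(pkt, key):
    """What the receiver, or anyone on the path who holds `key`, recovers."""
    hdr = parse_header(pkt)
    body = pkt[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])


if __name__ == "__main__":
    secret = b"example-secret"  # constructed shared secret
    body = authen_start_body("alice", "tty0", "192.0.2.10")
    pkt = build_packet(0x1234ABCD, 1, body, secret)
    print("header (cleartext):", parse_header(pkt))
    print("body on the wire:  ", pkt[HEADER_LEN:].hex())
    print("with the secret:   ", parse_authen_start(decode_packet(pkt, secret)))
    print("with a wrong key:  ", decode_packet(pkt, b"guess").hex())
```

The point to take from running it: the keystream is a pure function of the cleartext header fields and the shared secret, with no per-packet randomness beyond the session id, so the secret is the only thing standing between a passive observer and every user name, password and command carried in the session. That is why the shared secret must be long and unique per device, and why the transport should be protected independently of the protocol.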
TACACS+ supports bidirectional challenge/response, as used in CHAP,
between two network access servers, whereas RADIUS supports only a
unidirectional challenge/response from the server to the NAS.
In addition to supporting the SLIP and PPP encapsulation protocols,
TACACS+ supports the following protocols:
- Novell Asynchronous Services Interface (NASI)
- X.25 PAD connection
- NetBIOS Frame Protocol Control protocol
- AppleTalk Remote Access protocol (ARAP)