TACACS+ is an authentication protocol that allows a network access
server to communicate with an authentication server to determine if a user has
access to the network.
TACACS+ is a new protocol developed by Cisco that replaces two
earlier industry standards—TACACS and XTACACS (Extended). TACACS+ is not compatible with the two older protocols. Cisco has
submitted TACACS+ protocol specification in a draft RFC to the IETF for
development of a standard and for those customers interested in developing their
own TACACS+ software.
TACACS+ server services are maintained in a database on a TACACS+
daemon running on a Windows 2000/NT or UNIX host. Cisco’s servers supporting
TACACS+ include CiscoSecure ACS for Windows, CiscoSecure UNIX, and Cisco Access
Registrar. Cisco Access Servers (Cisco Secure ACS) can implement both TACACS+
and RADIUS. The underlying architecture of TACACS+ protocol complements the AAA
TACACS+ fully supports the AAA architecture by separating the
authentication, authorization, and accounting. This allows the flexibility of
using another service, such as Kerberos, for authentication, while still using
TACACS+ for authorization and/or accounting.
TACACS+ uses TCP for connection-oriented transport between clients
and servers. TCP port 49 is reserved for TACACS+. The acknowledgments (TCP ACK)
provide indications that a request has been received. This same TCP process uses
RST packets to provide immediate indication of a failed (or offline)
authentication server. TCP keepalives can be used to watch for failed servers
and to facilitate rapid failover between multiple connected authentication
servers. TCP scales better and adapts better to growing and/or congested
TACACS+ supports bidirectional challenge/response, like CHAP,
between the two network access servers.
In addition to supporting SLIP and PPP encapsulation protocols,
TACACS+ supports the following protocols:
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
Net BIOS Frame Protocol Control protocol
AppleTalk Remote Access protocol (ARAP)