TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network
access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows
NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your
network access server are available.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single
access control server (the TACACS+ daemon) to provide each service--authentication, authorization, and accounting--independently.
Each service can be tied into its own database to take advantage of other services available on that server or on the network,
depending on the capabilities of the daemon.
The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.
The Cisco family of access servers and routers and the Cisco IOS and Cisco IOS XE user interface (for both routers and access
servers) can be network access servers.
Network access points enable traditional “dumb” terminals, terminal emulators, workstations, personal computers (PCs), and
routers in conjunction with suitable adapters (for example, modems or ISDN adapters) to communicate using protocols such as
Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Compressed SLIP (CSLIP), or AppleTalk Remote Access (ARA)
protocol. In other words, a network access server provides connections to a single user, to a network or subnetwork, and to
interconnected networks. The entities connected to the network through a network access server are called network access clients
; for example, a PC running PPP over a voice-grade circuit is a network access client. TACACS+, administered through the AAA
security services, can provide the following services:
The authentication facility provides the ability to conduct an arbitrary dialog with the user (for example, after a login
and password are provided, to challenge a user with a number of questions, like home address, mother’s maiden name, service
type, and social security number). In addition, the TACACS+ authentication service supports sending messages to user screens.
For example, a message could notify users that their passwords must be changed because of the company’s password aging policy.
Authorization--Provides fine-grained control over user capabilities for the duration of the user’s session, including but
not limited to setting autocommands, access control, session duration, or protocol support. You can also enforce restrictions
on what commands a user may execute with the TACACS+ authorization feature.
Accounting--Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers
can use the accounting facility to track user activity for a security audit or to provide information for user billing. Accounting
records include user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
The TACACS+ protocol provides authentication between the network access server and the TACACS+ daemon, and it ensures confidentiality
because all protocol exchanges between a network access server and a TACACS+ daemon are encrypted.
You need a system running TACACS+ daemon software to use the TACACS+ functionality on your network access server.
Cisco makes the TACACS+ protocol specification available as a draft RFC for those customers interested in developing their
own TACACS+ software.