TACACS+
Status: Scaffold — content in progress
TACACS+ (Terminal Access Controller Access Control System Plus) is a Cisco-developed AAA protocol used primarily to authenticate administrative access to network devices (routers, switches). It separates authentication, authorization, and accounting into independent transactions, unlike RADIUS, which bundles them.
TACACS+ vs RADIUS
| Feature | TACACS+ | RADIUS |
|---|---|---|
| Protocol | TCP 49 | UDP 1812/1813 |
| Encryption | Full packet (body) | Only password field |
| AAA separation | Full | Bundled |
| Device management | Primary use case | Secondary |
| User access | Less common | Primary use case |
| Vendor | Cisco-proprietary | Open standard (RFC 2865) |
Command Authorization
TACACS+ can authorize individual CLI commands on a per-user basis, e.g., permit `show` commands but deny `configure`. This is a key advantage for network device hardening.
Attack Surface
- TACACS+ server compromise → credentials for all network devices
- Shared secret theft → decrypt TACACS+ sessions
- Command authorization bypass via protocol downgrade
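An added example (not code from this page or from any TACACS+ implementation) that builds an authorization REQUEST for a shell command and applies the RFC 8907 body obfuscation, illustrating the Encryption row of the table and the shared-secret item above: the body is XORed with an MD5 keystream derived from the header and the shared secret, so the secret alone turns captured sessions back into cleartext (RFC 8907 itself calls this obfuscation rather than encryption). The session ID, secret, user and address values are constructed.

```python
import hashlib
import struct

# Header constants from RFC 8907; the shared secret and sample values below are constructed.
TAC_PLUS_VERSION = 0xC0           # major version 0xC, default minor version 0
TAC_PLUS_AUTHOR = 0x02            # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in cleartext
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)

def pseudo_pad(session_id, key, version, seq_no, length):
    """Body keystream: chained MD5 over session_id, key, version, seq_no (RFC 8907 sec. 4.5)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call both hides and reveals it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def author_request_body(user, port, rem_addr, args, priv_lvl=15):
    """Authorization REQUEST body (RFC 8907 sec. 6.1) asking whether a shell command is allowed."""
    fields = [user.encode(), port.encode(), rem_addr.encode()]
    arg_bytes = [a.encode() for a in args]
    head = struct.pack("!BBBBBBBB", 0x06, priv_lvl, 0x01, 0x01,  # method TACACSPLUS, priv, type ASCII, service LOGIN
                       len(fields[0]), len(fields[1]), len(fields[2]), len(arg_bytes))
    return head + bytes(len(a) for a in arg_bytes) + b"".join(fields + arg_bytes)

def build_packet(body, session_id, seq_no, key, pkt_type=TAC_PLUS_AUTHOR):
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, pkt_type, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_packet(packet, key):
    """Return (header fields, body). The body only decodes with the right key or if the cleartext flag is set."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "cleartext": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}, body

# Constructed sample: a device asks whether user "netops" may run "show running-config".
SAMPLE_BODY = author_request_body("netops", "tty1", "10.0.0.5",
                                  ["service=shell", "cmd=show", "cmd-arg=running-config"])
SAMPLE_PACKET = build_packet(SAMPLE_BODY, session_id=0x1A2B3C4D, seq_no=1, key=b"example-secret")
```

Decoding SAMPLE_PACKET with b"example-secret" yields SAMPLE_BODY again, while any other key yields bytes XORed with an unrelated keystream. A packet carrying TAC_PLUS_UNENCRYPTED_FLAG is worth alerting on, since its body crosses the network in cleartext.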
Cross-Links
| Topic | Link |
|---|---|
| RADIUS | radius |