TACACS
Terminal Access Controller Access-Control System (TACACS) refers to a family of related protocols handling remote authentication and related services for network access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks including but not limited to the ARPANET, MILNET and BBNNET. It spawned related protocols:

* Extended TACACS (XTACACS) is a proprietary extension to TACACS introduced by Cisco Systems in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both allow a remote access server to communicate with an authentication server in order to determine if the user has access to the network.
* TACACS Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ has largely replaced its predecessors.


History

TACACS was originally developed in 1984 by BBN, later known as BBN Technologies, for administration of ARPANET and MILNET, which ran unclassified network traffic for DARPA at the time and would later evolve into the U.S. Department of Defense's NIPRNet. Originally designed as a means to automate authentication – allowing someone who was already logged into one host in the network to connect to another on the same network without needing to re-authenticate – it was first formally described by BBN's Brian Anderson in "TAC Access Control System Protocols", BBN Tech Memo CC-0045 (with a minor TELNET double-login avoidance change), in December 1984 as IETF RFC 927.

Cisco Systems began supporting TACACS in its networking products in the late 1980s, eventually adding several extensions to the protocol. In 1990, Cisco's extensions on top of TACACS became a proprietary protocol called Extended TACACS (XTACACS). Although TACACS and XTACACS are not open standards, Craig Finseth of the University of Minnesota, with Cisco's assistance, published a description of the protocols in 1993 as IETF RFC 1492 for informational purposes.


Technical descriptions


TACACS

TACACS is defined in RFC 8907 (older RFC 1492), and uses port 49 (either TCP or UDP) by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon. The server determines whether to accept or deny the authentication request and sends a response back. The TIP (the routing node accepting dial-up line connections, which the user would normally want to log into) would then allow access or not, based upon the response. In this way, the process of making the decision is "opened up", and the algorithms and data used to make the decision are under the complete control of whoever is running the TACACS daemon.


XTACACS

Extended TACACS (XTACACS) extends the TACACS protocol with additional functionality. It also separates the authentication, authorization, and accounting (AAA) functions out into separate processes, allowing them to be handled by separate servers and technologies.


TACACS+

TACACS+ is a Cisco-designed extension to TACACS that encrypts the full content of each packet. Moreover, it provides granular control in the form of command-by-command authorization. TACACS+ has generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol which is not compatible with its predecessors, TACACS and XTACACS. Because TCP is a connection-oriented protocol, TACACS+ is able to detect and correct network transmission errors.


Comparison with RADIUS

TACACS+ uses TCP (while RADIUS operates over UDP). Because TCP is a connection-oriented protocol, TACACS+ has to implement transmission control. RADIUS, however, is not required to detect and correct transmission errors such as packet loss or timeouts, as it makes use of UDP, which is connectionless. RADIUS encrypts only the user's password as it travels from the RADIUS client to the RADIUS server. All other information, such as the username, authorization and accounting data, is transmitted in clear text. Therefore, it is vulnerable to different types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.


Implementations

Client implementations

* Arista EOS, a proprietary implementation
* Cisco IOS, a proprietary implementation
* Fortinet FortiOS, a proprietary implementation
* Juniper Junos OS, a proprietary implementation
* Palo Alto Networks PAN-OS, a proprietary implementation
* Pam_tacplus, a TACACS+ protocol client library and PAM module

Server implementations

* FreeRADIUS TACACS+ module, an open-source implementation available since version 4.0
* Tac_plus by Shrubbery, an open-source implementation for Linux
* Tac_plus VM, tac_plus with an added webadmin in a VM (no longer updated)
* Aruba ClearPass Policy Manager, a proprietary implementation
* Portnox TACACS+-as-a-Service, a proprietary implementation as a cloud-hosted service
* Pulse Secure Pulse Policy Secure, a proprietary implementation
* TACACS.net, a proprietary implementation of TACACS+ for Windows


Standards documents

* – TACACS User Identification Telnet Option
* – An Access Control Protocol, Sometimes Called TACACS
* – The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol
* RFC 9105 – A YANG Data Model for Terminal Access Controller Access-Control System Plus (TACACS+)


See also

* Diameter
* RADIUS


External links


* An Analysis of the TACACS+ Protocol and its Implementations from a security standpoint, by Openwall
* TACACS+ Benefits and Best Practices