TACACS+ (Terminal Access Controller Access-Control System Plus) is an AAA protocol created by Cisco. It helps manage secure access to network devices like routers, switches, and firewalls. While it was initially proprietary, TACACS+ is now widely supported by other vendors, making it a great choice for complex networks.
Purpose of TACACS+
TACACS+ is designed for detailed access control. Unlike other protocols, it handles the three AAA functions, Authentication, Authorization and Accounting, as separate operations, which gives administrators finer control over who can log in, which actions each user may perform, and what gets logged.
How TACACS+ Works
TACACS+ uses a client-server model with TCP on port 49 to ensure reliable and secure communication. Here’s how it works:
TACACS+ Client: The network device (for example, a router or switch) sends the user's login details to the TACACS+ server for verification.
TACACS+ Server: This is the central system that verifies user credentials, checks permissions, and logs all user actions.
Unlike RADIUS, TACACS+ encrypts all the data sent between the client and server, making it more secure for sensitive networks.
In TACACS+, the authentication process is fully encrypted, which protects all user details during transmission.
Authentication Workflow
Here’s how TACACS+ authenticates a user:
Authentication Request: The network device (client) sends the user’s login details to the TACACS+ server.
Server Response: The server checks the credentials and replies with either:
Accept: The user is granted access.
Reject: Access is denied if the credentials are incorrect.
Because this exchange is encrypted, no sensitive data is exposed, even if someone intercepts the communication.
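The protection described above, shown as an added example (not code from the original lesson): it builds and parses a TACACS+ authentication START packet in Python following the header and body obfuscation rules of RFC 8907, which calls the mechanism "obfuscation" rather than encryption. It shows that the username is unreadable on the wire only while the shared secret stays private, and that a packet with the unencrypted flag set carries the body in cleartext. The secret, session id, username and addresses are constructed values.

```python
import hashlib
import struct

# 12-byte TACACS+ header (RFC 8907, 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_VER_DEFAULT = 0xC0              # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01                   # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01         # body is sent in cleartext when set

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907, 4.5: chained MD5 over session_id, key, version, seq_no.
    Everything except the shared secret is visible in the header, so the secret alone protects the body."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; XOR is its own inverse, so this also deobfuscates."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))

def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907, 5.1): action LOGIN, priv_lvl 1, authen_type ASCII, service LOGIN."""
    return struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)) + user + port + rem_addr + data

def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """Client side: wrap a body in a header, obfuscating it only when a shared secret is configured."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, TAC_PLUS_VER_DEFAULT, seq_no) if key else body
    return HEADER.pack(TAC_PLUS_VER_DEFAULT, ptype, seq_no, flags, session_id, len(payload)) + payload

def parse_packet(packet: bytes, key: bytes) -> dict:
    """Server side: validate the header, then recover the body with the shared secret."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("body length does not match header")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)   # worth alerting on: the secret is not in use
    body = payload if cleartext else obfuscate(payload, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "cleartext": cleartext, "body": body}

# Constructed sample: a router (client) sending an ASCII login START for user "netadmin"
SECRET = b"constructed-shared-secret"
SESSION_ID = 0x1A2B3C4D
START_BODY = authen_start_body(b"netadmin", b"tty1", b"192.0.2.10")
WIRE = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID, START_BODY, SECRET)
```

Parsing WIRE with SECRET returns the original START body, while a wrong secret yields garbage and a packet built with an empty secret exposes the username directly.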
Authorization
TACACS+ provides granular control over user actions:
Command-Level Authorization: Every command a user tries to execute is checked against their permissions.
Example: A user might be allowed to run show run to view the configuration but not use configure terminal to make changes.
This ensures users can only perform tasks they are authorized for, improving both security and accountability.
Accounting
TACACS+ keeps detailed logs of all user actions:
Command Logging: Every command a user executes is recorded.
Session Details: Tracks when users log in, log out, and the results of their actions.
These logs create a full audit trail, making it easier to troubleshoot issues or review compliance.
Setting up TACACS+ on a Cisco device involves defining the TACACS+ server, enabling AAA, and applying the configuration to user authentication. Here’s a step-by-step guide: