How does TACACS work?
TACACS (Terminal Access Controller Access-Control System) is a protocol used for authentication, authorization, and accounting (AAA) in network environments—primarily for managing and securing access to network devices like routers, switches, and firewalls.
There are two versions:
- TACACS (the original, now obsolete)
- TACACS+ (current and widely used, developed by Cisco)
Here’s how TACACS+ works:
1. Authentication
When a user tries to log into a network device (for example via SSH or the console), the device (called a NAS – Network Access Server) forwards the login request to the TACACS+ server.
- The user enters their username and password.
- The device sends this to the TACACS+ server.
- The server verifies the credentials (usually checking against an internal database or a connected directory like LDAP/AD).
- If it checks out, access is granted.
TACACS+ encrypts the entire payload of the packet (unlike RADIUS, which only encrypts the password), making it more secure.
2. Authorization
Once authenticated, TACACS+ checks what the user is allowed to do.
- For example, a junior admin might only get read-only access, while a senior engineer gets full CLI access.
- You can define command-level access, letting you control individual commands that users can or cannot run.
3. Accounting
This is all about logging activity.
- TACACS+ can track when users log in or out.
- It can record what commands they run.
- These logs can help with auditing and security investigations.
Typical Flow Diagram:

    User -> Device (NAS)                      TACACS+ Server
                |                                   |
                |---- Auth Req -------------------->|
                |<--- Auth OK ----------------------|
                |---- AuthZ Req ------------------->|
                |<--- AuthZ OK ---------------------|
                |---- Accounting ------------------>|
| Feature | TACACS+ |
| --- | --- |
| Protocol | TCP (usually port 49) |
| Encryption | Full payload encryption |
| Use Case | Network device administration |
| Vendor | Cisco-developed, but many vendors support it |
| AAA Support | Yes – Authentication, Authorization, Accounting |
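To make the "entire payload" point concrete, here is an added Python example (not code from the original page): it builds a TACACS+ Authentication START packet and applies the body protection defined in RFC 8907, which the RFC calls obfuscation (an MD5-derived keystream XORed over the whole body, keyed by the shared secret), so only the 12-byte header travels in the clear. The shared key, username and session id are constructed sample values.

```python
import hashlib
import struct

# Constants and packet layout from RFC 8907; the key, username and session id
# used with these functions are constructed sample values.
VERSION = (0xC << 4) | 0x0      # major 0xc, minor 0 -> 0xc0
TYPE_AUTHEN = 0x01              # TAC_PLUS_AUTHEN
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream: each block hashes session_id|key|version|seq_no plus the previous block."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the whole body with the pad; applying it again restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body: ASCII login, priv_lvl 1, login service, empty data field."""
    action, priv_lvl, authen_type, authen_service = 0x01, 0x01, 0x01, 0x01
    fixed = bytes([action, priv_lvl, authen_type, authen_service,
                   len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Clear-text 12-byte header followed by the obfuscated body (flags=0 means obfuscated)."""
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def decode_packet(packet: bytes, key: bytes) -> tuple:
    """What a collector holding the shared key can recover: (session_id, clear body)."""
    version, _ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    return session_id, body
```

Note that the username is inside the protected body, so it never appears on the wire in the clear; a decoder without the shared key gets only garbage back.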
Is TACACS obsolete?
No, TACACS is not obsolete—especially when we’re talking about TACACS+, which is the modern, actively used version of the protocol.
In fact, TACACS+ is a go-to solution in many enterprise and government environments where secure, granular control over administrative access to network devices is essential. Here’s why it’s still highly relevant—and in many cases, preferred:
Modern Benefits of TACACS+
Full Encryption
Unlike RADIUS, which only encrypts the password in authentication packets, TACACS+ encrypts the entire payload—including usernames, commands, and other sensitive data. This makes it a much better fit for securing administrative access.
Command-Level Authorization
TACACS+ allows fine-grained control over what users can do once logged in. You can define access policies down to specific CLI commands, so users can view but not configure, or run only approved operations.
For example: You can allow a junior tech to view interface status but prevent them from restarting a router.
Separation of AAA Functions
TACACS+ separates Authentication, Authorization, and Accounting, making policies more flexible and customizable. Each step can be managed independently, giving you more control over user access and audit trails.
Robust Accounting
Everything can be logged—login/logout times, commands entered, session durations. This is critical for compliance, auditing, and security incident investigation.
Centralized Access Control
TACACS+ lets you centralize control over all your network devices (Cisco, Juniper, etc.) via a single server or cluster. That means fewer local accounts, easier provisioning/de-provisioning, and more consistent policy enforcement.
Still the Standard for Network Admin Access
TACACS+ is widely used in:
- Enterprise networks
- Government and defense systems
- Financial institutions
- Anywhere that needs tight control over who can do what on critical infrastructure
So no—TACACS isn’t obsolete. In fact, with the increasing need for Zero Trust, role-based access, and auditability, TACACS+ is more relevant than ever.
What does TACACS+ keep track of?
TACACS+ keeps track of a lot of useful information—especially in environments where security, accountability, and compliance matter. This is mostly handled through its accounting and authorization features.
Here’s a breakdown of what TACACS+ typically logs and tracks:
What TACACS+ Keeps Track Of
User Logins
- Who logged in
- When they logged in (timestamp)
- From where (IP address or terminal)
- Which device they accessed
Session Details
- Session start time
- Session end time
- Duration of the session
- Session ID (unique identifier for tracking)
Commands Executed
- Every command the user types into the CLI
- Whether the command was permitted or denied
- Useful for auditing and incident response
Example: show running-config, reload, interface shutdown—TACACS+ can log them all.
Authorization Decisions
- What access level the user was granted
- Whether they had read-only or full access
- Specific privilege levels or command sets assigned
Failed Access Attempts
- Invalid logins
- Unauthorized command attempts
- Denied sessions or permission checks
Policy Changes
- Configuration changes made by users
- Identity of the user making the change
- Command details for traceability
Why This Matters
Tracking this kind of detail helps with:
- Audit trails (who did what and when)
- Security monitoring
- Compliance with standards like PCI-DSS, HIPAA, or NIST
- Forensics in case of a breach or misconfiguration
TACACS+ gives you deep visibility into who accessed your network devices, what they did, and how long they were there. It’s your first line of defense and your last line of accountability.
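As an added example (not from the original page), a Python script that turns accounting records of the kind described above into the per-user view an investigator wants: sessions opened, seconds accounted at session stop, commands run, and commands matching a watch list. The tab-separated layout, the sample records and the watch list are constructed; the AV-pair names (task_id, service, cmd, elapsed_time) are the ones RFC 8907 defines.

```python
from collections import defaultdict

# Constructed accounting records (not real logs) in an assumed tab-separated layout:
# timestamp, NAS, user, port, remote address, start/stop flag, then AV pairs.
# The AV-pair names (task_id, service, cmd, elapsed_time) are those RFC 8907 defines.
RECORDS = """\
2024-06-12T10:00:00Z\t10.0.0.1\talice\ttty1\t192.0.2.10\tstart\ttask_id=7\tservice=shell
2024-06-12T10:00:05Z\t10.0.0.1\talice\ttty1\t192.0.2.10\tstop\ttask_id=8\tservice=shell\tcmd=show running-config
2024-06-12T10:00:40Z\t10.0.0.1\talice\ttty1\t192.0.2.10\tstop\ttask_id=9\tservice=shell\tcmd=reload
2024-06-12T10:05:00Z\t10.0.0.1\talice\ttty1\t192.0.2.10\tstop\ttask_id=7\tservice=shell\telapsed_time=300
2024-06-12T11:00:00Z\t10.0.0.2\tbob\tvty0\t198.51.100.4\tstart\ttask_id=21\tservice=shell
2024-06-12T11:00:10Z\t10.0.0.2\tbob\tvty0\t198.51.100.4\tstop\ttask_id=22\tservice=shell\tcmd=configure terminal
"""

# Command prefixes an operator wants surfaced in review (constructed watch list).
WATCH = ("reload", "configure", "write erase", "no logging")


def parse_record(line: str) -> dict:
    """Split one record into its fixed fields plus the AV pairs as a dict."""
    ts, nas, user, port, rem_addr, flag, *avs = line.rstrip("\n").split("\t")
    fields = {"ts": ts, "nas": nas, "user": user, "port": port,
              "rem_addr": rem_addr, "flag": flag}
    fields.update(av.split("=", 1) for av in avs)
    return fields


def summarize(text: str) -> dict:
    """Per user: sessions opened, seconds accounted at stop, commands run, flagged commands."""
    users = defaultdict(lambda: {"sessions": 0, "seconds": 0, "commands": [], "flagged": []})
    for line in text.splitlines():
        r = parse_record(line)
        u = users[r["user"]]
        if r["flag"] == "start":
            u["sessions"] += 1                      # session opened; its stop may still be pending
        elif "cmd" in r:
            u["commands"].append(r["cmd"])          # command accounting record
            if r["cmd"].startswith(WATCH):
                u["flagged"].append((r["ts"], r["nas"], r["cmd"]))
        elif "elapsed_time" in r:
            u["seconds"] += int(r["elapsed_time"])  # session stop record
    return dict(users)
```

A user with a start record but no matching stop (bob here) shows up with zero accounted seconds, which is how an open or abnormally ended session looks in this view.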
Does TACACS use TCP or UDP?
TACACS+ uses TCP, not UDP.
Protocol Details:
- Protocol: TCP (Transmission Control Protocol)
- Port: 49 (default)
- Direction: Client (NAS) initiates the connection to the TACACS+ server
Why TCP?
- Reliable Delivery: TCP ensures that all data packets arrive in order and are acknowledged—important for critical authentication and authorization traffic.
- Encrypted Payload: TACACS+ encrypts the entire payload, and using TCP helps ensure that encryption-sensitive data is transmitted intact.
- Session-Based: Since TACACS+ can track sessions and log command-level activity, it benefits from TCP’s connection-oriented nature.
Comparison with RADIUS:
| Feature | TACACS+ | RADIUS |
| --- | --- | --- |
| Protocol | TCP (Port 49) | UDP (Port 1812) |
| Payload Encryption | Entire payload | Only password |
| Use Case | Network admin access | User access (VPN, Wi-Fi) |
So yep—TACACS+ runs over TCP, which makes it more robust for securing and managing access to critical network infrastructure.