Multi-vendor support with TACACS+

Does TACACS+ offer multivendor support?

TACACS+ was developed by Cisco, but the specification is open (it is published as RFC 8907) and many vendors implement it across their device lines. You can use a single TACACS+ server to control access across gear from:

Networking Vendors

  • Cisco
  • Juniper
  • Aruba (HPE)
  • Arista
  • Extreme Networks
  • Dell Networking
  • Fortinet

Security & Infrastructure

  • Palo Alto Networks
  • Check Point
  • F5
  • SonicWall

Others

  • Linux/Unix systems (via PAM modules)
  • Virtual appliances with SSH/CLI access
  • Network management platforms and NAC solutions (like Portnox)

Caveat:

Each vendor maps TACACS+ authorization slightly differently. Cisco IOS expects a priv-lvl attribute and sends each command as cmd and cmd-arg pairs for per-command authorization; Junos instead maps the TACACS+ user to a local template account through a local-user-name attribute and takes allow-commands/deny-commands attributes; other vendors have their own role attributes. Authentication and accounting behave consistently, so the per-platform work on the server is almost entirely in the authorization policy.

Most of the time, if your device supports external AAA via TACACS+, you can integrate it into a central policy regardless of vendor. Keep a local fallback account on each device for when the server is unreachable, and make the device try TACACS+ first and fall back to local only on timeout, never on an explicit FAIL from the server.

TL;DR:

Yes—TACACS+ works across multiple vendors. It’s ideal for managing authentication and access policies across a mixed network environment.

Is TACACS multifactor authentication?

No, TACACS+ is not inherently multifactor authentication (MFA)—but it can be part of an MFA setup when integrated with the right tools.

What TACACS+ Does:

TACACS+ is a protocol for AAA (Authentication, Authorization, Accounting). It handles:

  • Authentication: an interactive username/password login, or PAP, CHAP and MS-CHAP credentials relayed by the device
  • Authorization policies (like what commands a user can run)
  • Logging/accounting of access events and commands

By default, though, TACACS+ is single-factor: the device collects one credential (normally a username and password) and the server verifies it.

How to Add MFA to TACACS+

You can enable MFA by integrating TACACS+ with an identity provider (IdP) or external authentication source that supports MFA.

Common MFA Integrations:

  • TACACS+ + RADIUS proxy + MFA provider
    • E.g., the TACACS+ server forwards the credential check to RADIUS, which talks to Duo, Okta, or Microsoft Entra (Azure) MFA.
  • TACACS+ server with an LDAP/AD backend for the password check, with the second factor collected by the TACACS+ server itself (an extra prompt in the login exchange) or verified by an MFA provider.
  • Cloud-native NAC platforms (like Portnox) that sit in front of device access and apply MFA policies.

Example Workflow:

  1. User connects to switch via SSH
  2. Switch uses TACACS+ for AAA
  3. TACACS+ server forwards auth to an MFA-enabled IdP (e.g., Duo)
  4. User gets push notification or TOTP prompt
  5. Upon successful MFA, TACACS+ completes login and applies command authorization

TACACS+ is not MFA by itself, but it supports MFA when combined with an identity provider or a secondary authentication method. Two practical notes: the interactive prompt in step 4 relies on the ASCII login type, where the server may send any number of additional prompts (RFC 8907 GETDATA and GETPASS replies); devices that authenticate with PAP send a single password field, so the factor is usually appended to the password or delivered as a push. And MFA on interactive login does nothing for local fallback accounts or for automation that logs in with a static credential, so those paths need their own controls.

What is the authentication protocol for TACACS+?

TACACS+ carries authentication inside its own protocol, originally defined by Cisco and now documented in RFC 8907, designed for centralized AAA (Authentication, Authorization, and Accounting). Where RADIUS wraps PAP, CHAP or EAP credentials in UDP datagrams, TACACS+ runs over TCP and defines its own message types (START, REPLY, CONTINUE) for the authentication exchange; inside those messages it can carry an interactive ASCII login or PAP, CHAP and MS-CHAP credentials.

Key Characteristics of TACACS+ Authentication:

Custom, TCP-Based Protocol

  • TACACS+ uses TCP port 49
  • TCP gives reliable, session-oriented delivery (classic RADIUS uses UDP; RadSec, RFC 6614, is what moves RADIUS onto TCP/TLS)
  • A single TCP connection can carry several sessions when both sides set the SINGLE_CONNECT flag; otherwise each AAA session is its own connection

Body Obfuscation (Usually Marketed as "Full Payload Encryption")

  • Every packet body, not just the password, is XORed with a pad derived by MD5 from the shared secret, session ID, version and sequence number (RFC 8907 section 4.5); this covers usernames, passwords, authorization attributes and accounting records
  • The 12-byte header (version, type, sequence number, flags, session ID, length) is always sent in cleartext
  • RFC 8907 calls this obfuscation, not encryption: it has no integrity protection, and its strength rests entirely on the shared secret configured on the TACACS+ client (e.g., a switch) and server. A packet with TAC_PLUS_UNENCRYPTED_FLAG set goes out in the clear and must not be allowed in production
  • Run TACACS+ on a dedicated management network or over a protected transport (the IETF is specifying TACACS+ over TLS 1.3), and use long, per-device shared secrets

Flexible Authentication Flow

  • The authentication type can be an interactive ASCII login (the server may send any number of password or data prompts, which is how one-time passcodes are collected), or PAP, CHAP, MS-CHAP or MS-CHAPv2 credentials relayed by the device
  • The server can validate those credentials locally or forward them to LDAP, Active Directory or RADIUS, which is what makes modern identity integrations possible

Separation of AAA

  • Authentication is handled as a distinct, modular phase from authorization and accounting
  • Great for implementing custom login policies or chaining external auth sources

TACACS+ authenticates through its own TCP-based message exchange rather than through a separate authentication protocol; PAP, CHAP and MS-CHAP appear only as credential formats inside that exchange. It is flexible and built for device-level access control, and its body obfuscation should be treated as protection against casual snooping, not as encryption.
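The workflow in the MFA section above and the authentication points in this section, as an added worked example that is not code from this page or from any TACACS+ vendor: a minimal RFC 8907 ASCII-login exchange in Python, run in-process with no sockets. The user table, the fixed passcode standing in for an OTP, the shared secret and the session values are all constructed. It shows three things a practitioner should take from both sections: the server can issue as many prompts as it likes (GETPASS for the password, then GETDATA for a second factor), so an OTP fits the protocol without any extension; every body is XORed with an MD5-derived pad while the header stays cleartext; and because that pad carries no integrity check, flipping one ciphertext byte turns a FAIL reply into PASS.

```python
"""TACACS+ (RFC 8907) ASCII login with a second-factor prompt, plus the obfuscation
caveat. Added example, not code from this page or any vendor. Constructed: the user
table, a fixed passcode standing in for an OTP, the shared secret. Client and server
run in-process (no sockets); the bytes exchanged are RFC 8907 wire format."""
import hashlib
import hmac
import os
import struct

VERSION, TYPE_AUTHEN, FLAG_UNENCRYPTED = 0xC0, 1, 0x01
ACTION_LOGIN, PRIV_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 1, 1, 1, 1
PASS, FAIL, GETDATA, GETUSER, GETPASS = 1, 2, 3, 4, 5   # REPLY status values
REPLY_NOECHO = 0x01
HDR = "!BBBBII"   # version, type, seq_no, flags, session_id, body length
KEY = b"constructed-shared-secret"
USERS = {b"netadmin": {"password": b"correct horse", "passcode": b"492781"}}  # constructed

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s.4.5: MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(...|MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def pack(session_id, seq_no, body, key, flags=0):
    """Cleartext 12-byte header, then the body XORed with the pad (unless UNENCRYPTED)."""
    if not flags & FLAG_UNENCRYPTED:
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, VERSION, seq_no, len(body))))
    return struct.pack(HDR, VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body)) + body

def unpack(packet, key):
    """Read the header, then XOR with the same pad to recover the body."""
    version, _type, seq_no, flags, session_id, length = struct.unpack(HDR, packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    return session_id, seq_no, body

def authen_start(user, port=b"tty0", rem_addr=b"203.0.113.10"):
    """START body: action, priv_lvl, authen_type, service, four 1-byte lengths, then the strings."""
    return bytes([ACTION_LOGIN, PRIV_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                  len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr

def authen_reply(status, server_msg=b"", flags=0):
    return struct.pack("!BBHH", status, flags, len(server_msg), 0) + server_msg

def authen_continue(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def parse_reply(body):
    status, _flags, mlen, _dlen = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + mlen]

def parse_continue(body):
    return body[5:5 + struct.unpack("!H", body[:2])[0]]

class Server:
    """One ASCII-login session: password prompt first, then a second-factor prompt."""

    def __init__(self, key):
        self.key, self.user, self.stage = key, None, "start"

    def handle(self, packet):
        sid, seq, body = unpack(packet, self.key)
        if self.stage == "start":                 # START: the username is the first string
            self.user, self.stage = body[8:8 + body[4]], "password"
            reply = authen_reply(GETPASS, b"Password: ", REPLY_NOECHO)
        elif self.stage == "password":            # CONTINUE carrying the password
            ok = self.user in USERS and hmac.compare_digest(parse_continue(body), USERS[self.user]["password"])
            self.stage = "passcode" if ok else "done"
            reply = (authen_reply(GETDATA, b"Passcode: ", REPLY_NOECHO) if ok
                     else authen_reply(FAIL, b"Login failed"))
        else:                                     # CONTINUE carrying the second factor
            self.stage = "done"
            ok = hmac.compare_digest(parse_continue(body), USERS[self.user]["passcode"])
            reply = authen_reply(PASS if ok else FAIL)
        return pack(sid, seq + 1, reply, self.key)   # server replies use even sequence numbers

def login(server, key, user, password, passcode):
    """Client side: send START, answer each prompt, return (final status, prompts seen)."""
    sid = struct.unpack("!I", os.urandom(4))[0]
    answers, prompts = {b"Password: ": password, b"Passcode: ": passcode}, []
    reply = server.handle(pack(sid, 1, authen_start(user), key))
    while True:
        _sid, seq, body = unpack(reply, key)
        status, msg = parse_reply(body)
        if status in (PASS, FAIL):
            return status, prompts
        prompts.append(msg)
        reply = server.handle(pack(sid, seq + 1, authen_continue(answers.get(msg, b"")), key))

def tamper_status(packet, from_status, to_status):
    """The pad is XOR with no integrity check: an on-path attacker who can guess one
    plaintext byte (the FAIL status) flips it to PASS by XORing the ciphertext."""
    body = bytearray(packet[12:])
    body[0] ^= from_status ^ to_status
    return packet[:12] + bytes(body)

if __name__ == "__main__":
    print(login(Server(KEY), KEY, b"netadmin", b"correct horse", b"492781"))  # (1, [b'Password: ', b'Passcode: '])
    print(login(Server(KEY), KEY, b"netadmin", b"wrong", b"492781"))          # (2, [b'Password: '])
```

In a real deployment the server would check the password against LDAP/AD or hand the second factor to an MFA provider instead of a dict; the wire exchange with the device is the same. tamper_status is the reason RFC 8907 tells you to keep TACACS+ on a protected network: the device has no way to tell a forged PASS from a genuine one.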

What is the difference between TACACS and TACACS+?

TACACS and TACACS+ are related, but they’re very different in functionality and design. Here’s a quick breakdown to clear it up:

TACACS vs. TACACS+: What’s the Difference?

  • Release: TACACS dates from 1984 and was written up in RFC 1492 (1993); TACACS+ was developed by Cisco in 1993 and published as RFC 8907 in 2020
  • Transport: TACACS uses UDP port 49; TACACS+ uses TCP port 49
  • Confidentiality: TACACS sends everything in cleartext; TACACS+ obfuscates the whole packet body with a pad derived from the shared secret (the header stays cleartext)
  • AAA separation: TACACS handles authentication only; TACACS+ has separate authentication, authorization and accounting exchanges
  • Extensibility: minimal in TACACS; TACACS+ carries attribute-value pairs in authorization and accounting
  • Command control: none in TACACS; TACACS+ authorizes each command (cmd and cmd-arg attributes)
  • Status: TACACS is obsolete; TACACS+ is the de facto standard with an open specification

In Plain English:

  • TACACS (original) was a simple protocol for remote authentication developed in the 1980s. It’s obsolete and no longer used.
  • TACACS+ is a completely new and much more secure protocol that supports:
    • Centralized authentication
    • Per-command authorization (e.g., on routers/switches)
    • Full accounting and logging
    • Shared-secret obfuscation of every packet body (RFC 8907 recommends a protected management network or a secure transport) and centralized policy enforcement

Despite the similar name, TACACS+ ≠ “TACACS but better” — it’s a totally redesigned protocol with enterprise-grade security features.

TACACS is dead. TACACS+ is the current standard. If you’re using “TACACS” today, it’s almost certainly TACACS+, and it still belongs on a protected management network, because its shared-secret obfuscation is not a substitute for encryption.