What is the Best TACACS+ Server Setup?

What is the best TACACS+ server setup?

Setting up a TACACS+ (Terminal Access Controller Access-Control System Plus) server properly is key to managing centralized authentication, authorization, and accounting (AAA) for network devices—especially in larger or security-conscious environments.

Here’s a “best practice” TACACS+ server setup for modern enterprise environments:

1. Choose the Right TACACS+ Server Software

  • Open Source Options:
    • tac_plus (by Marc Huber) – actively maintained, solid for Unix/Linux environments.
    • FreeRADIUS with TACACS+ module – if you’re already using RADIUS and want to consolidate services.
  • Commercial Options:
    • Portnox – offers cloud-native TACACS+ and centralized AAA as part of a unified access control platform.
    • Other enterprise NAC or IAM platforms – many modern platforms provide TACACS+ support or equivalent centralized AAA capabilities with improved scalability and visibility.

2. Run It on a Hardened Server

  • Use a dedicated VM or physical server (no shared services).
  • Harden OS (disable unused services, configure firewalls, patch regularly).

3. Enable Encryption

  • TACACS+ encrypts the entire packet (unlike RADIUS, which only encrypts the password), but make sure:
    • You use strong shared secrets between network devices and the TACACS+ server.
    • You use IPsec or a VPN tunnel for additional encryption of the traffic in transit if it crosses insecure networks.
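To make the shared-secret point concrete, here is an added example (written for this page, not code from the page or any vendor) implementing the body obfuscation that RFC 8907 section 4.5 specifies for TACACS+: the 12-byte header is sent in the clear, and the body is XORed with a chained-MD5 keystream derived from the session id, the shared secret, the version and the sequence number, so the secret is the only thing standing between an on-path observer and the body. The key, session id and body used below are constructed sample values, and the body is a placeholder rather than a real AUTHEN START layout.

```python
# Added example, not code from the page or any vendor: the TACACS+ body
# obfuscation from RFC 8907 section 4.5. The 12-byte header travels in the
# clear; only the body is XORed with an MD5 keystream derived from the shared
# secret and header fields, so the secret's strength is all that protects it.
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: chained MD5 over session_id || key || version || seq_no || previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        digest = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad, prev = pad + digest, digest
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; calling it again with the same inputs reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(version: int, ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """Cleartext header plus obfuscated body; an empty key means the unencrypted flag is set."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(payload)) + payload

def parse_header(packet: bytes) -> dict:
    """Fields anyone on the network path can read without knowing the secret."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}

def recover_body(packet: bytes, key: bytes) -> bytes:
    """Undo the obfuscation with a candidate key; a wrong key yields garbage, not an error."""
    hdr = parse_header(packet)
    body = packet[12:12 + hdr["length"]]
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])

if __name__ == "__main__":
    # Constructed sample values; the body is a placeholder, not a real AUTHEN START layout.
    pkt = build_packet(0xC0, 1, 1, 0x1234ABCD, b"constructed body: user=alice", b"CorrectHorseBatteryStaple")
    print(parse_header(pkt))                                # readable without the key
    print(recover_body(pkt, b"CorrectHorseBatteryStaple"))  # back to the placeholder body
```

Because a wrong secret produces plausible-looking garbage rather than an error, a server must validate the decoded body structure, which is one more reason to rotate secrets carefully and keep them long and random.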

4. Use Role-Based Access Control (RBAC)

  • Define user roles and permissions based on job function (e.g., network admin vs. read-only NOC tech).
  • Separate authentication (who you are) from authorization (what you can do).

5. Integrate with Directory Services

  • Integrate TACACS+ with LDAP, Active Directory, or SAML if possible.
  • That way, you manage credentials centrally—no local accounts to rotate or lose track of.

6. Logging & Accounting

  • Enable accounting to track:
    • Login/logout events
    • Command execution (especially on routers/switches)
  • Forward logs to a SIEM (e.g., Splunk, ELK, Graylog) for audit and anomaly detection.
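As an added illustration of what forwarded accounting records make possible (example code written for this page, not a Portnox, tac_plus or SIEM component), the following detector runs over constructed accounting lines and flags configuration commands and privilege-level-15 sessions coming from non-admin or unmapped accounts. The tab-separated record layout and the user-to-role mapping are assumptions modelled on tac_plus accounting logs.

```python
# Added example, not code from the page or any SIEM product: a small detector run
# over constructed TACACS+ accounting records, the kind of rule the forwarded logs
# enable. The tab-separated layout is an assumption modelled on tac_plus accounting
# logs: timestamp, device, user, port, remote address, record type, then attr=value pairs.

# Constructed role mapping (assumption): only network-admins are expected to change config.
ROLES = {"alice": "network-admin", "bob": "noc-readonly"}
CONFIG_VERBS = {"configure", "write", "copy", "reload", "erase"}

# Constructed sample records (not real device output).
SAMPLE_LOG = (
    "2024-05-01 09:00:01\t10.10.1.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=41\tservice=shell\tpriv-lvl=15\tcmd=configure terminal\n"
    "2024-05-01 09:00:07\t10.10.1.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=42\tservice=shell\tpriv-lvl=15\tcmd=interface Gi0/1\n"
    "2024-05-01 09:12:30\t10.10.1.2\tbob\ttty1\t192.0.2.55\tstop\ttask_id=43\tservice=shell\tpriv-lvl=1\tcmd=show running-config\n"
    "2024-05-01 09:13:02\t10.10.1.2\tbob\ttty1\t192.0.2.55\tstop\ttask_id=44\tservice=shell\tpriv-lvl=15\tcmd=write erase\n"
    "2024-05-01 09:20:45\t10.10.1.3\tcarol\ttty1\t192.0.2.77\tstop\ttask_id=45\tservice=shell\tpriv-lvl=1\tcmd=show version\n"
)

def parse_record(line: str) -> dict:
    """Split one accounting line into fixed fields plus a dict of attr=value pairs."""
    ts, device, user, _port, _remote, rectype, *avpairs = line.rstrip("\n").split("\t")
    attrs = dict(p.split("=", 1) for p in avpairs if "=" in p)
    return {"ts": ts, "device": device, "user": user, "rectype": rectype, "attrs": attrs}

def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def findings(records: list) -> list:
    """Flag config-changing commands and priv-lvl 15 sessions from non-admin or unmapped accounts."""
    out = []
    for r in records:
        role = ROLES.get(r["user"], "unknown")
        cmd = r["attrs"].get("cmd", "")
        verb = cmd.split(None, 1)[0] if cmd else ""
        if role == "unknown":
            out.append(f"{r['ts']} {r['user']}@{r['device']}: account not mapped to any role")
        if verb in CONFIG_VERBS and role != "network-admin":
            out.append(f"{r['ts']} {r['user']}@{r['device']}: config command by {role}: {cmd!r}")
        if role == "noc-readonly" and r["attrs"].get("priv-lvl") == "15":
            out.append(f"{r['ts']} {r['user']}@{r['device']}: priv-lvl 15 session for a read-only role")
    return out

if __name__ == "__main__":
    for alert in findings(parse_log(SAMPLE_LOG)):
        print(alert)
```

The same three rules translate directly into SIEM correlation searches once the role mapping is sourced from the directory rather than hard-coded.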

7. Redundancy & High Availability

  • Deploy at least two TACACS+ servers in different availability zones or datacenters.
  • Configure device fallbacks (e.g., secondary/tertiary servers) on your switches, firewalls, etc.
  • Even better, choose a cloud-native platform so you can take advantage of its built-in redundancy.

8. Test Regularly

  • Set up test accounts, audit policy mappings, simulate outages, and validate failover behavior.
  • Don’t forget to document everything—including shared secrets (kept in a password or secrets manager rather than in the runbook itself) and backup procedures.

Is TACACS+ better than RADIUS?

Yes—for network equipment, TACACS+ is generally better than RADIUS.

Here’s why:

1. Full Command Authorization (Per-Command Control)

  • TACACS+ allows granular control over which commands a user can run on a router, switch, firewall, etc.
  • RADIUS doesn’t natively support this level of authorization.

Perfect for environments where junior admins need access—but shouldn’t be allowed to wipe configs.

2. Full Packet Encryption

  • TACACS+ encrypts the entire payload, including usernames, passwords, and command logs.
  • RADIUS only encrypts the password field—other data (such as the username and attributes) is sent in plaintext.

3. Separation of AAA

  • TACACS+ separates authentication, authorization, and accounting—which makes it more flexible for policies.
  • RADIUS combines authentication and authorization, limiting fine-tuned control.

4. Purpose-Built for Device Access

  • TACACS+ was specifically designed for managing access to network infrastructure (routers, switches, firewalls).
  • RADIUS was originally built for dial-up user authentication—and while it’s evolved, it’s still better suited for VPN/Wi-Fi access or remote user auth.

When RADIUS Might Still Be Better

  • Wireless authentication (802.1X)
  • VPN access
  • Environments using MFA via cloud identity providers

If you’re managing network gear and care about fine-grained access control and better auditing, TACACS+ is the way to go.

When would you recommend using TACACS+ over RADIUS or Kerberos?

Each of these protocols has its strengths, but here’s a breakdown of when you should use TACACS+ over RADIUS or Kerberos, especially from a practical, real-world IT/security perspective.

Use TACACS+ When:

You’re Managing Network Infrastructure (Routers, Switches, Firewalls, etc.)

  • TACACS+ is purpose-built for device administration.
  • Supports per-command authorization—ideal for granting limited access to junior admins or contractors.

You Need Granular Role-Based Access

  • TACACS+ separates Authentication, Authorization, and Accounting (AAA), letting you apply fine-tuned access policies.
  • You can define who can enter exec mode, who can run show commands, who can change config, etc.

You Want Better Auditing & Accountability

  • TACACS+ can log every single command a user runs.
  • Combine this with your SIEM and you’ve got strong user accountability.

You Want Full Packet Encryption

  • Unlike RADIUS (which only encrypts passwords), TACACS+ encrypts the entire session—credentials, commands, everything.
  • Useful in sensitive environments (government, defense, finance) where plaintext metadata is itself a risk.

Avoid TACACS+ When:

You’re Authenticating Wi-Fi, VPN, or End-User Logins

  • Use RADIUS here—it’s the industry standard for 802.1X and integrates well with identity providers like Azure AD, Okta, and others.

You Want Single Sign-On (SSO) Across Internal Apps

  • Use Kerberos for Windows-based enterprise networks or SSO environments.
  • It’s built into Active Directory and ideal for seamless domain authentication across internal resources (file shares, intranet apps, etc.).

TL;DR:

Use Case                              Best Choice
Network device administration         TACACS+
Per-command control on CLI            TACACS+
Wi-Fi or VPN access (802.1X)          RADIUS
MFA with cloud identity providers     RADIUS
Windows SSO across internal systems   Kerberos

So if you’re securing routers, switches, and firewalls—and you care about fine-grained access, audit trails, and encryption—TACACS+ is your go-to.

Is TACACS+ proprietary to Cisco?

No, TACACS+ is not proprietary to Cisco—but Cisco is the main driver behind its development and adoption.

A Quick Breakdown:

  • TACACS (original version) and XTACACS were indeed Cisco proprietary in the early days.
  • TACACS+, introduced by Cisco in the 1990s, was designed as a more secure, extensible, and flexible protocol.
  • While Cisco originally developed TACACS+, it was released as an open protocol, and the specification is publicly available (RFC-style documentation exists, though it’s not an IETF standard).
  • This means anyone can implement TACACS+, and many open-source and commercial vendors do.

Non-Cisco TACACS+ Implementations:

  • tac_plus by Marc Huber (open source, widely used in production)
  • FreeRADIUS with TACACS+ support
  • Portnox and other NAC/AAA platforms with TACACS+ integrations

TACACS+ is Cisco-developed, but not Cisco-owned. You don’t need Cisco hardware or software to run or benefit from it.