Terminal Access Controller Access Control System

From Hill2dot0

The Terminal Access Controller Access Control System (TACACS) is another authentication, authorization, and accounting (AAA) system for remote network access. Developed by Cisco Systems, TACACS actually refers to a family of protocols. The original TACACS supported only authentication against a central server. A later, more capable version, Extended TACACS (XTACACS), added authorization and accounting. RFC 1492 describes both TACACS and XTACACS.

The current flavor of the protocol is TACACS Plus (TACACS+), which Cisco promotes in place of the two earlier versions; it is a separate protocol and is not backward compatible with them. Originally a Cisco proprietary protocol, TACACS+ was submitted to the IETF as an Internet-Draft (draft-grant-tacacs); the protocol as actually deployed was later published as RFC 8907 (Informational, 2020), which is the reference to consult today. TACACS+ is conceptually similar to RADIUS, in that it provides AAA and supports an environment where one or a few TACACS+ servers serve many network access servers (NASs). Like RADIUS, TACACS+ scales from networks with very few users to networks with very many. TACACS+ is arguably more mature than RADIUS, but it is not as widely deployed or supported; at the time of writing few vendors besides Cisco and Novell supported it.

In a Cisco-only environment, however, it is the recommended access management solution, because TACACS+ offers a richer set of optional features (notably per-command authorization) than Cisco's implementation of RADIUS. TACACS+ runs over TCP (port 49), so delivery of AAA messages, including accounting records, is acknowledged and retransmitted by the transport rather than by the application; this makes the accounting log more complete, although TCP by itself does not make it more secure.



The RADIUS and TACACS+ protocols are both popular and widely used. While TACACS+ arguably offers better security and scalability, its origin as a Cisco proprietary protocol and its narrower vendor support make RADIUS the more widely deployed remote access AAA system. The equipment a corporation or an ISP deploys may therefore be the biggest factor in deciding which protocol to use for authentication. To aid that decision, the following list describes the most important differences between the two protocols.

  1. RADIUS uses UDP (ports 1812/1813, historically 1645/1646) and TACACS+ uses TCP (port 49). RADIUS therefore needs its own timeout and retransmission parameters tuned to the network round-trip time (RTT), and can misbehave under variable network delay or when a server is unavailable; TCP gives TACACS+ acknowledged delivery and an immediate indication (a refused or reset connection) that a server is down.
  2. RADIUS hides only the User-Password attribute, by XORing it with an MD5 digest of the shared secret and the request authenticator; every other attribute travels in the clear. TACACS+ obfuscates the entire packet body (the 12-byte header stays in the clear) by XORing it with an MD5-derived keystream. With RADIUS, user names and access privileges are therefore visible to anyone with a network sniffer: the password is protected, but an attacker can still learn a great deal about the network from the unencrypted attributes. Note that neither mechanism is modern cryptography: the TACACS+ keystream carries no integrity check, and RFC 8907 calls it obfuscation rather than encryption and recommends confining TACACS+ traffic to a protected management network or carrying it over IPsec.
  3. RADIUS combines authentication and authorization: the Access-Accept that reports a successful login also carries the authorization attributes. TACACS+ runs them as separate exchanges, so a remote user of a TACACS+ server can be authenticated using Kerberos or a one-time token and then be granted access to network resources according to the rights configured on the TACACS+ server, including per-command authorization.
  4. TACACS+ offers multiprotocol support (e.g., NetBIOS, AppleTalk Remote Access, and X.25 PAD connections), which RADIUS does not cover.
  5. RADIUS is an open standard (RFC 2865 and RFC 2866) supported by many vendors. TACACS+ originated as a Cisco proprietary solution.
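
The wire-level difference behind point 2 above (and the header-plus-body packet layout that TACACS+ carries over TCP, described earlier on this page), as an added example in Python that is not part of the original article and is not Cisco's or any other vendor's code. It builds a TACACS+ authentication START packet and obfuscates its body with the MD5 pad from RFC 8907 section 4.5, builds a RADIUS Access-Request with the User-Password hiding from RFC 2865 section 5.2, and then shows what a passive sniffer recovers from each without the shared secret. It also demonstrates the caveat the comparison omits: the TACACS+ pad is a plain XOR keystream with no integrity protection, so one ciphertext byte (here the privilege level) can be rewritten without the key. The shared secret, session id, user name, port, remote address and password are constructed sample values.

```python
"""TACACS+ body obfuscation (RFC 8907 4.5) beside RADIUS User-Password hiding (RFC 2865
5.2). Added example, not the article's or any vendor's code; all values are constructed."""
import hashlib
import struct

# TACACS+ (TCP port 49): 12-byte cleartext header followed by an obfuscated body
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 1                # packet types: AUTHEN=1, AUTHOR=2, ACCT=3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 1, 1, 1

def tacacs_pad(key, session_id, version, seq_no, length):
    """RFC 8907 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_authen_start(user, port, rem_addr, data=b""):
    """Body of an authentication START packet (RFC 8907 5.1) at priv_lvl 1."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                  len(u), len(p), len(r), len(data)]) + u + p + r + data

def tacacs_packet(key, session_id, seq_no, ptype, body, unencrypted=False):
    """Header in the clear; body XORed with the pad unless the unencrypted
    flag is set (a production server should reject such packets)."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    hdr = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags,
                      session_id, len(body))
    if unencrypted:
        return hdr + body
    pad = tacacs_pad(key, session_id, TAC_PLUS_VERSION, seq_no, len(body))
    return hdr + bytes(a ^ b for a, b in zip(body, pad))

def tacacs_decode(key, packet):
    """Server side: strip the pad and parse a START body back into fields."""
    version, ptype, seq_no, flags, sid, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = tacacs_pad(key, sid, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, pad))
    _action, priv, _atype, _svc, ul, pl, rl, dl = body[:8]
    out, off = {"type": ptype, "session_id": sid, "priv_lvl": priv}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        out[name], off = body[off:off + n], off + n
    return out

def tacacs_sniffer_view(packet):
    """Passive observer without the key: header fields, body only if unencrypted."""
    _v, ptype, seq_no, flags, sid, length = struct.unpack("!BBBBII", packet[:12])
    return {"type": ptype, "seq_no": seq_no, "session_id": sid, "body_len": length,
            "body": packet[12:] if flags & TAC_PLUS_UNENCRYPTED_FLAG else None}

def flip_priv_lvl(packet, from_lvl, to_lvl):
    """Why RFC 8907 calls the pad obfuscation: XOR has no integrity check, so anyone
    who can guess one plaintext byte (priv_lvl, body offset 1) rewrites it keyless."""
    i = 12 + 1
    return packet[:i] + bytes([packet[i] ^ from_lvl ^ to_lvl]) + packet[i + 1:]

# RADIUS (UDP 1812/1813): every attribute is cleartext except User-Password
RADIUS_ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2

def radius_hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks; c1 = p1 XOR MD5(S + RA),
    c_i = p_i XOR MD5(S + c_i-1)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out

def radius_access_request(secret, ident, authenticator, user, password):
    """Access-Request carrying User-Name in the clear and User-Password hidden."""
    u = user.encode()
    hidden = radius_hide_password(secret, authenticator, password.encode())
    attrs = (bytes([ATTR_USER_NAME, 2 + len(u)]) + u
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def radius_sniffer_view(packet):
    """Walk the TLV attributes: User-Name is readable, User-Password is not."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, off = {}, 20
    while off < length:
        t, n = packet[off], packet[off + 1]
        attrs[t], off = packet[off + 2:off + n], off + n
    return {"code": code, "user": attrs.get(ATTR_USER_NAME),
            "password_bytes": attrs.get(ATTR_USER_PASSWORD)}

if __name__ == "__main__":
    key = b"s3cret"                                   # constructed sample secret
    pkt = tacacs_packet(key, 0x12345678, 1, TAC_PLUS_AUTHEN,
                        tacacs_authen_start("alice", "tty0", "10.0.0.5"))
    print("sniffer sees:", tacacs_sniffer_view(pkt))
    print("server decodes:", tacacs_decode(key, pkt))
    print("priv_lvl after bit flip:", tacacs_decode(key, flip_priv_lvl(pkt, 1, 15))["priv_lvl"])
    print("radius sniffer:", radius_sniffer_view(radius_access_request(key, 7, bytes(range(16)), "alice", "hunter2")))
```

Running the block shows the sniffer's view of the TACACS+ packet as header fields only (type, sequence number, session id, body length) while the RADIUS view yields the user name in the clear next to a 16-byte hidden password. The bit-flip line is the practical reason to treat "TACACS+ encrypts the entire message" with caution: the server accepts the modified packet as a privilege-15 login request, so the shared secret and the pad should be regarded as protection against casual sniffing, not against an active on-path attacker, and TACACS+ should be confined to a management network or wrapped in IPsec as RFC 8907 advises.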

Despite the apparent advantages of TACACS+ over RADIUS, in the environment where the two authentication protocols are typically used (i.e., within the LAN of an ISP or corporation that primarily runs IP), the open nature of RADIUS generally favors its use over TACACS+.


Podcast: http://podcast.hill-vt.com/podsnacks/2007q3/tacacs.mp3 (Terminal Access Controller Access Control System (TACACS))