📖 What is Terminal Access Controller Access-Control System Plus (TACACS+)?
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol used for AAA services, specifically designed for device administration. Unlike RADIUS, it separates authentication, authorization, and accounting functions and encrypts the entire packet payload for enhanced security.
"For the exam, remember that TACACS+ provides more granular control over administrative commands than RADIUS does."
📚 Certification: CompTIA Network+ Certification Exam (N10-009)
🔑 What are the Key Concepts of Terminal Access Controller Access-Control System Plus (TACACS+)?
- ▸ Separation of AAA: Unlike RADIUS, TACACS+ separates authentication, authorization, and accounting, allowing these functions to be managed independently by different servers.
- ▸ Full Packet Encryption: TACACS+ encrypts the entire body of the packet, providing superior security compared to RADIUS, which only encrypts the user password.
- ▸ Granular Command Authorization: It enables administrators to restrict specific CLI commands on a per-user basis, ensuring junior staff cannot execute high-risk configuration changes.
- ▸ TCP-Based Transport: TACACS+ utilizes TCP port 49, ensuring reliable delivery of AAA data, which is critical when managing core network infrastructure devices.
- ▸ Device Administration Focus: While RADIUS is optimized for network access control, TACACS+ is specifically designed for the secure management of routers, switches, and firewalls.
🎯 How does Terminal Access Controller Access-Control System Plus (TACACS+) appear on the N10-009 Exam?
You may be asked to identify the best protocol for a scenario where an organization needs to restrict specific CLI commands for different levels of network administrators.
A scenario might describe a requirement for an AAA protocol that encrypts the entire communication payload between a network device and the server to prevent eavesdropping.
Expect questions comparing RADIUS and TACACS+ where you must choose TACACS+ because the requirement emphasizes granular control over device administration rather than general user network access.
❓ Frequently Asked Questions
Why is the separation of AAA functions in TACACS+ an advantage over RADIUS?
It allows for more flexible security policies. For example, you can authenticate a user on one server but authorize their specific command permissions on a completely different server.
When should I choose RADIUS over TACACS+ for a network deployment?
Choose RADIUS for network access control, such as 802.1X port security or VPN authentication, as it is more widely supported by end-user devices and more efficient for high-volume access.