📖 What is TACACS+?
TACACS+ is a Cisco-proprietary protocol that provides centralized Authentication, Authorization, and Accounting (AAA) services for network device administration. It separates the three AAA functions and encrypts the entire body of the packet for enhanced security.
"Focus on the separation of AAA functions. Unlike RADIUS, TACACS+ allows you to authorize specific commands for specific users on a router or switch."
📚 Certification: CompTIA Security+ Certification Exam (SY0-701)
🔑 What are the Key Concepts of TACACS+?
- ▸ Separates Authentication, Authorization, and Accounting into distinct processes, allowing administrators to modify authorization levels without requiring the user to re-authenticate.
- ▸ Provides granular command-level authorization, enabling the restriction of specific CLI commands based on the user's assigned role or privilege level.
- ▸ Enhances security by encrypting the entire body of the packet, preventing attackers from capturing sensitive usernames or authorization attributes via sniffing.
- ▸ Utilizes TCP port 49 to ensure reliable communication between the network device and the AAA server, providing better session stability than UDP.
- ▸ Primarily designed for device administration and management of network infrastructure rather than providing network access for end-user devices.
🎯 How does TACACS+ appear on the SY0-701 Exam?
You may be asked to select the best protocol for a scenario where a company needs to restrict junior administrators to read-only commands on their core switches.
A scenario might describe a requirement for a centralized AAA system that encrypts all packet contents to prevent credential theft during device management sessions.
Expect questions comparing RADIUS and TACACS+, where the correct choice depends on whether the goal is network access control or granular administrative command authorization.
❓ Frequently Asked Questions
Why is the separation of AAA functions a critical distinction from RADIUS?
Separation allows for independent control. In TACACS+, you can authorize a user for a specific command without needing to re-verify their identity, providing much finer control over administrative sessions.
Which protocol is more secure for managing network hardware and why?
TACACS+ is more secure for administration because it encrypts the entire packet. RADIUS only encrypts the password, leaving the username and other attributes visible to anyone capturing traffic.