📖 What is Terminal Access Controller Access-Control System Plus (TACACS+)?
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol that provides AAA services for network device administration. Unlike RADIUS, it separates authentication, authorization, and accounting functions and encrypts the entire payload of the packet.
"Focus on the 'administrative' aspect; TACACS+ is typically used for managing network gear (routers/switches), whereas RADIUS is for user network access."
📚 Certification: CompTIA Security+ Certification Exam (SY0-701)
🔑 What are the Key Concepts of Terminal Access Controller Access-Control System Plus (TACACS+)?
- Separates authentication, authorization, and accounting into distinct processes, allowing administrators to implement granular control over each individual phase of the AAA cycle.
- Encrypts the entire body of the packet, offering superior security compared to RADIUS, which only encrypts the password during the authentication phase.
- Designed specifically for device administration, enabling precise control over which CLI commands a user can execute on routers, switches, and firewalls.
- Utilizes TCP port 49 for transport, providing a connection-oriented and reliable communication channel necessary for critical network infrastructure management tasks.
🎯 How does Terminal Access Controller Access-Control System Plus (TACACS+) appear on the SY0-701 Exam?
You may be asked to select the most appropriate protocol for a scenario where a company needs to restrict specific administrative commands for junior network engineers on core switches to prevent accidental configuration errors.
A scenario might describe a requirement for an AAA protocol that encrypts all communication between the network device and the server to prevent sensitive administrative data from being sniffed on the wire.
Expect questions comparing TACACS+ and RADIUS where the key differentiator is whether the goal is managing network infrastructure hardware or providing general user network access via VPN or 802.1X.
❓ Frequently Asked Questions
Why is the separation of AAA functions in TACACS+ considered a security benefit?
It allows for granular authorization. An administrator can grant a user access to the device (authentication) but strictly limit which specific commands they can run (authorization) without needing to re-authenticate for every action.
In what situation would RADIUS be a better choice than TACACS+?
RADIUS is preferable for network access control (NAC), such as managing thousands of Wi-Fi or VPN users. It is an open standard and is generally the more efficient choice for high-volume user authentication, whereas TACACS+ is geared toward device administration.