TACACS+ is an authentication protocol for routers, switches, and other network devices.
TACACS+ is an open standard supported by most enterprise and carrier-class devices. It was first created for the US Department of Defense to address the limitations in the RADIUS protocol for administrator authentication.
TACACS+ is similar to RADIUS in some respects, but has some distinct advantages. It is more stable because it uses TCP instead of UDP, and it is more secure because it encrypts the whole packet instead of just hashing passwords.
The biggest advantage of using TACACS+ is that it enables more granular access controls than RADIUS. You can specify the exact commands that can be used by a particular user or group based on location, time of day, or device type. For example, you can allow some users to run show commands during the daytime but only allow them to run debugging commands after hours, so they don't affect service. You could allow some users full show and debug commands but block configure commands. You can give different groups the ability to run some configure commands but block other configure commands. In an enterprise environment, one group may have the ability to configure IPsec and firewall rules, and another group could configure routing and interfaces. This gives you the ability to scale out a large network very efficiently by designating certain groups to complete specific tasks without giving everyone root access on the devices, which can lead to service-affecting mistakes and security incidents.
Another advantage of using TACACS+ is that it logs each command entered on the device, with the date and time, username, and source IP address of the individual who made the change. RADIUS only logs the session start and stop times. This is a huge advantage when trying to find out who did what if something does happen.
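The group- and time-based command authorization described above, together with the per-command accounting record, as an added illustration that is not code from the original page or from any TACACS+ server: the group names, the daytime window, the rule format and the sample session are all constructed, and config-mode commands are modelled as lines starting with "configure ".

```python
# Added illustration of the per-command authorization and accounting the page
# describes; not a real TACACS+ server or its config format. Group names, the
# daytime window and the sample session are constructed.
import re
from datetime import datetime, time

DAYTIME = (time(8, 0), time(18, 0))  # constructed "day time" window

def is_daytime(when: datetime) -> bool:
    return DAYTIME[0] <= when.time() < DAYTIME[1]

# Per-group rules (command regex, window, verdict): first match wins, unmatched
# is denied. Config-mode commands are modelled as lines starting "configure ".
POLICY = {
    # junior operators: show by day, debug only after hours to protect service
    "junior_ops": [(r"^show\b", "day", "permit"),
                   (r"^debug\b", "after_hours", "permit")],
    # security team: any show/debug, configure only IPsec and firewall rules
    "security": [(r"^(show|debug)\b", "any", "permit"),
                 (r"^configure .*\b(crypto|access-list)\b", "any", "permit")],
    # routing team: any show/debug, configure only routing and interfaces
    "routing": [(r"^(show|debug)\b", "any", "permit"),
                (r"^configure .*\b(router|interface)\b", "any", "permit")],
}

def authorize(group: str, command: str, when: datetime) -> str:
    """Return 'permit' or 'deny' for one command from one group at one time."""
    for pattern, window, verdict in POLICY.get(group, []):
        if not re.match(pattern, command):
            continue
        # "day" requires daytime, "after_hours" requires not daytime
        if window == "any" or (window == "day") == is_daytime(when):
            return verdict
    return "deny"

def accounting_record(user: str, group: str, src_ip: str,
                      command: str, when: datetime) -> str:
    """One per-command accounting line: who, from where, what, when, result."""
    verdict = authorize(group, command, when)
    return (f"{when.isoformat()} user={user} group={group} src={src_ip} "
            f"result={verdict} cmd={command!r}")

if __name__ == "__main__":  # constructed sample session
    day, night = datetime(2024, 5, 1, 14, 30), datetime(2024, 5, 1, 22, 5)
    for user, group, cmd, when in [
        ("alice", "junior_ops", "debug ip ospf events", day),
        ("alice", "junior_ops", "debug ip ospf events", night),
        ("bob", "security", "configure terminal router ospf 1", day),
    ]:
        print(accounting_record(user, group, "10.0.0.5", cmd, when))
```

Every command, permitted or denied, produces an accounting line, which is what lets you reconstruct who did what after an incident.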
TACACS+ also supports Multi-Factor Authentication for high-security environments. Users can be prompted for a PIN code that is generated by a smartphone, desktop application, or token, in addition to their username and password, to ensure that the user is who they say they are.
When scaling out your network infrastructure, local usernames, passwords, and authorization levels become unmanageable pretty quickly. TACACS+ addresses this problem by making them easier to manage and more scalable while improving network security at the same time.
To download a free TACACS+ server for your network, go to www.TACACS.net.