100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is TACACS+?

Learn what TACACS+ is, how it differs from RADIUS, and why it is used for device administration and per-command authorization.

mediumQ135 of 224 in Computer Networks Est. time: 5 minsLast updated:
Open Code Lab

Expected Interview Answer

TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco-designed AAA protocol that fully encrypts the entire packet body and separates authentication, authorization, and accounting into three distinct processes, most commonly used to control administrative access to network devices.

Where RADIUS bundles authentication and authorization together and only encrypts the password field, TACACS+ encrypts the full TCP payload and treats each of the three AAA functions independently, so a router or switch can authenticate a user once and then issue a separate authorization check for every command that user tries to run. It runs over TCP port 49 for reliable, connection-oriented delivery, which suits interactive administrative sessions better than the UDP-based RADIUS. Network engineers deploy TACACS+ with a central server (such as Cisco ISE) so that every login and every privileged command on every switch and router is centrally authenticated, authorized per-command, and logged for audit, without needing local accounts on each device. It is considered a device-administration protocol first, distinct from RADIUS which dominates network-access (802.1X, VPN, Wi-Fi) authentication.

  • Encrypts the entire packet body, not just the password
  • Separates authentication, authorization, and accounting cleanly
  • Supports per-command authorization on network devices
  • Runs over reliable TCP, suited to interactive admin sessions

AI Mentor Explanation

TACACS+ is like a stadium security desk that checks a staff member’s ID at the gate (authentication), then separately checks a laminated pass before letting them into the broadcast booth, the pitch, or the dressing room (authorization), and logs every single door they walk through in a notebook (accounting). Each of those three checks happens independently, not as one bundled pat-down, and the notebook entry is written for every single door, not just the main gate. A groundskeeper radio message describing who went where is also sealed in an envelope rather than shouted in the open, mirroring how TACACS+ encrypts the whole exchange.

Step-by-Step Explanation

  1. Step 1

    Authentication

    A user logging into a router or switch has their credentials verified against the central TACACS+ server.

  2. Step 2

    Authorization

    Each command the user attempts is separately checked against a per-user or per-group command authorization policy.

  3. Step 3

    Accounting

    The TACACS+ server logs which user ran which command, on which device, and when.

  4. Step 4

    Encrypted transport

    The entire TCP payload between the device and the TACACS+ server is encrypted, not just the password.

What Interviewer Expects

  • Explains AAA and that TACACS+ separates the three functions
  • Contrasts TACACS+ with RADIUS (full encryption vs password-only, TCP vs UDP)
  • Knows TACACS+ is used mainly for device administration, not network access
  • Mentions per-command authorization as a distinguishing capability

Common Mistakes

  • Confusing TACACS+ with RADIUS as interchangeable protocols
  • Thinking TACACS+ only encrypts the password like RADIUS
  • Not knowing TACACS+ runs over TCP port 49
  • Forgetting per-command authorization is a key TACACS+ use case

Best Answer (HR Friendly)

TACACS+ is a way to centrally control who can log into network devices like routers and switches, and exactly what commands they are allowed to run once they are in. Instead of every device having its own local accounts, everything is checked against one central server, every command is logged, and the whole conversation between the device and that server is encrypted for security.

Code Example

Configuring TACACS+ AAA on a Cisco IOS device
! Define the TACACS+ server and shared secret
tacacs server ISE-PRIMARY
 address ipv4 10.10.10.5
 key MySharedSecretKey

! Enable AAA and point authentication/authorization/accounting at TACACS+
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+

! Verify the server is reachable
test aaa group tacacs+ admin Cisco123 legacy

Follow-up Questions

  • How does TACACS+ differ from RADIUS in what it encrypts and the transport protocol it uses?
  • What does per-command authorization mean in a TACACS+ deployment?
  • Why is TCP preferred over UDP for a device-administration AAA protocol?
  • What happens to device access if the TACACS+ server becomes unreachable?

MCQ Practice

1. Which transport protocol does TACACS+ use?

TACACS+ uses TCP port 49 for reliable, connection-oriented delivery.

2. What is a key advantage of TACACS+ over RADIUS for device administration?

TACACS+ encrypts the entire payload and separates AAA functions, enabling granular per-command authorization.

3. TACACS+ is most commonly used for what purpose?

TACACS+ is primarily used to control and audit administrative access to network infrastructure devices.

Flash Cards

What is TACACS+?A Cisco AAA protocol that fully encrypts traffic and separates authentication, authorization, and accounting, mainly for device admin access.

TACACS+ transport and port?TCP, port 49.

TACACS+ vs RADIUS encryption?TACACS+ encrypts the full packet body; RADIUS encrypts only the password.

Key TACACS+ capability?Per-command authorization on network devices.

1 / 4

Continue Learning