TACACS+ is a cornerstone protocol for network device authentication that every security professional preparing for the CISSP exam must understand. Here are the five essential concepts that will help you both on the exam and in real-world security management.
Whether you're managing a Cisco-heavy infrastructure or preparing for CISSP Domain 5 (Identity and Access Management), understanding TACACS+ and how it differs from RADIUS is critical knowledge. Let's break down what you need to know.
TACACS+ Centralizes Network Device Authentication
Terminal Access Controller Access-Control System Plus (TACACS+) provides centralized authentication, authorization, and accounting (AAA) for network infrastructure devices. Instead of managing local accounts on every router, switch, and firewall, TACACS+ lets you authenticate administrators against a central server.
This centralization is critical for security managers because it provides a single point of control for who can access and configure network devices—and a single audit trail of all administrative actions.
TACACS+ eliminates the need for local accounts on network devices, providing centralized control over authentication, authorization, and accounting for all network infrastructure management.
AAA Functions Are Completely Separated
Unlike RADIUS, which combines authentication and authorization into a single process, TACACS+ keeps all three AAA functions completely separate and independent. This architectural difference gives security teams granular control that's impossible to achieve with RADIUS.
Authentication verifies the user's identity. Authorization determines what commands and resources that user can access. Accounting logs all actions for audit and compliance. Each function can be managed independently, using different servers or policies if needed.
The CISSP exam frequently tests the difference between TACACS+ (separated AAA) and RADIUS (combined authentication/authorization). Remember: TACACS+ = Separated, RADIUS = Combined. This is a high-probability exam question.
Full Packet Encryption Provides Superior Security
Here's a critical security distinction: TACACS+ encrypts the entire packet body (everything after the 12-byte header), including usernames, passwords, and all command data. RADIUS, by contrast, only encrypts the password field, leaving usernames and all other attributes transmitted in cleartext.
For organizations with strict security requirements or compliance mandates, this full encryption is often the deciding factor when choosing between TACACS+ and RADIUS for network device management.
| Security Feature | TACACS+ | RADIUS |
|---|---|---|
| Encryption Scope | Full packet | Password only |
| Username Protection | Encrypted | Cleartext |
| Command Data | Encrypted | N/A |
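As an added illustration (not code from the original article), the Python below reproduces the two mechanisms the table contrasts: the TACACS+ body pad from RFC 8907 section 4.5, which the RFC itself calls obfuscation (an MD5-derived keystream XORed over everything after the cleartext 12-byte header), and the RFC 2865 User-Password hiding that RADIUS applies only to the password attribute. The key, session id, authenticator and credentials are constructed sample values.

```python
import hashlib
import struct

TACACS_VERSION = 0xC0   # major 0xC, minor 0 (RFC 8907 s.4.1)
TAC_PLUS_AUTHEN = 1     # packet type byte; 2 = authorization, 3 = accounting

def tacacs_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 s.4.5 pseudo-pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([TACACS_VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Cleartext 12-byte header followed by the body XORed with the pad."""
    header = struct.pack("!BBBBII", TACACS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    pad = tacacs_pad(session_id, key, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """Undo the XOR using the session_id and seq_no carried in the cleartext header."""
    _, _, seq_no, _, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = tacacs_pad(session_id, key, seq_no, length)
    return bytes(b ^ p for b, p in zip(packet[12:12 + length], pad))

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2 User-Password: pad to 16-byte blocks, then
    c_i = p_i XOR MD5(secret | c_{i-1}) with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

# Constructed sample values; the TACACS+ body mimics a username/password pair in a request.
KEY, SESSION_ID, AUTHENTICATOR = b"sharedsecret", 0x1A2B3C4D, bytes(range(16))
WIRE_TACACS = tacacs_packet(b"user=admin;pass=Winter2024!", SESSION_ID, KEY)
WIRE_RADIUS = {"User-Name": b"admin",   # travels in cleartext in an Access-Request
               "User-Password": radius_hide_password(b"Winter2024!", KEY, AUTHENTICATOR)}
```

Searching `WIRE_TACACS` for the username finds nothing outside the header, while `WIRE_RADIUS["User-Name"]` is readable as-is; note that both constructions rest on MD5 and a static shared secret, which is why the RFC speaks of obfuscation rather than encryption.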
TCP Provides Reliable, Acknowledged Delivery
TACACS+ uses TCP port 49 for communication, providing connection-oriented, reliable delivery with acknowledgment. RADIUS uses UDP (ports 1812/1813), which is connectionless and doesn't guarantee delivery.
This matters for security because TCP's connection-oriented delivery tells the client whether its request reached the server and whether a reply came back, so a success or failure result is unambiguous. With UDP, a request or reply can be dropped without notification, and a timeout cannot be distinguished from a slow or unreachable server, leaving the authentication status ambiguous.
When planning TACACS+ deployments, ensure firewall rules allow TCP port 49 between all network devices and your TACACS+ servers. In segmented networks, this can require numerous firewall change requests—plan accordingly.
Cisco Environments Are the Primary Use Case
While TACACS+ is publicly documented as an open protocol (RFC 8907), it was developed by Cisco and is predominantly deployed in Cisco network environments. Cisco devices have the deepest TACACS+ integration, making it the natural choice for Cisco-heavy infrastructures.
For multi-vendor environments, RADIUS often provides better cross-platform compatibility. However, for dedicated network device management (as opposed to network access control), TACACS+ remains the preferred choice when available.
Use TACACS+ for network device administration (routers, switches, firewalls) and RADIUS for network access control (VPN, WiFi, 802.1X). This separation aligns with each protocol's strengths and provides defense in depth.
Summary
- Centralized AAA: Single point of control for network device authentication
- Separated Functions: Authentication, authorization, and accounting are independent
- Full Encryption: Entire packet payload encrypted, not just password
- TCP Port 49: Reliable, connection-oriented delivery
- Cisco Primary: Best supported in Cisco environments
TACACS+ vs RADIUS
- AAA: TACACS+ separates all three; RADIUS combines auth/authz
- Encryption: TACACS+ full packet; RADIUS password only
- Transport: TACACS+ uses TCP; RADIUS uses UDP
- Use Case: TACACS+ for device admin; RADIUS for network access
Exam Tips
- Remember: TACACS+ = TCP, full encryption, separated AAA
- Watch for: Questions comparing TACACS+ and RADIUS security features
- Focus on: Protocol selection based on use case requirements