Terminal Access Controller Access Control System Plus (TACACS+) is an
improved version of TACACS. TACACS+ forwards username and password information
to a centralized security server. The remainder of this section will discuss
TACACS+, its features, and how to configure and troubleshoot it. Identity
management is key to network security. This can be accomplished using various
technologies and devices. Cisco uses the term AAA when discussing identity
management of network access using routers, switches, firewalls and access
points. AAA is the acronym for authentication, authorization, and
accounting.
Depending on the size of the network and available resources,
AAA can be implemented on a device locally or can be managed from a central
server running RADIUS or TACACS+ protocols.
Figure documents the features available with TACACS+.
TACACS
There are at least three versions of TACACS. TACACS is an
industry standard protocol specification, RFC 1492, that forwards username and
password information to a centralized server. The centralized server can be
either a TACACS database or a database like the UNIX password file with TACACS
protocol support. For example, the UNIX server with TACACS passes requests to
the UNIX database and sends the accept or reject message back to the access
server.
XTACACS
XTACACS defines the extensions that Cisco added to the TACACS protocol to
support new and advanced features. XTACACS is multi-protocol and can authorize
connections with SLIP, enable, PPP (IP or IPX), ARA, EXEC, and Telnet. XTACACS
supports multiple TACACS servers, syslog for sending accounting information to a
UNIX host, and connections in which the user is authenticated into the access
server shell and can then Telnet or initiate SLIP, PPP, or ARA after the initial
authentication. XTACACS is essentially obsolete concerning Cisco AAA features
and products.
TACACS+
TACACS+ is
the enhanced and continually improved version of TACACS that allows a TACACS+
server to provide the services of AAA independently. Each service can be tied
into its own database or can be used with the other services available on the
server or on the network. TACACS+ was introduced in Cisco IOS Release 10.3.
This protocol is a completely new version of the TACACS protocol referenced by
RFC 1492 and developed by Cisco. It is not compatible with XTACACS. TACACS+ has
been submitted to the IETF as a draft proposal.
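As an added illustration (not code from the original text or from Cisco), the following Python builds and parses a TACACS+ authentication START packet the way the TACACS+ specification the text refers to describes it: a 12-byte header followed by a body that is XORed with an MD5-derived pseudo-pad keyed by the shared secret, so the username and password the access server forwards are not sent in the clear. The user, port, address and password values are constructed for the example; an empty key shows the unencrypted-flag case, where the credentials travel in cleartext.

```python
import hashlib
import struct

# Header constants from the TACACS+ specification (the IETF draft the text
# refers to, now RFC 8907); user/port/password values in the test are constructed.
TAC_PLUS_VERSION = (0xC << 4) | 0x0      # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01                   # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01         # body is sent in cleartext

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}.
    The concatenation, truncated to the body length, is the pad."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start(user, port, rem_addr, password):
    """Authentication START body for a PAP login: action LOGIN, priv_lvl USER,
    authen_type PAP, service LOGIN, then four length-prefixed variable fields."""
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    return bytes([0x01, 0x01, 0x02, 0x01, len(u), len(p), len(r), len(d)]) + u + p + r + d

def build_packet(body, session_id, key, seq_no=1, ptype=TAC_PLUS_AUTHEN):
    """12-byte header + body. An empty key means no shared secret: the body
    goes out unobfuscated and the unencrypted flag is set in the header."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags,
                         session_id, len(body))
    if not key:
        return header + body
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_packet(packet, key):
    """Split the header and recover the body (needs the same key the sender used)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}
```

Parsing with a different key yields an unreadable body rather than an error, which is why a key mismatch between the access server and the TACACS+ server shows up as failed or garbled authentication rather than a clear rejection.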