TACACS
{{Short description|Computer network protocol}}
'''Terminal Access Controller Access-Control System''' ('''TACACS''', {{IPAc-en|'|t|ae|k|ae|k|s}}) refers to a family of related [[Authentication protocol|protocols]] handling remote authentication and related services for network access control through a centralized server. The original '''TACACS''' protocol, which dates back to 1984, was used for communicating with an authentication server, common in older [[Unix|UNIX]] networks including but not limited to the [[ARPANET]], [[MILNET]] and BBNNET. It spawned related protocols:
* '''Extended TACACS''' ('''XTACACS''') is a proprietary extension to TACACS introduced by [[Cisco Systems]] in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both allow a remote access server to communicate with an authentication server in order to determine whether the user has access to the network.
* '''TACACS Plus''' ('''TACACS+''') is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles [[AAA protocol|authentication, authorization, and accounting (AAA)]] services. TACACS+ has largely replaced its predecessors.

==History==
TACACS was originally developed in 1984 by BBN, later known as [[BBN Technologies]], for administration of ARPANET and MILNET, which ran unclassified network traffic for [[DARPA]] at the time and would later evolve into the [[U.S. Department of Defense]]'s [[NIPRNet]].

Originally designed as a means to automate authentication – allowing someone who was already logged into one host in the network to connect to another on the same network without needing to re-authenticate – it was first formally described in Brian Anderson's BBN Tech Memo CC-0045, ''TAC Access Control System Protocols'', and, with a minor TELNET double-login avoidance change, in [[IETF]] RFC 927 in December 1984.<ref name="dooley">{{cite book | author1=Dooley, Kevin | url=http://shop.oreilly.com/product/9780596003678.do | title=Cisco Cookbook | publisher=O'Reilly Media | author2=Brown, Ian | year=2003 | pages=137 | isbn=9781449390952 | url-status=live | archive-url=https://web.archive.org/web/20160624221754/http://shop.oreilly.com/product/9780596003678.do | archive-date=2016-06-24 }}</ref>{{ref RFC|927}}

[[Cisco Systems]] began supporting TACACS in its networking products in the late 1980s, eventually adding several extensions to the protocol. In 1990, Cisco's extensions on top of TACACS became a proprietary protocol called Extended TACACS (XTACACS). Although TACACS and XTACACS are not open standards, Craig Finseth of the University of Minnesota, with Cisco's assistance, published a description of the protocols in 1993 as [[Internet Engineering Task Force|IETF]] RFC 1492 for informational purposes.<ref name="dooley" /><ref name="ballad">{{cite book | title=Access Control, Authentication, and Public Key Infrastructure | publisher=Jones & Bartlett Learning | author1=Ballad, Bill | author2=Ballad, Tricia | author3=Banks, Erin | year=2011 | pages=278–280 | isbn=9780763791285}}</ref>{{ref RFC|1492}}

==Technical descriptions==
===TACACS===
TACACS is defined in <nowiki>RFC 1492</nowiki>, and uses (either [[Transmission Control Protocol|TCP]] or [[User Datagram Protocol|UDP]]) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon.
It determines whether to accept or deny the authentication request and sends a response back. The TIP (the routing node accepting dial-up line connections, which the user would normally want to log in to) would then allow or deny access based on the response. In this way, the process of making the decision is "opened up", and the algorithms and data used to make the decision are under the complete control of whoever runs the TACACS daemon.

===XTACACS===
Extended TACACS (XTACACS) extends the TACACS protocol with additional functionality. It also separates the authentication, authorization, and accounting (AAA) functions into separate processes, allowing them to be handled by separate servers and technologies.<ref>{{Cite web|url=https://epdf.pub/mike-meyers-comptia-security-certification-passport-second-edition.html|title=Mike Meyers' CompTIA Security+ Certification Passport, Second Edition - PDF Free Download|website=epdf.pub|language=en|access-date=2019-08-03}}</ref>

===TACACS+===
TACACS+ is a Cisco-designed extension to TACACS that is described in RFC 8907. TACACS+ includes a mechanism that can be used to obfuscate the body of each packet while leaving the header in clear text. Moreover, it provides granular control in the form of command-by-command authorization.{{ref RFC|8907}} TACACS+ has generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and is not compatible with its predecessors, TACACS and XTACACS.

=== Comparison with RADIUS ===
There are a number of differences between the two protocols which make them substantially different in normal usage.
TACACS+ can only use TCP, while RADIUS normally operates over UDP,<ref name="tacacs+v.radius">{{cite web |date=14 January 2008 |title=TACACS+ and RADIUS Comparison |url=http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html |url-status=live |archive-url=https://web.archive.org/web/20140907214150/http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html |archive-date=7 September 2014 |access-date=9 September 2014 |publisher=Cisco}}</ref> but can also use TCP (RFC 6613) and, for additional security, TLS (RFC 6614) and DTLS (RFC 7360). TACACS+ can operate in two modes. In one mode all traffic, including passwords, is sent in clear text, and the only security is IP address filtering. The other mode is data obfuscation (RFC 8907 Section 4.5), where the packet header is clear text but the body, including passwords, is obfuscated with an MD5-based method. The MD5-based obfuscation method is similar to that used for the RADIUS User-Password attribute (RFC 2865 Section 5.2) and therefore has similar security properties. Another difference is that TACACS+ is used only for administrator access to networking equipment, while RADIUS is most often used for end-user authentication. TACACS+ supports "command authorization", where an administrator can log in to a piece of networking equipment and attempt to issue commands. The equipment uses TACACS+ to send each command to a TACACS+ server, which can choose to authorize or reject the command. Similar functionality exists in RADIUS in RFC 5607, but support for that standard appears to be poor or non-existent. TACACS+ offers robust functionality for administrator authentication and command authorization, but is essentially never used for authenticating end-user access to networks.
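The two TACACS+ modes and the command-authorization exchange described above, as an added worked example in Python (it is not code from the article or from any TACACS+ implementation). The wire layouts follow RFC 8907: the 12-byte clear header (section 4.1), the MD5 pseudo-pad obfuscation (section 4.5) and the authorization REQUEST body (section 6.1). The shared key, session id, user names, the command line and the per-user policy table are constructed for the example; the status codes and flag values are the RFC's own.

```python
import hashlib
import re
import struct

# Wire layouts follow RFC 8907: the 12-byte header (section 4.1), the MD5 pseudo-pad
# obfuscation (section 4.5) and the authorization REQUEST body (section 6.1).
# The policy table, key and sample values below are constructed for this example.
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
VERSION = 0xC0                      # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(...|MD5_n-1); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it again to the output restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body, session_id, key, seq_no, unencrypted=False):
    """Client side: clear header, body obfuscated unless the clear-text mode flag is set."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    payload = body if unencrypted else obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body)) + payload

def open_packet(packet, key):
    """Server side: parse the clear header, then recover the body with the shared key."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload                  # clear-text mode: passwords and commands readable on the wire
    return obfuscate(payload, session_id, key, version, seq_no)

def encode_author_request(user, port, rem_addr, args, priv_lvl=15):
    """Authorization REQUEST body: 8 fixed bytes, one length byte per arg, then the strings."""
    fields = [s.encode() for s in (user, port, rem_addr)]
    argv = [a.encode() for a in args]
    fixed = bytes([TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, *map(len, fields), len(argv)])
    return fixed + bytes(map(len, argv)) + b"".join(fields) + b"".join(argv)

def decode_author_request(body):
    """Inverse of encode_author_request; rejects bodies whose lengths do not add up."""
    if len(body) < 8:
        raise ValueError("short authorization body")
    _meth, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = body[:8]
    arg_lens = list(body[8:8 + argc])
    pos = 8 + argc
    if len(body) != pos + ulen + plen + rlen + sum(arg_lens):
        raise ValueError("authorization body length mismatch")
    strings = []
    for n in (ulen, plen, rlen, *arg_lens):
        strings.append(body[pos:pos + n].decode())
        pos += n
    return {"user": strings[0], "port": strings[1], "rem_addr": strings[2],
            "priv_lvl": priv_lvl, "args": strings[3:]}

# Constructed policy: per user, regexes over the command line rebuilt from cmd and cmd-arg.
# Users without an entry, and commands matching no pattern, are denied.
POLICY = {"netops": [r"^show\b", r"^ping\b"], "admin": [r".*"]}

def authorize_command(body, policy=POLICY):
    """Server decision for one command; returns an RFC 8907 authorization status code."""
    req = decode_author_request(body)
    values = {}
    for arg in req["args"]:             # "attr=value" is mandatory, "attr*value" is optional
        m = re.fullmatch(r"([^=*]+)[=*](.*)", arg, re.S)
        if not m:
            return TAC_PLUS_AUTHOR_STATUS_FAIL
        values.setdefault(m.group(1), []).append(m.group(2))
    if values.get("service") != ["shell"] or "cmd" not in values:
        return TAC_PLUS_AUTHOR_STATUS_FAIL
    cmdline = " ".join(values["cmd"] + values.get("cmd-arg", []))
    if any(re.match(p, cmdline) for p in policy.get(req["user"], [])):
        return TAC_PLUS_AUTHOR_STATUS_PASS_ADD
    return TAC_PLUS_AUTHOR_STATUS_FAIL

def demo():
    """One exchange: the device asks whether 'netops' may run 'show running-config'."""
    key = b"constructed-shared-secret"
    body = encode_author_request("netops", "tty1", "192.0.2.10",
                                 ["service=shell", "cmd=show", "cmd-arg=running-config"])
    packet = build_packet(body, 0x5EC0DE01, key, seq_no=1)
    return authorize_command(open_packet(packet, key))   # returns TAC_PLUS_AUTHOR_STATUS_PASS_ADD
```

Two points the code makes concrete: the header (type, sequence number, session id, length) is always readable on the wire, so a monitoring tool can follow sessions without the key, and the body is only as private as the shared key, since `obfuscate` is a keyed XOR with no integrity check. A server that accepts packets carrying `TAC_PLUS_UNENCRYPTED_FLAG` is in the clear-text mode the text describes; in practice a deployment should reject that flag and, as the text notes for RADIUS, rely on transport protection rather than the MD5 pad alone.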
In contrast, RADIUS offers minimal functionality for administrator authentication and command authorization, while offering strong support (and being widely used) for end-user authentication, authorization, and accounting. As such, the two protocols have little overlap in functionality or in common usage.

== Implementations ==
{{Cleanup list|section|date=September 2022}}
'''Client implementations'''
* [[Arista Networks|Arista EOS]], a proprietary implementation
* [[Cisco IOS]], a proprietary implementation
* [[Extreme Networks]], a proprietary implementation
* [[Fortinet|Fortinet FortiOS]], a proprietary implementation
* [[Junos OS|Juniper Junos OS]], a proprietary implementation
* [[Palo Alto Networks|Palo Alto Networks PAN-OS]], a proprietary implementation
* [https://github.com/jeroennijhof/pam_tacplus Pam_tacplus], a TACACS+ protocol client library and PAM module
* [https://github.com/AugurSystems/TACACS Augur Systems TACACS+], a free open-source Java library

'''Server implementations'''
* [https://freeradius.org/modules/?cat=protocols&mod=proto_tacacs FreeRADIUS TACACS+ module], an open-source implementation available since version 4.0
* [http://www.shrubbery.net/tac_plus/ Tac_plus by Shrubbery], an open-source implementation for Linux
* [https://www.pro-bono-publico.de/projects/tac_plus-ng.html Tac_plus-ng by Pro-Bono-Publico], an open-source implementation for Linux
* [https://sites.google.com/site/tacplusvm/ Tac_plus VM], tac_plus with an added webadmin in a VM (no longer updated)
* [https://www.arubanetworks.com/products/security/network-access-control/ Aruba ClearPass Policy Manager], a proprietary implementation
* [https://www.cisco.com/site/us/en/products/security/identity-services-engine/index.html Cisco Identity Services Engine], a proprietary implementation
* [https://www.portnox.com/portnox-clear/tacacs-as-a-service/ Portnox TACACS+-as-a-Service], a proprietary implementation as a cloud-hosted service
* [[Pulse Secure]] Pulse Policy Secure, a proprietary implementation
* [https://www.tacacs.net/ TACACS.net], a proprietary implementation of TACACS+ for Windows
* [https://github.com/AugurSystems/TACACS Augur Systems TACACS+], a free open-source Java library (full client, with framework for a server)

== Standards documents ==
* {{IETF RFC|927|link=no}} – TACACS User Identification Telnet Option
* {{IETF RFC|1492|link=no}} – An Access Control Protocol, Sometimes Called TACACS
* {{IETF RFC|8907|link=no}} – The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol
* RFC [https://datatracker.ietf.org/doc/rfc9105/ 9105] – A YANG Data Model for Terminal Access Controller Access-Control System Plus (TACACS+)

== See also ==
* [[Diameter (protocol)|Diameter]]
* [[RADIUS]]

==References==
{{Reflist}}

==External links==
* [http://www.openwall.com/advisories/OW-001-tac_plus/ An Analysis of the TACACS+ Protocol and its Implementations] from a security standpoint, by [[Openwall]]
* [https://www.tacacs.net/docs/TACACS_Advantages.pdf TACACS+ Benefits and Best Practices]

{{Authentication APIs}}
[[Category:Authentication protocols]]
[[Category:Computer access control protocols]]
[[Category:Cisco protocols]]
[[Category:Computer network security]]