Terminal Access Controller Access-Control System (TACACS) was developed in the 1980s for the U.S. Department of Defense's MILNET and is documented in RFC 1492. It predates RADIUS, so it was not created to solve problems with RADIUS remote access servers; the protocol usually compared with RADIUS today is TACACS+, Cisco's later redesign. Both families provide authentication and authorization services, but RADIUS is oriented more toward the end user of a network service (dial-up, VPN and 802.1X access), while TACACS+ is designed for network administrators who must connect remotely to network devices.
Authentication is the process of validating a user's identity. TACACS and TACACS+ accomplish this with a username and password supplied by the user (TACACS+ also carries PAP, CHAP and MS-CHAP exchanges). The original TACACS sent these credentials in the clear; separating authentication, authorization and accounting into independent exchanges and protecting the credentials are TACACS+ features, and they give TACACS+ a granularity RADIUS lacks: RADIUS returns its authorization attributes in the same Access-Accept that answers the authentication request, and it hides only the User-Password attribute, leaving the username and the rest of the packet readable on the wire. TACACS+ obfuscates the entire packet body with an MD5-derived keystream keyed on the shared secret, so the username and everything else in the body are hidden from a passive observer. RFC 8907, which documents TACACS+, deliberately calls this obfuscation rather than encryption: it provides no integrity check and relies on one static secret shared with every device, so deployments should confine TACACS+ to a management network or run it over IPsec.
TACACS+ provides centralized management of authorization and tighter control by checking each command a user issues against the server's authorization policy before the device executes it. This ensures that the user is allowed to run only the commands he is authorized to issue; RADIUS, by contrast, authorizes once at login and has no per-command exchange. The cost is an extra request and reply for every command, and because TACACS+ runs over TCP port 49 (the original TACACS typically used UDP), each exchange also carries TCP's connection overhead. On a busy device or a heavily used server this can add noticeable latency, so administrators should also decide, and configure explicitly, what the device does when the server is unreachable: fail closed, or fall back to a local user database.
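The wire format behind the two preceding paragraphs, as an added example that is not code from the original article or from any vendor: it builds a TACACS+ authentication START packet (RFC 8907 sections 4.1, 4.5 and 5.1), obfuscates the body with the MD5 keystream described above and then shows the two caveats a practitioner should know, namely that the 12-byte header stays in cleartext and that the body has no integrity protection, so a flipped ciphertext bit lands cleanly in the decoded username. The shared secret, session id, user, port and address are constructed for illustration.

```python
"""TACACS+ header, authentication START body and body obfuscation (RFC 8907).

Added example, not code from the original article or from any vendor.
The shared secret, session id, user, port and address are constructed for
illustration.
"""
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_VERSION = 0xC0           # major 0xC, minor 0 (RFC 8907 section 4.1)
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in cleartext
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keystream; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes,
                      data: bytes = b"", priv_lvl: int = 1) -> bytes:
    """Authentication START body (RFC 8907 section 5.1). For ASCII login the
    password is not in START; the server prompts for it in a later exchange."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Cleartext 12-byte header followed by the obfuscated body."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Return the de-obfuscated body (or the raw body if the cleartext flag is set)."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def username_from_start(body: bytes) -> bytes:
    """user_len is the fifth fixed byte; the user field follows the 8 fixed bytes."""
    return body[8:8 + body[4]]


def demo() -> dict:
    key = b"example-shared-secret"   # constructed
    session_id = 0x12345678          # constructed; normally random per session
    body = authen_start_body(b"netadmin", b"tty0", b"192.0.2.10")
    pkt = build_packet(body, session_id, key)
    # Flip one bit of the obfuscated first username byte: an XOR keystream is
    # malleable, so the change lands cleanly in the decoded plaintext.
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 8] ^= 0x20
    return {
        "user_visible_on_wire": b"netadmin" in pkt,
        "user_right_key": username_from_start(parse_packet(pkt, key)),
        "user_wrong_key": username_from_start(parse_packet(pkt, b"wrong-secret")),
        "user_tampered": username_from_start(parse_packet(bytes(tampered), key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The right key recovers `netadmin`, a wrong key yields garbage, and the tampered packet decodes to `Netadmin` with no error raised, which is why RFC 8907 treats the obfuscation as privacy against casual observation only and expects the transport or network to supply integrity.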
Network auditors require activity trails to do their jobs properly, which means they need activity logs. The original TACACS' major disadvantage is that it lacks any accounting service. This drawback is overcome by XTACACS or TACACS+, later versions that add accounting; TACACS+ accounting sends the server a record when a session or command starts and another when it stops, with attribute-value pairs describing what was done.
TACACS+ and XTACACS
In addition to adding accounting to TACACS, TACACS+ is supported by many network equipment vendors, not only Cisco, and its specification has since been published as RFC 8907. A TACACS+ server often does not hold the user database itself but consults an external directory such as LDAP or Active Directory, and that extra lookup can slow authentication. Extended TACACS (XTACACS) is Cisco's 1990 extension of the original protocol; it also added accounting and separated authentication, authorization and accounting. XTACACS is sometimes described as non-proprietary in contrast to TACACS+, but both are Cisco designs. Neither TACACS nor XTACACS is compatible with TACACS+, and both are obsolete; new deployments should use TACACS+.