Just like the RADIUS protocol, we often use TACACS+ within the AAA framework in order to communicate between the authenticator and the authentication server.
Unlike RADIUS, TACACS+ is a Cisco proprietary protocol. It is based on an earlier TACACS protocol, and is not compatible with the preceding TACACS or XTACACS protocols.
Another unique aspect of TACACS+ when compared to RADIUS is modularity. TACACS+ allows the implementation of authentication, authorization, and accounting independently of each other.
The packet header structure of the TACACS+ packet includes the following fields:
- Major – indicates the major version number of TACACS+
- Minor – indicates the minor TACACS+ version number
- Packet Type – defines if the packet is for authentication, authorization, or accounting
- Sequence Number – the client sends the first packet of a session with sequence number 1, the server responds with sequence number 2, and so on
- Flags – these values signify whether the packet is encrypted
- Session ID – contains the ID for the TACACS+ session
- Length – contains the total length of the packet body excluding the header
While RADIUS relies upon UDP, TACACS+ relies upon the Transmission Control Protocol (TCP). TCP port 49 is used between the client and the server.
During communications between the authenticator and the authentication server, several responses are possible from the TACACS+ server:
- ACCEPT – the authentication was successful; if authorization is required, that process may now begin
- REJECT – the authentication process failed
- ERROR – a communication problem is occurring between the authenticator and the authentication server
- CONTINUE – the server is expecting additional information
Once again unlike RADIUS, TACACS+ secures the communication between the authenticator and the authentication server: the entire body of the packet is encrypted. This encryption relies on a shared secret key configured on each device.
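The header layout listed above and the shared-secret body protection can both be seen in a few lines of code. The following Python is an added example, not code from the original article or from any Cisco implementation; it builds a 12-byte TACACS+ header with the fields described (version, type, sequence number, flags, session ID, length) and applies the standard MD5-based pseudo-pad from RFC 8907 to the body. The packet body, session ID and shared secret are constructed sample values, and the helper names (`parse_header`, `pseudo_pad`, `obfuscate_body`, `build_packet`, `decode_packet`) are this example's own.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): 12 bytes in network byte order.
# version(1) | type(1) | seq_no(1) | flags(1) | session_id(4) | length(4)
HEADER_FORMAT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FORMAT)  # 12

TAC_PLUS_MAJOR_VER = 0xC                # major version nibble for TACACS+
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_AUTHOR = 0x02                  # packet type: authorization
TAC_PLUS_ACCT = 0x03                    # packet type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # flag bit: body is sent in the clear


def parse_header(data: bytes) -> dict:
    """Split the fixed 12-byte header into its named fields."""
    if len(data) < HEADER_LEN:
        raise ValueError("short TACACS+ header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FORMAT, data[:HEADER_LEN])
    return {
        "major": version >> 4,          # high nibble of the version byte
        "minor": version & 0x0F,        # low nibble of the version byte
        "type": pkt_type,
        "seq_no": seq_no,
        "flags": flags,
        "session_id": session_id,
        "length": length,               # body length, header excluded
        "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
    }


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id | key | version | seq_no)
    MD5_n = MD5(session_id | key | version | seq_no | MD5_n-1)
    concatenated and truncated to the body length."""
    sid = struct.pack("!I", session_id)
    ver = bytes([version])
    seq = bytes([seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + ver + seq + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pseudo-pad derived from the header and the shared
    secret. The operation is symmetric, so the same call decodes a body."""
    h = parse_header(header)
    version = (h["major"] << 4) | h["minor"]
    pad = pseudo_pad(h["session_id"], key, version, h["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(pkt_type: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, minor: int = 0) -> bytes:
    """Assemble header + body; an empty key produces an unencrypted packet."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FORMAT, version, pkt_type, seq_no, flags,
                         session_id, len(body))
    payload = obfuscate_body(header, body, key) if key else body
    return header + payload


def decode_packet(packet: bytes, key: bytes) -> tuple:
    """Return (header fields, clear-text body) for a received packet."""
    header = packet[:HEADER_LEN]
    h = parse_header(header)
    body = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if len(body) != h["length"]:
        raise ValueError("truncated TACACS+ body")
    if h["unencrypted"]:
        return h, body
    if not key:
        raise ValueError("obfuscated body received but no shared secret configured")
    return h, obfuscate_body(header, body, key)


if __name__ == "__main__":
    # Constructed sample values; not captured from a real device.
    secret = b"constructed-shared-secret"
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x1A2B3C4D, b"constructed TACACS+ body", secret)
    fields, clear = decode_packet(pkt, secret)
    print(fields)
    print(clear)
```

Two points worth noting from a defensive view. First, RFC 8907 deliberately calls this mechanism "obfuscation" rather than encryption: it is an MD5-derived keystream XORed over the body, so the shared secret is the only thing standing between a captured session and its contents, and the secret should be long, unique per device pair and rotated like any other credential. Second, the `TAC_PLUS_UNENCRYPTED_FLAG` bit in the Flags field tells the receiver that the body is in the clear; a server should log and refuse such packets in production rather than silently accept them, which is why `decode_packet` surfaces the flag instead of hiding it.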
Anthony Sequeira CCIE, CCSI