Terminal Access Controller Access-Control System Plus (TACACS+) is another industry-standard method used to authenticate user login requests.
               	 
TACACS+ authenticates over TCP. Because TCP is a connection-oriented protocol, TACACS+ does not have to provide its own transmission control the way RADIUS does. While RADIUS encrypts only passwords, TACACS+ uses MD5 encryption on all communication and is consequently less vulnerable to attacks.
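As an added example (not from the original page or the vendor), the sketch below shows the MD5-based scheme that RFC 8907 defines for TACACS+: a pad derived with MD5 from the shared secret is XORed over the whole packet body, while the 12-byte header stays in cleartext. The function names and sample values are assumptions constructed for illustration.

```python
import hashlib
import struct

UNENCRYPTED_FLAG = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG in RFC 8907


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n also appends MD5_(n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call obfuscates and recovers."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, key, version=0xC0, ptype=1, seq_no=1):
    """12-byte cleartext header followed by the obfuscated body."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    """Return (header fields, recovered body); reject packets sent in the clear."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if flags & UNENCRYPTED_FLAG:
        raise ValueError("body was sent unobfuscated")
    if length != len(packet) - 12:
        raise ValueError("length field does not match body size")
    body = xor_body(packet[12:], session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id}, body


# Constructed sample values, not taken from any real device or capture.
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_BODY = b"constructed body: user=alice action=login"  # > 16 bytes, so the pad chains
SAMPLE_PACKET = build_packet(SAMPLE_BODY, session_id=0x1234ABCD, key=SAMPLE_KEY)

if __name__ == "__main__":
    print(parse_packet(SAMPLE_PACKET, SAMPLE_KEY))
```

A wrong key yields unreadable bytes rather than an error, because the scheme carries no integrity check, so the strength of the shared secret is what protects the session.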
               	 
Unlike RADIUS authorization, the role (privilege level) of a TACACS+ user is determined by the TACACS default-user group configuration on the TPS device. For example, if the TACACS+ default-user group is set to operator, TACACS users are assigned the operator role. This might not provide sufficient control for the user's environment. To assign a TACACS+ user a higher role than the default-user group role:
               	 
- On the TPS device, create a local user that uses the same name as the TACACS user.
- Assign that local TPS user to a user group. The TPS device references that user group to determine the authorization level of the TACACS user.

Note: Because authentication is through the TACACS+ server, do not create a password for the local TPS user.

This differs from RADIUS authorization; for that, TPS devices can use the filter ID returned from the RADIUS server during user authentication to determine a RADIUS user role. If the RADIUS server does not return the filter ID, the TPS device uses the RADIUS default-user group configuration to determine the user role.
               	 
Although user authentication is performed on the TACACS+ server, user authorizations and access rights are maintained on the SMS server. If the TACACS+ server is unavailable, the SMS can authenticate local users. The SMS does not permit you to manage SMS user accounts on the TACACS+ server; the account password for a TACACS+ authenticated user must be changed on the TACACS+ server.
               	 
 
		