Terminal Access Controller Access Control System (TACACS) was originally defined in RFC 1492 as a system to allow users connecting to a remote access server to be centrally authenticated. TACACS was originally implemented in the Cisco IOS in 1989, and was later extended to include additional features in what is known as XTACACS (Extended TACACS). While client support for both versions can still be found in the Cisco IOS, they are currently considered End-of-Maintenance (EoM) protocols. Cisco currently supports a completely new (and incompatible) version on its equipment known as TACACS+.
TACACS+ provides what are known as AAA services – Authentication, Authorization, and Accounting. Authentication services are used to identify users, usually via a username and password combination. Authorization services are used to control what a user has access to, once they have been authenticated. For example, a user could be given access to only certain router commands with TACACS+. Accounting services track user sessions, such that the amount of time that a user spends connected to a system can be logged for security or billing purposes. All three components are considered central to the security of networking services.
In TACACS lingo, a client would be a device like a switch or router. A server would be a centralized server configured with a user database of some sort, where authentication (as well as authorization and accounting) requests would be validated. For example, if a router were configured to use TACACS+ authentication, it would not authenticate connected users locally, but would rather pass the request on to a TACACS+ server. This would allow a single user account to be defined for an administrator, who could then log on to equipment for which they had been authorized. Cisco provides a TACACS+ server in its Cisco Secure Access Control Server (ACS) product, but freeware TACACS+ servers that run on UNIX/Linux are also available.
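The client-side setup described above, as an added Cisco IOS configuration example (not from the original text or Cisco's documentation): the router hands login, command authorization and session accounting to a TACACS+ server and keeps a local account only as a fallback. The server address 192.0.2.10, the names ACS-PRIMARY, ADMIN-TACACS and admin-fallback, and the secret placeholders are assumptions.

```cisco
! Enable the AAA model; without this the router keeps using local line passwords.
aaa new-model
!
! Define the TACACS+ server (assumed address) and the shared secret used to
! obfuscate the packet body. Replace the placeholder before deploying.
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key <REPLACE-WITH-SHARED-SECRET>
!
! Group the server so the AAA method lists can reference it by name.
aaa group server tacacs+ ADMIN-TACACS
 server name ACS-PRIMARY
!
! Source TACACS+ traffic from a stable interface so the server's client
! entry matches (assumed interface name).
ip tacacs source-interface Loopback0
!
! Authentication: ask the TACACS+ server first, fall back to the local
! database only if the server is unreachable (not if it rejects the login).
aaa authentication login default group ADMIN-TACACS local
!
! Authorization: the server decides whether an exec shell is granted and
! which privilege-15 commands this user may run, including config commands.
aaa authorization exec default group ADMIN-TACACS local
aaa authorization commands 15 default group ADMIN-TACACS local
aaa authorization config-commands
!
! Accounting: report session start/stop (time connected) and every
! privilege-15 command to the server for audit or billing.
aaa accounting exec default start-stop group ADMIN-TACACS
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
! Local fallback account (assumed name), used only when the server is down.
username admin-fallback privilege 15 secret <REPLACE-WITH-LOCAL-SECRET>
!
! Apply the method lists to the remote-access lines.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

Keep a console session open while applying this, and confirm with `show tacacs` and a test login that the server is answering before relying on it.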