Continuing our series of articles on Access Security, this volume addresses another of the essential AAA protocols: TACACS+. We look at its history, how it is put together, its advantages and its limitations.
TACACS+, short for Terminal Access Controller Access Control System Plus, is a network security protocol that provides centralized AAA (authentication, authorization and accounting) services for remote access servers and, above all, for administrative access to network devices. It runs over TCP (port 49) and is specified in RFC 8907 (2020).
Origins and Evolution
Its history begins in 1984 with the original TACACS, developed by BBN Technologies for ARPANET and MILNET, predecessors of the modern internet. Around 1990, Cisco Systems, needing stronger access control, extended it into a proprietary variant with additional features called XTACACS; both TACACS and XTACACS ran over UDP and were documented together in RFC 1492 (1993).
Cisco then designed TACACS+ as a new protocol. Despite the name it is not compatible with TACACS or XTACACS: it moved from UDP to TCP, split authentication, authorization and accounting into three independent exchanges, and protected the whole packet body with a shared secret. Cisco published the specification as an Internet-Draft in the late 1990s, and the IETF finally issued it as RFC 8907 in 2020.
Today, TACACS+ is the usual choice for device-administration AAA (operator access to routers, switches and firewalls) in corporate network infrastructures, thanks to its per-command authorization and accounting, while RADIUS remains the norm for network access such as 802.1X and VPN logins.
Advantages of TACACS+
- Protection of the whole exchange: TACACS+ applies its shared-secret mechanism to the entire packet body (usernames, passwords, command strings and authorization attributes), whereas RADIUS hides only the User-Password attribute. Be precise about what that mechanism is, though: RFC 8907 calls it obfuscation, not encryption. The body is XORed with an MD5 keystream derived from the shared secret, session ID, version and sequence number; the 12-byte header travels in cleartext and there is no per-packet integrity check. The secret therefore stops passive sniffing and rejects clients that do not know it, but it does not protect against an active attacker who can modify traffic. RFC 8907 accordingly recommends keeping TACACS+ on an isolated management network or carrying it over a protected transport such as IPsec, and the protocol's "unencrypted" flag must never be set in production.
- Greater flexibility: because authentication and authorization are separate exchanges, a device can authenticate a user once and then ask the server about each action, and the server answers with attribute-value pairs (privilege level, permitted services, per-command decisions) tailored to the individual, group or device role. RADIUS bundles authorization attributes into the Access-Accept, which makes this kind of granularity harder.
- Scalability: designed for large networks, TACACS+ runs over TCP, supports distributing servers across multiple points in the network with client-side failover, and integrates with back-end directories such as LDAP or Active Directory, so authentication stays centralized and efficient.
- Command and context-based authorization: each command an operator types can be sent to the server (as service=shell, cmd=... and cmd-arg=... attributes) before the device executes it, so administrators control exactly which commands a user may run and can vary that by equipment or configuration responsibility.
- Detailed auditing: accounting records (start, stop and periodic watchdog updates) of every authentication, authorization and session, including the commands executed, give an audit trail that speeds up the identification and resolution of security incidents.
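To make the first and fourth points concrete (what the shared-secret "encryption" actually is, and what a per-command authorization exchange carries), here is an added example in Python. It is not code from the original article nor from any vendor's TACACS+ implementation. It builds an RFC 8907 authorization REQUEST and RESPONSE for a shell command, applies the section 4.5 MD5-keystream obfuscation in both directions, evaluates the command against a small per-group policy, and then flips one bit of an obfuscated packet in transit to show that the body is malleable. The shared secret, session ID, user names, group policy and port/address strings are all constructed for the demo.

```python
import hashlib
import struct

VERSION = 0xC0               # RFC 8907 header version byte: major 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02       # header.type for authorization packets
PASS_ADD, FAIL = 0x01, 0x10  # TAC_PLUS_AUTHOR_STATUS_PASS_ADD / _FAIL
HEADER_LEN = 12

# Constructed server-side policy for this demo (not a real deployment).
POLICY = {"netops-ro": {"show", "ping", "traceroute"},
          "netops-rw": {"show", "configure", "write"}}
USER_GROUPS = {"alice": "netops-ro", "bob": "netops-rw"}

def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 s4.5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR body with the keystream; symmetric, and with no MAC a flipped
    ciphertext bit silently flips the same plaintext bit."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    """Cleartext 12-byte header + obfuscated body (flags=0 means obfuscated;
    TAC_PLUS_UNENCRYPTED_FLAG 0x01 would send the body in the clear)."""
    hdr = struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)

def parse_packet(packet, key):
    ver, ptype, seq_no, flags, sid, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if ver != VERSION or flags & 0x01 or len(packet) != HEADER_LEN + length:
        raise ValueError("unexpected TACACS+ header")
    return ptype, seq_no, sid, obfuscate(packet[HEADER_LEN:], sid, key, seq_no)

def author_request(user, port, rem_addr, args, priv_lvl=15):
    """Section 6.1 REQUEST body: authen_method=TACACSPLUS(6), priv_lvl,
    authen_type=ASCII(1), authen_service=LOGIN(1), lengths, then the strings."""
    strs = [s.encode() for s in (user, port, rem_addr, *args)]
    fixed = struct.pack("!BBBBBBBB", 6, priv_lvl, 1, 1,
                        *(len(s) for s in strs[:3]), len(args))
    return fixed + bytes(len(s) for s in strs[3:]) + b"".join(strs)

def parse_author_request(body):
    _, priv, _, _, ul, pl, rl, ac = struct.unpack("!BBBBBBBB", body[:8])
    off, fields = 8 + ac, []
    for n in (ul, pl, rl, *body[8:8 + ac]):
        fields.append(body[off:off + n].decode())
        off += n
    return {"user": fields[0], "priv_lvl": priv, "args": fields[3:]}

def decide(req):
    """Server policy: permit service=shell commands listed for the user's group.
    Real servers also match cmd-arg patterns; only mandatory '=' args here."""
    args = dict(a.split("=", 1) for a in req["args"] if "=" in a)
    if args.get("service") != "shell" or "cmd" not in args:
        return FAIL
    allowed = POLICY.get(USER_GROUPS.get(req["user"]), set())
    return PASS_ADD if args["cmd"] in allowed else FAIL

def author_response(status, server_msg=""):
    """Section 6.2 RESPONSE body: status, arg_cnt, server_msg_len, data_len, msg."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg

def run_exchange(user, cmd, cmd_args, key, session_id=0x1A2B3C4D):
    """Client sends AUTHOR REQUEST (seq 1), server answers RESPONSE (seq 2);
    returns the status byte the client decodes."""
    args = ["service=shell", "cmd=" + cmd] + ["cmd-arg=" + a for a in cmd_args]
    wire = build_packet(TAC_PLUS_AUTHOR, 1, session_id,
                        author_request(user, "vty0", "10.0.0.5", args), key)
    ptype, seq, sid, body = parse_packet(wire, key)            # server side
    status = decide(parse_author_request(body))
    reply = build_packet(ptype, seq + 1, sid, author_response(status), key)
    return parse_packet(reply, key)[3][0]                      # client side

def tampered_priv_lvl(key, session_id=0x1A2B3C4D):
    """Flip one bit of the obfuscated priv_lvl byte in transit: the server
    decodes 7 instead of 15 and the protocol has no way to notice."""
    req = author_request("alice", "vty0", "10.0.0.5", ["service=shell", "cmd=show"])
    wire = bytearray(build_packet(TAC_PLUS_AUTHOR, 1, session_id, req, key))
    wire[HEADER_LEN + 1] ^= 0x08               # body byte 1 is priv_lvl
    return parse_author_request(parse_packet(bytes(wire), key)[3])["priv_lvl"]

if __name__ == "__main__":
    KEY = b"demo-shared-secret"                # constructed for the demo
    print("alice show running-config ->", hex(run_exchange("alice", "show", ["running-config"], KEY)))
    print("alice configure terminal  ->", hex(run_exchange("alice", "configure", ["terminal"], KEY)))
    print("priv_lvl after bit flip   ->", tampered_priv_lvl(KEY))
```

Run as a script, it permits `show running-config` for alice, refuses `configure terminal` for her, and decodes a privilege level of 7 after the single bit flip. A real deployment carries exactly this exchange on TCP port 49; the bit-flip result is why RFC 8907 wants that traffic confined to a management network or wrapped in IPsec, since the keystream gives confidentiality against a passive observer but no integrity at all.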
Limitations of TACACS+
- Configuration and log management: in distributed deployments, server configurations and accounting logs must be kept synchronized and stored centrally; the protocol itself provides nothing for this, so dedicated tooling is required.
- Vendor support: although widely adopted, not all network devices and servers support TACACS+ natively, which may force vendor-specific software or a fallback to RADIUS in some cases.
Contribution to the Zero Trust Security Model
Both RADIUS and TACACS+ support a Zero Trust security model by authenticating every session and applying granular access control instead of trusting network position. In highly regulated sectors such as finance and healthcare, TACACS+ is preferred for device administration because per-command authorization and per-command accounting produce the detailed activity logs that auditors expect.
Conclusion
TACACS+ remains a key component in access security architecture, especially in corporate environments that require high security and granular control.
With its rich development history and established presence in various sectors, it remains a reliable choice for ensuring the integrity and security of corporate networks.
GPr Sistemas offers expertise in deploying and customizing AAA environments based on TACACS+, ensuring security and scalability for your specific needs.
Author: Oswaldo Franzin - Director of GPr Systems