TACACS+ servers
When users connect to their corporate network remotely, they do so through a remote access server. As remote access technology has evolved, the need for security when accessing networks has become increasingly important. This need can be filled using a Terminal Access Controller Access-Control System (TACACS+) server.
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a username and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies the user access to the network.
TACACS+ offers fully encrypted packet bodies, and supports both IP and AppleTalk protocols. TACACS+ uses TCP port 49; TCP is seen as more reliable than the UDP transport used by RADIUS.
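As an added example (not code from the original page), here is how the TACACS+ packet body is protected on the wire, following RFC 8907 section 4.5: the body is XORed with a pad built from chained MD5 digests over the session id, the shared secret, the version byte and the sequence number, which the RFC calls obfuscation rather than encryption, so the strength of the shared secret is what protects the body. The session id, secret and body below are constructed values.

```python
import hashlib
import struct

# Added example, not code from the original page: the TACACS+ packet-body
# obfuscation of RFC 8907 section 4.5, with a constructed sample packet.

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in the clear

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n adds MD5_n-1.
    Digests are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int,
              version: int = TAC_PLUS_VERSION) -> bytes:
    """XOR the body with the pad; XOR is symmetric, so the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)

def parse_packet(packet: bytes, key: bytes) -> tuple:
    """Return (body_was_obfuscated, body). A set unencrypted flag means the body
    travelled in the clear, which a defender should treat as a misconfiguration."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return False, body
    return True, obfuscate(body, session_id, key, seq_no, version)

# Constructed sample values (not from any real deployment).
SAMPLE_BODY = b"constructed-authen-start-body"
SAMPLE_KEY = b"example-shared-secret"
SAMPLE_SESSION = 0x1A2B3C4D

def recover_body(key_on_server: bytes = SAMPLE_KEY) -> bytes:
    """Client builds the packet with SAMPLE_KEY; the server decodes with its own key."""
    pkt = build_packet(SAMPLE_BODY, SAMPLE_SESSION, SAMPLE_KEY, seq_no=1)
    return parse_packet(pkt, key_on_server)[1]
```

Only a server holding the same shared secret recovers the body; a mismatched secret yields garbage rather than an error, which is why key mismatches surface as authentication failures.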
There are several different authentication protocols that TACACS+ can use during the authentication process:
Authentication protocols
| Protocol | Definition |
|---|---|
| ASCII | Machine-independent technique that uses representations of English characters. Requires the user to type a username and password, which are sent in clear text (unencrypted) and matched against an entry in the user database stored in ASCII format. |
| PAP | Password Authentication Protocol (PAP). Used to authenticate PPP connections. Transmits passwords and other user information in clear text. |
| CHAP | Challenge-Handshake Authentication Protocol (CHAP). Provides the same functionality as PAP, but is more secure because it does not send the password and other user information over the network to the security server. |
| MS-CHAP | Microsoft Challenge-Handshake Authentication Protocol v1 (MS-CHAP). Microsoft-specific version of CHAP. |
| default | The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order. |