What Is a TACACS Server? TACACS+ Explained vs RADIUS Guide

TACACS+ is a centralized AAA protocol designed to secure administrative access to network devices. This guide explains how TACACS servers work, how TCP port 49 is used, key differences between TACACS+ and RADIUS, and when each protocol should be deployed in enterprise networks.

A technical guide explaining TACACS servers, TACACS+ protocol behavior, TCP port 49, and AAA separation.
Key Points
  • A TACACS server is a centralized AAA server used to control administrative access to network devices.
  • TACACS+ is the modern version of TACACS, offering full packet encryption and separation of AAA functions.
  • For end-user authentication on WPA2 or VPN networks, a cloud RADIUS server complements a TACACS+ setup.

Network infrastructure security is complex, requiring complete control over a growing array of devices and users. TACACS is a protocol used to centralize authentication, authorization, and accounting (AAA) for administrative access to network infrastructure devices.

Here’s what TACACS servers are, the differences between TACACS, TACACS+, and RADIUS, and how to structure a comprehensive security strategy that covers you end-to-end, from administrators to end users.

What Is a TACACS Server?

TACACS stands for Terminal Access Controller Access-Control System. It’s a network security protocol focused on device administration, providing centralized authentication, authorization, and accounting (AAA) for administrative devices seeking network access. Cisco announced a proposed standard for early TACACS in 1984.

A TACACS server is a centralized authentication server that processes AAA requests from network devices.


How Does a TACACS+ Server Work?

TACACS+ servers work by performing the three essential AAA functions.

The first step is authentication. A user attempts to log in to a router or other network device that is configured as a TACACS+ client. The device prompts for a username and password, then forwards the authentication request and the credentials to the TACACS+ server. If the credentials match the administrator record in the server’s user database, the user receives an authentication success message. Otherwise, they get an authentication failure message, and the process restarts.

Successful authentication prompts an authorization request, including relevant user information. This allows the server to determine whether this individual user has the administrative user privileges necessary for the requested action. If the authorization response is positive, the server sends approval and the user gains access.

Finally, the server stores details of the exchange, including username, identity, user activities, and timestamps. The server retains this content for security, troubleshooting, compliance, and auditing requests.

Is a TACACS Server Different from a TACACS+ Server?

Yes. The TACACS+ protocol is a more modern, secure version of TACACS. TACACS was the original standard for authentication and access control. However, as the technology evolved, Cisco introduced and documented TACACS+ through the Internet Engineering Task Force in the 1990s. They’re fundamentally similar, but TACACS+ offers a number of improvements over TACACS, including:

  • Enhanced encryption for entire packets
  • Modern authentication techniques such as two-factor authentication (2FA) and multi-factor authentication (MFA)
  • Use of the connection-oriented Transmission Control Protocol (TCP) as the transport, for reliable delivery and improved security

Is TACACS Obsolete?

The original TACACS protocol of the 1980s is obsolete. It doesn’t meet modern standards for encryption, and most of Cisco’s tools no longer support commands for this outdated server.

However, in the 1990s, Cisco introduced an updated, more secure, extensible protocol called TACACS+. This modern network device administration protocol offers enhanced encryption and security with improved access controls. While the original protocol is obsolete, TACACS+ certainly isn’t; it’s still in use today.

Top 6 Features of TACACS+ Servers

Compared to servers using other network infrastructure security protocols, TACACS+ servers offer these features:

  1. Separate Authentication, Authorization, and Accounting (AAA) Functions

    Cisco created TACACS+ around the authentication, authorization, accounting (AAA) framework, with a unique twist: each element is distinct and separate. This grants more flexibility and security when managing user access for administrators.

  2. Centralized Authentication

    TACACS+ uses an AAA server with a centralized authentication process for simple management. Administrators can review, control, and modify administrator access across multiple user accounts and network devices, all from a centralized server.

  3. Granular Access Controls (Authorization)

    TACACS+ offers a high degree of flexibility for managing device access. Managers can enforce command-level authorization on network devices. TACACS+ access controls also extend all the way to individual command authorization.

  4. Detailed Auditing and Accounting Data

    TACACS+ is well suited to monitoring, logging, and troubleshooting. It records user credentials, user activities, and time of access, providing detailed logs that improve compliance, simplify audits, and keep network environments safe.

  5. Enhanced Security and Encryption

    TACACS+ encrypts the entire payload, keeping sensitive information secure. With reliable, comprehensive encryption and the reliable Transmission Control Protocol (TCP), TACACS+ offers secure communication.

  6. Scalability

    TACACS+ is designed for large Cisco networks. It offers flexibility and scalability for a growing number of devices and administrative users, accommodating granular control over permissions and access levels at scale.
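To make feature 5 concrete, here is an added example (not code from the original page or from any TACACS+ vendor) that builds and parses a TACACS+ packet the way RFC 8907 specifies it: the 12-byte header travels in cleartext, and the body is XORed with an MD5-derived pad computed from the shared secret, session ID, version and sequence number. The shared secret, session ID and authentication START body are constructed sample values. Parsing also surfaces the header flag that marks a body as unencrypted, which a defender would want to alert on.

```python
import hashlib
import struct

# RFC 8907 section 4.1: version, type, seq_no, flags, session_id, length (network byte order)
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body sent in cleartext; treat as a misconfiguration
TACACS_PORT = 49                     # TCP port the protocol is carried on


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same, MD5_n-1); pad is the concatenation."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, key: bytes, version: int, seq_no: int, session_id: int) -> bytes:
    """Obfuscates and de-obfuscates alike: XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes = b"tty0", rem_addr: bytes = b"192.0.2.7") -> bytes:
    """Constructed authentication START body: action LOGIN(1), priv_lvl 1, authen_type ASCII(1), service LOGIN(1)."""
    fixed = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 ptype: int = TAC_PLUS_AUTHEN, flags: int = 0) -> bytes:
    version = (TAC_PLUS_MAJOR_VER << 4) | 0          # major 0xC, minor 0
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        payload = body                                # header flag says: no obfuscation applied
    else:
        payload = xor_body(body, key, version, seq_no, session_id)
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def is_cleartext(packet: bytes) -> bool:
    """True when the sender set the unencrypted flag: credentials would be visible on the wire."""
    return bool(HEADER.unpack_from(packet)[3] & TAC_PLUS_UNENCRYPTED_FLAG)


def parse_packet(packet: bytes, key: bytes) -> tuple[int, bytes]:
    """Returns (flags, body). With the wrong key the recovered body is garbage, not an error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return flags, body
    return flags, xor_body(body, key, version, seq_no, session_id)
```

Note that the pad depends only on the shared secret and header fields, so RFC 8907 itself calls this obfuscation rather than encryption; protecting the TCP 49 path (dedicated management network, TLS where supported) still matters.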

Why Use a TACACS Server? Common Use Cases

TACACS+ is a helpful device administration protocol for a variety of uses:

  • Network Device Administration: Administrative management for routers, switches, firewalls, and user devices.
  • Role-Based Command Authorization: Industries requiring fine-tuned access controls rely on TACACS+ for customization and flexibility.
  • Accounting and Auditing: Centralized management simplifies logging, access to, and auditing of admin and user actions.
  • High-Budget Industries: Industries such as finance and defense often have huge budgets, giving them the leeway to purchase and maintain on-premise servers. TACACS+ is the standard for managing access to private data stored on-premises.

However, there’s one major scenario that TACACS+ can’t cover: enterprise network access management.

TACACS doesn’t manage end-user access for public networks. It handles the authentication, authorization, and accounting of administrative devices.

For Wi-Fi Protected Access 2 (WPA2) networks, robust Virtual Private Networks (VPNs), and similar technologies, device administration protocols like TACACS+ can’t provide the right protection. For this use case, choose a comprehensive network access protocol like RADIUS.

9 Key Differences Between TACACS+ Servers and RADIUS Servers: Benefits and Limitations

Both RADIUS and TACACS+ are AAA servers for managing access to networks and network devices. They both offer customizable authorization levels and keep detailed accounting records of all user attempts to access network resources. But there are important differences between the two.

Here’s what to know when comparing TACACS vs. RADIUS:

  1. Proprietary vs. Open: TACACS+ natively supports Cisco devices, creating potential licensing costs and incompatibility with other devices; RADIUS is an open standard protocol compatible with all modern devices
  2. Protocol Type and Application: TACACS+ is a device administration protocol for internal administrative devices on ACS servers; RADIUS is a broader network access protocol authenticating end users
  3. Communication Speed: TACACS+ is more computationally demanding for servers, resulting in slower communication compared to RADIUS
  4. Encryption: TACACS+ encrypts entire data packets; many RADIUS servers encrypt only the password in the access-request packet, though passwordless authentication solutions mitigate this issue
  5. Security: While both TACACS+ and RADIUS are susceptible to brute-force and other attacks, setup and implementation are key — RADIUS is typically easier to set up and configure
  6. Transport Layer Protocol: TACACS+ uses the Transmission Control Protocol (TCP), while RADIUS uses the User Datagram Protocol (UDP)
  7. Access Control: TACACS+ typically provides more fine-grained control compared to RADIUS, including command-level restrictions
  8. Accounting Records: TACACS+ offers detailed accounting, but not as detailed or robust as the audit and accounting processes of RADIUS
  9. Wireless Authentication: TACACS+ doesn’t support 802.1X port-based network access control, posing wireless security risks; RADIUS supports 802.1X, making it a more secure choice for authentication on modern WPA2-Enterprise networks

While there are many similarities, the use cases differ. TACACS+ is a strong choice for device administration and security, primarily among Cisco users. RADIUS is a preferred choice for organizations seeking true user authentication on Virtual Private Networks (VPNs), WPA2 networks, and devices outside the Cisco suite, as well as those with demanding accounting requirements.

How to Set Up TACACS Servers

Here are the steps to configuring a TACACS server:

  • Identify the Server Host(s): Name and prioritize your IP hosts, making sure to use the correct commands for TACACS vs TACACS+ (they’re not the same).
  • Choose a TACACS Server Key: You’ll set one global authentication key and encryption key.
  • Configure AAA Server Groups: You can designate certain hosts or host groups for specific purposes and assign users to server groups using IP addresses or phone numbers (thanks to the Dialed Number Identification Service or DNIS).
  • Specify TACACS Authentication, Authorization, and Accounting: This designates TACACS+ as the method for all three validation steps. Since you can only enable TACACS through AAA commands, this step is critical.

The exact process and commands you’ll use may vary depending on your specific TACACS software type and network; consult your TACACS provider for more information.
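The four steps above, written out as a Cisco IOS configuration (an added example, not configuration from the original page; it assumes IOS 15.x-style `tacacs server` syntax, and the server names, the 192.0.2.0/24 documentation addresses and the key string are placeholders to replace):

```cisco
! Added example, not the page's own: Cisco IOS TACACS+ client configuration
aaa new-model
!
! Step 1: identify the server hosts (addresses are documentation placeholders)
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
tacacs server TAC-SECONDARY
 address ipv4 192.0.2.11
 key REPLACE-WITH-SHARED-SECRET
!
! Step 2: the key above is set per server; older IOS syntax used one global
!         "tacacs-server key" instead. Same key on both ends, or packets fail to decode.
!
! Step 3: server group, tried in the order listed
aaa group server tacacs+ TAC-ADMIN
 server name TAC-PRIMARY
 server name TAC-SECONDARY
!
! Step 4: TACACS+ for all three AAA functions. "local" is only consulted when
!         every server is unreachable, not when a server rejects the user.
aaa authentication login default group TAC-ADMIN local
aaa authorization exec default group TAC-ADMIN local
aaa authorization commands 15 default group TAC-ADMIN local
aaa accounting exec default start-stop group TAC-ADMIN
aaa accounting commands 15 default start-stop group TAC-ADMIN
```

Keep a local fallback account defined on the device before applying the authentication line, and confirm reachability on TCP port 49 from a second session before closing the one you configured from.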

What Is the Best TACACS Server Setup?

The best, most secure TACACS server setup requires a trusted provider and two or more dedicated, hardened virtual machines (VMs) and/or bare metal servers to maximize security and uptime.

During setup, you’ll want to enable encryption, implement granular role-based access control, integrate directories for centralized management, document all policies and procedures, and conduct regular testing to identify errors and inefficiencies.

This process ensures you get the most secure setup.

Beyond TACACS: Adding RADIUS for End-User Access

TACACS is a device administration protocol that secures administrative device requests, not end users. For comprehensive network validation, most modern networks require identity-based access to authenticate users, which protocols like RADIUS can provide.

As you scale, policy enforcement and auditing become more critical than ever. TACACS offers strong auditing capabilities for its scope, but you need the same functionality on the network side.

Enterprises can’t afford to leave network security up to TACACS servers alone. For reliable high-security environments, consider a hybrid approach: TACACS for administrative management and RADIUS for managing user access.

Cloud RADIUS from SecureW2 offers advanced user and device authentication using reliable AAA methods to keep your devices, users, and networks compliant and secure. Pair it with JoinNow Dynamic PKI for certificate-based authentication across your full network.

Schedule a demo today to see how JoinNow Cloud RADIUS complements a TACACS server with end-user authentication for WPA2 and VPN networks.


Frequently Asked Questions

What is a TACACS server?

A TACACS server is a centralized authentication server that processes AAA (authentication, authorization, and accounting) requests from network devices. It is used primarily to control administrative access to routers, switches, and other network infrastructure.

Is TACACS the same as RADIUS?

No. TACACS and RADIUS are both AAA protocols, but they serve different purposes. TACACS is a device administration protocol focused on controlling administrative access to network hardware. RADIUS is a network access protocol that authenticates end users connecting to Wi-Fi, VPNs, and other network services.

What is the difference between TACACS+ and RADIUS?

The main differences are: TACACS+ is Cisco-proprietary and encrypts the full packet, while RADIUS is an open standard and typically encrypts only the password. TACACS+ uses TCP, while RADIUS uses UDP. TACACS+ provides command-level authorization for device administration, while RADIUS handles broader end-user network access and supports 802.1X wireless authentication.

What port does TACACS+ use?

TACACS+ uses TCP port 49 for all communication between the client device and the TACACS+ server.

Is TACACS+ obsolete?

The original TACACS protocol (1980s) is obsolete. TACACS+, introduced by Cisco in the 1990s, is not obsolete and remains in active use in Cisco network environments for administrative device access control.

Does TACACS use TCP or UDP?

TACACS+ uses TCP (Transmission Control Protocol), specifically TCP port 49. This differs from RADIUS, which uses UDP (User Datagram Protocol). TCP provides more reliable, connection-oriented communication, which contributes to TACACS+’s stronger error-handling capabilities.