What is TACACS and How Does it Work? TACACS vs. TACACS+

TACACS is a centralized AAA protocol used to secure administrative access to routers, switches, and firewalls. This guide explains how TACACS works, why it uses TCP port 49, how encryption functions, and how it compares to RADIUS for infrastructure authentication.

A technical guide explaining how TACACS secures administrative access to network devices using centralized AAA and TCP port 49.

Key Points
  • TACACS stands for Terminal Access Controller Access Control System and centralizes administrator login verification.
  • TACACS+ encrypts the full authentication packet and separates authentication, authorization, and accounting functions.
  • The original TACACS protocol is largely obsolete; TACACS+ is the current standard for device administration.
  • TACACS+ and RADIUS serve different purposes: TACACS+ manages device admin access, RADIUS handles network access control.
  • Password-based TACACS+ cannot verify device identity; certificate-based authentication with 802.1X fills that gap.

TACACS (Terminal Access Controller Access-Control System) is a family of related protocols that network administrators use to control who can log in to routers, switches, and firewalls. If your team manages network infrastructure and relies on shared device passwords, TACACS+ is likely part of the picture, and so are its limits.

What Is TACACS?

TACACS (Terminal Access Controller Access-Control System) is a family of related network authentication protocols handling remote authentication and related services for network access control through a centralized server.

TACACS centralizes administrator login verification for infrastructure devices like routers, switches, and firewalls.

What Is TACACS Used For?

The protocol handles administrator login verification, device access logging, centralized credential management, and remote management authorization.

In practice, TACACS+ is deployed specifically for device administration, controlling which network engineers can log in to which routers, switches, or firewalls, and what commands they are permitted to run once logged in.

This is distinct from controlling which end users or devices can join the network, which is the domain of RADIUS. The AAA framework (Authentication, Authorization, and Accounting) is the conceptual backbone of TACACS+: authentication confirms identity, authorization defines what actions are allowed, and accounting logs every command executed for audit purposes.

How Does TACACS Work?

When an administrator attempts to access a network device, the device forwards the login request to a TACACS server over TCP port 49. The server verifies credentials and returns an allow or deny response, removing the need for locally stored passwords.

The process follows three sequential AAA steps:

  1. Authentication: The network device (the client) forwards the administrator’s login credentials to the TACACS+ server over TCP port 49. The server checks the credentials against its user database and responds with an allow or deny.
  2. Authorization: Once authenticated, the server evaluates the administrator’s assigned privilege level and returns a list of permitted commands or actions for that session.
  3. Accounting: The TACACS+ server logs the session start, duration, commands executed, and session end. This creates an audit trail for every administrative action on every managed device.

Using TCP rather than UDP gives TACACS+ a reliable transport layer. Dropped packets are retransmitted, so authentication failures caused by network noise are less common than with UDP-based protocols.

TACACS vs. TACACS+: Key Differences

TACACS+ is a complete redesign of the original TACACS protocol, not a simple version increment. The original TACACS only encrypted passwords; TACACS+ encrypts the entire authentication packet. The original merged authentication and authorization into a single operation; TACACS+ separates all three AAA functions, giving administrators granular control over each independently. TACACS+ is now the standard for device administration, while the original TACACS is rarely deployed.

This table explains the most important differences between TACACS and TACACS+.

Feature               | TACACS                   | TACACS+
----------------------|--------------------------|------------------------------------
Packet Encryption     | Password only            | Full packet body
AAA Functions         | Combined (not separated) | Fully separated (Auth, Authz, Acct)
Transport Protocol    | UDP (original) / TCP     | TCP (port 49)
Command Authorization | Not supported            | Supported per-command
Current Usage         | Rare / legacy            | Standard for network device admin
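What "full packet body" means on the wire, as an added example that is not code from this page or from SecureW2: the 12-byte TACACS+ header travels in the clear, and the whole body (username, port and remote address included, not just the password) is XORed with a chained-MD5 pad derived from the session id, the shared secret, the version byte and the sequence number, as specified in RFC 8907. The session id, shared secret, user and host values are constructed for the example; a wrong secret produces an unreadable body rather than an error, which is why servers validate the decoded fields.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags,
# session_id (4 bytes) and body length (4 bytes), all big-endian.
HEADER = struct.Struct("!BBBBII")
VERSION = 0xC0                 # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01             # 0x02 = authorization, 0x03 = accounting
FLAG_UNENCRYPTED = 0x01        # body sent in the clear; never enable in production

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 pad from RFC 8907 section 4.5: each block hashes the session
    id, shared secret, version and seq_no together with the previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it a second time restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user, port, rem_addr, data=b""):
    """Authentication START body: action=LOGIN, priv_lvl=1, authen_type=ASCII,
    service=LOGIN, four length bytes, then user, port, rem_addr and data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([0x01, 0x01, 0x01, 0x01, len(u), len(p), len(r), len(data)])
    return fixed + u + p + r + data

def build_packet(body, session_id, key, seq_no=1):
    """Client side: header travels in the clear, the whole body is obfuscated."""
    enc = obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body)) + enc

def decode_body(raw, key):
    """Server side: parse the header, then recover the body with the shared secret.
    A wrong secret yields garbage rather than an error, so validate the fields."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    body = raw[HEADER.size:HEADER.size + length]
    if flags & FLAG_UNENCRYPTED:
        return body
    return obfuscate(body, session_id, key, version, seq_no)
```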

Advantages of TACACS+

TACACS+ has remained in use for device administration because it offers capabilities that simpler authentication protocols do not:

  • Full packet encryption: Unlike the original TACACS, TACACS+ encrypts the entire communication between the network device and the authentication server, not just the password field.
  • Granular command authorization: TACACS+ can enforce per-command authorization, meaning an administrator can be permitted to run show commands but blocked from configure commands on specific devices.
  • Separated AAA functions: Because authentication, authorization, and accounting are handled independently, each can be configured separately. An organization can use TACACS+ for authorization and accounting while delegating authentication to a different directory service.
  • TCP reliability: TACACS+ uses TCP port 49, giving it a reliable transport layer with retransmission. Failed authentication events are less likely to be caused by transport-layer packet loss.
  • Centralized policy management: All device access policies live on the TACACS+ server, so revoking an administrator’s access requires a single change at the server rather than updates on every managed device.
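The per-command authorization described in the "Granular command authorization" bullet, as an added example that is not code from this page or from SecureW2: the device sends an authorization REQUEST carrying service=shell, cmd= and cmd-arg= attribute-value pairs (RFC 8907 section 6.1), and the server rebuilds the command line and answers PASS_ADD or FAIL from a role policy. The role names, policy rules, user and host values are constructed; a real server would also consult the authenticated identity rather than a caller-supplied role.

```python
# Authorization REQUEST body (RFC 8907 section 6.1): eight fixed bytes, one
# length byte per argument, then user, port, rem_addr and the AV-pair arguments.
METHOD_TACACSPLUS, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x06, 0x01, 0x01
STATUS_PASS_ADD, STATUS_FAIL = 0x01, 0x10   # authorization REPLY status codes

def author_request_body(user, priv_lvl, args, port="tty0", rem_addr="192.0.2.10"):
    """Client side: encode a shell command authorization request."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = bytes([METHOD_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                   len(u), len(p), len(r), len(a)])
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)

def parse_author_request(body):
    """Server side: unpack user, privilege level and the AV-pair argument list."""
    _method, priv, _atype, _svc, ul, pl, rl, argc = body[:8]
    lens = [ul, pl, rl] + list(body[8:8 + argc])
    off, fields = 8 + argc, []
    for n in lens:
        fields.append(body[off:off + n].decode())
        off += n
    return {"user": fields[0], "priv_lvl": priv, "port": fields[1],
            "rem_addr": fields[2], "args": fields[3:]}

# Constructed role policy: first matching prefix wins ("" matches everything).
POLICY = {
    "netops-readonly": [("permit", "show "), ("permit", "ping "), ("deny", "")],
    "netops-full": [("deny", "configure "), ("permit", "")],
}

def authorize_command(role, body):
    """Rebuild the command line from cmd/cmd-arg pairs and apply the role policy."""
    req = parse_author_request(body)
    av = [tuple(a.split("=", 1)) for a in req["args"] if "=" in a]
    cmd = [v for k, v in av if k == "cmd"]
    if ("service", "shell") not in av or not cmd:
        return STATUS_FAIL, "only service=shell command requests are handled"
    line = " ".join(cmd[:1] + [v for k, v in av if k == "cmd-arg"]) + " "
    for action, prefix in POLICY.get(role, [("deny", "")]):
        if line.startswith(prefix):
            status = STATUS_PASS_ADD if action == "permit" else STATUS_FAIL
            return status, f"{action}: {line.strip()}"
    return STATUS_FAIL, "no rule matched"
```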

TACACS vs. RADIUS: Which Should You Use?

TACACS+ and RADIUS are both AAA protocols, but they solve different problems and rarely compete directly for the same use case.

Dimension             | TACACS+                                              | RADIUS
----------------------|------------------------------------------------------|--------------------------------------------------
Primary use case      | Device administration (routers, switches, firewalls) | Network access control (Wi-Fi, VPN, wired 802.1X)
AAA structure         | Fully separated                                      | Authentication and authorization combined
Transport             | TCP (reliable)                                       | UDP (lower overhead)
Encryption            | Full packet                                          | Password field only (standard)
Command authorization | Yes, per-command                                     | No
Vendor support        | Cisco-heavy                                          | Broad (vendor-neutral)

TACACS+ is the right choice when the goal is controlling what network engineers can do on managed infrastructure devices. RADIUS is the right choice when the goal is controlling which users and devices can access the network, including Wi-Fi authentication via 802.1X, VPN access, and wired port authentication.

Many enterprise networks run both: TACACS+ handles administrator access to network devices, while RADIUS handles end-user and endpoint access to the network itself. The two protocols complement rather than replace each other.

TACACS+ Limitations and Modern Network Security

The TACACS+ protocol relies heavily on usernames and passwords, lacks device identity verification, and offers limited encryption. The protocol also struggles in distributed cloud environments and remote user scenarios.

These limitations matter in environments that have moved beyond traditional perimeter security. For example, an attacker using stolen credentials can authenticate just as easily as a legitimate network engineer, because TACACS+ has no mechanism to verify whether the device being used to log in is a trusted, managed endpoint.

Certificate-based authentication addresses this gap. By deploying a dynamic PKI that issues device certificates to every managed endpoint, organizations can enforce the principle that administrative access requires both a valid credential and a verified device identity. This is the architecture behind modern zero-trust network access policies.

For network access control beyond device administration, Cloud RADIUS provides a RADIUS-as-a-Service platform that supports certificate-based authentication natively, removing the dependency on shared passwords for both end users and administrators.

Move Beyond Password-Based Device Authentication with SecureW2

TACACS+ centralizes device administration access, but its reliance on passwords leaves a gap that modern network environments cannot afford to ignore. SecureW2 helps organizations replace password-based authentication with certificate-based identity verification, for both network access and device administration workflows.

Schedule a demo to see how certificate-based authentication works with your existing network infrastructure.
Frequently Asked Questions

What is TACACS used for?

TACACS (and its successor TACACS+) is used to control administrator access to network infrastructure devices such as routers, switches, and firewalls. It centralizes login verification, enforces per-command authorization, and logs all administrative activity for audit purposes.

What is the difference between TACACS and RADIUS?

TACACS+ is designed for device administration: controlling what network engineers can log in to and what commands they can run. RADIUS is designed for network access control: determining which users and devices are allowed to connect to the network via Wi-Fi, VPN, or wired 802.1X. Both use the AAA framework but are optimized for different access scenarios.

Is TACACS still used?

The original TACACS protocol is rarely used and is considered outdated. TACACS+, which is a separate and significantly improved protocol, remains in active use in enterprise environments where Cisco networking equipment is deployed. It is the standard protocol for centralized device administration in those environments.

What does TACACS stand for?

TACACS stands for Terminal Access Controller Access Control System. The name comes from the protocol’s original function: verifying access requests from terminal controllers on early time-sharing networks. TACACS+ is not an abbreviation; it is a distinct protocol that builds on the original design.

What port does TACACS+ use?

TACACS+ uses TCP port 49 for all communication between network devices and the TACACS+ server. Using TCP (rather than the UDP used by RADIUS) gives TACACS+ a reliable transport layer with built-in retransmission, reducing the chance of authentication failures caused by dropped packets.

What is the difference between TACACS and TACACS+?

TACACS+ is a complete redesign, not a minor update to the original TACACS. TACACS encrypts only the password field, while TACACS+ encrypts the entire packet. TACACS combines authentication and authorization, but TACACS+ separates all three AAA functions independently. TACACS does not support per-command authorization, while TACACS+ does.

In practice, TACACS+ is the only version actively deployed today.