Network infrastructure security is complex, requiring control over who can log in to a growing array of devices and what they can do once they are in. TACACS+ is the protocol used to centralize authentication, authorization, and accounting (AAA) for administrative access to network infrastructure devices.
Here’s what TACACS servers are, the differences between TACACS, TACACS+, and RADIUS, and how to structure a comprehensive security strategy that covers you end-to-end, from administrators to end users.
What Is a TACACS Server?
TACACS stands for Terminal Access Controller Access-Control System. It's a network security protocol for device administration: it centralizes authentication, authorization, and accounting (AAA) for administrators who log in to routers, switches, and other network devices. The original TACACS dates to 1984, when it was developed for the ARPANET/MILNET terminal access controllers; it was later written up in RFC 1492 (1993), and Cisco adopted and extended it before replacing it with TACACS+.
A TACACS server is the central AAA server to which network devices (the TACACS+ clients) send their authentication, authorization, and accounting requests.
Is a TACACS Server Different from a TACACS+ Server?
Yes. TACACS+ is a newer, separately specified protocol rather than a revision of TACACS, and the two are not wire-compatible. Cisco designed TACACS+ in the early 1990s, published it as an IETF Internet-Draft in 1997, and it was finally documented as RFC 8907 in 2020. Compared with TACACS, TACACS+ adds:
- Obfuscation of the entire packet body (the 12-byte header stays in cleartext) using a pad derived from the shared key, whereas TACACS sent everything in the clear
- Richer authentication exchanges: ASCII, PAP, CHAP and MS-CHAP, plus multi-round challenge/response that accommodates one-time passwords and other two-factor (2FA) or multi-factor (MFA) schemes
- Reliable transport over TCP port 49 instead of TACACS's UDP, with separate authentication, authorization and accounting operations
Is TACACS Obsolete?
The original TACACS protocol of the 1980s is obsolete. It sends credentials in cleartext, lacks the per-command authorization described below, and Cisco IOS dropped the TACACS and XTACACS commands long ago.
However, in the 1990s Cisco introduced the updated, more secure and extensible TACACS+. While the original protocol is obsolete, TACACS+ certainly isn't: it remains the standard protocol for network device administration and is implemented by Cisco ISE, by open-source servers such as tac_plus, and as a client by most major network vendors' devices.
Top 6 Features of TACACS+ Servers
Compared to servers using other network infrastructure security protocols, TACACS+ servers offer these features:
1. Separate Authentication, Authorization, and Accounting (AAA) Functions
Cisco created TACACS+ around the authentication, authorization, accounting (AAA) framework with one important design choice: the three functions are separate packet types and separate exchanges. A device can therefore authenticate an administrator against TACACS+, or against something else entirely, and still ask the TACACS+ server to authorize each command and to record it.
2. Centralized Authentication
TACACS+ uses a centralized AAA server, so administrators can review, control, and modify administrative access across many accounts and devices from one place instead of maintaining local usernames and passwords on every device.
3. Granular Access Controls (Authorization)
TACACS+ offers fine-grained control over device access. Beyond granting a privilege level at login, the device can send every command an administrator types to the server for a permit or deny decision, so a role can be limited to, for example, show commands only.
4. Detailed Auditing and Accounting Data
TACACS+ is good for monitoring, logging, and troubleshooting. Its accounting records capture who logged in, from where, when, and which commands they ran (START, STOP and WATCHDOG records per session), which simplifies audits and compliance evidence. Passwords are never part of accounting records.
5. Enhanced Security and Encryption
TACACS+ obfuscates the entire packet body, so usernames, passwords, and commands are not readable on the wire the way they are with Telnet or with plain TACACS. Two caveats a practitioner should know: the header (packet type, sequence number, session ID) is sent in cleartext, and the body protection is an MD5-derived XOR pad keyed by the shared secret, which RFC 8907 itself describes as obfuscation rather than encryption. Treat the management network as the real security boundary (IPsec or a dedicated management VPN), keep shared secrets long and per-device, and follow the IETF work on running TACACS+ over TLS.
6. Scalability
TACACS+ is designed for large networks: it originated at Cisco but is implemented as a client by most network vendors' devices. Because policy lives on the server rather than on each device, it scales to a growing number of devices and administrators while keeping granular control over permissions and privilege levels.
How Does a TACACS+ Server Work?
TACACS+ servers work by performing the three AAA functions in sequence for each administrative session.
The first step is authentication. An administrator connects to a router or other network device (over SSH or the console); the device, acting as the TACACS+ client, opens a TCP connection to the server and sends an authentication START packet. The server replies asking for whatever it still needs (GETUSER for the username, GETPASS for the password), the device prompts the user and relays each answer in a CONTINUE packet, and the server checks the credentials against its user store, which may be local or a backend such as Active Directory or LDAP. The result is a PASS or FAIL reply; on failure the device re-prompts, and after a few failures it typically drops the session.
Successful authentication is followed by authorization. The device sends an authorization REQUEST carrying the username and attribute-value pairs describing what is being asked for, such as service=shell for an EXEC session, or cmd=show with cmd-arg=running-config for a single command. The server evaluates its policy for that user and replies PASS_ADD (permit, optionally with extra attributes such as a privilege level), PASS_REPL (permit, with the server's attributes replacing the device's) or FAIL. The device enforces the decision: it starts the shell, runs the command, or prints an authorization failure.
Finally, the device sends accounting records and the server stores them: username, source address, device port, timestamps, and the commands executed. The server retains this content for security, troubleshooting, compliance, and audit requests.
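The authorization step above, and the body obfuscation and per-command policy described under features 3 and 5, as one runnable exchange. This is an added example, not code from the page or from any TACACS+ product: both the device and the server are simulated in one process, the user store, the role policy, the shared key, the session ID and the addresses are constructed for the example, and the packet layout follows RFC 8907.

```python
"""Added example (not from the page): one TACACS+ (RFC 8907) command-authorization
exchange with both sides simulated in one process. The device builds an
authorization REQUEST and obfuscates its body with the shared key; the server
de-obfuscates it, evaluates a per-role command policy and returns a REPLY.
Users, roles, key, session ID and addresses below are constructed for the example."""
import hashlib
import re
import struct

HEADER = struct.Struct(">BBBBII")        # version, type, seq_no, flags, session_id, length
VERSION = 0xC0                           # major version 0xC, minor version 0
TYPE_AUTHOR = 0x02                       # authorization packet type
METH_TACACSPLUS, AUTHEN_ASCII, SVC_LOGIN = 0x06, 0x01, 0x01
PASS_ADD, PASS_REPL, FAIL = 0x01, 0x02, 0x10   # authorization REPLY status values

# Constructed policy: first matching pattern wins; every role ends in a catch-all.
ROLE_RULES = {
    "netadmin": [(r".*", PASS_ADD)],
    "netops": [(r"^(show|ping|traceroute)( |$)", PASS_ADD), (r".*", FAIL)],
}
USER_ROLE = {"alice": "netadmin", "bob": "netops"}   # constructed user store


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated, truncated."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, seq_no: int, version: int = VERSION) -> bytes:
    """Body XOR pad. XOR is its own inverse, so this both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(session_id: int, key: bytes, user: str, command: str,
                         port: bytes = b"tty0", rem_addr: bytes = b"192.0.2.50") -> bytes:
    """Device side: ask whether `user` (privilege 15 shell) may run `command`."""
    words = command.split()
    args = [b"service=shell", b"cmd=" + words[0].encode()]
    args += [b"cmd-arg=" + w.encode() for w in words[1:]] + [b"cmd-arg=<cr>"]
    user_b = user.encode()
    body = bytes([METH_TACACSPLUS, 15, AUTHEN_ASCII, SVC_LOGIN,
                  len(user_b), len(port), len(rem_addr), len(args)])
    body += bytes(len(a) for a in args) + user_b + port + rem_addr + b"".join(args)
    seq_no = 1                                        # client sends odd sequence numbers
    header = HEADER.pack(VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, seq_no)


def handle_author_request(packet: bytes, key: bytes):
    """Server side: read the cleartext header, de-obfuscate the body, decide, build the REPLY.
    Returns (status, reply_packet)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TYPE_AUTHOR or length != len(packet) - HEADER.size:
        raise ValueError("not a well-formed authorization REQUEST")
    body = xor_body(packet[HEADER.size:], session_id, key, seq_no, version)
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    arg_lens, pos = body[8:8 + arg_cnt], 8 + arg_cnt
    user = body[pos:pos + user_len].decode()
    pos += user_len + port_len + rem_len                # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    # Reassemble the command line the way the device tokenized it.
    cmd = [a[4:] for a in args if a.startswith("cmd=")]
    cmd_args = [a[8:] for a in args if a.startswith("cmd-arg=") and a != "cmd-arg=<cr>"]
    command = " ".join(cmd + cmd_args)
    status = FAIL                                       # unknown users and unmatched commands fail closed
    for pattern, verdict in ROLE_RULES.get(USER_ROLE.get(user), []):
        if re.match(pattern, command):
            status = verdict
            break
    msg = f"{user}: {command!r} -> {'permit' if status == PASS_ADD else 'deny'}".encode()
    reply = bytes([status, 0]) + struct.pack(">HH", len(msg), 0) + msg   # arg_cnt 0, no data
    reply_seq = seq_no + 1                              # server replies with the next seq_no
    header = HEADER.pack(version, TYPE_AUTHOR, reply_seq, flags, session_id, len(reply))
    return status, header + xor_body(reply, session_id, key, reply_seq, version)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    for user, cmd in [("alice", "configure terminal"), ("bob", "show ip route"),
                      ("bob", "configure terminal"), ("mallory", "show clock")]:
        status, _ = handle_author_request(build_author_request(0x1A2B3C4D, key, user, cmd), key)
        print(f"{user:8} {cmd:20} {'PASS_ADD' if status == PASS_ADD else 'FAIL'}")
```

Two things worth noticing when you run it: the session ID and sequence number can be read straight out of the packet without the key, which is the cleartext-header caveat from feature 5, and a wrong key does not produce an error but garbage, so a real server also validates the de-obfuscated field lengths before trusting them.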
Why Use a TACACS Server? Common Use Cases
TACACS+ is a helpful device administration protocol for a variety of uses:
- Network Device Administration: administrative logins to routers, switches, firewalls, and wireless controllers.
- Role-Based Command Authorization: organizations that need separation of duties (read-only operators, change engineers, full administrators) rely on per-command authorization.
- Accounting and Auditing: one central log of every administrative login and command, instead of per-device logs that are easy to lose or tamper with.
- Regulated Industries: finance, defense, and other sectors that must prove who changed network configuration and when, and that typically run their own on-premises AAA servers.
However, there is one major scenario that TACACS+ does not cover: end-user network access.
TACACS+ authenticates the administrators who manage devices; it does not authenticate employees, guests or endpoints joining the network.
For 802.1X on wired and Wi-Fi Protected Access 2 (WPA2-Enterprise) networks, Virtual Private Network (VPN) logins, and similar use cases, a device administration protocol like TACACS+ is the wrong tool. Those use cases are served by a network access protocol: RADIUS.
9 Key Differences Between TACACS+ Servers and RADIUS Servers: Benefits and Limitations
Both RADIUS and TACACS+ are AAA protocols, and both have servers that authenticate, return authorization attributes, and keep accounting records. But they were designed for different jobs, and the differences matter.
Here's what to know when comparing TACACS+ vs. RADIUS:
- Origin and Openness: TACACS+ was created by Cisco but is an openly documented protocol (RFC 8907) implemented by most network vendors and by open-source servers; RADIUS is an IETF standard (RFC 2865 and RFC 2866) supported by virtually every network access device. Licensing costs come from commercial servers such as Cisco ISE, not from the protocol.
- Protocol Type and Application: TACACS+ is a device administration protocol for administrators logging in to network devices; RADIUS is a network access protocol that authenticates end users and endpoints joining the network.
- Communication Overhead: TACACS+ runs over TCP and, with per-command authorization, makes a round trip to the server for every command typed, so a slow or unreachable server is felt immediately at the CLI; RADIUS is a lighter UDP request/response exchange per session.
- Encryption: TACACS+ obfuscates the whole packet body (the header is cleartext); classic RADIUS hides only the User-Password attribute with an MD5 pad, leaving usernames and every other attribute readable. EAP methods such as EAP-TLS avoid sending a password in the RADIUS payload at all, and RadSec (RADIUS over TLS, RFC 6614) protects the entire exchange.
- Security: both protocols rely on a shared secret and MD5-based constructions, so neither should cross an untrusted network. RADIUS's MD5 Response Authenticator was shown to be forgeable by an on-path attacker in 2024 (Blast-RADIUS, CVE-2024-3596), which is why RadSec or IPsec is now the recommended deployment; the same transport advice applies to TACACS+. In both cases setup matters more than the protocol: unique, long secrets per device, servers reachable only from the management network, and fallback accounts that are actually locked down.
- Transport Layer Protocol: TACACS+ uses TCP port 49; RADIUS uses UDP, port 1812 for authentication and 1813 for accounting (older deployments use 1645 and 1646).
- Access Control: TACACS+ provides finer control, including per-command authorization; RADIUS returns authorization attributes (VLAN, ACL, session timeout) once, at login.
- Accounting Records: each is detailed in its own domain. TACACS+ accounting records every command an administrator runs; RADIUS accounting records network sessions, including duration and bytes transferred, which is what usage auditing and billing need.
- Wireless Authentication: TACACS+ plays no role in 802.1X port-based network access control; 802.1X carries EAP inside RADIUS, so RADIUS is the only option for WPA2-Enterprise wireless and wired port authentication.
While there are similarities, the use cases differ. TACACS+ is the right choice for device administration on any vendor's equipment that speaks it, not just Cisco's. RADIUS is the choice for authenticating users and endpoints on VPNs, WPA2-Enterprise and 802.1X networks, and for session-level accounting.
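The encryption difference in the list above, made concrete: what an on-path observer sees in a classic RADIUS Access-Request. This is an added example, not code from the page or from any RADIUS implementation; it builds the packet per RFC 2865 with a fixed authenticator so the output is reproducible, and the user, password, secret and NAS address are constructed for the example.

```python
"""Added example (not from the page): in a classic RADIUS Access-Request only the
User-Password attribute is hidden (RFC 2865 section 5.2); User-Name and every other
attribute travel in cleartext. User, password, secret and NAS address are constructed."""
import hashlib
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16 (at least 16), then
    c_1 = p_1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream_block(secret, prev)))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret can run it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], _keystream_block(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # removes the RFC padding (fine unless the password ends in NULs)


def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value   # Type, Length (incl. these 2 bytes), Value


def build_access_request(user: str, password: str, secret: bytes, authenticator: bytes,
                         nas_ip: str = "192.0.2.1", identifier: int = 1) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
    A real client draws a fresh random 16-byte authenticator per request."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def observer_view(packet: bytes) -> dict:
    """Parse the packet without the secret, as a sniffer would: {attr_type: raw value}."""
    seen, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        seen[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return seen


if __name__ == "__main__":
    secret, authenticator = b"constructed-radius-secret", bytes(range(16))
    pkt = build_access_request("alice", "S3cret!pass", secret, authenticator)
    view = observer_view(pkt)
    print("cleartext User-Name:   ", view[USER_NAME])
    print("cleartext NAS-IP:      ", socket.inet_ntoa(view[NAS_IP_ADDRESS]))
    print("hidden User-Password:  ", view[USER_PASSWORD].hex())
    print("with the shared secret:", reveal_password(view[USER_PASSWORD], secret, authenticator))
```

The hiding is reversible by anyone who learns the shared secret, and the username and NAS address are never hidden at all; that is the gap RadSec closes, and the reason EAP-TLS deployments never put a password in this attribute in the first place.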
How to Set Up TACACS Servers
Here are the steps to configuring a TACACS+ client on a network device (Cisco IOS terminology is used; other vendors have equivalents):
- Identify the Server Host(s): define each server by name and address and list them in the order they should be tried. Use the TACACS+ commands (tacacs server on current IOS, tacacs-server host on older releases); the legacy TACACS commands configure a different, incompatible protocol.
- Choose a TACACS+ Server Key: this one shared secret both obfuscates the packet body and is what the device and server use to recognize each other, so make it long and random, and prefer a different key per device or device group over one global key.
- Configure AAA Server Groups: group the servers and point method lists at the group. Different groups can serve different purposes (for example, one for console access and one for VTY sessions); on dial-in platforms the Dialed Number Identification Service (DNIS) can also select a server group by the number called.
- Specify TACACS+ Authentication, Authorization, and Accounting: enable aaa new-model and define method lists that name the TACACS+ group for login authentication, EXEC and command authorization, and accounting, with local as a fallback method so you are not locked out when the servers are unreachable. TACACS+ can only be enabled through these AAA commands, so this step is critical.
The exact commands vary by vendor and software version; consult your device and TACACS+ server documentation.
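The four steps above as one Cisco IOS configuration. This is an added example, not configuration from the page or from any vendor document: the server names, the 192.0.2.x addresses, the group name and the placeholder secrets are assumptions, and the local break-glass account is there so the fallback method in step 4 has something to fall back to.

```text
! Step 1: identify the TACACS+ hosts (tried in the order they appear in the group)
aaa new-model
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.10
 key PLACEHOLDER-SECRET-1
 timeout 5
tacacs server TAC-SECONDARY
 address ipv4 192.0.2.11
 key PLACEHOLDER-SECRET-2
 timeout 5
! Step 2 is the per-server key above, preferred over one global tacacs-server key
! Step 3: group the servers and source requests from a stable management address
aaa group server tacacs+ NETADMIN-TAC
 server name TAC-PRIMARY
 server name TAC-SECONDARY
ip tacacs source-interface Loopback0
! Step 4: TACACS+ for all three AAA functions, local fallback only when no server answers
aaa authentication login default group NETADMIN-TAC local
aaa authorization exec default group NETADMIN-TAC local
aaa authorization commands 15 default group NETADMIN-TAC local
aaa authorization config-commands
aaa accounting exec default start-stop group NETADMIN-TAC
aaa accounting commands 15 default start-stop group NETADMIN-TAC
! Break-glass local account; never consulted while a TACACS+ server is reachable
username break-glass privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
```

With these method lists every privilege-15 command, including configuration commands, is sent to the server for a decision, and the local method is used only when no server responds, not when a server answers FAIL. Test the fallback by blocking TCP/49 to both servers before you rely on it.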
What Is the Best TACACS Server Setup?
The most secure TACACS+ setup uses a trusted server implementation on two or more dedicated, hardened virtual machines (VMs) and/or bare-metal servers in separate failure domains, so that a single outage does not cut off administrative access.
During setup, use strong per-device shared secrets and restrict the servers to the management network (ideally over IPsec), implement role-based command authorization with a read-only role as the default, integrate a directory for centralized account management so that a disabled directory account also loses device access, document all policies and procedures, and test regularly, including the fallback path you will rely on when every TACACS+ server is down.
This process ensures you get the most secure setup.
Beyond TACACS: Enforcing Ironclad Network Access Policies at Scale
TACACS+ is a device administration protocol that secures administrative logins to devices, not end-user access. For the rest of the network, most modern environments need identity-based access for users and endpoints, which RADIUS provides.
As you scale, policy enforcement and auditing become more critical than ever. TACACS+ offers strong auditing within its scope, but you need the same coverage on the network-access side.
Enterprises can't leave network security to TACACS+ servers alone. For high-security environments, use a hybrid approach: TACACS+ for administrative access to devices and RADIUS for user and endpoint access to the network.
CloudRADIUS offers advanced user and device authentication using reliable AAA methods to keep your devices, users, and networks compliant and secure.