TACACS AAA systems are used as a single point of management to configuring and store user accounts. They are often coupled with directories and management repositories, simplifying the set up and maintenance of the end-user accounts.

In the authorization function of the AAA system, network devices with Authentication Services can provide fine-grained control over user capabilities for the duration of the user’s session, for example setting access control or session duration. Enforcement of restrictions to a user account can limit available commands and levels of access.

TACACS+ authentication provides a central server in which you can allow or deny access to switches and other TACACS-aware devices in your network. TACACS employs a central database which creates multiple unique user name and password sets with their associated privilege levels. This central database can be accessed by individuals via switch from either a console port or via Telnet.

Example of TACACS+ operation
TACACS+ uses an authentication hierarchy consisting of:
  • remote passwords assigned in a TACACS+ server

  • local passwords configured on the switch.

A TACACS+ server is able to:

  • Configure login authentication for read/write or read-only privileges.

  • Manage the authentication of logon attempts by either the console port or via Telnet.

  • defaults to locally assigned passwords for authentication control in the event of a connection failure.

TACACS+ does not affect: