TACACS+ AAA systems are used as a single point of management to configure and store user accounts. They are often coupled with directories and management repositories, simplifying the setup and maintenance of the end-user accounts.

Network devices with Authentication Services can provide fine-grained control over user capabilities for the duration of the user’s session, for example, setting access control or session duration. Enforcement of restrictions to a user account can limit available commands and levels of access.

TACACS+ authentication provides a central server in which you can allow or deny access to switches and other TACACS+-aware devices in your network. TACACS+ employs a central database which creates multiple unique user name and password sets with their associated privilege levels. This central database can be accessed by users through switch from either a console port, Telnet, SSH, or REST.

TACACS+ operation

TACACS+ uses an authentication hierarchy consisting of remote passwords assigned in a TACACS+ server.

A TACACS+ server can:

  • Configure login authentication for read/write or read-only privileges.

  • Manage the authentication of logon attempts by either the console port ,Telnet, SSH, or REST.

TACACS+ is not supported for WebAgent access. See Controlling Web UI access when using TACACS+ authentication.


A client can communicate for AAA with an IPv6 TACACS+ server.