Security Configuration Guide, Cisco IOS XE Fuji 16.9.x (Catalyst 9300 Switches) – Configuring TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access to your switch.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers.
TACACS+, administered through the AAA security services, can provide these services:

Authentication—Provides complete control of authentication through login and password dialog, challenge and response, and messaging support. The authentication facility can conduct a dialog with the user (for example, after a username and password are provided, to challenge a user with several questions, such as home address, mother’s maiden name, service type, and social security number). The TACACS+ authentication service can also send messages to user screens. For example, a message could notify users that their passwords must be changed because of the company’s password aging policy.

Authorization—Provides fine-grained control over user capabilities for the duration of the user’s session, including but not limited to setting autocommands, access control, session duration, or protocol support. You can also enforce restrictions on what commands a user can execute with the TACACS+ authorization feature.

Accounting—Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing. Accounting records include user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted.
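As an added example (not code from this guide or from Cisco), the Python below implements the packet framing and body protection that the TACACS+ specification, RFC 8907, defines: the 12-byte header and the MD5-derived keystream that is XORed over the body. The RFC calls this mechanism obfuscation rather than encryption, so the confidentiality this section describes rests entirely on the strength and secrecy of the shared key configured on the switch and daemon, and on the unencrypted flag never being set. The user name, port, remote address, session ID and key are constructed sample values; is_cleartext is a hypothetical check a monitoring tool could run on captured packets.

```python
import hashlib
import struct

# TACACS+ constants taken from RFC 8907 (not from this guide).
TAC_PLUS_VERSION = 0xC0            # major version 0xC, default minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in cleartext
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action: login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # ASCII username/password dialog
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # service: login
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id + key + version + seq_no)
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1})
    Digests are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or deobfuscate a body (XOR is its own inverse).
    Everything an eavesdropper lacks is the key: no per-session randomness is involved."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str,
                       session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Switch -> daemon authentication START for an ASCII login (data field empty)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(pkt: bytes, key: bytes) -> dict:
    """Recover the header fields and the plaintext body using the shared key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(pkt)
    wire_body = pkt[HEADER.size:HEADER.size + length]
    if len(wire_body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body  # nothing to undo: body travelled in cleartext
    else:
        body = xor_body(wire_body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def authen_start_user(body: bytes) -> str:
    """Extract the user field from a plaintext authentication START body."""
    user_len = body[4]            # byte 4 of the fixed 8-byte prefix is user_len
    return body[8:8 + user_len].decode(errors="replace")


def is_cleartext(pkt: bytes) -> bool:
    """Hypothetical monitoring check: a production switch should never emit this flag."""
    return bool(HEADER.unpack_from(pkt)[3] & TAC_PLUS_UNENCRYPTED_FLAG)


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample value
    pkt = build_authen_start("alice", "tty1", "192.0.2.10", 0x1A2B3C4D, key)
    print("user visible on wire:", b"alice" in pkt)
    print("user after parse with key:", authen_start_user(parse_packet(pkt, key)["body"]))
    print("user after parse with wrong key:", authen_start_user(parse_packet(pkt, b"wrong")["body"]))
    print("cleartext flag set:", is_cleartext(pkt))
```

Running the block shows the user name absent from the wire bytes, recovered exactly with the right key, and unreadable with the wrong one. Because the keystream is a deterministic function of the session ID, the key and the sequence number, the guide's shared-key recommendation is the whole defence: a weak or reused key, or a packet with the unencrypted flag set, exposes every field of every exchange.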