

TACACS is the Terminal Access Controller Access Control System, another client/server user authentication protocol that works similarly to RADIUS. For authentication, it allows the use of user/password information, Kerberos-style authentication that does not require keys to be passed over the wire, or even dynamic password systems in which smart cards are used to generate one-time passwords.

Over the years, three generations of TACACS have been developed:

  • TACACS, the original, which performs authentication and authorization.

  • XTACACS, or Extended TACACS, which separates the tasks of authentication, authorization and accounting/logging.

  • TACACS+, developed by Cisco, which builds on XTACACS by adding a two-factor user authentication system (proving that a user is who they say they are through both something they know, like a password, and something they have, like a smart card) and encrypting all client/server communication.

TACACS+ has some security vulnerabilities that may concern you if end-users have access to the network over which TACACS+ traffic travels:

  • Since accounting information is sent in clear text, and the only verification performed is that the received accounting record packet length equals the length that was sent, someone could intercept the communication and alter it or inject spurious accounting records.

  • Encryption is potentially vulnerable due to the small size of the session id key used for encryption.

  • Lengths of user passwords can be determined by watching traffic, because the protocol provides for sending a password only as long as there are characters in the password.

  • Theoretical issues with MD5 hashes (see section 1.4.10 on Birthday attacks, and chapter 4 on cryptography).

  • A handful of overflow/resource hogging vulnerabilities in some popular implementations of the protocol, which can lead to denial of service.

  • TACACS+ uses a Kerberos-style authentication mechanism that doesn’t require keys to be sent over the wire, but this potentially leaves it vulnerable to exploits similar to those that affect Kerberos.


A security vulnerability with TACACS+ is that accounting information is sent in clear text, and the only verification performed on received data is a check that the packet length did not change during transmission. This means that someone could alter accounting records without detection.
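The following Python sketch is an added example, not part of the original guide or of any TACACS+ implementation. It reproduces the chained-MD5 body obfuscation TACACS+ uses (as later documented in RFC 8907) to show two of the points above: the body on the wire is exactly as long as the plaintext, so a password's length is visible, and a length-only check (shown here on an obfuscated body) accepts a body that was altered in transit. The key, session id and password are constructed sample values, and the function names are illustrative.

```python
import hashlib
import struct

VERSION = 0xC0  # TACACS+ major version 0xC, minor version 0

def pseudo_pad(session_id, key, seq_no, length, version=VERSION):
    """Chained-MD5 pad: MD5(session_id, key, version, seq_no[, previous hash])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, seq_no):
    """Obfuscate or de-obfuscate a packet body (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def continue_body(password):
    """Authentication CONTINUE body: user_msg_len(2), data_len(2), flags(1), user_msg."""
    return struct.pack("!HHB", len(password), 0, 0) + password

def password_length_on_wire(wire_body):
    """What a passive observer learns from the body length alone."""
    return len(wire_body) - 5  # 5 fixed bytes precede the password

def length_check_passes(header_length, wire_body):
    """The only verification the text describes: length received == length sent."""
    return header_length == len(wire_body)

# Constructed sample values (not from any real deployment).
KEY = b"constructed-shared-secret"
SESSION_ID = 0x1A2B3C4D

def demo():
    plain = continue_body(b"hunter2!")
    wire = xor_body(plain, SESSION_ID, KEY, seq_no=3)
    altered = wire[:-1] + bytes([wire[-1] ^ 0x01])  # same length, one bit changed
    return {
        "leaked_length": password_length_on_wire(wire),
        "round_trip_ok": xor_body(wire, SESSION_ID, KEY, 3) == plain,
        "altered_passes_length_check": length_check_passes(len(plain), altered),
        "altered_decodes_differently": xor_body(altered, SESSION_ID, KEY, 3) != plain,
    }

if __name__ == "__main__":
    print(demo())
```

Because the pad is simply XORed onto the body, nothing in the packet binds the contents to the shared key; detecting alteration requires a keyed integrity check or a protected transport underneath the protocol.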


146. Solar Designer, “An Analysis of the TACACS+ Protocol and its Implementations,” BugTraq mailing list,


CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.