
Acronym for Terminal Access Controller Access Control System.

Cisco's protocol for allowing a NetworkAccessServer? (or more commonly, a number of them) to offload user administration to a central server.

Described in RFC:1492.

You probably won't see this much outside of Cisco gear. Compare RADIUS.

Linux Alternative: XTacacs

xtacacsd is an extended TACACS server (for Cisco network devices) which authenticates users logging onto a terminal server (or any host which cares to query the server). It uses the standard password file (/etc/passwd) by default, or an alternate list of password files.

This program can be used to authenticate users when they try to access a terminal server (Cisco terminal servers support this option). The server can log information about all queries coming to the server using syslog(2). It is meant to be invoked by inetd(8) but can be run from a terminal in standalone mode if desired. In this mode, it writes all errors to the controlling terminal. If the -d option is specified on the command line (along with -s), it will not fork, so all debug messages and errors are printed on stderr.

The server expects a username and password to be supplied in the query packet received from the terminal servers. This username and password are authenticated by searching the password file(s). (The default is /etc/passwd, but up to five alternate filenames can be specified.) If it cannot find a match in any of the password files, it sends an authentication failure reply to the query (unless the quiet option is specified, in which case no negative response is sent).

The server always returns an authentication failure for any queries that have a uid of 0 (the SuperUser) or for any users that do not have a password (null password field) in the password files. It also verifies that the account is current and not expired if the last password field (pw_shell) supports this feature (or if the password file has an expiry field on System V based machines). Finally, permissions are checked for the request by matching the username, group-id and gecos field of the user in the TACACS request (the groups listed in the /etc/groups file are checked as well).
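The acceptance rules described above, worked through as an added Python example (this is not xtacacsd's own code). It assumes a salted-SHA-256 stand-in for crypt(3) password hashes, constructed passwd- and group-style sample data, and leaves out the account-expiry check.

```python
import hashlib
import hmac

# Stand-in for crypt(3): the password field holds "salt$sha256(salt+password)" (assumption).
def make_pw_field(password, salt):
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def verify_pw_field(field, password):
    return hmac.compare_digest(make_pw_field(password, field.partition("$")[0]), field)

def parse_passwd(text):  # name -> (pw, uid, gid, gecos) from passwd-style lines
    fields = (line.split(":") for line in text.splitlines())
    return {f[0]: (f[1], int(f[2]), int(f[3]), f[4]) for f in fields if len(f) == 7}

def parse_group(text):  # name -> (gid, members) from group-style lines
    fields = (line.split(":") for line in text.splitlines())
    return {f[0]: (int(f[2]), set(filter(None, f[3].split(",")))) for f in fields if len(f) == 4}

# Constructed sample data, not taken from a real system.
PASSWD_FILES = [
    "root:%s:0:0:root:/root:/bin/sh\n" % make_pw_field("toor", "r1")
    + "alice:%s:1001:100:Alice:/home/alice:/bin/sh\n" % make_pw_field("correct horse", "a1")
    + "bob::1002:100:Bob:/home/bob:/bin/sh\n",  # null password field
    "carol:%s:1003:200:Carol:/home/carol:/bin/sh\n" % make_pw_field("s3cret", "c1"),
]
GROUP_FILE = "users:x:100:\nnetops:x:200:alice\n"

def authenticate(username, password, group=None, quiet=False):
    """Return "ACCEPT", "REJECT", or None when quiet mode suppresses the negative reply."""
    reject = None if quiet else "REJECT"
    entry = None
    for text in PASSWD_FILES:  # search each configured password file in turn
        entry = parse_passwd(text).get(username)
        if entry:
            break
    if entry is None:
        return reject
    pw, uid, gid, _gecos = entry
    if uid == 0 or pw == "":  # the superuser and null-password accounts are always refused
        return reject
    if not verify_pw_field(pw, password):
        return reject
    if group is not None:  # permission check: primary gid or membership listed in the group file
        g = parse_group(GROUP_FILE).get(group)
        if g is None or (gid != g[0] and username not in g[1]):
            return reject
    return "ACCEPT"
```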