Skip to main content

CompTIA A+

TACACS+

10 min read

For CompTIA A+ Core 2 (220-1202), Domain 2, Objective 2.3, you need a basic, practical grasp of TACACS+. In plain terms, TACACS+ is a way to control who can log in to network equipment and what they can do after they sign in. Instead of managing separate admin accounts on every router, switch, or firewall, an organization can centralize logins and permissions on one server.

This article explains the core ideas you're expected to know for the exam. First, you'll learn what TACACS+ is and why IT teams rely on it for access control. Next, you'll see how it works at a high level, including the port number and what gets encrypted. Finally, you'll compare TACACS+ to RADIUS in the way CompTIA questions often frame it.

What TACACS+ is and why IT teams use it

TACACS+ (Terminal Access Controller Access Control System Plus) supports controlled administrative access to network devices. Think about a help desk technician who needs to sign in to a switch to check port status. Without centralized control, that switch might have a local account that someone forgot to remove. Over time, those accounts pile up across dozens of devices, and each one becomes a risk.

TACACS+ reduces that risk because it centralizes access decisions. The network device asks a TACACS+ server, "Can this person log in?" and later, "Can this person run this command?" As a result, IT teams can apply consistent rules, even across mixed hardware.

The model behind TACACS+ is AAA:

  • Authentication confirms who the user is.
  • Authorization decides what the user can do.
  • Accounting records what the user did.

Separating these steps matters in real operations. When a login fails, authentication logs help you find the cause quickly (wrong password, disabled account, expired credential). When a change goes wrong, authorization settings show whether the user had permission to run that command. When an audit happens, accounting records provide the timeline.

This structure supports common workplace goals:

Least privilege becomes easier because roles can map to job needs, not convenience. Consistent access rules also reduce mistakes, since admins don't "wing it" per device. Audit trails help with compliance and incident response, because investigators can review who ran what. Offboarding gets faster, too, because disabling one account on the identity store can remove access across many systems.

A good mental model: TACACS+ treats device administration like a controlled checkout counter, not a self-serve shelf.

AAA explained with a simple login example

Picture a junior technician opening an SSH session to a managed switch.

First, authentication happens. The switch prompts for a username and password (or another method), then forwards that request to the TACACS+ server. The server checks the credentials against its own database or a connected directory. If the identity matches, the server tells the switch to allow the login.

Next comes authorization. The switch asks what privilege level or command set this user should get. At this point, TACACS+ can apply role-based access control in a practical way. For example, the tech might get a read-only role, while a network engineer gets full configuration rights. The key idea is granularity. Instead of "all admin" or "no admin," authorization can allow certain commands and block others.

Finally, accounting tracks activity. The system logs that the user logged in, ran commands, and logged out. Those records help after a security event, and they also help during routine troubleshooting. If a config changed at 2:07 p.m., the accounting log can show which account ran the command.

Where TACACS+ shows up in the real world

TACACS+ most often appears where organizations need tight control over administrative actions. It commonly supports management access to:

  • Routers and switches
  • Firewalls and security gateways
  • Wireless LAN controllers
  • VPN concentrators
  • Network management and admin portals

In many environments, a central TACACS+ server handles these requests, so admins don't maintain local accounts on each device. For example, Cisco ISE can act as a TACACS+ server in networks that already use Cisco tooling. Other vendors offer similar TACACS+ services, including appliances and software servers.

Centralizing access also supports standard onboarding. When a new technician starts, you assign a role once and apply it across devices. When someone changes teams, you update the role. When someone leaves, you disable the account and end access quickly.

How TACACS+ works on the wire

TACACS+ uses a client-server model. The network device plays the role of a client, often called a NAS (network access server) in AAA language.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account