
TACACS+
Terminal Access Controller Access Control System, or TACACS, is a protocol used for AAA (Authentication, Authorization, and Audit). TACACS was created in 1984. TACACS is heavily used by Cisco, and Cisco created extended versions of TACACS named XTACACS and TACACS+. TACACS was defined in IETF RFC 927 in 1984 and then updated in RFC 1492 in 1993.
AAA (Authentication, Authorization, Audit)
TACACS is a complete protocol, designed and updated to meet the IT world's AAA (Authentication, Authorization, and Audit) needs. Let's learn what AAA means.
- `Authentication` is the process used to verify whether a given identity is what it claims to be. For example, when signing in to a web page we provide a username and password in order to authenticate ourselves. A username and password are the usual factors for authentication, but a private key, a dongle or similar things can also be used for authentication.
- `Authorization` is the process of granting rights to an authenticated user. Generally, roles are assigned to the given identity to operate with. For example, if we authenticate with a user that has the Administrator role, granting that user the Administrator rights is called Authorization.
- `Audit` is keeping logs about the actions of users and roles. This is very useful for auditing and analyzing the actions later for different purposes like incident response, compliance, etc.
TACACS
TACACS is a protocol served by a server service. The TACACS server handles all AAA-related requests and responds to them. TACACS works on server TCP port number 49 by default, but the port can be changed according to needs. UDP port 49 is also used for TACACS depending on the situation.
XTACACS
XTACACS is Extended TACACS, which provides many more features than the TACACS protocol. The most visible difference between TACACS and XTACACS is that in XTACACS the authentication, authorization and audit processes are separate processes, so they can be handled by different XTACACS servers.
TACACS+
TACACS+ is a completely new protocol which is different from TACACS and XTACACS and is not compatible with them. TACACS+ is a Cisco-designed extension of TACACS which adds encryption and granular command control.
TACACS Server
As TACACS is a protocol, a TACACS service can be served by different types of systems. Cisco provides the product ISE, which provides AAA with different protocols and also supports TACACS and TACACS+. For Linux distributions, TACACS+ can be installed with the tac_plus package. Below there is a simple TACACS+ configuration which restricts commands for different user groups.
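The sample configuration the text refers to did not survive on this page, so the following is an added example written for this article, not the tac_plus project's own sample. It uses the configuration syntax of the Shrubbery Networks tac_plus daemon as I know it; the key, group names, user names, command lists and password hashes are assumptions and placeholders. It shows the pattern that matters for least privilege: one group that is permitted everything, and one group whose default is deny with only a few commands explicitly allowed.

```conf
# Added example tac_plus.conf (not from the original article).
# Shared key: every device that talks to this server must use the same value.
# PLACEHOLDER_SHARED_KEY is a placeholder, not a real key.
key = "PLACEHOLDER_SHARED_KEY"

# Accounting records (the "Audit" part of AAA) are written here.
accounting file = /var/log/tac_plus.acct

# Full administrators: every service and every command is permitted.
group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Read-only operators: no "default service = permit", so anything not
# listed below is denied.  Only "show" and "ping" are allowed explicitly.
group = operators {
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = ping {
        permit .*
    }
}

# Users inherit the command policy of their group.
# PLACEHOLDER_CRYPT_HASH stands for a crypt-style hash (for example one
# produced with the tac_pwd tool shipped with tac_plus).
user = alice {
    member = netadmins
    login = des "PLACEHOLDER_CRYPT_HASH"
}

user = bob {
    member = operators
    login = des "PLACEHOLDER_CRYPT_HASH"
}
```

The important check when reviewing such a file is that the restricted group has no `default service = permit` line: with that line present, the per-command `permit` entries become meaningless because everything is already allowed.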

TACACS vs TACACS+ vs RADIUS
TACACS is a very old protocol which does not provide the features needed today. TACACS+ was designed by Cisco and provides very useful and up-to-date features for today's AAA. RADIUS also provides functions similar to TACACS+ and is popular in IT too.
Cisco TACACS Configuration
As Cisco is the creator of the TACACS+ protocol, we will configure a Cisco device such as a switch or router to use a TACACS+ server. Below we set the TACACS+ server IP address, or its hostname if the hostname can be resolved via DNS.
Router(config)# tacacs-server host 192.168.10.100
In the following line, we configure the shared key which will be used for authentication and encryption of the communication with the TACACS+ server.
Router(config)# tacacs-server key 34ASDFA^+SDG3F+GAF
Now we can enable the new AAA model on the Cisco device and set the TACACS+ server and key.
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default if-needed group tacacs+ local
Router(config)# aaa authorization network default group tacacs+
Router(config)# tacacs-server host 192.168.10.100
Router(config)# tacacs-server key mysecrettacacskey
Router(config)# interface serial 0
Router(config-if)# ppp authentication chap default
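To make concrete what the shared key configured above actually protects, here is an added example written for this article (not Cisco's code and not any TACACS+ server's code) that builds a TACACS+ authentication START packet and applies the body obfuscation defined in RFC 8907: the body is XORed with an MD5-derived pad computed from the session id, the shared key, the version byte and the sequence number, while the 12-byte header always stays in the clear. RFC 8907 calls this mechanism obfuscation rather than encryption and deprecates the unobfuscated mode, which the example reproduces with `key=None` so the difference is visible. The key, user, port, address and session id values are constructed for the demonstration.

```python
"""
Added example (not from the article): how the TACACS+ shared key is used.

Field layout follows RFC 8907.  The 12-byte header is never obfuscated;
the body is XORed with pad_1 || pad_2 || ... where
    pad_1 = MD5(session_id | key | version | seq_no)
    pad_n = MD5(session_id | key | version | seq_no | pad_n-1)
Sample user/port/address/session values below are constructed.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0x0 (default)
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear (deprecated)


def pseudo_pad(session_id, key, version, seq_no, length):
    """Generate `length` bytes of pad by chaining MD5 as described in RFC 8907."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; calling it again with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr):
    """Minimal authentication START body (RFC 8907 section 5.1) for an ASCII login."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([
        0x01,  # action: TAC_PLUS_AUTHEN_LOGIN
        0x01,  # priv_lvl requested by the client
        0x01,  # authen_type: TAC_PLUS_AUTHEN_TYPE_ASCII
        0x01,  # authen_service: TAC_PLUS_AUTHEN_SVC_LOGIN
        len(user_b), len(port_b), len(rem_b), 0,  # data_len is 0 for ASCII login
    ])
    return fixed + user_b + port_b + rem_b


def build_packet(ptype, seq_no, session_id, body, key):
    """Header + body as sent on TCP port 49. key=None reproduces the deprecated clear mode."""
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no,
                         flags, session_id, len(body))
    return header + payload


def parse_packet(packet, key):
    """Split the header, recover the body, and report whether it was obfuscated."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated body")
    obfuscated = not (flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = obfuscate(payload, session_id, key, version, seq_no) if obfuscated else payload
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "obfuscated": obfuscated, "body": body}


if __name__ == "__main__":
    key = b"PLACEHOLDER_SHARED_KEY"  # placeholder, not a real key
    body = build_authen_start("alice", "vty0", "192.0.2.10")  # constructed sample values
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x1A2B3C4D, body, key)
    print("header (always visible):", pkt[:HEADER_LEN].hex())
    print("body on the wire       :", pkt[HEADER_LEN:].hex())
    print("right key sees user    :", parse_packet(pkt, key)["body"][8:13])
    print("wrong key sees         :", parse_packet(pkt, b"wrong")["body"][8:13])
```

Two things the run makes visible: a server configured with a different key decodes the body to garbage rather than rejecting the packet outright, which is why a key mismatch between `tacacs-server key` on the device and the server shows up as failed logins rather than a clear error; and the header, including the session id, is always readable on the wire, so monitoring TCP port 49 traffic for packets with the unencrypted flag set is a cheap check that nobody has deployed the deprecated clear mode.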