TACACS

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks; it spawned related protocols:

Extended TACACS (XTACACS) is a proprietary extension to TACACS introduced by Cisco Systems in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both allow a remote access server to communicate with an authentication server in order to determine if the user has access to the network.

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ and other flexible AAA protocols have largely replaced their predecessors.

Technical descriptions
TACACS
TACACS is defined in RFC 1492, and uses (either TCP or UDP) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. TACACSD uses TCP and usually runs on port 49. It determines whether to accept or deny the authentication request and sends a response back. The TIP (the routing node accepting dial-up line connections, which the user would normally want to log in to) then allows access or not, based upon the response. In this way, the process of making the decision is “opened up”, and the algorithms and data used to make the decision are under the complete control of whoever is running the TACACS daemon.

TACACS+
TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and is not compatible with its predecessors, TACACS and XTACACS. TACACS+ uses TCP (while RADIUS operates over UDP). Since TACACS+ uses the authentication, authorization, and accounting (AAA) architecture, these separate components of the protocol can be segregated and handled on separate servers.[5]

Since TCP is a connection-oriented protocol, TACACS+ does not have to implement transmission control. RADIUS, however, does have to detect and correct transmission errors such as packet loss and timeouts, since it rides on UDP, which is connectionless. RADIUS encrypts only the user's password as it travels from the RADIUS client to the RADIUS server. All other information, such as the username, authorization, and accounting data, is transmitted in clear text. Therefore, it is vulnerable to different types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.

TACACS+ is a Cisco-designed extension to TACACS that encrypts the full content of each packet. Moreover, it provides granular control (command-by-command authorization).

This article is excerpted from the original at: https://en.wikipedia.org/wiki/TACACS