
What Is TACACS Port?

Published Aug 29, 2025

Both the original Terminal Access Controller Access-Control System (TACACS) and its successor, TACACS+, use port 49, but they differ in transport protocol. The original TACACS used both TCP and UDP, while TACACS+ uses TCP port 49 exclusively; TCP is a connection-oriented transport that offers greater reliability and security.

In-depth article: TACACS ports and protocol details

The evolution of TACACS and its port usage

To fully understand the role of port 49 in TACACS, it is important to distinguish between the different versions of the protocol.

  • Original TACACS: Developed in the 1980s for ARPANET, this legacy protocol could use either TCP or UDP over port 49. It is now largely considered deprecated due to security limitations, such as leaving much of the packet data unencrypted.
  • XTACACS: A proprietary extension developed by Cisco in 1990, it offered improvements but remained a transitional protocol.
  • TACACS+: Developed by Cisco in 1993, this is the modern, open-standard version that has replaced its predecessors. It provides significant improvements, including:
    • Exclusive TCP usage: TACACS+ relies solely on TCP for its communications on port 49. This ensures reliable, connection-oriented data transfer.
    • Full packet encryption: In contrast to older versions, TACACS+ encrypts the entire packet payload, so sensitive data such as usernames and commands is protected.
    • Separate AAA functions: It completely separates the functions of authentication, authorization, and accounting, providing more granular control for administrators.

The importance of TCP port 49 in TACACS+

In a modern enterprise network, port 49 is associated almost exclusively with TACACS+ traffic, particularly for managing administrator access to network infrastructure.

  • Reliable communication: As a TCP-based protocol, TACACS+ ensures reliable, in-order delivery of packets. This prevents lost data, which is critical during authentication and authorization exchanges.
  • Encrypted packet payload: TACACS+ encrypts the entire body of its packets, using a shared secret key to obfuscate the data; this prevents unauthorized access and protects credentials and command strings from eavesdropping.
  • Firewall configuration: Network firewalls must be configured to allow TCP port 49 traffic between network devices (the TACACS+ clients) and the centralized TACACS+ servers. If this port is blocked, client-server communication fails and authentication requests cannot be completed.
  • Centralized AAA services: The primary function of port 49 is to facilitate the client-server model for centralized Authentication, Authorization, and Accounting (AAA).
    • Authentication: Verifies the user's identity based on credentials sent to the TACACS+ server over port 49.
    • Authorization: After a successful authentication, the server communicates the user's permissions and authorized commands to the network device via port 49.
    • Accounting: The TACACS+ server also collects and logs user activity and executed commands, with data passed over port 49 for auditing purposes.

Port 49 in practice: A sequence of events

Here is a typical sequence of events that highlights the role of TCP port 49:

  1. User attempts to log in: A network administrator attempts to access a device like a router or switch.
  2. TCP connection initiated: The network device (the TACACS+ client) establishes a TCP connection to the TACACS+ server on port 49.
  3. Authentication packets exchanged: The client and server communicate securely over this TCP connection. The client sends the user's credentials, and the server validates them against its user database.
  4. Authorization packets exchanged: If authentication succeeds, the server sends authorization information, detailing the user's specific command-level permissions.
  5. Access granted: Based on the authorization response received over port 49, the network device allows or denies the user's requested actions.
  6. Accounting begins: The network device sends accounting records to the server over the same TCP connection on port 49, detailing user activity for logging and auditing.
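The header-plus-obfuscated-body layout behind the "encrypted packet payload" point above and the client authentication START packet of step 3 in this sequence, as an added Python example (not code from the original article): it builds a constructed START packet, obfuscates the body with the shared secret using the chained-MD5 pseudo-pad defined in RFC 8907, and decodes it on the server side. The session id, user "netadmin", line "vty0", remote address and secret "s3cret" are constructed sample values; note that the 12-byte TACACS+ header is readable without the secret, and a wrong secret produces garbage rather than an error.

```python
import hashlib
import struct
HEADER_LEN = 12                    # the 12-byte TACACS+ header itself is always cleartext
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent without obfuscation (deprecated by RFC 8907)
HDR_FIELDS = ("version", "type", "seq_no", "flags", "session_id", "length")

def parse_header(raw: bytes) -> dict:
    """Read the cleartext header; no shared secret is needed for this part."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short TACACS+ header")
    return dict(zip(HDR_FIELDS, struct.unpack("!BBBBII", raw[:HEADER_LEN])))

def pseudo_pad(hdr: dict, key: bytes, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", hdr["session_id"]) + key + bytes([hdr["version"], hdr["seq_no"]])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(hdr: dict, key: bytes, body: bytes) -> bytes:
    """XOR the body with the pseudo-pad; the same call encodes and decodes."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(hdr, key, len(body))))

def build_authen_start(session_id: int, key: bytes, user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Client's first packet (seq_no 1): action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN."""
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr                    # data field is empty for an ASCII login
    # version 0xC0 (major 0xC, minor 0), type 0x01 = authentication, flags 0 = obfuscated body
    hdr = dict(zip(HDR_FIELDS, (0xC0, 0x01, 1, 0, session_id, len(body))))
    return struct.pack("!BBBBII", *(hdr[k] for k in HDR_FIELDS)) + obfuscate(hdr, key, body)

def decode_packet(raw: bytes, key: bytes) -> tuple:
    """Server side: parse the header, then de-obfuscate the body with the shared secret."""
    hdr = parse_header(raw)
    body = raw[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("truncated body")
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body
    return hdr, obfuscate(hdr, key, body)

def start_username(raw: bytes, key: bytes) -> bytes:
    _, body = decode_packet(raw, key)
    return body[8:8 + body[4]]    # user_len is byte 4; a wrong key gives garbage, not an error

# Constructed sample: client START for "netadmin" on line vty0, shared secret "s3cret"
SAMPLE_KEY = b"s3cret"
SAMPLE_PACKET = build_authen_start(0x1A2B3C4D, SAMPLE_KEY, b"netadmin", b"vty0", b"192.0.2.10")
```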

TACACS+ vs. RADIUS: A port comparison

Comparing TACACS+ with another popular AAA protocol, RADIUS, further clarifies the importance of port 49.

| Feature | TACACS+ | RADIUS |
| --- | --- | --- |
| Transport protocol | TCP | UDP |
| Primary port(s) | 49 (for all AAA) | 1812 (authentication) and 1813 (accounting) |
| Packet encryption | Encrypts the entire packet body, except for the standard TCP header. | Encrypts only the password within the authentication request, leaving other fields in plaintext. |
| AAA functions | Separates authentication, authorization, and accounting into distinct processes. | Combines authentication and authorization. |
| Authorization | Offers granular, command-level authorization, allowing fine-grained control over administrative access. | Uses pre-defined attributes sent from the server, providing less flexibility for granular control. |
| Best for | Network device administration in environments with high-security needs and complex access control requirements. | End-user access, such as dial-up, VPN, and wireless network authentication. |