"TACACS+ provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services."
TACACS+ (Terminal Access Controller Access Control System Plus) is the extended version of TACACS, the basic security authentication protocol for Cisco (and others) equipment. It provides a greater level of security and accounting for the end user but still has its flaws.
Setting up TACACS+ on a Cisco-based network can be a royal pain. One thing to note is that the process takes a large number of short steps, and if a power failure happens in the middle, you often end up locking yourself out!
TACACS+ provides for secure communication through a challenge/response, challenge/authorize system of password checking. Once connected to a network, TACACS+ authentication is requested by the local Switch or Router. The information is related to one (or more if you are sensible and want some redundancy) main server for authentication. If allowed, the switch lets the packets from that IP address through, based on monitoring of individual socket connections. Once a connection is finished, the switch reports traffic totals to the accounting machine (usually the same one) and totals are updated.
It works, but with a couple of points. TACACS+ only watches the socket connection status for an IP address for authentication. Thus if you hijack a connection you can get authorised traffic and surf away. Also, the challenge/response, challenge/authorize system is NOT encrypted in any way, so you can still steal passwords. But it works over all.
Quote taken from
http://www.cisco.com/warp/customer/459/tac-rfc.1.76.txt