Solving Dial-in Access Security Problems

This is the conclusion of the article on network security and TACACS+ that began in the last issue. In that issue, we discussed the three major components of network security (authentication, authorization, and accounting) and the alternative protocols to TACACS+.

In this issue, we discuss the key features of TACACS+. We also introduce CiscoSecure UNIX Server, Cisco's new, supported TACACS+ server product. See this issue's cover article for the key features of CiscoSecure UNIX Server.

TACACS+ is poised to become the leader in access security solutions. Here's why.

Because TACACS+ keeps the user database on a central server rather than in each access device, it saves memory in all the access devices and eliminates the need to update every NAS (Network Access Server) when new users are added, authorization is modified, or users change their passwords. In addition, the TACACS+ server and protocol are designed to support thousands of remote connections.

The TACACS+ model supports the following authentication, authorization, and accounting features.

Authentication

The TACACS+ protocol carries many kinds of username/password credentials, including those for ARAP, SLIP, PAP, CHAP, and standard Telnet logins. This allows a client to use the same username and password across these different protocols.
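
The following is an added worked example, not code from the original article or from Cisco, showing how one TACACS+ authentication exchange is encoded on the wire: the 12-byte header, the MD5-derived pseudo-pad that is XORed over the packet body under the shared key, and a PAP START sent by the NAS answered by a REPLY from the server. The user table, shared key and port names are constructed for the demo. One caveat the article does not mention: the body protection is a keyed XOR stream, which the current specification (RFC 8907) describes as obfuscation rather than encryption, so the NAS-to-server link still deserves network-level protection.

```python
import hashlib
import os
import struct

# Header constants from the TACACS+ specification (RFC 8907).
VERSION = 0xC0            # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01   # body sent in the clear (only when no key is configured)

# Authentication START / REPLY constants.
AUTHEN_LOGIN = 0x01       # action
AUTHEN_TYPE_PAP = 0x02    # authen_type
AUTHEN_SVC_LOGIN = 0x01   # authen_service
STATUS_PASS, STATUS_FAIL = 0x01, 0x02

# version, type, seq_no, flags, session_id, length (all network byte order)
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, key, seq_no, length):
    """MD5 keystream per the spec:
    pad_1 = MD5(session_id | key | version | seq_no)
    pad_n = MD5(session_id | key | version | seq_no | pad_{n-1})"""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR with the pseudo-pad; XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    flags = 0 if key else FLAG_UNENCRYPTED
    payload = obfuscate(body, session_id, key, seq_no) if key else body
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(payload)) + payload


def parse_packet(packet, key):
    _version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    return ptype, seq_no, session_id, body


def authen_start(user, port, rem_addr, password):
    """Authentication START body carrying a PAP username and password."""
    return (struct.pack("!BBBBBBBB", AUTHEN_LOGIN, 1, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(password))
            + user + port + rem_addr + password)


def parse_authen_start(body):
    action, _priv, atype, _svc, ulen, plen, rlen, dlen = struct.unpack_from("!BBBBBBBB", body)
    fields, off = {"action": action, "authen_type": atype}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n]
        off += n
    return fields


def authen_reply(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_authen_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack_from("!BBHH", body)
    return status, body[6:6 + msg_len]


# Constructed sample credential for the demo (not a real account).
USERS = {b"alice": b"correct horse"}


def exchange(user, password, key, session_id=None):
    """One NAS->server START and server->NAS REPLY; returns the REPLY status."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")
    # NAS side: seq_no 1 for the first packet of the session.
    wire1 = build_packet(TYPE_AUTHEN, 1, session_id,
                         authen_start(user, b"tty1", b"async", password), key)
    # Server side: de-obfuscate, check the credential, reply with seq_no + 1.
    _, seq, sid, body = parse_packet(wire1, key)
    req = parse_authen_start(body)
    ok = USERS.get(req["user"]) == req["data"]
    reply = authen_reply(STATUS_PASS if ok else STATUS_FAIL, b"Login OK" if ok else b"Denied")
    wire2 = build_packet(TYPE_AUTHEN, seq + 1, sid, reply, key)
    # NAS side: decode the reply.
    status, _msg = parse_authen_reply(parse_packet(wire2, key)[3])
    return status
```

Run `exchange(b"alice", b"correct horse", b"shared-secret")` to see a PASS; change the password or the user to see a FAIL. A NAS and server configured with different keys would each de-obfuscate the other's body into garbage, which is why key mismatch shows up as a parse error rather than as a clean FAIL.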

TACACS+ supports many password management features:

Password aging. Passwords must be changed after being used for a predetermined time period.

User password changes. Users may change their own passwords instead of requiring a network administrator to do it for them.

Strong password enforcement. New passwords are checked, and only ones that are hard to guess are accepted.

One-time passwords. S/Key or token cards can be used to implement one-time passwords, so a password captured in transit cannot be reused.
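
As an added example, not from the article, here is an S/Key-style one-time password scheme in working form: the server stores only a sequence number and the last accepted password, each login proves knowledge of the previous element of a hash chain, and a captured password cannot be replayed because the server moves one step down the chain after every success. This uses the MD5 variant and the 64-bit fold from RFC 2289 (original S/Key used MD4); the user, passphrase and seed are constructed for the demo, and the six-word encoding of the 64-bit value is omitted in favour of raw bytes.

```python
import hashlib


def fold(digest):
    """RFC 2289 fold: XOR the two 64-bit halves of a 128-bit MD5 output."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_chain(passphrase, seed, count):
    """Return element `count` of the chain (count >= 0).
    Element 0 is fold(MD5(seed + passphrase)); each later element is fold(MD5(previous)).
    The seed is lower-cased as RFC 2289 requires."""
    x = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        x = fold(hashlib.md5(x).digest())
    return x


class OtpServer:
    """Holds only (seed, sequence, last accepted OTP) per user; never the passphrase."""

    def __init__(self):
        self.db = {}

    def enroll(self, user, passphrase, seed, n):
        # The passphrase is used once here to seed the record and then discarded.
        self.db[user] = {"seed": seed, "seq": n, "last": otp_chain(passphrase, seed, n)}

    def challenge(self, user):
        rec = self.db[user]
        return "otp-md5 %d %s" % (rec["seq"] - 1, rec["seed"])

    def verify(self, user, candidate):
        rec = self.db[user]
        if rec["seq"] < 1:
            return False                      # chain exhausted; user must re-enroll
        if fold(hashlib.md5(candidate).digest()) != rec["last"]:
            return False                      # wrong passphrase, or a replayed password
        rec["seq"] -= 1                       # advance down the chain
        rec["last"] = candidate
        return True


def client_response(passphrase, challenge):
    """What a user's calculator produces from the server's challenge line."""
    _, seq, seed = challenge.split()
    return otp_chain(passphrase, seed, int(seq))


def demo():
    """Constructed session: one good login, a replay, a bad passphrase, another good login."""
    srv = OtpServer()
    srv.enroll("alice", "This is a test.", "TeSt", 99)
    first = client_response("This is a test.", srv.challenge("alice"))
    results = [srv.verify("alice", first),
               srv.verify("alice", first),      # replay of a used password
               srv.verify("alice", client_response("wrong phrase", srv.challenge("alice"))),
               srv.verify("alice", client_response("This is a test.", srv.challenge("alice")))]
    return results, srv.db["alice"]["seq"]
```

The server-side check is cheap (one MD5) and the stored value cannot be turned back into the next valid password, which is what lets the server hold it without the secrecy a reusable password database requires. Note that the sequence number must reach the server's record only after a successful check; decrementing on failure would let an attacker burn the chain.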

The basic protocol is very flexible, so many other features can be built on it. For example, it is possible to construct a system that presents menus to users, lets them select items, requires authentication, and connects them to the selected services.

Authorization

TACACS+ can tell a NAS which network services a user may access or which commands a network administrator may issue on a router. In addition, TACACS+ provides a mechanism to specify the exact port or ports on a particular NAS from which a user may connect. This allows finer control over user actions and can be used to create separate administrative groups based on user function. Each group can be assigned the features and services it is allowed, such as Telnet, IP, or AppleTalk.

TACACS+ can perform time-qualified authorization, permitting or denying login or particular services based on time of day, day of the week, or date. With the information available from accounting, it is also possible to detect users who are logged in multiple times from separate places, a sign of shared logins or password theft.

Accounting

Because TACACS+ runs over TCP, accounting records are delivered reliably to the accounting database, giving a more complete and therefore more trustworthy accounting log. The accounting portion of the TACACS+ protocol carries the network address of the user, the username, the service attempted, the protocol used, the time and date, and the packet-filter module that originated the record. The billing information includes connect time, user ID, connection location, amount of data transferred, and start and stop times.
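
The following added example, not from the article, puts the accounting fields above to the two uses the article names: it parses constructed accounting records (a simplified pipe-separated layout, not any real server's log format), pairs start and stop records by task ID to produce connect time and data transferred for billing, and flags a user who holds concurrent sessions from different remote addresses, the shared-login or password-theft signal mentioned under Authorization. Usernames, addresses and times are made up for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Layout (not a real server's format):
# time|nas_ip|user|port|rem_addr|start-or-stop|task_id|service[|attr=val...]
SAMPLE_LOG = """
1997-06-09T10:01:02|10.1.1.1|alice|tty3|192.0.2.20|start|101|ppp
1997-06-09T10:03:15|10.1.1.2|alice|tty7|198.51.100.7|start|102|ppp
1997-06-09T10:05:00|10.1.1.1|bob|tty4|192.0.2.21|start|103|shell
1997-06-09T10:20:30|10.1.1.1|alice|tty3|192.0.2.20|stop|101|ppp|bytes_in=2048|bytes_out=40960
1997-06-09T10:21:00|10.1.1.2|alice|tty7|198.51.100.7|stop|102|ppp|bytes_in=100|bytes_out=200
"""

FIELDS = ("time", "nas", "user", "port", "rem_addr", "type", "task_id", "service")


def parse_records(text):
    """Parse the log into dicts, sorted by time so later passes can run in order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        rec = dict(zip(FIELDS, parts[:len(FIELDS)]))
        rec["time"] = datetime.fromisoformat(rec["time"])
        rec["attrs"] = dict(p.split("=", 1) for p in parts[len(FIELDS):] if "=" in p)
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def find_concurrent_logins(records):
    """Flag a start record when the same user already has a live session
    from a different remote address. Sessions end at their stop record."""
    active = defaultdict(dict)          # user -> {task_id: rem_addr}
    alerts = []
    for r in records:
        sessions = active[r["user"]]
        if r["type"] == "start":
            others = set(sessions.values()) - {r["rem_addr"]}
            if others:
                alerts.append({"user": r["user"], "time": r["time"],
                               "rem_addrs": others | {r["rem_addr"]}})
            sessions[r["task_id"]] = r["rem_addr"]
        elif r["type"] == "stop":
            sessions.pop(r["task_id"], None)
    return alerts


def session_summary(records):
    """Billing view: pair each stop with its start by task_id.
    Sessions without a stop record are still open and are left out."""
    starts, summary = {}, {}
    for r in records:
        if r["type"] == "start":
            starts[r["task_id"]] = r
        elif r["type"] == "stop" and r["task_id"] in starts:
            s = starts.pop(r["task_id"])
            summary[r["task_id"]] = {
                "user": r["user"], "nas": r["nas"], "rem_addr": r["rem_addr"],
                "service": r["service"],
                "connect_secs": int((r["time"] - s["time"]).total_seconds()),
                "bytes_in": int(r["attrs"].get("bytes_in", 0)),
                "bytes_out": int(r["attrs"].get("bytes_out", 0)),
            }
    return summary


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for a in find_concurrent_logins(recs):
        print("ALERT %s: %s active from %s" % (a["time"], a["user"], sorted(a["rem_addrs"])))
    for task, info in session_summary(recs).items():
        print(task, info)
```

On the sample, alice's second start at 10:03:15 from 198.51.100.7 is flagged while her 192.0.2.20 session is still open; bob's single session and bob's lack of a stop record produce no alert and no billing row. The detection keys on remote address rather than NAS, since a legitimate user may well hold two sessions through one dial-in pool.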

In summary, TACACS+ is a powerful, flexible, full-featured protocol for access security. It is the foundation of Cisco's new CiscoSecure UNIX Server and something every network administrator should be familiar with.


Volume 2 Number 1