tac_plus - tacacs plus daemon
<configfile> [ -GghiLPSstv
By default, tac_plus listens on tcp port 49
and provides network devices
(normally routers and access servers) with authentication, authorization and
A configuration file controls the details of authentication, authorization and
- -C <configfile>
- Specify the configuration file name. The -C option is
- -B <bind address>
- Specify the address on which the daemon should
bind(2). Successive instances of -B override previous
instances. By default, the daemon listens on all addresses. Note: this
changes the name of the pid file created by the daemon.
- Remain in the foreground, but not single-threaded nor
logging to the tty.
- -d <level>
- Switch on debugging. By default the output will appear in
the log file and syslog(3).
NOTE: The -g flag will cause these messages to also appear on stdout.
The -t flag will cause these messages to also be written to
The value of level is as described below. These values represent bits that
can be logically OR'd together. The daemon logically ORs successive
occurrences of the -d option.
2 configuration parsing debugging
4 fork(1) debugging
8 authorization debugging
16 authentication debugging
32 password file processing debugging
64 accounting debugging
128 config file parsing & lookup
256 packet transmission/reception
1024 MD5 hash algorithm debugging
2048 very low level encryption/decryption
32768 max session debugging
65536 lock debugging
- Single threaded mode. The daemon will only accept and
service a single connection at a time without forking and without closing
file descriptors. All log messages appear on standard output.
This is intended only for debugging and not for normal service.
This option does not work with single-connection sessions.
- Display help message.
- tac_plus will be run from inetd(8). In inetd mode,
the configuration file is parsed every time tac_plus starts.
If the configuration is large or the frequency of connections is high, this
negatively will affect the responsiveness of the daemon.
If the config file is small, connections are infrequent, and authentication
is being done via passwd(5) files or SKEY (which are not cached), running
in inetd mode should be tolerable, but still is not recommended.
This option does not work with single-connection sessions.
- -l <logfile>
- Specify an alternate log file location. This file is only
used when the -d option is used. The logs are still posted to
- Lookup DNS PTR (Domain Name System PoinTeR) record of
client addresses. The resulting FQDN (Fully Qualified Domain Name), if it
resolves, will be used in log messages, libwrap (tcp_wrappers) checks, and
for matching host clauses of the configuration file. Also see
- Parse the configuration file, echo it to standard output
while parsing, and then exit. tac_plus will exit non-zero when a
parser error occurs.
Useful for debugging configuration file syntax.
- -p <port>
- Listen on the specified port number instead of the default
port 49 for incoming tcp connections. Note: this changes the name
of the pid file created by the daemon.
- Enables or allows client single-connection mode, where-by
the client will create one connection and interleave queries.
Note: this is broken in IOS and IOS-XE.
Note: this is currently only partially supported in the daemon.
- Causes the daemon to always reject authentication requests
which contain a minor version number of zero (SENDPASS). This enhances
security in the event that someone discovers your encryption key. SENDPASS
requests permit requesters to obtain CHAP, PAP and ARAP passwords from the
daemon, iff the encryption key is known.
Note: IOS versions preceding 11.2 will fail.
- Log all informational, debugging or error messages to
/dev/console in addition to logging to syslogd. Useful for
- -u <wtmpfile>
- Write wtmp entries to the specified wtmp file.
- Display version information and exit.
- -w <wholog>
- Specify the location of the max session file.
is normally invoked by root, as follows:
# tac_plus -C <configfile>
where <configfile> is a full path to the configuration file. Tac_plus will
background itself and start listening on port 49 for incoming tcp connections.
Tac_plus must be invoked as root to obtain privileged network socket 49 and to
read the protected configuration file, which may contain confidential
information such as encryption keys and cleartext passwords.
After the port is acquired and the config file is read, root privileges are no
longer required. You can arrange that tac_plus will change its user and group
IDs to a more innocuous user and group via the configuration file.
NOTE: The new user and group still needs permission to read any passwd(5) (and
shadow(5)) files and S/KEY database if these are being used.
was compiled with libwrap (aka. tcp_wrappers) support, upon
connection the daemon will consult with tcp_wrappers on whether the client has
permission to connect. The daemon name used in a daemon list of the access
control file is the name of the executable, normally "tac_plus". See
The configuration file should be unreadable and unwriteable by anyone except
root, as it contains passwords and keys.
If the daemon is receives a SIGHUP or SIGUSR1, it will reinitialize itself and
re-read its configuration file.
Note: if an error is encountered in the configuration file or the file can not
be opened for reading, such as due to insufficient permissions resulting from
process ownership and file permissions, the daemon will exit.
Likewise, if the daemon is configured to send accounting records to a file and
that file can not be opened for writing, such as due to insufficient
permissions resulting from process ownership and file permissions, the daemon
logs error and informational messages to syslog facility
- Default accounting file.
- Default log file used when the -d option is
- Pid file. If the -B option is used,
".bind_address" is appended. If the -p option is used,
".port_number" is appended.
Also see the tac_plus
User Guide (user_guide) that came with the
distribution. The user guide does not cover all the modifications to the
original Cisco version.
There are at least 3 versions of the authentication protocol that people
commonly refer to as "TACACS".
The first is ordinary tacacs, which was the first one offered on Cisco boxes and
has been in use for many years. The second is an extension to the first,
commonly called Extended Tacacs or XTACACS, introduced in 1990.
The third one is TACACS+ (or T+ or tac_plus) which is what is documented here.
TACACS+ is NOT COMPATIBLE with any previous versions of tacacs.
The tac_plus (tacacs+) developer's kit is a product of Cisco Systems, written by
Lol Grant. Made available at no cost and with no warranty of any kind. See the
file COPYING and source files that came with the distribution for specifics.
Though heavily modified from the original Cisco manual pages, much of the
modifications are derived from the tacacs IETF draft and the Cisco user