Man Linux: Main Page and Category List


       tac_plus - tacacs plus daemon


       tac_plus -C <configfile> [-GghiLPSstv] [-B <bind_address>] [-d <level>]
       [-l <logfile>] [-p <tcp_port>] [-u <wtmpfile>] [-w <wholog>]


       By default, tac_plus listens  on  tcp  port  49  and  provides  network
       devices  (normally  routers  and  access  servers) with authentication,
       authorization and accounting services.

       A  configuration  file  controls   the   details   of   authentication,
       authorization and accounting.


       -C <configfile>

              Specify the configuration file name.  The -C option is required.

       -B <bind address>

              Specify  the  address  on  which  the  daemon  should   bind(2).
              Successive  instances  of  -B  override  previous instances.  By
              default, the  daemon  listens  on  all  addresses.   Note:  this
              changes the name of the pid file created by the daemon.

       -G     Remain in the foreground, but not single-threaded nor logging to
              the tty.

       -d <level>
              Switch on debugging.  By default the output will appear  in  the
              log file and syslog(3).

              NOTE:  The  -g  flag will cause these messages to also appear on
              stdout.  The -t flag  will  cause  these  messages  to  also  be
              written to /dev/console.

              The  value  of  level  is  as  described  below.   These  values
              represent bits that can be logically OR’d together.  The  daemon
              logically ORs successive occurrences of the -d option.

              Value   Meaning
              8       authorization debugging
              16      authentication debugging
              32      password file processing debugging
              64      accounting debugging
              128     config file parsing & lookup
              256     packet transmission/reception
              512     encryption/decryption
              1024    MD5 hash algorithm debugging
              2048    very low level encryption/decryption

       -g     Single threaded mode.  The daemon will only accept and service a
              single connection at a time without forking and without  closing
              file descriptors.  All log messages appear on standard output.

              This  is intended only for debugging and not for normal service.

              This option does not work with single-connection sessions.

       -h     Display help message.

       -i     tac_plus  will  be  run  from  inetd(8).   In  inetd  mode,  the
              configuration file is parsed every time tac_plus starts.

              If the configuration is large or the frequency of connections is
              high, this negatively will  affect  the  responsiveness  of  the

              If  the  config  file  is small, connections are infrequent, and
              authentication is being done via passwd(5) files or SKEY  (which
              are  not cached), running in inetd mode should be tolerable, but
              still is not recommended.

              This option does not work with single-connection sessions.

       -l <logfile>
              Specify an alternate log file location.  This file is only  used
              when  the  -d  option  is  used.   The  logs are still posted to

       -L     Lookup DNS PTR (Domain Name System  PoinTeR)  record  of  client
              addresses.  The resulting FQDN (Fully Qualified Domain Name), if
              it  resolves,  will   be   used   in   log   messages,   libwrap
              (tcp_wrappers)  checks,  and  for  matching  host clauses of the
              configuration file.  Also see tac_plus.conf(5).

       -P     Parse the configuration file, echo it to standard  output  while
              parsing,  and  then  exit.   tac_plus  will exit non-zero when a
              parser error occurs.

              Useful for debugging configuration file syntax.

       -p <port>
              Listen on the specified port number instead of the default  port
              49 for incoming tcp connections.  Note: this changes the name of
              the pid file created by the daemon.

       -S     Enables or allows client single-connection  mode,  where-by  the
              client will create one connection and interleave queries.

              Note: this is broken in IOS and IOS-XE.

              Note:  this is currently only partially supported in the daemon.

       -s     Causes the daemon to always reject authentication requests which
              contain  a  minor  version  number  of  zero  (SENDPASS).   This
              enhances security in  the  event  that  someone  discovers  your
              encryption  key.   SENDPASS requests permit requesters to obtain
              CHAP, PAP and ARAP passwords from the daemon, iff the encryption
              key is known.

              Note: IOS versions preceding 11.2 will fail.

       -t     Log   all   informational,   debugging   or  error  messages  to
              /dev/console in addition  to  logging  to  syslogd.  Useful  for

       -u <wtmpfile>
              Write wtmp entries to the specified wtmp file.

       -v     Display version information and exit.

       -w <wholog>
              Specify the location of the max session file.


       tac_plus is normally invoked by root, as follows:

           # tac_plus -C <configfile>

       where  <configfile> is a full path to the configuration file.  Tac_plus
       will background itself and start listening on port 49 for incoming  tcp

       Tac_plus must be invoked as root to obtain privileged network socket 49
       and to  read  the  protected  configuration  file,  which  may  contain
       confidential   information   such  as  encryption  keys  and  cleartext

       After the port is acquired and the config file is read, root privileges
       are  no longer required.  You can arrange that tac_plus will change its
       user and group  IDs  to  a  more  innocuous  user  and  group  via  the
       configuration file.

       NOTE:  The  new  user  and  group  still  needs  permission to read any
       passwd(5) (and shadow(5)) files and S/KEY database if these  are  being


       If tac_plus was compiled with libwrap (aka. tcp_wrappers) support, upon
       connection the daemon will consult with  tcp_wrappers  on  whether  the
       client  has  permission  to  connect.  The daemon name used in a daemon
       list of the access control file is the name of the executable, normally
       "tac_plus".  See hosts_access(5).


       The  configuration  file should be unreadable and unwriteable by anyone
       except root, as it contains passwords and keys.


       If the daemon is receives a SIGHUP or  SIGUSR1,  it  will  reinitialize
       itself and re-read its configuration file.

       Note:  if an error is encountered in the configuration file, the daemon
       will die.


       tac_plus logs error  and  informational  messages  to  syslog  facility


       /var/log/tac_plus.acct        Default accounting file.

       /var/log/tac_plus.log         Default  log file used when the -d option
                                     is used.

       /var/run/         Pid file.  If  the  -B  option  is  used,
                                     ".bind_address"  is  appended.  If the -p
                                     option   is   used,   ".port_number"   is


       tac_plus.conf(5), tac_pwd(8)

       Also  see  the  tac_plus  User  Guide  (user_guide)  that came with the
       distribution.  The user guide does not cover all the  modifications  to
       the original Cisco version.


       There  are  at  least  3  versions  of the authentication protocol that
       people commonly refer to as "TACACS".

       The first is ordinary tacacs, which was the first one offered on  Cisco
       boxes  and  has been in use for many years.  The second is an extension
       to the first, commonly called Extended Tacacs or XTACACS, introduced in

       The  third  one  is  TACACS+  (or  T+  or  tac_plus)  which  is what is
       documented here.  TACACS+ is NOT COMPATIBLE with any previous  versions
       of tacacs.


       The  tac_plus  (tacacs+) developer’s kit is a product of Cisco Systems,
       written by Lol Grant.  Made available at no cost and with  no  warranty
       of  any kind.  See the file COPYING and source files that came with the
       distribution for specifics.

       Though heavily modified from the original Cisco manual pages,  much  of
       the  modifications are derived from the tacacs IETF draft and the Cisco
       user guide.

                                 27 July 2009                      tac_plus(8)