Question 272 of 530 from exam 400-251: CCIE Security written exam

CDF.

Sure, I'd be happy to explain the correct statements about the TACACS+ protocol:

A. TACACS+ is an IETF standard protocol: This statement is incorrect. TACACS+ is not an IETF (Internet Engineering Task Force) standard protocol. TACACS+ was originally developed by Cisco, but it is now an open standard.

B. TACACS+ uses TCP port 47 by default: This statement is incorrect. TACACS+ uses TCP port 49 by default.

C. TACACS+ is considered to be more secure than the RADIUS protocol: This statement is correct. TACACS+ is considered to be more secure than RADIUS (Remote Authentication Dial-In User Service) protocol because TACACS+ separates authentication, authorization, and accounting functions, while RADIUS combines them into a single function.

D. TACACS+ can support authorization and accounting while having another separate authentication solution: This statement is correct. TACACS+ can support authorization and accounting while having another separate authentication solution. This allows organizations to use different authentication methods for different services or devices while maintaining a centralized authorization and accounting system.

E. TACACS+ only encrypts the password of the user for security: This statement is incorrect. TACACS+ encrypts the entire packet, not just the password.

F. TACACS+ supports per-user or per-group for authorization of router commands: This statement is correct. TACACS+ supports both per-user and per-group authorization of router commands, allowing fine-grained control over who can execute specific commands on network devices.

So the correct statements are C, D, and F.