
TACACS (and TACACS+): Terminal Access Controller Access Control System

The TACACS+ protocol provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.

TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. This server was normally a program running on a host. The host would determine whether to accept or deny the request and send a response back. The TIP would then allow access or not, based upon the response. In this way, the process of making the decision is "opened up", and the algorithms and data used to make the decision are under the complete control of whoever is running the TACACS daemon. The extensions to the protocol provide for more types of authentication requests and more types of response codes than were in the original specification.

There are three versions of TACACS and the third version is called TACACS+, which is not compatible with previous versions.
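
Protocol Structure - TACACS and TACACS+

        4       8             16             24             32 bit
+-------+-------+--------------+--------------+--------------+
| Major | Minor | Packet type  | Sequence no. | Flags        |
+-------+-------+--------------+--------------+--------------+
| Session ID                                                 |
+------------------------------------------------------------+
| Length                                                     |
+------------------------------------------------------------+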

  • Major version - The major TACACS+ version number.
  • Minor version - The minor TACACS+ version number. This is intended to allow revisions to the TACACS+ protocol while maintaining backwards compatibility.
  • Packet type - Possible values are:
    TAC_PLUS_AUTHEN := 0x01 (Authentication).
    TAC_PLUS_AUTHOR := 0x02 (Authorization).
    TAC_PLUS_ACCT := 0x03 (Accounting).
  • Sequence number - The sequence number of the current packet for the current session.
  • Flags - This field contains various flags in the form of bitmaps. The flag values signify whether the packet is encrypted.
  • Session ID - The ID for this TACACS+ session.
  • Length - The total length of the TACACS+ packet body (not including the header).
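
The header layout above can be checked in code. The following is an added example, not part of the original page or of any TACACS+ implementation: it parses the 12-byte header and reports packets whose flags mark the body as sent in the clear. It assumes one complete packet per buffer, network byte order, and the flag bit value 0x01 from RFC 8907 (the page does not list flag values); the sample packets are constructed.

```python
import struct

# Packet type values as listed on this page.
PACKET_TYPES = {0x01: "TAC_PLUS_AUTHEN", 0x02: "TAC_PLUS_AUTHOR", 0x03: "TAC_PLUS_ACCT"}
# Assumption: flag bit taken from RFC 8907, set when the body is NOT obfuscated.
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# version (major/minor nibbles), type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")


def parse_header(packet: bytes) -> dict:
    """Parse the 12-byte TACACS+ header and sanity-check it against the body."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated header: need 12 bytes, got %d" % len(packet))
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype not in PACKET_TYPES:
        raise ValueError("unknown packet type 0x%02x" % ptype)
    body = packet[HEADER.size:]
    # Length counts the body only, not the header.
    if length != len(body):
        raise ValueError("length field %d does not match body size %d" % (length, len(body)))
    return {
        "major": version >> 4,
        "minor": version & 0x0F,
        "type": PACKET_TYPES[ptype],
        "seq_no": seq_no,
        "cleartext_body": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "session_id": session_id,
        "length": length,
    }


def audit(packets):
    """Return (session_id, type) for every packet whose body is sent in the clear."""
    findings = []
    for raw in packets:
        hdr = parse_header(raw)
        if hdr["cleartext_body"]:
            findings.append((hdr["session_id"], hdr["type"]))
    return findings


# Constructed sample packets (not captured traffic): header followed by a dummy body.
SAMPLE_OK = HEADER.pack(0xC0, 0x01, 1, 0x00, 0x1234ABCD, 4) + b"\x00" * 4
SAMPLE_CLEAR = HEADER.pack(0xC0, 0x03, 1, 0x01, 0x0BADF00D, 6) + b"\x00" * 6

if __name__ == "__main__":
    for pkt in (SAMPLE_OK, SAMPLE_CLEAR):
        print(parse_header(pkt))
    print("cleartext sessions:", audit([SAMPLE_OK, SAMPLE_CLEAR]))
```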


Related Protocols
TCP, RADIUS

Sponsor Source

TACACS (and TACACS+) is a Cisco protocol.
