TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. We must have access to and must configure a TACACS+ server before the configured TACACS+ features on a network access server are available. It provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service authentication, authorization, and accounting independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service. The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers.
Syntax: Router(config)#tacacs-server host <ip-address> key <keyname>
Ex: Router(config)#tacacs-server host 192.168.10.1 key cisco123
Features of TACACS+ Server
a. Granular control: TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. TACACS+ is very commonly used for device administration.
b. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.
c. TACACS+ is a Cisco proprietary protocol (later became an Open standard), and very widely supported by various vendors offering AAA servers. Note that RADIUS is an Open Standard and widely supported too.
d. TACACS+ uses TCP port (port #49) to communicate between the server and the client.
With respect to the given command "test aaa group tacacs+ admin Frisco123 legacy", the following are true:
It enables you to verify that the ACS to router authentication component is working
Frisco123 is the shared secret that has been configured on the ACS server
It tests the reachability of ACS server
TACACS+ is the group name