Port reference
Port 49 (TCP) – TACACS+
TACACS+ — Cisco's AAA protocol that authenticates and authorizes administrative access to network devices.
Default state
Open on TACACS+ servers (ISE, ACS, tac_plus). Should be reachable only from managed network devices, never the internet.
Common attacks
- Shared-secret cracking from captured TACACS+ traffic
- Body decryption exposing usernames, commands, and authorization data
- Man-in-the-middle interception of device administration sessions
- Replay and brute-force of administrator logins
Hardening
- Use a long, random shared secret per device, not a global one
- Restrict TCP 49 to management VLANs and AAA servers only
- Tunnel TACACS+ over IPsec where the network is untrusted
- Enable command accounting and alert on failed administrative logins
- Patch the AAA server (ISE/ACS) and rotate secrets regularly
nmap snippet
nmap -p49 --script banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 49?
Port 49 carries TACACS+, Cisco's protocol for AAA — authentication,
authorization, and accounting — of administrative access to network devices.
When an engineer logs into a router, switch, or firewall, the device forwards
credentials over TCP 49 to a TACACS+ server (such as Cisco ISE, ACS, or
tac_plus), which decides whether the login and each command are permitted.
Unlike RADIUS, TACACS+ separates authorization from authentication and encrypts
the full packet body.
Why it matters for security
TACACS+ gates privileged access to the network backbone, so compromising it hands an attacker control of routers and switches. The body encryption relies on a shared secret and a weak MD5-based scheme: anyone who captures traffic can attempt to recover the secret offline and then decrypt usernames, typed commands, and authorization decisions. A reused or short secret makes this trivial.
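To make the "weak MD5-based scheme" concrete, here is an added example (not code from the page or from any TACACS+ vendor) that implements the header layout and the body obfuscation exactly as RFC 8907 section 4.5 specifies it: the body is XORed with a keystream made of chained MD5 digests over the session ID, the shared secret, the version byte and the sequence number. The packet builder, the constructed START body and the field values (session ID, user, port) are assumptions for illustration. The point for a defender is that nothing but the secret stands between a captured packet and its plaintext, and that a packet with the unencrypted flag set is a misconfiguration worth alerting on.

```python
"""TACACS+ (RFC 8907) header parsing and body obfuscation, added example."""
import hashlib
import struct

HEADER_LEN = 12                     # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body is sent in cleartext
TAC_PLUS_VERSION_DEFAULT = 0xC0     # major version 0xC, minor version 0


def parse_header(packet: bytes) -> dict:
    """Split the fixed 12-byte TACACS+ header into its fields."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int,
               length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id, key, version,
    seq_no); MD5_n = MD5(..., MD5_n-1); concatenated and truncated to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()   # each block chains the previous digest
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, session_id: int, version: int,
              seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str) -> bytes:
    """Constructed authentication START body (action LOGIN, priv level 1,
    ASCII authentication, LOGIN service) followed by the variable fields."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x01, 0x01
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return (bytes([action, priv_lvl, authen_type, service,
                   len(u), len(p), len(r), len(d)]) + u + p + r + d)


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, version: int = TAC_PLUS_VERSION_DEFAULT,
                 flags: int = 0) -> bytes:
    """Header plus (obfuscated or, if the flag is set, cleartext) body."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags,
                         session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + obfuscate(body, key, session_id, version, seq_no)


def decode_packet(packet: bytes, key: bytes):
    """Recover the body of a captured packet given the shared secret."""
    h = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return h, body
    return h, obfuscate(body, key, h["session_id"], h["version"], h["seq_no"])


def is_cleartext(packet: bytes) -> bool:
    """True when the device or server sent the body unencrypted: a misconfiguration."""
    return bool(parse_header(packet)["flags"] & TAC_PLUS_UNENCRYPTED_FLAG)


if __name__ == "__main__":
    body = authen_start_body("admin", "vty0", "10.0.0.5")   # constructed values
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x12345678, body, b"correct-secret")
    print(parse_header(pkt))
    print(decode_packet(pkt, b"correct-secret")[1] == body)
```

Note that the keystream depends on the sequence number, so each packet in a session gets a different pad, but every pad is derived from the same secret; a wrong secret yields garbage rather than an error, which is why a verification step (the decoded START body having sane length fields) is what tells a capture tool whether the secret it holds is right.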
How it's attacked
Attackers on a management path capture TACACS+ packets and crack the shared secret offline, after which the entire session — including commands run on core devices — is readable. They also attempt man-in-the-middle interception, replay of captured exchanges, and brute-force of administrator logins when accounting and lockout are absent.
Hardening checklist
Use a long, random shared secret per device rather than one global value, and rotate secrets regularly. Restrict TCP 49 to management VLANs and AAA servers, never exposing it to untrusted networks. Where the path is untrusted, tunnel TACACS+ over IPsec. Enable command accounting and alert on failed administrative logins. Keep the AAA server patched. The nmap banner check above confirms exposure on hosts you are authorized to test.
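The checklist asks for command accounting and alerts on failed administrative logins. The added example below (not code from the page, and not tied to any vendor's log format) shows the detection logic such an alert needs: it parses authentication and accounting events, raises one alert per source/user pair that fails more than a threshold of logins inside a sliding window, and builds a per-administrator command history from the accounting records. The log lines are constructed in a simple timestamp-plus-key=value layout; real tac_plus or ISE exports have their own layouts, so only parse_line needs adapting.

```python
"""Failed-login burst detection and command accounting over constructed
TACACS+ event lines, added example."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z device=10.0.0.1 user=admin port=vty0 src=10.0.0.5 type=authen result=fail
2024-03-01T10:00:04Z device=10.0.0.1 user=admin port=vty0 src=10.0.0.5 type=authen result=fail
2024-03-01T10:00:09Z device=10.0.0.1 user=admin port=vty0 src=10.0.0.5 type=authen result=fail
2024-03-01T10:00:15Z device=10.0.0.1 user=admin port=vty0 src=10.0.0.5 type=authen result=fail
2024-03-01T10:00:21Z device=10.0.0.1 user=admin port=vty0 src=10.0.0.5 type=authen result=pass
2024-03-01T10:00:30Z device=10.0.0.1 user=admin port=vty0 src=10.0.0.5 type=acct cmd="show running-config"
2024-03-01T10:01:02Z device=10.0.0.1 user=admin port=vty0 src=10.0.0.5 type=acct cmd="configure terminal"
2024-03-01T10:05:00Z device=10.0.0.2 user=ops port=vty1 src=10.0.0.9 type=authen result=fail
2024-03-01T10:20:00Z device=10.0.0.2 user=ops port=vty1 src=10.0.0.9 type=authen result=fail
2024-03-01T10:20:10Z device=10.0.0.2 user=ops port=vty1 src=10.0.0.9 type=authen result=pass
"""


def parse_line(line: str) -> dict:
    """Timestamp first, then key=value fields; shlex keeps quoted commands whole."""
    ts, *fields = shlex.split(line)
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def failed_login_bursts(events, threshold: int = 4,
                        window: timedelta = timedelta(seconds=60)) -> list:
    """One (src, user, count, window_start) alert per source/user pair whose
    failed logins reach `threshold` inside any `window`-long sliding span."""
    fails = defaultdict(list)
    for e in events:
        if e.get("type") == "authen" and e.get("result") == "fail":
            fails[(e["src"], e["user"])].append(e["ts"])
    alerts = []
    for (src, user), times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, user, end - start + 1, times[start]))
                break                               # one alert per pair
    return alerts


def commands_by_user(events) -> dict:
    """Command accounting view: which commands each administrator ran, in order."""
    history = defaultdict(list)
    for e in events:
        if e.get("type") == "acct" and "cmd" in e:
            history[e["user"]].append(e["cmd"])
    return dict(history)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in failed_login_bursts(evts):
        print("ALERT failed-login burst:", alert)
    print(commands_by_user(evts))
```

With the sample data, the four failures from 10.0.0.5 against the admin account within 14 seconds trigger one alert, while the two failures from 10.0.0.9 fifteen minutes apart do not; the command history shows the same admin session moving into configuration mode right after a burst of failures and a success, which is the combination an on-call engineer would want paged on.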
Frequently asked questions
- What is port 49 used for?
- Port 49 is TACACS+, Cisco's AAA protocol that authenticates administrators logging into routers, switches, and firewalls and authorizes the commands they can run.
- Is TACACS+ traffic encrypted?
- TACACS+ encrypts the packet body with the shared secret, but the design is cryptographically weak. A captured session can be decrypted offline if the secret is guessed.