Centralised control with TACACS+

The context of the solution

With the advent of the European NIS2 directive, operators of industrial networks and critical infrastructure are facing new demands for access security. Managing hundreds of passwords and an opaque history of network activity is no longer just an operational risk, but a legislative issue. This case study describes how the integration of TACACS+ on METEL G-Series switches addresses these challenges.

Solution content

The Terminal Access Controller Access-Control System Plus (TACACS+) protocol is the gold standard for managing network elements. Unlike the more common RADIUS protocol, TACACS+ separates authentication, authorization, and accounting (AAA), allowing much finer control over what a particular administrator can do on the network.

Key features of LAN-RING (G-Series) deployments

  • Encrypted communications - The entire packet content is encrypted, eliminating the risk of eavesdropping on login credentials within the internal network.
  • Command granularity - Specific permission levels can be defined for administrators - for example, a maintenance technician can monitor port status but cannot change VLAN configuration.
  • Audit Trail (Accounting) - Every command executed is logged to a central server, which is crucial for forensic analysis in the event of an incident.

Impact on cybersecurity and NIS2 compliance

The implementation of TACACS+ on the G-Series switches directly supports NIS2 requirements, particularly in the following areas:

  1. Access Control: NIS2 requires a strict access control policy. By centralizing user management, you eliminate "one-size-fits-all" passwords and facilitate immediate account deactivation (e.g. when an employee leaves).
  2. Supply Chain Integrity and Security: Using proven G-Series hardware with robust protocol support, you strengthen the resilience of the entire system against tampering.
  3. Incident reporting and monitoring: detailed logging (Accounting) provides the basis for the mandatory reporting of security incidents that NIS2 strictly requires.

The result: a more secure and transparent network

TACACS+ on G-Series switches significantly reduces the risk of human error and targeted attacks. The network administrator has absolute visibility:

  • WHO has logged on to the switch.
  • WHEN it happened.
  • Exactly WHAT they changed in the configuration.

"Integrating TACACS+ into our LAN-RING G-Series switches is not just about the technical specification. It's about peace of mind for operators that their network meets the most stringent security standards of today and tomorrow."

Summary of Technical Specifications

| Features | Support on LAN-RING G-Series | Benefits for NIS2 |
|---|---|---|
| Separate AAA | Yes | Maximum control over permissions |
| Communication encryption | Yes (Full payload) | Protection against insider threats |
| Central administration | Yes (e.g. Cisco ISE, TACACS+ server) | Efficient identity management |
| Command logging | Yes | Transparent audit trail |