CompTIA Security+ (SY0-601) — Question 225

A security analyst needs to centrally manage credentials and permissions to the company’s network devices. The following security requirements must be met:

• All actions performed by the network staff must be logged.
• Per-command permissions must be possible.
• The authentication server and the devices must communicate through TCP.

Which of the following authentication protocols should the analyst choose?

Answer options

Correct answer: C

Explanation

TACACS+ is the correct choice because it allows fine-grained control over permissions, logs all actions, and communicates over TCP. Kerberos is primarily for single sign-on and does not log per-command actions. CHAP is used for authentication but does not meet the requirements for logging and command-level permissions, while RADIUS does not provide the same level of control as TACACS+.