diff --git a/net/tac_plus4/Makefile b/net/tac_plus4/Makefile
index cbc35c024f21..cf74514cde9d 100644
--- a/net/tac_plus4/Makefile
+++ b/net/tac_plus4/Makefile
@@ -1,57 +1,58 @@
 PORTNAME= tac_plus
 PORTVERSION= F4.0.4.28
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= net security
 MASTER_SITES= ftp://ftp.shrubbery.net/pub/${PORTNAME}/
 DISTNAME= tacacs-${PORTVERSION}
 MAINTAINER= marcus@FreeBSD.org
 COMMENT= Cisco remote authentication/authorization/accounting server
 WWW= https://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml
 GNU_CONFIGURE= yes
 GNU_CONFIGURE_MANPREFIX= ${PREFIX}/share
 USES= bison cpe perl5 libtool
 USE_PERL5= build
 USE_RC_SUBR= tac_plus
+SUB_LIST= TACACS_USER=${USERS}
 USE_LDCONFIG= yes
-CONFIGURE_ARGS= --with-groupid=$$(/usr/bin/id -g tacacs 2>/dev/null || echo '559') \
- --with-userid=$$(/usr/bin/id -u tacacs 2>/dev/null || echo '559')
+CONFIGURE_ARGS= --with-groupid=$$(/usr/bin/id -g ${GROUPS} 2>/dev/null || echo '559') \
+ --with-userid=$$(/usr/bin/id -u ${USERS} 2>/dev/null || echo '559')
 CPE_VENDOR= cisco
 USERS= tacacs
 GROUPS= tacacs
 CONFLICTS= ru-tac+ia tac_plus-libradius
 MAKE_JOBS_UNSAFE= yes
 OPTIONS_DEFINE= DOCS
 # check expiration dates against 'expire' field of master.passwd file
 .if defined(TAC_EXPIRE_MASTER_PASSWD)
 EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-bb
 .endif
 .if exists(/usr/include/skey.h) && !defined(WITHOUT_SKEY)
 CONFIGURE_ARGS+= --with-skey
 .else
 CONFIGURE_ARGS+= --without-skey
 .endif
 .if exists(/usr/include/opie.h) && !defined(WITHOUT_OPIE)
 CPPFLAGS+= -DOPIE
 LIBS+= -lopie -lmd
 .endif
 post-patch:
 @${REINPLACE_CMD} -e 's|skey_get_algorithm|skeychallenge|g' \
 ${WRKSRC}/configure
 post-install:
 ${INSTALL_DATA} ${FILESDIR}/tac_plus.conf.example ${STAGEDIR}${PREFIX}/etc
 @${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/tac_plus
 ${INSTALL_DATA} ${WRKSRC}/users_guide ${STAGEDIR}${PREFIX}/share/doc/tac_plus
 ${INSTALL_SCRIPT} ${WRKSRC}/tac_convert ${STAGEDIR}${PREFIX}/share/doc/tac_plus
 .include 
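Review bot: The `'559'` fallback in the new CONFIGURE_ARGS is an unexplained magic number that now appears twice, and since the USERS/GROUPS framework, as far as I know, creates the `tacacs` account at package install rather than build time, `id` will normally fail on a clean builder and that fallback is what gets compiled in as the daemon's UID/GID. Hoist it into one documented variable, e.g. `TACACS_ID=	559	# compiled-in UID/GID when ${USERS} is absent at build time; presumably the tacacs entry in the ports UIDs/GIDs files — confirm` and `--with-groupid=$$(/usr/bin/id -g ${GROUPS} 2>/dev/null || echo '${TACACS_ID}')`, likewise for `--with-userid`. Separately, `CPPFLAGS+= -DOPIE` here (and `#ifdef OPIE` in patch-choose_authen.c) disagrees with the users_guide patch in this same commit, which tells readers to build with `-DWITH_OPIE`; one of the two should be aligned so the shipped guide does not describe a flag the code never tests.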
diff --git a/net/tac_plus4/files/patch-choose_authen.c b/net/tac_plus4/files/patch-choose_authen.c
index ccfe7badd3ab..da3b778ac85e 100644
--- a/net/tac_plus4/files/patch-choose_authen.c
+++ b/net/tac_plus4/files/patch-choose_authen.c
@@ -1,34 +1,32 @@
 --- choose_authen.c.orig 2012-04-16 21:42:55 UTC
 +++ choose_authen.c
-@@ -130,12 +130,29 @@ choose_login(struct authen_data *data, s
+@@ -130,10 +130,27 @@ choose_login(struct authen_data *data, struct authen_t
 #else /* SKEY */
 report(LOG_ERR,
 "%s %s: user %s s/key support has not been compiled in",
 - name ? name : "",
 - session.peer, session.port);
 + session.peer, session.port,
 + name ? name : "");
 return(CHOOSE_FAILED);
 #endif /* SKEY */
- }
-
++ }
++
 + if (cfg_passwd && STREQ(cfg_passwd, "opie")) {
 + if (debug & DEBUG_PASSWD_FLAG)
 + report(LOG_DEBUG, "%s %s: user %s requires opie",
 + session.peer, session.port, name);
 +#ifdef OPIE
 + type->authen_func = opie_fn;
 + strcpy(type->authen_name, "opie_fn");
 + return (CHOOSE_OK);
 +#else /* OPIE */
 + report(LOG_ERR,
 + "%s %s: user %s opie support has not been compiled in",
 + session.peer, session.port,
 + name ? name : "");
 + return(CHOOSE_FAILED);
 +#endif /* OPIE */
-+ }
-+
+ }
+
 /* Does this user require aceclnt */
- cfg_passwd = cfg_get_login_secret(name, TAC_PLUS_RECURSE);
- if (cfg_passwd && STREQ(cfg_passwd, "aceclnt")) {
diff --git a/net/tac_plus4/files/patch-tac__plus.8.in b/net/tac_plus4/files/patch-tac__plus.8.in
new file mode 100644
index 000000000000..585a4e8e9972
--- /dev/null
+++ b/net/tac_plus4/files/patch-tac__plus.8.in
@@ -0,0 +1,14 @@
+--- tac_plus.8.in.orig 2024-08-26 12:52:38 UTC
++++ tac_plus.8.in
+@@ -206,8 +206,10 @@ in addition to logging to syslogd. Useful for debuggin
+ /dev/console
+ in addition to logging to syslogd. Useful for debugging.
+ .\"
+-.TP \-U
++.TP
++.B \-U
+ Specify the username or UID to
++.B
+ .IR setuid(2).
+ If the daemon was compiled with a specific UID, this option overrides that
+ value.
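Review bot: In the opie block carried by this patch the debug report passes `name` unguarded, `report(LOG_DEBUG, "%s %s: user %s requires opie", session.peer, session.port, name);`, while the error path a few lines below guards it with `name ? name : ""`; if `name` can be NULL on this path the `%s` is undefined behaviour, so use the same guard in both places, `session.peer, session.port, name ? name : "");`. Whether a NULL name is reachable depends on choose_login's caller, which is outside the hunk, as is the rest of choose_login. The hunk itself only re-spans the inner patch (its header shrinks from 12/29 to 10/27 lines and the closing brace moves from context to addition) and, as far as I can tell, produces the same source as before, so that part needs no change.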
diff --git a/net/tac_plus4/files/patch-users_guide.in b/net/tac_plus4/files/patch-users_guide.in
index 8c839cf8669d..6f4b5ae9fecd 100644
--- a/net/tac_plus4/files/patch-users_guide.in
+++ b/net/tac_plus4/files/patch-users_guide.in
@@ -1,32 +1,33 @@
 --- users_guide.in.orig 2011-05-27 22:11:57 UTC
 +++ users_guide.in
-@@ -164,7 +164,10 @@ for S/KEY in the Makefile. I got my S/K
+@@ -164,8 +164,11 @@ suggest you try a web search for s/key source code.
 crimelab.com but now it appears the only source is ftp.bellcore.com. I
 suggest you try a web search for s/key source code.
 -Note: S/KEY is a trademark of Bell Communications Research (Bellcore).
 +To use OPIE, you must have built tac_plus with the -DWITH_OPIE flag.
-+
+
 +Note: S/KEY and OPIE are a trademark of Bell Communications Research
 +(Bellcore).
-
++
 Should you need them, there are routines for accessing password files (getpwnam,setpwent,endpwent,setpwfile) in pw.c.
+
 @@ -414,7 +417,16 @@ be authenticated via s/key, as follows:
 login = skey
 }
 -4). Authentication using PAM (Pluggable Authentication Modules)
 +4). Authentication using opie.
 +
 +If you have successfully built tac_plus with opie support, you can specify
 +a user be authenticated via opie, as follows:
 +
 + user = marcus {
 + login = opie
 + }
 +
 +5). Authentication using PAM (Pluggable Authentication Modules)
 Assuming that your OS supports it, tac_plus can be configured to use PAM for authentication, which may make it possible to use LDAP, SecureID, etc
diff --git a/net/tac_plus4/files/tac_plus.in b/net/tac_plus4/files/tac_plus.in
index eb92cb03126c..d4c8743216f8 100644
--- a/net/tac_plus4/files/tac_plus.in
+++ b/net/tac_plus4/files/tac_plus.in
@@ -1,95 +1,95 @@
 #!/bin/sh
 # PROVIDE: tac_plus
 # REQUIRE: DAEMON
 #
 # Add the following line to /etc/rc.conf to enable the TACACS+ daemon:
 #
 # tac_plus_enable (bool): Set to "NO" by default
 # Set it to "YES" to enable tac_plus
 # tac_plus_flags (str): Set to "" by default
 # Extra flags to be passed to start command
 # tac_plus_profiles (str): Set to "" by default
 # Allows you to run multiple tac_plus daemons with
 # different settings
 # tac_plus_configfile (str): Set to "%%PREFIX%%/etc/tac_plus.conf" by default
 # Allows you to specify a different config file for
 # the tac_plus daemon
 . /etc/rc.subr
 name=tac_plus
 rcvar=tac_plus_enable
 command="%%PREFIX%%/sbin/tac_plus"
 pidfile="/var/run/${name}.pid"
 tac_plus_enable=${tac_plus_enable:-"NO"}
-tac_plus_flags=${tac_plus_flags:-}
+tac_plus_flags=${tac_plus_flags:-"-U %%TACACS_USER%%"}
 tac_plus_profiles=${tac_plus_profiles:-}
 tac_plus_configfile=${tac_plus_configfile:-"%%PREFIX%%/etc/tac_plus.conf"}
 load_rc_config ${name}
 if [ -n "$2" ]; then
 profile="$2"
 if [ "x${tac_plus_profiles}" != "x" ]; then
 eval tac_plus_configfile="\${tac_plus_${profile}_configfile:-}"
 if [ "x${tac_plus_configfile}" = "x" ]; then
 echo "You must define a configuration file (tac_plus_${profile}_configfile)"
 exit 1
 fi
 required_files="${tac_plus_configfile}"
 eval tac_plus_enable="\${tac_plus_${profile}_enable:-${tac_plus_enable}}"
 eval tac_plus_flags="\${tac_plus_${profile}_flags:-${tac_plus_flags}}"
 eval tac_plus_port="\${tac_plus_${profile}_port:-}"
 eval tac_plus_ip="\${tac_plus_${profile}_ip:-}"
 else
 echo "$0: extra argument ignored"
 fi
 else
 if [ "x${tac_plus_profiles}" != "x" -a "x$1" != "x" ]; then
 for profile in ${tac_plus_profiles}; do
 eval _enable="\${tac_plus_${profile}_enable}"
 case "x${_enable:-${tac_plus_enable}}" in
 x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee])
 continue
 ;;
 x[Yy][Ee][Ss])
 ;;
 *)
 if test -z "$_enable"; then
 _var=tac_plus_enable
 else
 _var=tac_plus_"${profile}"_enable
 fi
 echo "Bad value "\
 "'${_enable:-${tac_plus_enable}}' "\
 "for ${_var}. "\
 "Profile ${profile} skipped."
 continue
 esac
 echo "====> tac_plus profile: ${profile}"
 %%PREFIX%%/etc/rc.d/tac_plus $1 ${profile}
 retcode="$?"
 if [ "0${retcode}" -ne 0 ]; then
 failed="${profile} (${retcode}) ${failed:-}"
 else
 success="${profile} ${success:-}"
 fi
 done
 exit 0
 fi
 fi
 tac_plus_flags="-C ${tac_plus_configfile} ${tac_plus_flags}"
 if [ "x${tac_plus_ip}" != "x" ]; then
 pidfile="${pidfile}.${tac_plus_ip}"
 tac_plus_flags="${tac_plus_flags} -B ${tac_plus_ip}"
 fi
 if [ "x${tac_plus_port}" != "x" ]; then
 pidfile="${pidfile}.${tac_plus_port}"
 tac_plus_flags="${tac_plus_flags} -p ${tac_plus_port}"
 fi
 run_rc_command "$1"
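Review bot: Making `-U %%TACACS_USER%%` the default value of `tac_plus_flags` ties the privilege drop to the one variable an admin is expected to override: any `tac_plus_flags="..."` or per-profile `tac_plus_<profile>_flags` in rc.conf (the `eval tac_plus_flags=` line in the profile branch) silently replaces it, and the daemon then presumably runs under whatever UID was compiled in, which per the Makefile in this commit is the `'559'` fallback on a builder without the account. The user should live in its own rc variable and be spliced into the command line next to `-C`, which the script already adds unconditionally after the profile handling. The header comment is also stale now: `# tac_plus_flags (str): Set to "" by default` no longer matches the hunk's new default, and the new knob needs its own entry there. Something along these lines:

```sh
# tac_plus_user (str):      Set to "%%TACACS_USER%%" by default
#                           Account the daemon switches to (passed as -U)
# … unchanged: remaining rc.conf documentation, rc.subr setup …
tac_plus_flags=${tac_plus_flags:-}
tac_plus_user=${tac_plus_user:-"%%TACACS_USER%%"}
# … unchanged: load_rc_config and profile handling …
tac_plus_flags="-C ${tac_plus_configfile} -U ${tac_plus_user} ${tac_plus_flags}"
```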