Difference between TACACS+ and RADIUS
Prerequisite – TACACS+ and RADIUS
To centralize authentication, authorization, and accounting (the AAA framework), network devices hand these decisions to an AAA server such as Cisco Access Control Server (ACS). Two protocols are used for the communication between the AAA client (the network device) and the AAA server: TACACS+ and RADIUS.
Terminal Access Controller Access-Control System Plus (TACACS+) was developed by Cisco and is usually described as a Cisco proprietary protocol for communication between a Cisco client and a Cisco ACS server, although the protocol has since been published as RFC 8907 and implemented by other vendors. It runs over TCP port 49; it is TCP's connection handling and retransmission that make it reliable, not the port number.
Remote Authentication Dial-In User Service (RADIUS) is an open standard protocol (RFC 2865 for authentication and authorization, RFC 2866 for accounting) used for communication between any vendor's AAA client and AAA server. If either the client or the server is from a vendor other than Cisco, RADIUS is the interoperable choice. It runs over UDP, port 1812 for authentication and authorization and 1813 for accounting (older deployments may still use 1645 and 1646).
The process is started by the Network Access Device (NAD, the TACACS+ or RADIUS client). The two protocols run the authentication exchange differently. With RADIUS, the NAD collects the username and password itself and sends both in a single Access-Request; the server replies with an Access-Accept if the credentials are valid and an Access-Reject otherwise (an Access-Challenge can ask the NAD for more input first). With TACACS+ the exchange is multi-step: the NAD sends an authentication START, the server replies with a GETUSER prompt, the NAD sends the username in a CONTINUE packet, the server replies with a GETPASS prompt, the NAD sends the password in another CONTINUE, and the server finally replies PASS or FAIL.
Authorization and accounting also differ between the protocols. RADIUS combines authentication and authorization in one exchange (any authorization attributes ride in the Access-Accept), whereas TACACS+ carries authentication, authorization, and accounting as separate packet types in separate exchanges.
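The RADIUS side of the exchange described above, as an added example that is not part of the original article: the NAD builds an Access-Request with a cleartext User-Name and a User-Password hidden per RFC 2865 section 5.2, the server recovers the password and answers Access-Accept or Access-Reject, and the NAD checks the Response Authenticator before trusting the verdict. The shared secret, user database, and attribute set are constructed for the demo and are not real values.

```python
import hashlib
import os
import struct

# Constructed demo values (not real credentials or a real shared secret).
SHARED_SECRET = b"example-shared-secret"
USER_DB = {"alice": b"correct horse battery staple"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password (the chain runs over the hidden blocks).
    Trailing NULs are padding, so a password that itself ends in NUL is ambiguous."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, counting these two octets) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, length, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs_bytes + secret).digest()


def build_access_request(username, password, ident, secret=SHARED_SECRET, request_auth=None):
    """NAD side: one Access-Request carrying the username (cleartext) and hidden password."""
    request_auth = request_auth or os.urandom(16)   # fresh random Request Authenticator
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet, secret=SHARED_SECRET, users=USER_DB):
    """Server side: decode, recover the password, answer Accept or Reject. Authentication
    and authorization are one exchange in RADIUS, so any authorization attributes
    (VLAN, filter, session timeout) would be carried in this same Access-Accept."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME].decode()) == password else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, 20, request_auth, b"", secret), [])


def reply_is_authentic(reply, request_auth, secret=SHARED_SECRET):
    """NAD side: the Response Authenticator ties the reply to this request and to a holder
    of the shared secret, so a spoofed Access-Accept from someone without the secret fails."""
    code, ident, length = HEADER.unpack(reply[:4])
    expected = response_authenticator(code, ident, length, request_auth, reply[20:length], secret)
    return reply[4:20] == expected


def authenticate(username, password, ident=1, secret=SHARED_SECRET):
    """Full NAD <-> server round trip; returns (reply code, request bytes as sent)."""
    request, request_auth = build_access_request(username, password, ident, secret)
    reply = server_handle(request, secret)
    if not reply_is_authentic(reply, request_auth, secret):
        raise ValueError("reply failed Response Authenticator check")
    return reply[0], request


if __name__ == "__main__":
    code, request = authenticate("alice", "correct horse battery staple")
    print("verdict:", {2: "Access-Accept", 3: "Access-Reject"}[code])
    print("username visible on the wire:", b"alice" in request)          # True
    print("password visible on the wire:", b"correct horse" in request)  # False
```

Running the script shows the point the table makes below: the User-Name attribute is readable in the request bytes while only the User-Password is hidden, and the hiding is an MD5 keystream keyed by the shared secret, not authenticated encryption.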
| TACACS+ | RADIUS |
|---|---|
| Developed by Cisco and usually called Cisco proprietary (now published as RFC 8907) | Open standard protocol (RFC 2865, RFC 2866) |
| Uses TCP as the transport protocol | Uses UDP as the transport protocol |
| Uses TCP port 49 | Uses UDP port 1812 for authentication and authorization and 1813 for accounting |
| Authentication, authorization, and accounting are separate exchanges with separate packet types | Authentication and authorization are combined in one exchange |
| The entire body of every AAA packet is obfuscated with the shared secret; only the header is in cleartext | Only the User-Password attribute is obfuscated; the username, authorization attributes, accounting data, etc. are sent in cleartext |
| Supported by Cisco ACS and, from version 2.0, by Cisco ISE | Supported by Cisco ACS and by every version of Cisco ISE |
| More granular control: each command can be authorized individually | No per-command authorization is supported |
| Multiprotocol support (ARA, NetBIOS, NASI, X.25 PAD) | No multiprotocol support |
| Used for device administration | Used for network access |
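The TACACS+ side of the table above (separate packet types for the three AAA functions, and a body that is obfuscated in every packet while the header stays readable), as an added example that is not part of the original article: it implements the RFC 8907 pseudo-pad obfuscation and drives the six-packet ASCII login (START, GETUSER, CONTINUE, GETPASS, CONTINUE, PASS/FAIL) between a simulated NAD and server. The key, user database, port name, remote address, and session id are constructed for the demo.

```python
import hashlib
import struct

# Constructed demo values (not a real key or real credentials).
KEY = b"example-tacacs-key"
USERS = {"alice": "correct horse battery staple"}

VERSION = 0xC0                                   # major version 0xC, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3    # one packet type per AAA function
FLAG_UNENCRYPTED = 0x01                          # set only when a body is deliberately sent in the clear
HEADER = struct.Struct("!BBBBII")                # version, type, seq_no, flags, session_id, body length
PASS, FAIL, GETUSER, GETPASS = 1, 2, 4, 5        # REPLY status values used below


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 "Data Obfuscation": MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def pack(ptype, seq_no, session_id, body, key=KEY):
    """The 12-byte header is cleartext; the whole body is XORed with the pseudo pad."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body)) + bytes(b ^ p for b, p in zip(body, pad))


def unpack(packet, key=KEY):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & FLAG_UNENCRYPTED:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    return ptype, seq_no, session_id, body


# Authentication body layouts from RFC 8907 section 5 (START, REPLY, CONTINUE).
def start_body(port=b"tty0", rem_addr=b"192.0.2.10"):
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1); the user is sent later
    return bytes([1, 1, 1, 1, 0, len(port), len(rem_addr), 0]) + port + rem_addr


def reply_body(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def continue_body(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def server_step(packet, state, key=KEY, users=USERS):
    """Server side of one round: START -> GETUSER, username -> GETPASS, password -> PASS or FAIL."""
    ptype, seq_no, session_id, body = unpack(packet, key)
    if ptype != TYPE_AUTHEN:
        raise ValueError("not an authentication packet")
    if "stage" not in state:
        state["stage"], reply = "user", reply_body(GETUSER, b"Username: ")
    else:
        msg = body[5:5 + struct.unpack("!H", body[:2])[0]].decode()
        if state["stage"] == "user":
            state["user"], state["stage"] = msg, "pass"
            reply = reply_body(GETPASS, b"Password: ")
        else:
            reply = reply_body(PASS if users.get(state["user"]) == msg else FAIL)
    return pack(TYPE_AUTHEN, seq_no + 1, session_id, reply, key)


def ascii_login(username, password, session_id=0x1234ABCD, key=KEY):
    """NAD side: drive the exchange; returns (final status, every packet as it went on the wire)."""
    state, wire = {}, []
    packet = pack(TYPE_AUTHEN, 1, session_id, start_body(), key)               # seq 1: START
    wire.append(packet)
    for answer in (username.encode(), password.encode()):
        reply = server_step(packet, state, key)                                 # seq 2 / 4: GETUSER, GETPASS
        wire.append(reply)
        _, seq_no, _, body = unpack(reply, key)
        if body[0] not in (GETUSER, GETPASS):
            raise ValueError("unexpected server status %d" % body[0])
        packet = pack(TYPE_AUTHEN, seq_no + 1, session_id, continue_body(answer), key)  # seq 3 / 5
        wire.append(packet)
    reply = server_step(packet, state, key)                                     # seq 6: PASS or FAIL
    wire.append(reply)
    return unpack(reply, key)[3][0], wire


if __name__ == "__main__":
    status, wire = ascii_login("alice", "correct horse battery staple")
    print("status:", "PASS" if status == PASS else "FAIL", "after", len(wire), "packets")
    print("username visible in any packet:", any(b"alice" in p for p in wire))            # False
    print("session id readable in every header:", all(p[4:8] == b"\x12\x34\xab\xcd" for p in wire))
```

Unlike the RADIUS case, the username never appears on the wire, but the header (version, type, sequence number, session id, length) does, and the body protection is still a keystream derived from MD5 and a shared secret with no integrity check; RFC 8907 itself calls it obfuscation rather than encryption, so the TCP session should be carried over a protected management network or IPsec.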
Advantages (TACACS+ over RADIUS) –
- TACACS+ runs over TCP, so delivery, ordering and detection of a dead server are handled by the transport; RADIUS over UDP has to implement its own retransmission timers and dead-server detection.
- TACACS+ can authorize each command an administrator types individually; RADIUS has no per-command authorization.
- Every TACACS+ packet body is obfuscated with the shared secret, whereas RADIUS hides only the User-Password attribute and sends usernames, authorization attributes and accounting data in cleartext. In both protocols the hiding is an MD5 keystream derived from a shared secret (RFC 8907 calls it obfuscation, not encryption), so on an untrusted network either should be carried over IPsec or, for RADIUS, TLS (RFC 6614).
Advantages (RADIUS over TACACS+) –
- RADIUS is an open standard, so it works with any vendor's devices, whereas TACACS+ is in practice limited to Cisco devices and the vendors that have implemented Cisco's protocol.
- RADIUS has more extensive accounting support than TACACS+, which is one reason it is the usual choice for network-access AAA.