Difference between TACACS+ and RADIUS

Prerequisite – TACACS+ and RADIUS 
To provide centralized management of authentication, authorization, and accounting (the AAA framework), an Access Control Server (ACS) is used. Two protocols are used for the communication between the client and the ACS server, namely TACACS+ and RADIUS. 

TACACS+ – 
Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco proprietary protocol used for the communication between a Cisco client and a Cisco ACS server. It uses TCP port number 49, which makes it reliable. 

RADIUS – 
Remote Access Dial-In User Service (RADIUS) is an open standard protocol used for the communication between an AAA client and an ACS server from any vendor. If either the client or the server is from a vendor other than Cisco, RADIUS has to be used. It uses port number 1812 for authentication and authorization and 1813 for accounting. 

Similarities – 
The process is started by the Network Access Device (NAD, the client of TACACS+ or RADIUS). The NAD contacts the TACACS+ or RADIUS server and sends it the authentication request (username and password). First, the NAD obtains the username prompt and sends the username to the server; then the NAD contacts the server again to obtain the password prompt and sends the password to the server. 

The server replies with an access-accept message if the credentials are valid; otherwise it sends an access-reject message to the client. Beyond authentication, authorization and accounting differ between the two protocols, since authentication and authorization are combined in RADIUS. 

Differences – 

| TACACS+ | RADIUS |
|---|---|
| Cisco proprietary protocol | Open standard protocol |
| Uses TCP as the transport protocol | Uses UDP as the transport protocol |
| Uses TCP port number 49 | Uses UDP port number 1812 for authentication and authorization and 1813 for accounting |
| Authentication, Authorization, and Accounting are separated | Authentication and Authorization are combined |
| All the AAA packets are encrypted | Only the password is encrypted; other information such as the username and accounting information is not encrypted |
| Preferably used with ACS | Used when ISE is used |
| Provides more granular control, i.e. the particular commands allowed can be specified for authorization | No external authorization of commands is supported |
| Offers multiprotocol support | No multiprotocol support |
| Used for device administration | Used for network access |

Advantages (TACACS+ over RADIUS) – 

  1. As TACACS+ uses TCP, it is more reliable than RADIUS. 
  2. TACACS+ provides more control over the authorization of commands, while RADIUS supports no external authorization of commands. 
  3. All the AAA packets are encrypted in TACACS+, while only the passwords are encrypted in RADIUS, so TACACS+ is more secure. 
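To make the encryption row of the table and advantage 3 concrete, here is an added Python example, written for this page and not code from the original article or from Cisco. It builds the RADIUS Access-Request described under Similarities using the User-Password hiding from RFC 2865 section 5.2, builds a TACACS+ authentication START packet using the body pseudo-pad from RFC 8907 section 4.5, and then shows that the RADIUS username is readable on the wire while the whole TACACS+ body is obscured. The shared secret, Request Authenticator, session id, port and remote address are constructed sample values.

```python
"""Added example (not from the original article): the encryption difference between
RADIUS and TACACS+, implemented from the public RFC algorithms.

RADIUS (RFC 2865 section 5.2) hides only the User-Password attribute with an
MD5-based XOR stream; every other attribute, including User-Name, travels in clear.
TACACS+ (RFC 8907 section 4.5) XORs the entire packet body with an MD5 pseudo-pad.
Secret, authenticator, session id, port and remote address below are constructed
sample values, not real credentials.
"""
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret || c[i-1]),
    where c[-1] is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining uses the hidden block, so the server can reverse it
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as the server does it; trailing padding stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          authenticator: bytes, identifier: int = 1) -> bytes:
    """Minimal Access-Request (code 1): 20-byte header + User-Name(1) + User-Password(2)."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username   # User-Name: sent in clear text
    attrs += bytes([2, 2 + len(hidden)]) + hidden       # User-Password: hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def radius_attributes(packet: bytes) -> dict:
    """Walk the attribute list; no secret is needed, which is the point: only type 2 is hidden."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(session_id||key||version||seq_no||MD5_{n-1}); concatenated and truncated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it (XOR is its own inverse)."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(username: bytes, password: bytes, key: bytes,
                        session_id: int, seq_no: int = 1) -> bytes:
    """Authentication START (RFC 8907 5.1) for a PAP login; the whole body is obfuscated."""
    version = 0xC0                           # major version 0xC, minor version 0
    port, rem_addr = b"tty0", b"10.0.0.5"    # constructed sample values
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), then field lengths
    body = struct.pack("!BBBBBBBB", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    body += username + port + rem_addr + password    # for PAP the password rides in the data field
    # header: version, type=AUTHEN(1), seq_no, flags=0 (encrypted body), session_id, body length
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """What the server sees after de-obfuscating the body with the shared key."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return tacacs_obfuscate(packet[12:12 + length], session_id, key, version, seq_no)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    AUTH = bytes(range(16))                  # a real NAD uses 16 random bytes here
    rad = radius_access_request(b"alice", b"correct horse battery", SECRET, AUTH)
    tac = tacacs_authen_start(b"alice", b"correct horse battery", SECRET, 0x12345678)
    print("RADIUS: username visible on the wire?", b"alice" in rad)   # True
    print("TACACS+: username visible on the wire?", b"alice" in tac)  # False
    print("server recovers RADIUS password:",
          radius_reveal_password(radius_attributes(rad)[2], SECRET, AUTH))
    print("server recovers TACACS+ body:", tacacs_body(tac, SECRET))
```

Both mechanisms are 1990s MD5-based obfuscation rather than modern authenticated encryption; RFC 8907 itself describes the TACACS+ scheme as obfuscation and recommends protecting the transport, which is why practitioners keep both protocols on a protected management network or inside an encrypted tunnel (for example RADIUS over TLS, RFC 6614). The comparison above is therefore about which fields an on-path observer can read directly, not about one scheme being cryptographically strong.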
     

Advantage (RADIUS over TACACS+) – 

  1. As RADIUS is an open standard, it can be used with other vendors' devices, while TACACS+, being Cisco proprietary, can be used with Cisco devices only. 
  2. RADIUS has more extensive accounting support than TACACS+. 
     

 


Last Updated : 26 Oct, 2021