Deciding whether to use
<acronym title="Remote Authentication Dial-In User Service">RADIUS
<acronym title="Terminal Access Controller Access Control System Plus">TACACS+
<acronym title="Authentication, Authorization, Accounting">AAA
</acronym> functionality on a Cisco-based network seems straight-forward. After all, if the network uses Cisco, shouldn't the AAA server? The answer isn't quite so clear.
Both RADIUS and TACACS+ are client/server AAA protocols. The server resides on a remote system and answers queries from clients (for example, routers and switches). They can authenticate a username/password combination, determine if a user is allowed to connect to the client, and log the connection. When designing TACACS+, Cisco incorporated many of the existing functionality of RADIUS and extended it to meet their needs. Feature-wise, TACACS+ can be considered an extension of RADIUS.
The state of RADIUS and TACACS+ development is also equivalent. Although Cisco offers a commercial TACACS+ server product known as Cisco Secure Access Control Server, the cost of the product is a barrier for many organizations. Otherwise, both protocols are supported by various open source means, none of which is the clear leader in the field.
The main advantage of RADIUS is availability. Although all modern Cisco devices support TACACS+, support outside the Cisco community is limited. If you work on a mixed vendor network, RADIUS is likely the best option available.
As an extension of the RADIUS protocol, TACACS+ implements most of the features of RADIUS. The advantages of TACACS+ are in how it changes the implementation of RADIUS, as well as how it extends the protocol to meet the needs of modern networks.
- TACACS+ uses
<acronym title="Transmission Control Protocol">TCP
<acronym title="User Datagram Protocol">UDP
</acronym>. TCP guarantees communication between the client and server. Unlike UDP, which is connectionless, TCP initiates a connection with the server and is not as susceptible to situations such as network congestion and server crashes.
- TACACS+ encrypts all of the data in the TACACS+ packet. Although RADIUS does encrypt the password in the packet, it doesn't protect against other data interception such as username and accounting information.
- TACACS+ allows for different methods of authentication, authorization, and accounting. RADIUS couples authentication and authorization, making it difficult to use different servers for these purposes.
- TACACS+ allows a network administrator to define what commands a user may run. This fine grain level of control allows more controlled access for a greater number of users on a network.
When choosing a AAA protocol to use on a Cisco-based network, TACACS+ is the obvious choice. RADIUS (or a combination of TACAS+ and RADIUS) may be required if the network uses non-Cisco devices that do not support the TACACS+ protocol. Use Cisco's site for an even greater in-depth look at the comparison between TACACS+ and RADIUS.