RADIUS vs TACACS+ – What’s The Difference? (Pros and Cons)

Network security is an essential component of your IT infrastructure, and so is remote access administration. Both are usually enforced through a centralized access-control framework that manages the three key components of network access: authentication, authorization and accounting, or AAA.

Two AAA protocols that are popular and used by many organizations are Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+). RADIUS is mostly used to authenticate remote network users and keep usage logs, while TACACS+ is more often used to control administrative access to managed network devices such as switches and routers.

Both protocols are deployed to accomplish your AAA goals for secure network access, but they differ fundamentally in how they work on the wire and in their typical use cases. Here we explore the fundamental properties of the two protocols and their key differences.


Understanding AAA

Before any client or entity performs any function on the network, its identity must be established. Next, it must be established whether that entity is actually allowed (authorized) to perform that function. Finally, a record of the action, the entity and details such as the time needs to be kept so that it can be referenced later if needed. These are the three building blocks of AAA.

Authentication

Authentication decides whether an entity is who it claims to be and may be admitted to your network. That decision is made with credentials such as a username and password, a certificate or a one-time token.

Authorization

Authorization happens after authentication. It decides which services your authenticated user may access. Access is typically limited to the relevant services only, and this layer prevents entities from reaching services they are not supposed to use. For example, your finance team would not normally have access to the developer database.

Accounting

Accounting keeps reliable records of sessions and their properties for future reference. Records are detailed and include variables such as the identity of the user, the network address used for access, a unique session identifier and the point of attachment (the device and port the user connected through). Logs are kept per user and you can use them later to track user activity or audit network security.

All About RADIUS

RADIUS was originally developed to provide AAA for dial-in modem users. Today it is an open IETF standard (RFC 2865 for authentication and authorization, RFC 2866 for accounting) supported by virtually every network vendor, Cisco included, which makes it the natural choice when your clients and servers come from different vendors.

The modern iteration of RADIUS uses UDP: port 1812 for authentication and authorization and port 1813 for accounting (older deployments still use 1645 and 1646). RADIUS was not built with security in mind. Only the User-Password attribute is hidden, by XORing it with an MD5 keystream derived from the shared secret and the request's random authenticator; every other attribute travels in cleartext, and replies are protected only by an MD5 Response Authenticator keyed with the same shared secret. In practice this means RADIUS traffic should stay on a trusted management network or be wrapped in RadSec (RADIUS over TLS, RFC 6614) or IPsec, and shared secrets should be long and unique per client. RADIUS is nevertheless heavily used in organizational environments because of its vendor-agnostic, open design.

Cloud-hosted RADIUS services offer the same protocol benefits without the regular maintenance associated with an on-premises RADIUS infrastructure.

Radius Features

  • Client/server model: the network access server (NAS) acts as the RADIUS client, forwarding user connection requests to the RADIUS server, which authenticates the user.
  • Flexible authentication mechanisms: PAP and CHAP over PPP, EAP, and simple UNIX login.
  • Policy-based configuration.
  • Multiple accounting consumers.
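The following is an added example, not code from the original article or from any RADIUS implementation. It builds an Access-Request the way RFC 2865 describes it, hides the User-Password with the shared-secret MD5 keystream, and then does the check every NAS should do on the reply: recompute the Response Authenticator. The shared secret, username, password and NAS address are constructed demo values.

```python
import hashlib
import hmac
import secrets
import struct

# Codes, attribute types and ports from RFC 2865/2866 (not from the article).
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is secret-keyed obfuscation, not authenticated
    encryption: anyone holding the shared secret can undo it."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Attribute TLVs into {type: value}; everything here is readable as-is on the wire."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         nas_ip: bytes, request_auth: bytes = b"") -> bytes:
    """Access-Request: Code, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: the Identifier must match the outstanding request and
    the Response Authenticator must recompute under the shared secret;
    otherwise the Access-Accept may have been spoofed or replayed."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed demo value; use a long random secret in practice
    req = build_access_request(7, SECRET, b"alice", b"correct horse battery", b"\x0a\x00\x00\x01")
    on_wire = parse_attrs(req[20:])
    print("User-Name readable by any sniffer:", on_wire[ATTR_USER_NAME])
    print("User-Password as sent:", on_wire[ATTR_USER_PASSWORD].hex())
    print("Server recovers:", reveal_password(on_wire[ATTR_USER_PASSWORD], SECRET, req[4:20]))
    accept = build_response(ACCESS_ACCEPT, req, SECRET)
    print("Accept verifies:", verify_response(accept, req, SECRET),
          "/ with wrong secret:", verify_response(accept, req, b"wrong"))
```

Two things worth noticing when you run it: the username and NAS address are plainly visible in the packet while only the password attribute is scrambled, and the only thing standing between an attacker and a forged Access-Accept is the MD5-based Response Authenticator and the secrecy of the shared secret. That is why the protocol is best confined to a trusted network or tunnelled over TLS or IPsec.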

With RADIUS covered, the next part of RADIUS vs TACACS+ – What’s The Difference? is TACACS+.

All about TACACS+

The other solution we are comparing is TACACS+. It was developed by Cisco as an evolution of the original TACACS system used to control access to UNIX terminals, and its current form is documented in RFC 8907. It is used primarily for device administration rather than network access control. TACACS+ runs over TCP, normally on port 49.

Features of TACACS+

  • Uses TCP as the transport between the network device (the client) and the security server, which gives reliable delivery.
  • Obfuscates the entire packet body with an MD5-derived keystream keyed by a shared secret, so usernames, commands and accounting records are not readable on the wire. RFC 8907 deliberately calls this obfuscation rather than encryption and recommends deploying TACACS+ only on a protected management network.
  • Serial Line Internet Protocol (SLIP), PPP and ARA are supported for dial-up security.
  • Follows the AAA architecture strictly: authentication, authorization and accounting are separate exchanges and can be handled by different servers if needed.

Things in common between RADIUS and TACACS+

Both RADIUS and TACACS+ are AAA solutions that enforce your network security, and in broad terms they perform similar functions. Which one fits depends on the type of network, the devices on it and what you expect to use for centralized authentication. Both protocols can handle all three AAA duties; they are usually used for distinct purposes, but either can in principle be used for both device administration and network access.

Differences between RADIUS and TACACS+

Use cases

First and foremost, the two most important distinctions lie in the nature and primary use cases of the two protocols. RADIUS is a vendor-agnostic open protocol. TACACS+ was designed by Cisco and is still most closely associated with Cisco devices; it has since been published as RFC 8907 and is supported by other vendors and by open-source servers, but coverage is narrower than for RADIUS. While Cisco devices form the bulk of the network equipment in many organizations, this is a constraint that may not suit every infrastructure, so check vendor support before committing to it.

Protocols

The other major difference is that RADIUS is typically used for network access management while TACACS+ is primarily used for device administration. Both can be used in other ways, but these are their most typical use cases.

RADIUS uses UDP while TACACS+ uses TCP. This matters because TCP has several advantages over UDP here. UDP is best effort, so a RADIUS client has to implement its own timeouts, retransmissions and failover between servers. TCP is connection oriented and acknowledges every segment, so the TACACS+ client gets delivery confirmation for free.

TCP is also useful operationally because a crashed or unreachable server shows up immediately as a refused or reset connection instead of a silent timeout, and TCP keepalives let the client monitor the state of several servers at once. UDP offers no such mechanism.

Packet Encryption

RADIUS and TACACS+ also differ in how they protect packets. With RADIUS, everything apart from the password is sent unencrypted: the username, the list of authorized services and the accounting data are all readable. Only the User-Password attribute is hidden, and the hiding is an MD5 keystream derived from the shared secret. TACACS+, by contrast, obfuscates the entire packet body. Only a standard 12-byte header is sent in the clear; it carries a flag that indicates whether the body that follows is obfuscated or not, and unencrypted bodies are intended only for special cases such as debugging.
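The following is an added example, not code from the original article or from any TACACS+ server or client. It shows the TACACS+ side of the packet encryption discussion and the feature list above: a PAP authentication START body is built per RFC 8907, the body is obfuscated with the MD5 pseudo-pad keyed on the shared secret, and the 12-byte header is parsed independently of the key. The shared key, username and password are constructed demo values, and `parse_packet` refuses cleartext bodies by default, which is the behaviour RFC 8907 recommends for production servers.

```python
import hashlib
import secrets
import struct

# Header constants from RFC 8907 (assumed; not taken from the article).
TACACS_PORT = 49
TAC_PLUS_VERSION = 0xC1          # major version 0xC, minor version 1 (used for PAP/CHAP)
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT, HEADER_LEN = "!BBBBII", 12


def obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5 body obfuscation. pseudo_pad is a chain of MD5
    digests over (session_id, key, version, seq_no, previous digest); the body
    is XORed with it. XOR is its own inverse, so the same call deobfuscates.
    Like the RADIUS password trick this is keyed obfuscation, not authenticated
    encryption, and a captured packet offers the shared key up to offline guessing."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes,
                      password: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START for a PAP login (action=LOGIN, authen_type=PAP, service=LOGIN)."""
    action, authen_type, authen_service = 1, 2, 1
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, authen_service,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def build_packet(pkt_type: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes = b"", version: int = TAC_PLUS_VERSION) -> bytes:
    """12-byte cleartext header + body. With a key the body is obfuscated;
    without one the UNENCRYPTED flag is set (debugging only)."""
    if key:
        flags, payload = 0, obfuscate(body, key, session_id, version, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_header(packet: bytes) -> dict:
    """The header is always readable: type, sequence, session and whether the body is obfuscated."""
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"version": version, "type": pkt_type, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length,
            "obfuscated": not flags & TAC_PLUS_UNENCRYPTED_FLAG}


def parse_packet(packet: bytes, key: bytes = b"", allow_unencrypted: bool = False) -> dict:
    """Recover the body. allow_unencrypted exists only for lab debugging;
    a production server should reject cleartext bodies outright."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("truncated packet")
    if hdr["obfuscated"]:
        if not key:
            raise ValueError("body is obfuscated; shared key required")
        body = obfuscate(body, key, hdr["session_id"], hdr["version"], hdr["seq_no"])
    elif not allow_unencrypted:
        raise ValueError("refusing cleartext TACACS+ body")
    return {**hdr, "body": body}


if __name__ == "__main__":
    KEY = b"example-tacacs-key"  # constructed demo key
    sid = secrets.randbits(32)
    body = authen_start_body(b"alice", b"tty1", b"10.0.0.5", b"hunter2")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, sid, body, KEY)
    print("header without the key:", parse_header(pkt))
    print("username visible on the wire?", b"alice" in pkt)
    print("server decodes body:", parse_packet(pkt, KEY)["body"])
```

Compared with the RADIUS packet, nothing identifying survives in the clear except the session id and sequence number, but the pseudo-pad is still only as strong as the shared key, which is why the RFC's advice about a protected management network stands even for TACACS+.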

AAA

TACACS+ keeps the three AAA functions completely separate: authentication, authorization and accounting are independent exchanges, and you can, for instance, authenticate against one server and authorize against another. RADIUS combines authentication and authorization into a single exchange, because the authorization attributes are returned inside the Access-Accept and cannot be decoupled from it. TACACS+ also supports multiple protocols such as ARA, NASI and X.25, which RADIUS does not.

Router Management

RADIUS does not let you control which individual commands a user may execute on a router. A RADIUS server can hand the device a privilege level through a vendor-specific attribute, but there is no per-command authorization exchange, so RADIUS is far less useful for router management and less flexible for terminal services.

TACACS+ provides two methods for controlling the authorization of router commands on a per-user or per-group basis. The first assigns privilege levels to commands and has the router ask the TACACS+ server whether the user is authorized at the requested privilege level. The second explicitly lists on the TACACS+ server, per user or per group, the commands (and command arguments) that are permitted; the router then sends each command to the server for a permit or deny decision before executing it.

Because of their different origins and intended use cases, RADIUS has no router-specific command authorization, which severely limits its usefulness for router management and terminal services, whereas TACACS+ offers flexible authorization on routers either per individual user or per user group.
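The following is an added example, not code from the original article or from any TACACS+ server. It models both command-authorization methods described above in the way a small TACACS+ policy engine would evaluate them: a privilege-level ceiling per group (method one) and ordered permit/deny rules per command with per-user overrides (method two), fed by the `service=shell`, `cmd=`, `cmd-arg=` attribute-value pairs that a shell sends in an authorization request. The groups, users and rule semantics (first matching pattern wins; a listed command with no matching pattern is denied; unlisted commands take the group default) are constructed for the example rather than copied from a real server's configuration language.

```python
import re
from dataclasses import dataclass, field

# Reply statuses named after the TACACS+ authorization statuses in RFC 8907.
PASS_ADD, FAIL = "TAC_PLUS_AUTHOR_STATUS_PASS_ADD", "TAC_PLUS_AUTHOR_STATUS_FAIL"


@dataclass
class Group:
    priv_lvl: int                               # highest exec privilege level the group may enter
    default: str = "deny"                       # verdict for commands with no rule at all
    cmds: dict = field(default_factory=dict)    # command -> ordered [(verdict, regex over args)]


@dataclass
class User:
    group: str
    cmds: dict = field(default_factory=dict)    # per-user rules, checked before the group's


class Policy:
    def __init__(self, groups: dict, users: dict):
        self.groups, self.users = groups, users

    def authorize_priv(self, user: str, requested_lvl: int) -> bool:
        """Method 1: the router asks whether the user may enter privilege level N
        (e.g. on 'enable 15'); the server compares it with the group ceiling."""
        u = self.users.get(user)
        return u is not None and requested_lvl <= self.groups[u.group].priv_lvl

    def authorize_cmd(self, user: str, cmd: str, args: str) -> tuple:
        """Method 2: per-command rules. User rules take precedence over group rules;
        first matching pattern wins; a command that has rules but no match is denied;
        a command with no rules anywhere gets the group default."""
        u = self.users.get(user)
        if u is None:
            return FAIL, "unknown user"
        group = self.groups[u.group]
        for scope, rules in (("user", u.cmds), ("group", group.cmds)):
            if cmd in rules:
                for verdict, pattern in rules[cmd]:
                    if re.fullmatch(pattern, args):     # anchored on purpose: no partial matches
                        return (PASS_ADD if verdict == "permit" else FAIL), f"{scope} rule '{pattern}'"
                return FAIL, f"{scope} rules for '{cmd}' matched nothing"
        return (PASS_ADD if group.default == "permit" else FAIL), "group default"


def handle_author_request(policy: Policy, user: str, avpairs: list) -> tuple:
    """Unpack the attribute-value pairs a shell sends in a TACACS+ AUTHOR REQUEST
    (service=shell, cmd=..., one cmd-arg per word, terminated by cmd-arg=<cr>)."""
    av, args = {}, []
    for pair in avpairs:
        k, v = pair.split("=", 1)
        if k == "cmd-arg":
            if v != "<cr>":
                args.append(v)
        else:
            av[k] = v
    if av.get("service") != "shell" or "cmd" not in av:
        return FAIL, "only shell command authorization is modelled here"
    return policy.authorize_cmd(user, av["cmd"], " ".join(args))


# Constructed sample policy: hypothetical groups and users, not a real deployment.
POLICY = Policy(
    groups={
        "netadmins": Group(priv_lvl=15, default="permit"),
        "helpdesk": Group(priv_lvl=1, default="deny", cmds={
            "show": [("deny", r"running-config.*"), ("permit", r".*")],
            "ping": [("permit", r"10\.\d+\.\d+\.\d+")],
        }),
    },
    users={
        "alice": User(group="netadmins"),
        "bob": User(group="helpdesk", cmds={"reload": [("permit", r"")]}),
    },
)

if __name__ == "__main__":
    requests = [
        ("bob", ["service=shell", "cmd=show", "cmd-arg=ip", "cmd-arg=interface", "cmd-arg=brief", "cmd-arg=<cr>"]),
        ("bob", ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]),
        ("bob", ["service=shell", "cmd=ping", "cmd-arg=8.8.8.8", "cmd-arg=<cr>"]),
        ("alice", ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]),
    ]
    for who, req in requests:
        print(who, req[1], handle_author_request(POLICY, who, req))
    print("bob may enable 15?", POLICY.authorize_priv("bob", 15))
```

The point to take from the example is the granularity: with TACACS+ the server sees every command and its arguments and can say yes or no to each one, while RADIUS would have to hand the device a whole privilege level up front. When writing real rules, anchor the patterns (as `re.fullmatch` does here) and put deny rules before broad permits, since an unanchored `permit .*` quietly widens the allow-list.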

The following comparison table gives an at-a-glance view of the differences between the RADIUS and TACACS+ protocols.

Comparison between RADIUS vs TACACS+

Comparison Chart Between RADIUS and TACACS+

Specifics            | TACACS+                                                        | RADIUS
Standards in use     | Cisco-originated; now documented in RFC 8907                   | Open IETF standard (RFC 2865/2866)
Transmission type    | TCP                                                            | UDP
Ports and protocols  | TCP port 49. AppleTalk Remote Access (ARA), NetBIOS Frame Protocol Control, Novell Asynchronous Services Interface (NASI) and X.25 PAD connections are also supported. | UDP port 1812 (or legacy 1645) for authentication and authorization, UDP port 1813 (or legacy 1646) for accounting. No multiprotocol support.
Encryption           | The entire body of every AAA packet is obfuscated; only the 12-byte header is in the clear. | Only the password is hidden; the username, accounting information and all other attributes are sent in the clear.
The way each operates | Separates authentication, authorization and accounting into independent exchanges. | Combines authentication and authorization in one exchange.
Uses                 | Device administration                                          | Network access


RADIUS vs TACACS+ – What’s The Difference? Conclusion

Interoperability is always a concern in network security, but device interoperability with RADIUS has improved steadily over time, particularly where vendors use the same attributes as defined in the RFCs. RADIUS is also the protocol you mostly use on semi-trusted networks (user and device access at the edge), while TACACS+ is used for your internal administrative logins.

To choose between the two, look carefully at your use cases and consider the brands and vendors you are tied to. Weigh the relative pros and cons and adopt the standard that ticks the right boxes for your situation. In most cases, if your priority is device administration and you are invested in the Cisco ecosystem, you will go with TACACS+. If your primary need is network access management and you want to avoid vendor lock-in or need interoperability between different vendors, RADIUS is the better option. Whichever you pick, keep the AAA traffic on a protected network and use strong, unique shared secrets, since neither protocol provides modern transport security on its own.


Benjamin Roussey

Benjamin Roussey is from Sacramento, CA but now lives in Arizona. His bachelor’s degree is from CSUS (1999) where he was on a baseball pitching scholarship and he completed 4 years in the US Navy. He has an MBA in Global Management from the Univ. of Phoenix (2006). He has worked everywhere from small businesses to large corporations, and also for public agencies. He has lived in South Korea and Saudi Arabia where he was an ESL instructor. Now he writes professionally for several clients and many of them in the tech community. He knows these topics well. He’s been focused on the tech arena since 2010. Currently he lives in the Phoenix area. He enjoys sports, movies, reading, and current events when he is not working online.
