RADIUS vs. TACACS+: Key Differences
Network access has to be kept secure with security controls. One basic framework for doing so is AAA: Authentication, Authorization, and Accounting. TACACS+ and RADIUS are both AAA protocols, but what are their key differences?
TACACS is an abbreviation for Terminal Access Controller Access-Control System, while RADIUS stands for Remote Authentication Dial-In User Service. Cisco designed the more advanced TACACS+ protocol to replace TACACS. Both AAA protocols (TACACS+ and RADIUS) are used to secure network access.
An Access Control System (ACS) provides centralized management for the AAA framework. TACACS+ and RADIUS carry the communication between the ACS server and its clients. There are several differences between the two AAA protocols; this article looks at those differences and at how each protocol is used to secure network access.
Key Differences Between TACACS+ and RADIUS
RADIUS and TACACS+ differ in many ways. Some of these differences include:
- Transport Protocol
TACACS+ is Cisco's newer protocol and uses the Transmission Control Protocol (TCP) for communication between the TACACS+ server and its clients. As a Device Administration AAA protocol, it authenticates and authorizes users who access the management plane of the device.
RADIUS, on the other hand, is an open standard that uses UDP as its transport between the ACS server and any AAA client. Furthermore, RADIUS works with IEEE 802.1X, carrying the end user's Extensible Authentication Protocol (EAP) exchange to the authentication server.
- Port Numbers
TACACS+ uses TCP port 49, gaining TCP's reliable delivery. The protocol separates the AAA functions, so that Authentication, Authorization, and Accounting are carried out independently.
RADIUS uses UDP ports 1812 and 1813. Port 1812 carries authentication and authorization, while port 1813 carries accounting. Authentication and authorization are therefore intertwined and handled together in one exchange.
- Separation of AAA Functions
TACACS+ separates the AAA framework so that the authentication, authorization, and accounting functions are executed independently. RADIUS works differently: it combines the authentication and authorization functions.
TACACS+'s ability to separate these functions and execute them independently makes it more useful for device administration than RADIUS. RADIUS can still handle device administration, but TACACS+ is preferred for it.
RADIUS, for its part, has strong support for the Accounting function, since accounting is the one function it does keep separate from the combined authentication and authorization exchange.
- Primary Use
TACACS+ is designed for Device Administration AAA and some types of Network Access AAA. The separation of functions in TACACS+ suits the highly interactive nature of Device Administration.
RADIUS is best suited to Network Access AAA because of its ability to connect AAA servers with network access devices such as wireless access points. In addition, it is the transport for authentication protocols such as the Extensible Authentication Protocol (EAP).
- Encryption
TACACS+ encrypts the entire body of every packet, covering all of the AAA data it carries. RADIUS, on the flip side, encrypts only the password, leaving information such as usernames and accounting data unencrypted. This makes TACACS+ the more secure AAA protocol of the two.
Keep in mind that Device Administration and Network Access policies differ in nature, including in what information is encrypted and to what extent. If you want the AAA protocol that offers more protection for its own traffic, TACACS+ is the better choice.
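To make the "whole body" point concrete, here is an added example (not code from the article, Cisco, or any TACACS+ implementation) that builds a TACACS+ authentication START packet and applies the body obfuscation defined in RFC 8907 section 4.5, which is what the article refers to as encryption. Only the 12-byte header is sent in the clear; the username, port and remote address in the body are all XORed with an MD5-derived pad keyed by the shared key. The key, session ID, user, port and address are constructed sample values, and nothing touches the network.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) on a constructed
authentication START packet. Added example; all values are made up."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER_DEFAULT = 0xC, 0x0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # set => body is cleartext (should never be seen in production)
TAC_PLUS_AUTHEN_LOGIN = 0x01           # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01      # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01       # authen_service
HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and truncated."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad. XOR is its own inverse, so the same
    call de-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body: fixed fields, then the variable-length strings."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(ptype, seq_no, session_id, key, body, flags=0):
    """Cleartext header followed by the obfuscated body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    """Receiver side: read the header, then recover the body with the shared key.
    A packet with TAC_PLUS_UNENCRYPTED_FLAG set is worth alerting on."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    KEY = b"constructed-shared-key"
    body = authen_start_body("alice", "tty0", "10.0.0.5")          # constructed values
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x11223344, KEY, body)
    print("on the wire:", pkt.hex())
    print("username visible in capture?", b"alice" in pkt)          # False
    print("recovered with right key:", parse_packet(pkt, KEY)["body"] == body)
    print("recovered with wrong key:", parse_packet(pkt, b"other")["body"] == body)
```

Because the pad is derived from the shared key, a capture on the path reveals only the header fields (version, type, sequence number, flags, session ID, length); everything in the body stays hidden unless the key is known, which is why the strength and handling of the TACACS+ key matters as much as the protocol choice.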
- Multiprotocol Support
TACACS+'s design, with its separation of AAA functions, allows it to support multiple protocols. RADIUS's mode of operation limits this ability; RADIUS does not support multiple protocols.
A protocol that supports other protocols is attractive because that broadens its usefulness. That is why many customers prefer TACACS+, since RADIUS is limited in accepting multiple protocols.
- External Authorization Support
TACACS+'s authorization is more granular: because authorization is an independent function, the protocol can specify which individual commands a user is authorized to run. This extends to external authorization through the other protocols it supports.
RADIUS does not support external authorization, since its authorization and authentication functions are combined and specifying commands within the protocol would be complex. Moreover, RADIUS does not support other protocols.
- Different Policies
The policies each protocol applies determine its nature, its administration and execution, and the expected results. For example, TACACS+ policies dictate the privilege level and the sets of commands allowed to run on the client device.
RADIUS policies have more to do with assigning VLANs, access control lists, and so on; their focus is on the endpoint attributes of the client device.
Similarities of TACACS+ and RADIUS
Even though these protocols operate differently and handle the AAA functions differently, they do have things in common. Some of the similarities include the following.
- Both protocols start by transmitting a request for username and password authentication through the Network Access Device (NAD) to the server. In this case, the NAD is the client of TACACS+ or RADIUS.
If the credentials are correct, the server sends back an accept message; if they are wrong, it sends a reject message. The NAD relays these messages from the server to the client.
- Both are AAA protocols, even though they function in different types of network access. For example, TACACS+ works well in Device Administration while RADIUS focuses on Network Access. However, you can use the RADIUS protocol for Device Administration, even though its functionalities are not separated.
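The request/accept/reject exchange just described, and the earlier point that RADIUS hides only the password, can both be seen in the following added example (not code from the article or from any RADIUS implementation). It builds an Access-Request with the User-Password hiding of RFC 2865 section 5.2, lets a toy server answer with an Access-Accept or Access-Reject signed with the Response Authenticator of RFC 2865 section 3, and has the client verify that authenticator before trusting the reply. The shared secret, user database, identifier and Request Authenticator are constructed sample values, and there is no network I/O.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange in pure Python.
Added example with constructed values; not a production implementation."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block'
    is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse; strips the NUL padding (so, as in RFC 2865,
    passwords ending in NUL are not representable)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Attribute = Type(1) + Length(1, counts these two bytes too) + Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def build_access_request(username, password, secret, ident, request_auth=None):
    """NAD side. The Request Authenticator must be unpredictable in practice."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),                      # sent in the clear
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def server_respond(request, secret, user_db):
    """Server side: recover the password, check it, and sign the verdict."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    attrs = dict(decode_attrs(request[HEADER_LEN:length]))
    username = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    expected = user_db.get(username)
    ok = expected is not None and hmac.compare_digest(password, expected)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(resp_code, ident, b"", request_auth, secret)
    return build_packet(resp_code, ident, auth, [])


def client_verify(request, response, secret):
    """NAD side: accept the reply only if the Identifier matches and the
    Response Authenticator verifies under the shared secret. Returns the
    response code, or None for a reply that should be discarded."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, response[HEADER_LEN:length],
                                      request[4:HEADER_LEN], secret)
    return code if hmac.compare_digest(expected, response[4:HEADER_LEN]) else None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    req = build_access_request("alice", "hunter2", SECRET, ident=7)   # constructed user
    print("username visible on the wire:", b"alice" in req)            # True
    print("password visible on the wire:", b"hunter2" in req)          # False
    resp = server_respond(req, SECRET, {"alice": b"hunter2"})
    print("verified response code:", client_verify(req, resp, SECRET))  # 2 = Access-Accept
```

Two things worth noticing in a packet capture of this exchange: the User-Name attribute (and any accounting attributes a real exchange would carry) is readable by anyone on the path, which is the asymmetry the article describes, and both the password hiding and the reply check rest entirely on the shared secret, so a weak or widely shared RADIUS secret weakens every device that uses it.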
Both TACACS+ and RADIUS are effective in their roles. Even with the many differences, you will notice that each has advantages over the other in reliability, command control, security, support, and so on. For example, TACACS+ is considered the more reliable protocol because of the transport protocol it runs over.
You should first understand all the differences and the advantages each has over the other, and then make a choice based on your own requirements.