Exploring the Key Differences: RADIUS vs TACACS+

TACACS+ and RADIUS are two protocols used in the AAA (Authentication, Authorization, and Accounting) system to enable centralized authentication for network users. Let's look at each of them in turn, in simple terms.

RADIUS (Remote Authentication Dial-In User Service)

RADIUS (Remote Authentication Dial-In User Service) is a server system that protects networks against unauthorized access. RADIUS clients run on supported routers and switches. These clients send authentication requests to a centralized RADIUS server, which stores all user authentication and network service access data.

To put it another way, RADIUS is a network protocol that defines rules and norms for communication between network devices, specifically for remote user authentication and accounting. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting. The legacy ports are 1645 and 1646.
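As an added illustration (not code from the original article), the Python below builds and parses the Access-Request that a RADIUS client sends to the server on UDP port 1812, following RFC 2865. The function names, user name, shared secret and addresses are constructed for the example. Only the User-Password attribute is obfuscated (MD5 keyed with the shared secret); User-Name and the other attributes travel in the clear.

```python
import hashlib, os, struct

ACCESS_REQUEST = 1                           # RFC 2865 packet code
USER_NAME, USER_PASSWORD, NAS_IP = 1, 2, 4   # RFC 2865 attribute types

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server side: reverse hide_password using the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    """Client (NAS) side: encode an Access-Request for UDP port 1812."""
    authenticator = authenticator or os.urandom(16)   # fresh per request
    values = ((USER_NAME, user.encode()),
              (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
              (NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in values)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data):
    """Decode header and attributes, rejecting inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs
```

A server that holds the same shared secret recovers the password with `unhide_password`; with a different secret the result is garbage, which is why the secret must match on both the client and the server.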


Fig 1.1- RADIUS Server Authentication

What is the primary function of RADIUS servers?
The primary functions of the RADIUS server in the network are detailed below.

  • Authenticates people or devices before granting them network access.
  • Allows particular people or devices to utilize specific network services.
  • Accounts for and monitors the utilization of those services.

TACACS+ (Terminal Access Controller Access Control System)

TACACS+ stands for “Terminal Access Controller Access Control System”. The main job of a TACACS+ server is to provide centralized authentication, authorization, and accounting (AAA) services to network devices such as routers, switches, and firewalls. With TACACS+, network administrators can manage and regulate user access to network resources and devices.

When a user tries to connect to a network device, the device (the TACACS+ client) connects to the TACACS+ server. The user enters their credentials (usually a username and password), which the TACACS+ server then checks against a database of authorized users.

TACACS+ is also responsible for determining which activities the user is permitted to perform on the network device once the user has been authenticated. This involves defining which commands and resources the user has access to. The TACACS+ server maintains a list of user privileges and enforces these limits, ensuring that users can only carry out tasks they are authorized to perform.

TACACS+ additionally records all user activity on network devices, such as login and logout times, commands executed, and resources accessed. This accounting information can be used for auditing, billing, or troubleshooting.