There are a lot of good reasons for implementing a AAA (authentication,
authorization, and accountability) solution in your network – not the least of which
is to make the management of user accounts easier.
The idea behind a RADIUS or TACACS+ server is simple – a
central authentication server that routers, switches, even servers can use to authenticate
logons to. Think of the advantages that a central user directory brings for authentication
auditing and access control in a client server model,, and you have your justification
for Radius or TACACS+ for your networks infrastructure.
RADIUS VS TACACS+
Ok. So what to use? Well in order to make that choice you need
to understand some of the differences between RADIUS or TACACS+.
Five things you need to know about RADIUS vs TACACS+
- RADIUS uses UDP
- TACACS+ use TCP
- RADIUS encrypts only the password during transmission
- TACACS+ encrypts the entire session
- RADIUS combines authentication (device) and Authorization(User).
- TACACS+ Separates Authentication, Authorization, and Accountability
- RADIUS is limited in its privilege mode
- TACACS+ supports 15 privilege modes. In addition, you can limit router commands based
on user groups.
- RADIUS is an open standard and therefore more interoperable than TACACS+
- TACACS+ is proprietary to cisco
- RADIUS uses less memory and CPU cycles on your routers
- TACACS+ is heavier than RADIUS
So when should you use RADIUS?
When your priorities are interoperability and performance.
- Interoperability – RADIUS is more interoperable than TACACS+ primarily due
to the proprietary nature of Cisco’s TACACS+. While TACACS+ supports more protocols,
RADIUS is supported by, well.. everyone. A good rule of thumb is TACACS+ if you are
a cisco only shop.
- Performance – RADIUS is much lighter on your routers and switches and for this
reason alone, network engineers prefer RADIUS over TACACS+.
When should you use TACACS+?
When your priorities are security and flexibility:
- Security – TACACS+ is more secure than RADIUS. Not only is the full session
encrypted but Authorization and Authentication are done separately to prevent someone
trying to stuff their way into your network.
- Flexibility – TCP Is more flexible as a transport than UDP. You simply can
do much more with it in more advanced networks. In addition, TACACS+ supports more
of the enterprise protocols like NetBios or Appletalk. Also, the addition to prevent
certain router commands and create users with the full 15 privilege classes that cisco
is known for is a plus.
Bad news for security: most enterprise networks use RADIUS over TACACS+. Chalk one
up to habit and performance requirements.