Prerequisite – TACACS+ and RADIUS
To provide centralised management of authentication, authorization and accounting (the AAA framework), an Access Control Server (ACS) is used. Two protocols carry the traffic between the AAA client (the network device) and the ACS server: TACACS+ and RADIUS.
Terminal Access Controller Access-Control System Plus (TACACS+) is a Cisco proprietary protocol (its current form is documented in RFC 8907) used between a Cisco client and a Cisco ACS server. It runs over TCP port 49, so delivery is reliable and connection-oriented.
Remote Authentication Dial-In User Service (RADIUS) is an open standard protocol (RFC 2865 for authentication and authorization, RFC 2866 for accounting) used between an AAA client from any vendor and an ACS server. If either the client or the server comes from a vendor other than Cisco, RADIUS must be used. It runs over UDP, using port 1812 for authentication and authorization and port 1813 for accounting (older implementations use 1645 and 1646).
The process is started by the Network Access Device (NAD, the TACACS+ or RADIUS client). The NAD contacts the server and sends the user's credentials for authentication. With TACACS+ the exchange is interactive: the NAD sends an authentication START, the server answers with a REPLY asking for the username, the NAD returns it in a CONTINUE, the server then asks for the password, and the NAD sends that in a further CONTINUE. With RADIUS the NAD collects the username and password itself and sends both in a single Access-Request.
If the credentials are valid the server replies with a pass (a TACACS+ REPLY with status PASS, or a RADIUS Access-Accept); otherwise it returns a fail (a TACACS+ REPLY with status FAIL, or a RADIUS Access-Reject). Authorization and accounting then differ between the two protocols: RADIUS combines authentication and authorization, because the Access-Accept itself carries the authorization attributes, whereas TACACS+ runs authorization and accounting as separate sessions.
|TACACS+|RADIUS|
|---|---|
|Cisco proprietary protocol|Open standard protocol|
|Uses TCP as the transport protocol|Uses UDP as the transport protocol|
|Uses TCP port 49|Uses UDP port 1812 for authentication and authorization and 1813 for accounting|
|Authentication, authorization and accounting are separate|Authentication and authorization are combined|
|The entire packet body is obfuscated with the shared key; only the 12-byte header is cleartext|Only the password is obfuscated; the username, accounting information etc. are sent in cleartext|
|Preferred protocol on Cisco ACS for device administration|Primary protocol on Cisco ISE for network access (ISE also supports TACACS+ for device administration)|
|More granular control: individual commands can be authorized|No external authorization of commands supported|
|Multiprotocol support|No multiprotocol support|
|Used for device administration|Used for network access|
Advantages (TACACS+ over RADIUS) –
- TACACS+ uses TCP, so it is more reliable than RADIUS: lost segments are retransmitted by the transport, and a dead server shows up as a failed connection rather than a silent timeout.
- TACACS+ provides per-command authorization, while RADIUS supports no external authorization of commands.
- TACACS+ obfuscates the entire packet body, while RADIUS hides only the password, so TACACS+ leaks less to anyone sniffing the link. Note that neither is modern encryption: both XOR the data with an MD5 keystream derived from the shared secret, so the transport itself should be protected (IPsec, or for RADIUS, RadSec, i.e. RADIUS over TLS per RFC 6614), and a TACACS+ client with no shared key configured sends the body unobfuscated with the header's unencrypted flag set.
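The exchange described above and the "all packets are encrypted" claim, as an added example that is not part of the original article: Python code that builds a RADIUS Access-Request (RFC 2865) and a TACACS+ authentication START plus CONTINUE (RFC 8907) with the same credentials, then checks which credential fields are readable on the wire. The shared key, username, password, port, remote address, Request Authenticator and session id are constructed sample values (a real client draws the authenticator and session id at random); the packet layouts and the password-hiding and pseudo-pad computations follow the two RFCs.

```python
import hashlib
import struct

# Constructed sample values (assumptions for this example, not real deployment data)
SHARED_SECRET = b"example-shared-key"
USERNAME = b"netadmin"
PASSWORD = b"Cisco123!"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real RADIUS client picks 16 random bytes
SESSION_ID = 0x1A2B3C4D                    # a real TACACS+ client picks this at random

# ---- RADIUS (RFC 2865): only the User-Password attribute is hidden ----

def radius_hide_password(secret, authenticator, password):
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each block with MD5(secret + previous
    block); the first 'previous block' is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before hiding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def radius_reveal_password(secret, authenticator, hidden):
    """Inverse of radius_hide_password (what the server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_access_request(secret, identifier, authenticator, username, password):
    """Code 1 (Access-Request) with User-Name (type 1) and User-Password (type 2)."""
    attrs = bytes([1, 2 + len(username)]) + username          # User-Name: cleartext
    hidden = radius_hide_password(secret, authenticator, password)
    attrs += bytes([2, 2 + len(hidden)]) + hidden              # User-Password: hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

# ---- TACACS+ (RFC 8907): everything after the 12-byte header is obfuscated ----

TAC_HEADER = "!BBBBII"   # version, type, seq_no, flags, session_id, body length
TAC_AUTHEN = 1           # packet type: authentication
TAC_VERSION = 0xC0       # major version 0xc, minor version 0

def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def tacacs_authen_start(session_id, key, username, port=b"tty0", rem_addr=b"192.0.2.10"):
    """Authentication START (client seq_no 1): ASCII login at privilege level 15. With
    ASCII login the password follows in a CONTINUE after the server's REPLY asks for it."""
    seq_no, flags = 1, 0   # header flags 0: body obfuscated (0x01 would mean cleartext body)
    action, priv_lvl, authen_type, service, data = 1, 15, 1, 1, b""   # LOGIN, 15, ASCII, LOGIN
    body = struct.pack("!8B", action, priv_lvl, authen_type, service,
                       len(username), len(port), len(rem_addr), len(data))
    body += username + port + rem_addr + data
    header = struct.pack(TAC_HEADER, TAC_VERSION, TAC_AUTHEN, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(session_id, key, TAC_VERSION, seq_no, body)

def tacacs_authen_continue(session_id, key, user_msg, seq_no=3):
    """Authentication CONTINUE carrying the password as user_msg (RFC 8907 s5.3)."""
    data, flags = b"", 0
    body = struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data
    header = struct.pack(TAC_HEADER, TAC_VERSION, TAC_AUTHEN, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(session_id, key, TAC_VERSION, seq_no, body)

def wire_visibility():
    """Which credential fields could a passive sniffer read from each exchange?"""
    rad = radius_access_request(SHARED_SECRET, 7, REQUEST_AUTHENTICATOR, USERNAME, PASSWORD)
    tac = (tacacs_authen_start(SESSION_ID, SHARED_SECRET, USERNAME)
           + tacacs_authen_continue(SESSION_ID, SHARED_SECRET, PASSWORD))
    return {
        "radius": {"username_visible": USERNAME in rad, "password_visible": PASSWORD in rad},
        "tacacs": {"username_visible": USERNAME in tac, "password_visible": PASSWORD in tac},
    }

if __name__ == "__main__":
    print(wire_visibility())
```

Running it reports the username readable in the RADIUS request but not in the TACACS+ packets, and the password readable in neither. Two points worth noting from the code: both protocols protect data only with an MD5 keystream XOR under the shared secret, which is why the RFCs call it hiding or obfuscation rather than encryption, and the TACACS+ header (version, sequence number, flags, session id, length) is always cleartext, so a sniffer can still see the session structure.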
Advantages (RADIUS over TACACS+) –
- RADIUS is an open standard, so it can be used with devices from any vendor, whereas TACACS+ originated as a Cisco proprietary protocol and is mainly used with Cisco devices.
- RADIUS has more extensive accounting support than TACACS+.