RADIUS VS TACACS+

Saturday, August 25, 2007 11:46:08 PM (Pacific Daylight Time, UTC-07:00)
by Ray Zadjmool
UP UP And Away With AAA
There are a lot of good reasons for implementing an AAA (authentication, authorization, and accountability) solution in your network - not the least of which is to make the management of user accounts easier.

The idea behind a RADIUS or TACACS+ server is simple – a central authentication server that routers, switches, even servers can use to authenticate logons. Think of the advantages that a central user directory brings for authentication, auditing, and access control in a client-server model, and you have your justification for RADIUS or TACACS+ for your network's infrastructure.


RADIUS VS TACACS+

Ok. So what to use? Well, in order to make that choice you need to understand some of the differences between RADIUS and TACACS+.
Five things you need to know about RADIUS vs TACACS+
  • RADIUS uses UDP
  • TACACS+ uses TCP

  • RADIUS encrypts only the password during transmission
  • TACACS+ encrypts the entire session

  • RADIUS combines authentication (device) and authorization (user)
  • TACACS+ separates authentication, authorization, and accountability

  • RADIUS is limited in its privilege mode
  • TACACS+ supports 15 privilege modes. In addition, you can limit router commands based on user groups.

  • RADIUS is an open standard and therefore more interoperable than TACACS+
  • TACACS+ is proprietary to Cisco

  • RADIUS uses less memory and CPU cycles on your routers
  • TACACS+ is heavier than RADIUS

RADIUS?
So when should you use RADIUS?
When your priorities are interoperability and performance.
  • Interoperability - RADIUS is more interoperable than TACACS+, primarily due to the proprietary nature of Cisco’s TACACS+. While TACACS+ supports more protocols, RADIUS is supported by, well, everyone. A good rule of thumb: TACACS+ if you are a Cisco-only shop.
  • Performance – RADIUS is much lighter on your routers and switches, and for this reason alone many network engineers prefer RADIUS over TACACS+.
TACACS+?
When should you use TACACS+?
When your priorities are security and flexibility:
  • Security - TACACS+ is more secure than RADIUS. Not only is the full session encrypted, but authentication and authorization are done separately, which makes it harder for someone to stuff their way into your network.
  • Flexibility - TCP is more flexible as a transport than UDP. You simply can do much more with it in more advanced networks. In addition, TACACS+ supports more of the enterprise protocols like NetBIOS or AppleTalk. Also, the ability to restrict certain router commands and to create users with the full 15 privilege levels that Cisco is known for is a plus.
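To make the "RADIUS encrypts only the password" versus "TACACS+ encrypts the entire session" bullets concrete, here is an added example (not code from the original post, and not from any vendor's RADIUS or TACACS+ implementation) that builds the credential-carrying part of each protocol's first packet the way the RFCs describe it: RFC 2865 section 5.2 for hiding the RADIUS User-Password, and RFC 8907 section 4.5 for the TACACS+ body obfuscation. It then checks which fields a passive observer on the wire can read without the shared secret. The shared secret, user name, password, NAS address and TACACS+ session id are constructed demo values; `compare_exposure` and the other function names are this example's own.

```python
import hashlib
import os
import struct
from typing import Dict, Optional

# Constructed demo value; not a real shared secret.
DEMO_SECRET = b"constructed-shared-secret"

# RADIUS attribute types used below (RFC 2865 section 5).
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Hide a User-Password value as RFC 2865 section 5.2 specifies.

    The password is NUL-padded to a multiple of 16 octets and each block is XORed
    with MD5(secret + previous block), where the first 'previous block' is the
    16-octet Request Authenticator from the packet header.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block  # chaining uses the hidden block, not the plaintext
    return bytes(out)


def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does); strips NUL padding."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")


def radius_access_request_attrs(secret: bytes, request_authenticator: bytes,
                                username: bytes, password: bytes, nas_ip: str) -> bytes:
    """Attribute TLVs of an Access-Request as they follow the header on the wire."""
    def tlv(attr_type: int, value: bytes) -> bytes:
        return bytes([attr_type, len(value) + 2]) + value
    return (tlv(ATTR_USER_NAME, username)
            + tlv(ATTR_USER_PASSWORD, radius_hide_password(secret, request_authenticator, password))
            + tlv(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))


def radius_parse_attrs(wire: bytes) -> Dict[int, bytes]:
    """Parse the TLVs with no secret at all: everything but User-Password is readable."""
    attrs, i = {}, 0
    while i < len(wire):
        attr_type, length = wire[i], wire[i + 1]
        if length < 2 or i + length > len(wire):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = wire[i + 2:i + length]
        i += length
    return attrs


# TACACS+ (RFC 8907). Version octet 0xC0 = major version 0xC, minor version 0.
TAC_PLUS_VERSION = 0xC0


def tacacs_authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Body of an authentication START packet (RFC 8907 section 5.1) before obfuscation.
    Fixed fields: action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1);
    for PAP the data field carries the password."""
    return (bytes([1, 1, 2, 1, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the whole body with the MD5 pseudo-pad of RFC 8907 section 4.5.

    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_(n-1))
    Applying the function twice restores the body, since XOR is its own inverse.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def compare_exposure(username: bytes, password: bytes,
                     request_authenticator: Optional[bytes] = None) -> Dict[str, bool]:
    """Which credential fields a passive observer can read from each protocol's bytes."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    radius_wire = radius_access_request_attrs(DEMO_SECRET, request_authenticator,
                                              username, password, "192.0.2.10")
    body = tacacs_authen_start_body(username, b"tty0", b"192.0.2.10", password)
    tacacs_wire = tacacs_obfuscate(DEMO_SECRET, 0x12345678, TAC_PLUS_VERSION, 1, body)
    return {
        "radius_username_visible": username in radius_wire,
        "radius_password_visible": password in radius_wire,
        "tacacs_username_visible": username in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
    }
```

Running `compare_exposure(b"alice", b"Sup3rSecret!")` reports the RADIUS user name (and the NAS address) as readable on the wire while only the password value is hidden, whereas nothing in the TACACS+ body is readable without the key. Two caveats worth keeping in mind: `radius_reveal_password` strips trailing NULs, so it is not exact for a password that itself ends in a NUL octet, and both schemes are MD5-based obfuscation rather than modern encryption, which is why later work (RadSec over TLS in RFC 6614, and the security considerations of RFC 8907) recommends carrying either protocol inside a secure transport.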


FUN FACT:
Bad news for security: most enterprise networks use RADIUS over TACACS+. Chalk one up to habit and performance requirements.