TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In User Service) are two primary AAA (Authentication, Authorization, and Accounting) protocols used in network access control.
TACACS+ is a Cisco-proprietary protocol that uses TCP port 49 for communication. It separates authentication, authorization, and accounting into distinct processes, providing granular control over each function. TACACS+ encrypts the entire packet payload, offering enhanced security for sensitive network environments. This protocol is particularly well-suited for device administration, allowing network administrators to control who can access network equipment and what commands they can execute.
RADIUS, on the other hand, is an open standard protocol that uses UDP ports 1812 and 1813 (or legacy ports 1645 and 1646). Unlike TACACS+, RADIUS combines authentication and authorization into a single process while keeping accounting separate. RADIUS only encrypts the password portion of the packet, leaving other information in clear text. This protocol is commonly used for network access control, such as authenticating users connecting through VPNs or wireless networks.
Key differences include transport protocol selection (TCP versus UDP), encryption scope, and the separation of AAA functions. TACACS+ provides more flexibility for command authorization on network devices, making it preferable for administrative access to routers and switches. RADIUS excels in high-volume user authentication scenarios and integrates well with various network access servers.
Both protocols work with centralized AAA servers, such as Cisco Identity Services Engine (ISE) or other authentication platforms. When implementing network access policies, organizations often deploy both protocols simultaneously - using TACACS+ for device management and RADIUS for end-user network access. Understanding these protocols is essential for CCNA candidates, as proper AAA implementation forms the foundation of secure network access control in enterprise environments.
TACACS+ and RADIUS: Complete Guide for CCNA
Why TACACS+ and RADIUS Are Important
TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In User Service) are the two primary AAA (Authentication, Authorization, and Accounting) protocols used in enterprise networks. Understanding these protocols is essential for network security implementation and is a key topic in the CCNA exam.
What Are TACACS+ and RADIUS?
TACACS+ is a Cisco-proprietary protocol that provides centralized authentication, authorization, and accounting services. It separates these three functions, allowing for granular control over network access.
RADIUS is an open-standard protocol (defined in RFC 2865) that combines authentication and authorization into a single process while keeping accounting separate. It is widely supported across multiple vendors.
How They Work
TACACS+ Operation:
- Uses TCP port 49 for reliable communication
- Encrypts the entire packet payload
- Separates AAA functions completely
- Client sends authentication request to TACACS+ server
- Server responds with accept, reject, or challenge
- Authorization and accounting handled as separate processes

RADIUS Operation:
- Uses UDP ports 1812 (authentication) and 1813 (accounting)
- Encrypts only the password field in the packet
- Combines authentication and authorization in one process
- Client sends Access-Request to RADIUS server
- Server responds with Access-Accept, Access-Reject, or Access-Challenge
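The encryption-scope difference described above is easiest to see on the wire. The following is an added example, not code from the original page: it implements the RADIUS User-Password hiding from RFC 2865 section 5.2 and the whole-body obfuscation from RFC 8907 section 4.5, then carries the same constructed login ("alice" / "s3cret!", a constructed shared secret) through each so you can check which fields a passive observer still reads in clear. The session id, version byte and packet layouts are constructed sample values.

```python
import hashlib
import os

def _radius_password_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """Chained MD5 keystream of RFC 2865 5.2: b1 = MD5(S + RA), bn = MD5(S + c(n-1))."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(p ^ k for p, k in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hiding else block  # always chain on the ciphertext block
    return bytes(out)

def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password value; every other RADIUS attribute travels in clear."""
    if not 0 < len(password) <= 128 or len(request_authenticator) != 16:
        raise ValueError("password must be 1..128 octets, authenticator exactly 16")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to a multiple of 16
    return _radius_password_xor(padded, secret, request_authenticator, hiding=True)

def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: reverse the hiding and strip the null padding."""
    return _radius_password_xor(hidden, secret, request_authenticator, hiding=False).rstrip(b"\x00")

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: XOR the whole body with pad_1 = MD5(seed), pad_n = MD5(seed + pad_n-1). Symmetric."""
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    keystream, pad = bytearray(), b""
    while len(keystream) < len(body):
        pad = hashlib.md5(seed + pad).digest()
        keystream += pad
    return bytes(b ^ k for b, k in zip(body, keystream))

def demo(secret: bytes = b"constructed-shared-secret", authenticator: bytes = b"") -> dict:
    """Constructed sample login carried by each protocol; reports what stays readable on the wire."""
    user, password = b"alice", b"s3cret!"
    ra = authenticator or os.urandom(16)  # RADIUS Request Authenticator, fresh per request
    hidden = radius_hide_password(password, secret, ra)
    # User-Name (type 1) and User-Password (type 2) attributes as type, length, value
    radius_attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    # TACACS+ Authentication START body: action=LOGIN, priv_lvl=1, authen_type=PAP, service=LOGIN,
    # user_len, port_len=0, rem_addr_len=0, data_len, then user and password (constructed sample)
    start_body = bytes([1, 1, 2, 1, len(user), 0, 0, len(password)]) + user + password
    tacacs_body = tacacs_obfuscate(start_body, secret, 0x12345678, 0xC0, 1)  # sample session, v12.0, seq 1
    return {
        "username_in_clear_radius": user in radius_attrs,
        "username_in_clear_tacacs": user in tacacs_body,
        "password_in_clear_radius": password in radius_attrs,
        "password_in_clear_tacacs": password in tacacs_body,
    }
```

Note that both schemes are MD5 keystreams keyed by the shared secret rather than modern authenticated encryption, which is why the RFCs and current deployment guidance recommend running each protocol over a protected transport and using long, unique shared secrets.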
Key Differences Summary
| Feature | TACACS+ | RADIUS |
|---------|---------|--------|
| Protocol | TCP | UDP |
| Port | 49 | 1812/1813 |
| Encryption | Full packet | Password only |
| AAA Separation | Yes | Auth+Authz combined |
| Standard | Cisco proprietary | Open standard |
| Best Use | Device administration | Network access |
Exam Tips: Answering Questions on TACACS+ and RADIUS
Tip 1: Remember the Transport Protocol
TACACS+ uses TCP (both start with T), RADIUS uses UDP. This is frequently tested.

Tip 2: Focus on Encryption Differences
TACACS+ encrypts everything; RADIUS encrypts only passwords. Questions often ask which is more secure.

Tip 3: Know the Use Cases
TACACS+ is preferred for administrative access to network devices (router/switch management). RADIUS is commonly used for end-user network access (VPN, wireless, 802.1X).

Tip 4: Port Numbers Matter
Memorize: TACACS+ = TCP 49, RADIUS = UDP 1812/1813 (legacy ports 1645/1646 may appear).

Tip 5: AAA Separation
When a question mentions needing separate control over authorization commands or per-command authorization, TACACS+ is the answer.

Tip 6: Vendor Compatibility
If the scenario involves multi-vendor environments, RADIUS is typically the better choice due to its open-standard nature.

Tip 7: Watch for Keywords
Keywords like granular control, command authorization, or full encryption point to TACACS+. Keywords like wireless, 802.1X, or multi-vendor suggest RADIUS.
Common Exam Question Patterns
1. Which protocol encrypts the entire payload? Answer: TACACS+
2. Which protocol uses TCP? Answer: TACACS+
3. Which protocol is best for 802.1X authentication? Answer: RADIUS
4. Which protocol separates all three AAA functions? Answer: TACACS+
5. Which protocol is an open standard? Answer: RADIUS