RADIUS vs. TACACS+

Sarah Kolberg | July 4, 2024

RADIUS or TACACS+? Both protocols are used to manage user access in networks. They are also referred to as AAA protocols, because they handle authentication, authorization, and accounting of network users. Both can be linked to directory services such as LDAP or Active Directory so that access control is managed centrally, which simplifies the administration of access policies and security checks. RADIUS and TACACS+ differ in architecture, transport, and feature set, and each suits different use cases. Find out more about which protocol is better suited to your organization.

Remote Authentication Dial-In User Service (RADIUS)

RADIUS is an established standard (RFC 2865 for authentication and authorization, RFC 2866 for accounting). It is used in many companies for user logins to the Wi-Fi network (802.1X) and to VPN gateways. Central administration is also possible for distributed network structures, which makes RADIUS attractive for large companies.

How does RADIUS work?

RADIUS is based on a client-server architecture with three parties: the endpoint (the supplicant, for example a laptop joining the Wi-Fi), a network access server (NAS) such as a wireless controller, switch or VPN gateway, and the RADIUS server. The NAS is the RADIUS client, not the endpoint. The endpoint presents its credentials to the NAS, which packs them into an Access-Request (User-Name, a hidden User-Password or an EAP-Message, NAS identity, calling station, and so on) and forwards it to the RADIUS server. The server compares the data with its user database or directory and replies with Access-Accept, Access-Reject or, for multi-step methods such as EAP, Access-Challenge. Authorization data such as the VLAN to assign or a session timeout travels as attributes inside the Access-Accept. The NAS then enforces that decision and opens or refuses the network connection; the RADIUS server itself never touches the endpoint.

RADIUS uses the User Datagram Protocol (UDP) as the transport protocol, on port 1812 for authentication and 1813 for accounting (the legacy ports 1645 and 1646 are still found on older equipment). Authentication and authorization are bundled into a single request-response exchange: the Access-Accept that authenticates the user also carries the authorization attributes. Accounting is a separate Accounting-Request exchange.

How secure is RADIUS?

RADIUS only hides the User-Password attribute, and even that is obfuscation rather than encryption: the password is XORed with an MD5 keystream derived from the shared secret and the per-request Request Authenticator, so anyone who knows the shared secret can recover it from a capture. All other packet components such as the username, NAS address, calling station and accounting data are sent in clear text. Integrity of server replies rests on the Response Authenticator, an MD5 hash over the reply and the shared secret; requests carry an HMAC-MD5 Message-Authenticator attribute only where the NAS adds one (it is mandatory for EAP). Because RADIUS is based on UDP there is no connection state: packets are easy to spoof and the client has to handle retransmission itself. RADIUS is therefore more susceptible to certain network attacks than TACACS+, and the usual mitigation is to carry it over a protected transport, either RADIUS over TLS (RadSec, RFC 6614) or IPsec, rather than relying on the shared secret alone.
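To make the "only the password is hidden" point concrete, here is an added Python example that is not code from this article or from macmon. It builds an Access-Request the way a NAS would, using the RFC 2865 User-Password hiding and the Response Authenticator computation, and then checks a server reply. The shared secret, user name, password and Request Authenticator values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# Constructed value for this demonstration, not a real secret.
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    Anyone holding the shared secret can reverse this (see reveal_password)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; strips the NUL padding."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets as well."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> list:
    """Split the attribute area into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """What the NAS (the RADIUS client) sends. request_auth must be fresh
    random bytes: reusing it reuses the password keystream."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)          # clear text on the wire
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Server reply. The Response Authenticator is MD5 over the reply plus the
    shared secret; it binds the reply to the request but is not a modern MAC."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret) -> bool:
    """NAS-side check of a reply against the Request Authenticator it sent."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Running `build_access_request(7, b"alice", b"s3cret!", SHARED_SECRET)` and searching the resulting bytes shows `alice` verbatim and no trace of the password; feeding the User-Password attribute to `reveal_password` with the same secret returns it, which is exactly why the shared secret (or, better, a TLS or IPsec tunnel) is what actually protects a RADIUS exchange.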

Terminal Access Controller Access-Control System Plus (TACACS+)

TACACS+ originated as a Cisco protocol and is now documented in RFC 8907. It is particularly suitable for environments that require more control and detailed administration of user authorizations and activities, above all administrative access to routers, switches and firewalls, and it scales well as networks grow.

How does TACACS+ work?

The network device opens a TCP session to the TACACS+ server and sends an authentication START packet. Depending on the method, the server may reply with a GETUSER or GETPASS prompt that the device answers with CONTINUE packets. The server compares the login information with a database or a directory service and ends the exchange with a REPLY that grants or denies access.

After successful authentication, the network device sends an authorization request to the TACACS+ server. For device administration this happens per command: the device sends the command and its arguments (for example service=shell, cmd=show, cmd-arg=running-config), and the server answers PASS_ADD, PASS_REPL (with modified attributes) or FAIL, so the policy lives on the server and not in a list cached on the device. Accounting records for each command or session are sent in the same way. TACACS+ uses the Transmission Control Protocol (TCP), port 49, as the transport protocol. Authentication, authorization, and accounting are separate packet types and separate exchanges. This makes it possible to combine them with different back ends, for example authenticating users against a directory while the TACACS+ server alone decides which commands they may run.

How secure is TACACS+?

In contrast to RADIUS, TACACS+ protects the entire body of every packet, not just a password field: the body is XORed with an MD5-derived keystream built from the shared key, the session ID, the protocol version and the sequence number. The 12-byte header (version, type, sequence number, flags, session ID and length) remains in clear text. RFC 8907 deliberately calls this "obfuscation" rather than encryption, because it relies on MD5 and on the secrecy of the shared key and offers no integrity check; the RFC also deprecates the flag that allows unobfuscated bodies and says servers should reject such packets. TACACS+ also uses TCP, which offers reliable, in-order delivery and lets both sides notice immediately when the peer crashes or is stopped, because the connection is reset instead of requests silently timing out. Where the network path is untrusted, a TLS or IPsec tunnel between device and server is still advisable.
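The authentication START packet described above and the body obfuscation of RFC 8907 section 4.5, as an added Python example that is not code from this article or from macmon. It builds the packet as the network device would, shows that the header is readable without the key while the body is not, and implements the server-side check that rejects a packet sent with the deprecated unencrypted flag. The shared key, session ID, user name and addresses are constructed for the demonstration.

```python
import hashlib
import struct

# Constructed value for this demonstration, not a real key.
SHARED_KEY = b"example-tacacs-key"

TAC_PLUS_VERSION = (0xC << 4) | 0x0          # major version 0xc, minor 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01             # deprecated by RFC 8907
HEADER_FMT, HEADER_LEN = "!BBBBII", 12       # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); the digests are
    concatenated and truncated to the body length. seq_no is the only thing
    that separates the keystreams of successive packets in one session."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, obfuscated=True):
    """Authentication START (action LOGIN, priv_lvl 1, ASCII login, service
    LOGIN) as the network device sends it. obfuscated=False reproduces the
    deprecated clear-text mode so the two can be compared."""
    data = b""
    body = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    seq_no, flags = 1, 0
    if obfuscated:
        body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + body


def parse_header(packet: bytes) -> dict:
    """The header is never obfuscated, so this needs no key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"major": version >> 4, "minor": version & 0xF, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def is_acceptable(packet: bytes, allow_unencrypted: bool = False) -> bool:
    """Server-side policy check: well-formed length, and no clear-text bodies
    unless explicitly allowed (RFC 8907 says servers should reject them)."""
    if len(packet) < HEADER_LEN:
        return False
    h = parse_header(packet)
    if len(packet) != HEADER_LEN + h["length"]:
        return False
    if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG and not allow_unencrypted:
        return False
    return True


def decode_body(packet: bytes, key: bytes, allow_unencrypted: bool = False) -> bytes:
    """Recover the body as the server does; raises on packets is_acceptable rejects."""
    if not is_acceptable(packet, allow_unencrypted):
        raise ValueError("TACACS+ packet rejected")
    h = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    version = (h["major"] << 4) | h["minor"]
    return obfuscate(body, h["session_id"], key, version, h["seq_no"])


def parse_authen_start(body: bytes) -> dict:
    """Unpack the fixed fields and the four variable-length fields of a START body."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data}
```

With the wrong key `decode_body` returns garbage rather than an error: the keystream carries no integrity check, which is why the RFC insists on the term obfuscation and why a transport-level protection is still worth having on untrusted paths.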

RADIUS & TACACS+ in comparison

RADIUS is widely used. The standard is supported by practically every network device, access point, VPN gateway and identity platform, and is therefore comparatively easy to implement. TACACS+ is supported mainly on enterprise routers, switches and firewalls for administrative access; end-user access methods such as 802.1X Wi-Fi and VPN logins use RADIUS, so the two protocols often coexist rather than replace each other. Moving a RADIUS-based network structure to TACACS+ can bring interoperability challenges, as the protocols differ greatly. RADIUS is suitable for deployment scenarios in which simple access control is sufficient. TACACS+ has more detailed and flexible authorization functions and can be used to implement complex security policies, down to individual commands. The bundling of authentication and authorization in one exchange with the RADIUS protocol can be undesirable for far-reaching security requirements. TACACS+ completely separates the services and therefore enables detailed management and control.

However, the separation of the AAA services in TACACS+ and the comprehensive functions also entail a higher configuration and administration effort. TACACS+ offers reliable data transmission; to ensure this, the protocol requires more network and server resources, because every exchange runs inside a TCP session. TACACS+ offers more protection on the wire: while RADIUS only hides the password, TACACS+ obfuscates the entire body of every packet. Both, however, rely on MD5 and a shared secret, so neither replaces a TLS or IPsec tunnel on an untrusted path. Both protocols contribute to better network security. RADIUS is sufficient for most scenarios and offers simple implementation as well as manageable administrative effort. TACACS+ has more functions as well as security measures and therefore provides better protection for administrative access to the network, making it attractive for security-critical areas.

© macmon secure GmbH