Friday, January 31, 2014

Difference between RADIUS and TACACS+ protocols


RADIUS and TACACS+ are two AAA (authentication, authorization and accounting) protocols. The main differences between them are:

| S.No | RADIUS | TACACS+ |
|------|--------|---------|
| 1. | RADIUS uses UDP | TACACS+ uses TCP |
| 2. | RADIUS encrypts only the password transmission | TACACS+ encrypts the entire session |
| 3. | RADIUS does authentication and authorization in a single request | Separate requests for authentication and authorization |
| 4. | Limited in privilege mode | Supports 15 privilege modes. Can limit router commands based on user groups. |
| 5. | RADIUS uses an open standard | TACACS+ is proprietary to Cisco |
| 6. | Uses less memory and CPU cycles | Heavier than RADIUS |

Let's see what benefits each of them offers:

RADIUS?
So when should you use RADIUS?

When your priorities are interoperability and performance.
  • Interoperability – RADIUS is more interoperable than TACACS+, primarily due
    to the proprietary nature of Cisco's TACACS+. While TACACS+ supports more protocols,
    RADIUS is supported by, well... everyone. A good rule of thumb: use TACACS+ if you are
    a Cisco-only shop.
  • Performance – RADIUS is much lighter on your routers and switches, and for this
    reason alone network engineers prefer RADIUS over TACACS+.

TACACS+?
When should you use TACACS+?

When your priorities are security and flexibility:
  • Security – TACACS+ is more secure than RADIUS. Not only is the full session
    encrypted, but authorization and authentication are done separately to prevent someone
    from trying to stuff their way into your network.
  • Flexibility – TCP is more flexible as a transport than UDP. You simply can
    do much more with it in more advanced networks. In addition, TACACS+ supports more
    of the enterprise protocols like NetBIOS or AppleTalk. Also, the ability to block
    certain router commands and create users with the full 15 privilege classes that Cisco
    is known for is a plus.

FUN FACT:

Bad news for security: most enterprise networks use RADIUS over TACACS+. Chalk one
up to habit and performance requirements.

P.S.: The content is taken from the following link: http://blog.tevora.com/authentication/radius-vs-tacacs-2/