What is the difference between TACACS+ and RADIUS?
- TACACS+ encrypts the entire packet and RADIUS does not.
- TACACS+ uses UDP transport protocol and RADIUS uses TCP.
- RADIUS is defined by Cisco and TACACS+ is RFC 2865.
- RADIUS encrypts the entire packet and TACACS+ does not.
EXPLANATION
TACACS+ uses Transmission Control Protocol (TCP) port 49 to communicate between the TACACS+ client and the TACACS+ server. An example is a Cisco switch authenticating and authorizing administrative access to the switch’s IOS CLI. The switch is the TACACS+ client, and Cisco Secure ACS is the server.
One of the key differentiators of TACACS+ is its ability to treat authentication, authorization and accounting as separate, independent functions. This is why TACACS+ is so commonly used for device administration, even though RADIUS is still certainly capable of providing device administration AAA.
Device administration can be very interactive in nature, with the need to authenticate once, but authorize many times during a single administrative session in the command-line of a device. A router or switch may need to authorize a user’s activity on a per-command basis. TACACS+ is designed to accommodate that type of authorization need. As the name describes, TACACS+ was designed for device administration AAA, to authenticate and authorize users into mainframe and Unix terminals, and other terminals or consoles.
TACACS+ communication between the client and server uses different message types depending on the function. In other words, different messages may be used for authentication than are used for authorization and accounting. Another important point is that TACACS+ communication encrypts the entire packet.
TACACS+ encrypts the entire packet and RADIUS does not.
RADIUS encrypts the entire packet and TACACS+ does not.
Which statement is true?