- TACACS+ encrypts the entire packet and RADIUS does not.
- TACACS+ uses UDP transport protocol and RADIUS uses TCP.
- RADIUS is defined by Cisco and TACACS+ is RFC 2865.
- RADIUS encrypts the entire packet and TACACS+ does not.
EXPLANATION
TACACS+ uses Transmission Control Protocol (TCP) port 49 to
communicate between the TACACS+ client and the TACACS+ server. An
example is a Cisco switch authenticating and authorizing administrative
access to the switch's IOS CLI. The switch is the TACACS+ client, and
Cisco Secure ACS is the server.

One of the key differentiators of TACACS+ is its ability to treat
authentication, authorization and accounting as separate and
independent functions. This is why TACACS+ is so commonly used for
device administration, even though RADIUS is still certainly capable of
providing device administration AAA.

Device administration can be very interactive in nature, with the need
to authenticate once, but authorize many times during a single
administrative session in the command line of a device. A router or
switch may need to authorize a user's activity on a per-command basis.
TACACS+ is designed to accommodate that type of authorization need. As
the name describes, TACACS+ was designed for device administration AAA,
to authenticate and authorize users into mainframe and Unix terminals,
and other terminals or consoles.

TACACS+ communication between the client and server uses different
message types depending on the function. In other words, different
messages may be used for authentication than are used for authorization
and accounting. Another very interesting point to know is that TACACS+
communication will encrypt the entire packet.
SOURCE
http://www.networkworld.com/article/2838882/radius-versus-tacacs.html