TACACS+ and RADIUS are security protocols that you can use on network devices.
You can enable TACACS+ and RADIUS together, but TACACS+ has the higher priority. If the TACACS+ server is not available, the authentication request is sent to RADIUS (if RADIUS is enabled). However, if TACACS+ authentication fails, the request is not sent to RADIUS.
The following table lists the differences between TACACS+ and RADIUS.
| TACACS+ | RADIUS |
|---|---|
| Separates authentication, authorization and accounting (AAA). As a result, you can selectively implement one or more TACACS+ services and use a different server for each service. | Combines authentication and authorization. |
| Uses TCP. TCP is connection-oriented: it immediately indicates if a server crashes or is not running, and it acknowledges that a request has been received. | Uses UDP. UDP is best-effort delivery, so RADIUS relies on retransmit attempts and timeouts to compensate for the delivery guarantees that TCP provides. |
| Encrypts the entire body of the packet, including the username and password. | Encrypts only the password sent from the client to the server. |
| Used for administrator access, typically administrator access to network devices. | Used for subscriber access, typically to authenticate remote users to a network. |
| Can control which access level of commands a user or group can use. | Cannot control which access level of commands can be used. |
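As an added worked example of the two encryption rows above (not code from the original page): the RFC 2865 User-Password hiding that RADIUS applies to a single attribute, beside the RFC 8907 body obfuscation that TACACS+ applies to the whole packet body. The shared secret, authenticator, session id and credentials are constructed sample values.

```python
import hashlib
import struct

def radius_password(data: bytes, secret: bytes, authenticator: bytes, hide: bool = True) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (hide=True) or its reverse.
    The password is NUL-padded to a 16-byte multiple; c1 = p1 ^ MD5(S + RA),
    c_i = p_i ^ MD5(S + c_{i-1}). Only this one attribute is protected."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        xored = bytes(p ^ q for p, q in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hide else block   # chain on the ciphertext block in both directions
    return out

def radius_access_request_attrs(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request: User-Name (type 1) travels in
    clear text, User-Password (type 2) carries the hidden value from above."""
    hidden = radius_password(password, secret, authenticator)
    return (struct.pack("!BB", 1, 2 + len(user)) + user
            + struct.pack("!BB", 2, 2 + len(hidden)) + hidden)

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 section 4.5 body obfuscation: XOR the whole body with an MD5
    keystream, pad_1 = MD5(session_id | key | version | seq_no),
    pad_n = MD5(session_id | key | version | seq_no | pad_{n-1}).
    XOR is its own inverse, so the same call de-obfuscates a received body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, stream = b"", b""
    while len(stream) < len(body):
        pad = hashlib.md5(seed + pad).digest()
        stream += pad
    return bytes(p ^ q for p, q in zip(body, stream))

# Constructed sample values (not real credentials or keys).
SECRET = b"shared-secret"
AUTHENTICATOR = bytes(range(16))          # a real client uses 16 random bytes
USER, PASSWORD = b"alice", b"Pa55w0rd!"

def demo() -> dict:
    """Report which credential fields an on-path observer can read in each protocol."""
    radius = radius_access_request_attrs(USER, PASSWORD, SECRET, AUTHENTICATOR)
    tacacs = tacacs_obfuscate(USER + b"\x00" + PASSWORD, SECRET, session_id=0x1234ABCD)
    return {"radius_user_visible": USER in radius,
            "radius_password_visible": PASSWORD in radius,
            "tacacs_user_visible": USER in tacacs,
            "tacacs_password_visible": PASSWORD in tacacs}
```

Calling `demo()` returns the username as visible only in the RADIUS attributes, which is why the table describes RADIUS as encrypting only the password.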