TACACS+ and RADIUS differences

TACACS+ and RADIUS are security protocols that you can use on network devices.

You can enable TACACS+ and RADIUS together, but TACACS+ has the higher priority. If the TACACS+ server is not available, the authentication request is sent to RADIUS (if RADIUS is enabled). If TACACS+ authentication fails, however, the request is not sent to RADIUS.

The following table lists the differences between TACACS+ and RADIUS.

| TACACS+ | RADIUS |
| --- | --- |
| Separates authentication, authorization and accounting (AAA). As a result, you can selectively implement one or more TACACS+ services, and you can use a different server for each service. | Combines authentication and authorization. |
| Uses TCP. TCP is connection-oriented: it immediately indicates if a server crashes or is not running, and it acknowledges that a request has been received. | Uses UDP. UDP is best-effort delivery, so RADIUS uses re-transmit attempts and timeouts to make up for the delivery guarantees that TCP provides. |
| Encrypts the entire body of the packet, including the username and the password. | Encrypts only the password, from the client to the server. |
| Used for administrator access, usually for administrator access to network devices. | Used for subscriber access, usually to authenticate remote users to a network. |
| Can control which access level of commands a user or group can use. | Cannot control which access level of commands can be used. |
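The "encrypts the entire body" versus "encrypts only the password" difference is easiest to see on the wire. The following Python example is added here and is not code from the page or from any vendor implementation: it builds a RADIUS Access-Request (RFC 2865 User-Password hiding) and a TACACS+ authentication START packet (RFC 8907 body obfuscation) and then checks which fields a passive observer without the shared secret can read directly. The shared secret, username, password, Request Authenticator, session ID and port/remote-address strings are all constructed sample values.

```python
"""Added example (not from the page): how a RADIUS Access-Request and a
TACACS+ authentication START packet hide credentials on the wire.
RADIUS (RFC 2865 s5.2) hides only the User-Password attribute; the User-Name
attribute travels in the clear. TACACS+ (RFC 8907 s4.5) obfuscates the whole
body, so the username is hidden as well. Both schemes XOR the data with an
MD5-derived pad keyed by the shared secret. All secrets and identities below
are constructed sample values."""
import hashlib
import struct

SHARED_SECRET = b"example-shared-secret"          # constructed
USERNAME = b"alice"                               # constructed
PASSWORD = b"correct horse"                       # constructed
REQ_AUTHENTICATOR = bytes(range(16))              # constructed; a real one is random
SESSION_ID = 0x1234ABCD                           # constructed TACACS+ session id
TACACS_VERSION = 0xC0                             # major version 0xC, minor version 0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01                  # RFC 8907 header flag


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, pad))


# ---- RADIUS: only the User-Password attribute is hidden ----
def radius_password_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; each block is XORed with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_password_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_password_hide; the server does this with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value


def build_radius_access_request(username, password, secret, authenticator, identifier=1) -> bytes:
    attrs = radius_attr(1, username)                                               # User-Name, cleartext
    attrs += radius_attr(2, radius_password_hide(password, secret, authenticator))  # User-Password, hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs  # Code 1 = Access-Request


# ---- TACACS+: the whole body is obfuscated ----
def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(... |pad_{n-1})."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """XOR the body with the pad; applying it twice restores the body."""
    return _xor(body, tacacs_pad(session_id, key, TACACS_VERSION, seq_no, len(body)))


def build_tacacs_authen_start(username: bytes, password: bytes) -> bytes:
    """Authentication START body for PAP: action LOGIN(1), priv_lvl 1, authen_type PAP(2),
    authen_service LOGIN(1), then the four length bytes and the variable fields."""
    port, rem_addr = b"tty0", b"198.51.100.7"   # constructed
    fixed = struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    return fixed + username + port + rem_addr + password


def build_tacacs_packet(body: bytes, session_id: int, key: bytes, obfuscate: bool = True) -> bytes:
    """12-byte header: version, type (1 = authentication), seq_no, flags, session_id, length."""
    flags = 0 if obfuscate else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", TACACS_VERSION, 1, 1, flags, session_id, len(body))
    return header + (tacacs_obfuscate(body, session_id, key) if obfuscate else body)


def wire_visibility() -> dict:
    """What a passive observer without the shared secret can read directly."""
    radius = build_radius_access_request(USERNAME, PASSWORD, SHARED_SECRET, REQ_AUTHENTICATOR)
    start = build_tacacs_authen_start(USERNAME, PASSWORD)
    tacacs = build_tacacs_packet(start, SESSION_ID, SHARED_SECRET)
    tacacs_nokey = build_tacacs_packet(start, SESSION_ID, SHARED_SECRET, obfuscate=False)
    return {
        "radius_username": USERNAME in radius,        # True: RADIUS leaves User-Name readable
        "radius_password": PASSWORD in radius,        # False: User-Password is hidden
        "tacacs_username": USERNAME in tacacs,        # False: whole body obfuscated
        "tacacs_password": PASSWORD in tacacs,        # False
        "tacacs_unencrypted_flag_username": USERNAME in tacacs_nokey,  # True: the flag disables obfuscation
    }


if __name__ == "__main__":
    for field, readable in wire_visibility().items():
        print(f"{field}: {'readable' if readable else 'hidden'}")
```

Two caveats worth keeping in mind when reading the result: both mechanisms are shared-secret XOR constructions over MD5 rather than authenticated encryption, so the "encryption" column of the table describes confidentiality of the listed fields only; and a TACACS+ header with TAC_PLUS_UNENCRYPTED_FLAG set (typically a device configured without a key) sends the entire body in cleartext, which the last entry of the returned dictionary shows.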