RADIUS and TACACS+

AAA protocols for centralized authentication, authorization, and accounting of network access and device administration

Authentication, Authorization, and Accounting (AAA) Protocols

Both RADIUS and TACACS+ are AAA protocols that centralize network access control - think of them as the security checkpoint for your network infrastructure.

  • Authentication: “Who are you?” - Verifies user identity
  • Authorization: “What can you do?” - Determines user permissions
  • Accounting: “What did you do?” - Logs user activities for auditing

Protocol Comparison

Feature             | RADIUS                                | TACACS+
--------------------|---------------------------------------|-----------------------
Transport Protocol  | UDP (ports 1812/1813)                 | TCP (port 49)
Encryption          | Password only                         | Entire packet
AAA Functions       | Combined Auth/Authz                   | Separates all three
Packet Types        | 4 types                               | 6 types
Vendor              | Open standard (RFC 2865)              | Cisco proprietary
Primary Use         | Network access (dial-up, wireless)    | Device administration
Reliability         | Less reliable (UDP)                   | More reliable (TCP)

RADIUS (Remote Authentication Dial-In User Service)

Key Characteristics

  • UDP-based protocol - faster but less reliable than TCP
  • Hides only the User-Password attribute in Access-Request packets; every other attribute, including the user name, travels in the clear (security limitation)
  • Combines authentication and authorization in a single process
  • Port 1812 for authentication, port 1813 for accounting
  • Originally designed for dial-up access (hence the name), now used for wireless, VPN, and switch port access

RADIUS Packet Flow

  • Access-Request → Client sends credentials to RADIUS server
  • Access-Accept → Server grants access with authorization attributes
  • Access-Reject → Server denies access
  • Access-Challenge → Server requests additional information (used for multi-factor authentication)
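The request/accept/reject exchange above can be traced in code. The Python script below is an added example, not code from the original page or from any RADIUS implementation: it builds an Access-Request with the User-Password hiding defined in RFC 2865, lets a toy server answer with Access-Accept or Access-Reject, and verifies the Response Authenticator on the client side (Access-Challenge is not modelled). The user name, password, NAS address and shared secret are constructed demo values.

```python
import hashlib
import secrets
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server computes it (strips NUL padding)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs_bytes: bytes) -> bytes:
    """20-byte header (Code, Identifier, Length, Authenticator) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def build_access_request(username: bytes, password: bytes, secret: bytes, nas_ip: str,
                         ident: int = 1, request_auth: bytes = None) -> bytes:
    # The Request Authenticator is a random nonce, not a MAC: a plain Access-Request
    # carries nothing that proves the sender knows the shared secret.
    ra = request_auth or secrets.token_bytes(16)
    attrs_bytes = (attr(USER_NAME, username)
                   + attr(USER_PASSWORD, hide_password(password, secret, ra))
                   + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs_bytes)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs_bytes: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy server: recover the password, answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("unexpected packet")
    ra = request[4:20]
    attrs = parse_attrs(request[20:length])
    user, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD, b"")
    ok = user in user_db and reveal_password(hidden, secret, ra) == user_db[user]
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # a real server would add authorization attributes (VLAN, ACL, ...)
    auth = response_authenticator(reply_code, ident, ra, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def client_verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """The NAS trusts a reply only if the Response Authenticator matches its request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    return reply[4:20] == expected


if __name__ == "__main__":
    secret = b"constructed-demo-shared-secret"  # constructed value, not a real deployment's
    req = build_access_request(b"alice", b"hunter2", secret, "10.0.0.5", request_auth=bytes(range(16)))
    print("User-Name readable on the wire:", b"alice" in req)   # True
    print("password readable on the wire:", b"hunter2" in req)  # False
    reply = server_handle(req, secret, {b"alice": b"hunter2"})
    print("reply code:", reply[0], "authentic:", client_verify_reply(reply, req, secret))
```

Running it makes the "password only" row of the comparison table concrete: the User-Name attribute is readable in the request bytes while the password is not, and the only thing binding a reply to the shared secret is the Response Authenticator, which is why a reply computed with the wrong secret is rejected by the NAS.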

Real-World Use Cases

  • Wireless networks (WPA2-Enterprise with 802.1X)
  • VPN authentication
  • Network Access Control (NAC) solutions
  • ISP dial-up and broadband authentication

TACACS+ (Terminal Access Controller Access-Control System Plus)

Key Characteristics

  • TCP-based protocol (port 49) - provides reliable delivery
  • Encrypts the entire packet body (stronger than RADIUS, which hides only the password)
  • Separates AAA functions - each can be handled by different servers
  • Cisco proprietary but widely supported
  • Designed specifically for device administration and command authorization

TACACS+ Advantages

  • Granular command authorization - can authorize specific commands per user
  • Reliable transport - TCP ensures packet delivery
  • Better security - full packet encryption prevents eavesdropping
  • Flexible deployment - can separate AAA servers for different functions
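What "full packet encryption" means on the wire can be seen by building one TACACS+ packet. The Python below is an added example, not code from the page or from any TACACS+ server: it implements the MD5 pseudo-pad obfuscation from RFC 8907 section 4.5 and wraps a constructed authorization request (user, port and the command being checked). The key, session id, user name and command are constructed demo values.

```python
import hashlib
import struct

# Header constants from RFC 8907 (the TACACS+ specification)
TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated
    and truncated to the body length."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    # XOR is its own inverse, so the same call obfuscates and de-obfuscates.
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request_body(user: bytes, port: bytes, rem_addr: bytes,
                              args: list, priv_lvl: int = 1) -> bytes:
    """Authorization REQUEST body: fixed fields, arg lengths, then the strings."""
    authen_method = 0x06   # TAC_PLUS_AUTHEN_METH_TACACSPLUS
    authen_type = 0x01     # TAC_PLUS_AUTHEN_TYPE_ASCII
    authen_service = 0x01  # TAC_PLUS_AUTHEN_SVC_LOGIN
    fixed = bytes([authen_method, priv_lvl, authen_type, authen_service,
                   len(user), len(port), len(rem_addr), len(args)])
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """12-byte header in the clear; body XORed with the pseudo-pad unless key is empty."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    wire_body = body if not key else xor_body(body, key, session_id, TAC_PLUS_VERSION, seq_no)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet: bytes, key: bytes):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if len(packet) != HEADER_LEN + length:
        raise ValueError("length field does not match packet size")
    wire_body = packet[HEADER_LEN:]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body
    else:
        # No integrity tag: a wrong key yields garbage rather than an error,
        # which the receiver only notices when the body fails to parse.
        body = xor_body(wire_body, key, session_id, version, seq_no)
    header = {"version": version, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id}
    return header, body


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value
    body = build_author_request_body(b"junior-admin", b"tty1", b"10.0.0.9",
                                     [b"service=shell", b"cmd=configure", b"cmd-arg=terminal"])
    pkt = build_packet(TAC_PLUS_AUTHOR, 1, 0x1234ABCD, body, key)
    print("user name readable on the wire:", b"junior-admin" in pkt)   # False
    print("command readable on the wire:", b"cmd=configure" in pkt)    # False
    print("round trip ok:", parse_packet(pkt, key)[1] == body)         # True
```

Only the 12-byte header stays readable; the body, including the user name and the command being authorized, is XORed with the keystream. RFC 8907 itself calls this mechanism obfuscation rather than encryption, and there is no integrity tag, so the shared secret and a protected management network are still doing the real work.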

Command Authorization Example

! Local privilege levels on a Cisco IOS device; with TACACS+ the server returns
! the privilege level (and per-command decisions) at login instead
! User "junior-admin" can only use show commands
username junior-admin privilege 1
! User "senior-admin" can use configuration commands
username senior-admin privilege 15

Vocabulary

AAA: Authentication, Authorization, and Accounting - the three pillars of network access control

NAS (Network Access Server): The device (router, switch, wireless controller) that forwards authentication requests to the AAA server

Shared Secret: Pre-configured password known to both the NAS and the AAA server, used to encrypt communication between them

RADIUS Client: The network device (NAS) that sends authentication requests - not the end user

Privilege Levels: Cisco’s 0-15 authorization levels (0=minimal access, 15=full admin access)


Implementation Considerations

When to Use RADIUS

  • Wireless network authentication (most common modern use)
  • Large number of concurrent users
  • Standards-based environment (multi-vendor)
  • Network access control scenarios

When to Use TACACS+

  • Administrative access to network devices
  • Granular command authorization required
  • High-security environments (government/military installations)
  • Cisco-centric infrastructure

Deployment Best Practices

  • Always use backup AAA servers - single point of failure otherwise
  • Configure local fallback authentication for emergency access
  • Use strong shared secrets (minimum 22 characters recommended)
  • Implement accounting for compliance and troubleshooting
  • Consider network latency when placing AAA servers
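The first four practices above can be checked mechanically against a device configuration. The Python below is an added example, not from the page or from any vendor tool: it parses an IOS-style AAA snippet (assumed syntax: `tacacs server` / `radius server` blocks with `key` lines, `aaa authentication login`, `aaa accounting`) and reports a missing backup server, a shared secret shorter than 22 characters, a login method list without local fallback, and absent accounting. Both configuration snippets are constructed for the example; the server names, addresses and keys are not real.

```python
import re

MIN_SECRET_LEN = 22  # the recommendation given in the list above

# Constructed IOS-style snippet with several of the weaknesses the list warns about
WEAK_CONFIG = """\
aaa new-model
tacacs server ISE-1
 address ipv4 10.0.0.11
 key s3cret
aaa group server tacacs+ ADMIN-AAA
 server name ISE-1
aaa authentication login default group ADMIN-AAA
aaa authorization exec default group ADMIN-AAA
"""

# Constructed snippet that follows the recommendations (keys are 29 characters)
HARDENED_CONFIG = """\
aaa new-model
tacacs server ISE-1
 address ipv4 10.0.0.11
 key 0 Kx7!pQ2#vL9mNz4@Rt6^Wb8&Yc3Jd
tacacs server ISE-2
 address ipv4 10.0.0.12
 key 0 Hn5$Gq8*Zp1!Mv4@Tk7&Rb2^Xc9Lw
aaa group server tacacs+ ADMIN-AAA
 server name ISE-1
 server name ISE-2
aaa authentication login default group ADMIN-AAA local
aaa authorization exec default group ADMIN-AAA local
aaa authorization commands 15 default group ADMIN-AAA local
aaa accounting commands 15 default start-stop group ADMIN-AAA
"""


def parse_servers(lines):
    """Collect 'tacacs server X' / 'radius server X' blocks and their key lines."""
    servers, current = {}, None
    for line in lines:
        m = re.match(r"^(tacacs|radius) server (\S+)\s*$", line)
        if m:
            current = m.group(2)
            servers[current] = {"proto": m.group(1), "key": None, "key_type": None}
        elif line.startswith(" ") and current is not None:
            m = re.match(r"^\s*key(?: (\d))? (\S+)\s*$", line)
            if m:
                servers[current]["key"] = m.group(2)
                servers[current]["key_type"] = m.group(1) or "0"  # no type == type 0 (plaintext)
        else:
            current = None  # any other top-level line ends the server block
    return servers


def audit_aaa_config(config: str) -> list:
    """Return a list of findings; an empty list means the checked practices are met."""
    lines = config.splitlines()
    findings = []
    servers = parse_servers(lines)
    if len(servers) < 2:
        findings.append(f"only {len(servers)} AAA server(s) defined: no backup server")
    for name, s in servers.items():
        if s["key"] is None:
            findings.append(f"{name}: no shared secret configured")
        elif s["key_type"] == "7":
            # Type 7 is reversibly encoded, so the config file still reveals the secret
            findings.append(f"{name}: shared secret stored as type 7 (reversible); length not checked")
        elif len(s["key"]) < MIN_SECRET_LEN:
            findings.append(f"{name}: shared secret is {len(s['key'])} characters, below {MIN_SECRET_LEN}")
    login_lines = [l for l in lines if l.startswith("aaa authentication login ")]
    if not login_lines:
        findings.append("no 'aaa authentication login' method list")
    for l in login_lines:
        if not re.search(r"\blocal\b", l):
            findings.append(f"no local fallback in: {l.strip()}")
    if not any(l.startswith("aaa accounting ") for l in lines):
        findings.append("no 'aaa accounting' configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_aaa_config(cfg) or 'no findings'}")
```

The latency item is a placement decision rather than a configuration line, so it is not checked here. The type 7 finding connects to the note further down about shared secrets living in configuration files: a reversibly encoded key protects nothing once the configuration leaks.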

Notes

  • Critical Rule: If the AAA server is unreachable, device behavior depends on configuration - it can either deny all access or fall back to local authentication
  • RADIUS uses UDP which means no guaranteed delivery - packets can be lost during network congestion
  • TACACS+ command authorization creates significant processing overhead - consider performance impact
  • With both protocols the shared secret is stored in the device configuration file - protect device configurations accordingly
  • Modern deployments often use both: RADIUS for user access (wireless/VPN) and TACACS+ for administrative access
  • 802.1X implementations typically use RADIUS with EAP (Extensible Authentication Protocol) for enhanced security
  • Exam Tip: Remember the transport protocols - RADIUS uses UDP, TACACS+ uses TCP (more reliable for critical admin access)