| RADIUS |
TACACS+ |
| RADIUS stands for Remote Authentication Dial-In User Service. |
TACACS+ is an abbreviation of Terminal Access Controller Access-Control System Plus. |
| Documented in RFC 2865. |
Described in RFC 1492. |
| RADIUS uses User Datagram Protocol (UDP) as Transport Layer Protocol. |
TACACS+ uses Transmission Control Protocol (TCP) as Transport Layer Protocol. |
| RADIUS uses UDP port 1812 or 1645 for authentication and port 1813 or 1646 for accounting. |
TACACS uses TCP port 49 to communicate between the client and server. |
| RADIUS provides no support for the external authorization of commands. |
TACACS+ provides control over the authorization of commands, allowing granular control. |
| RADIUS encrypts passwords only, leaving other information unencrypted. |
TACACS+ encrypts all packets. |
| RADIUS bundles authentication and authorization, making it impossible to perform them separately. Accounting can be used separately. |
TACACS+ separates Authentication, Authorization, and Accounting, making it possible to use different protocols for authentication and authorization or accounting. |
| RADIUS does not support command accounting. |
TACACS+ supports command accounting. |
| RADIUS is an open-standard protocol that works with virtually all modern devices. |
TACACS+ is Cisco’s proprietary protocol and works with Cisco devices only. |
| RADIUS supports only one privilege level (limited to privilege mode) |
TACACS+ supports multiple privilege levels. |
| RADIUS supports 802.1x. port-based network access control |
TACACS+ does not support 802.1x port-based network access control. |
| RADIUS is mainly a network access protocol. |
TACACS+ is mainly used for device administration using Access Control Server (ACS) servers. |
| RADIUS has no multiprotocol support – IP only. |
TACACS+ has multiprotocol support (IP, Novell, NetBIOS, Apple, X.25). |
| RADIUS cannot authenticate network devices. |
TACACS+ can authenticate network devices. |
