05-02-2023 07:28 AM
Hi, the difference between the two is not very clear to me. Below is the difference between Radius and TACACS. What is the meaning of "Generally used for network access" and "Generally used for administration"? Can anyone give an example to explain? Thanks
05-02-2023 07:34 AM
Hello @Leftz,
Radius is typically used for network access authentication, which means it is used to authenticate users who are accessing the network from remote locations or wireless devices. For example, a company might use Radius to authenticate employees who need to access the corporate network from a remote location, such as a home office or a coffee shop. In this case, the employee would enter their username and password, which would be authenticated by the Radius server to grant them access to the network.
TACACS+, on the other hand, is typically used for administrative access authentication. This means it is used to authenticate users who are responsible for configuring, managing, and maintaining network devices such as routers, switches, and firewalls. For example, a network administrator might use TACACS+ to authenticate themselves when they need to access a router or switch to perform configuration changes or software updates.
Radius is generally used for authenticating users who are accessing the network from remote locations or wireless devices, while TACACS+ is generally used for authenticating users who are responsible for managing and maintaining network devices.
05-02-2023 07:36 AM
Yes, TACACS can be used for admin since it supports Authz for each command (separate Authz).
05-02-2023 11:53 AM
Thank you very much for your nice explanation!
TACACS is for administrators. If network devices have only Radius without TACACS, what symptom/issue would an administrator see when he accesses a network device?
05-02-2023 12:43 PM - edited 05-02-2023 12:44 PM
You're welcome @Leftz,
With RADIUS authentication alone, the administrator can only control access to the device based on the user's credentials. They cannot implement more granular access control policies, such as limiting access based on specific commands or device functions. RADIUS authentication does not provide extensive auditing capabilities. The administrator may not be able to track user activity or access attempts as effectively as they could with TACACS+.
TACACS+ provides more comprehensive device management capabilities than RADIUS authentication alone.
Overall, while RADIUS authentication can provide basic access control to a network device, implementing TACACS+ provides additional features and capabilities that can help the administrator better manage the device and ensure network security.
05-02-2023 12:59 PM
Radius now exists in our production network system, and we want to replace Radius with TACACS. Can we just install and configure TACACS on each device and on ISE, and then delete Radius? Thanks
05-02-2023 01:34 PM
Assuming that TACACS is the right choice for your organization, you will need to plan the migration carefully. Simply installing and configuring TACACS on each device and ISE and then deleting RADIUS will likely result in service disruptions and potential security issues.
Instead, you should plan a phased migration that involves testing and validating the TACACS configuration before fully deploying it. This may involve configuring TACACS in parallel with RADIUS and gradually transitioning devices and users to the new protocol.
Additionally, you will need to ensure that all devices and applications that rely on RADIUS for authentication and authorization are updated to use TACACS instead. This may require changes to your network infrastructure and applications, and could potentially require downtime for some services.
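As an added example that is not part of the original posts: one way the parallel phase described above can look, assuming a Cisco IOS/IOS-XE device. RADIUS stays in place for 802.1X network access while device administration on the VTY lines moves to TACACS+ through named method lists, with per-command authorization and accounting. Server names, addresses, keys, the local account and the list name ADMIN-TACACS are placeholders.

```cisco
! Constructed example: all names, addresses and secrets are placeholders.
aaa new-model
!
! Existing RADIUS definition stays for network access (802.1X)
radius server ISE-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
aaa group server radius ISE-RADIUS-GRP
 server name ISE-RADIUS
!
aaa authentication dot1x default group ISE-RADIUS-GRP
aaa authorization network default group ISE-RADIUS-GRP
!
! New TACACS+ definition for device administration
tacacs server ISE-TACACS
 address ipv4 192.0.2.10
 key <tacacs-shared-secret>
aaa group server tacacs+ ISE-TACACS-GRP
 server name ISE-TACACS
!
! Local account used only if the TACACS+ servers are unreachable
username localadmin privilege 15 secret <local-password>
!
! Named method lists: the default lists and the console are not changed,
! so existing logins keep working while TACACS+ is validated
aaa authentication login ADMIN-TACACS group ISE-TACACS-GRP local
aaa authorization exec ADMIN-TACACS group ISE-TACACS-GRP local
aaa authorization commands 15 ADMIN-TACACS group ISE-TACACS-GRP local
aaa accounting commands 15 ADMIN-TACACS start-stop group ISE-TACACS-GRP
!
! Apply the new lists to the VTY lines only
line vty 0 4
 login authentication ADMIN-TACACS
 authorization exec ADMIN-TACACS
 authorization commands 15 ADMIN-TACACS
 accounting commands 15 ADMIN-TACACS
```

Keep an already-authenticated session open while testing the new lists from a second session, so a mistake in the method lists does not lock administrators out.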
05-02-2023 01:42 PM
From CCIE ISE Cisco Live:
I think a mixed ISE cube with separate PSNs is best.
NOTE: the same Cisco Live doesn't talk about using TACACS for network access; it uses it only for admin.
05-02-2023 01:14 PM
Hi @Leftz, check if it helps you. This is in Portuguese, but you can use auto translate.