RADIUS and TACACS+

The Cisco Secure ACS supports two remote access protocols, the RADIUS protocol and the TACACS+ protocol. TACACS has three variations, all of which are supported by Cisco IOS:

  • TACACS— TACACS is the original protocol that Cisco developed in response to RADIUS. It is incompatible with TACACS+ and has a lot of its own commands that are supported on Cisco IOS. It provides password checking, authentication, and basic accounting functions.

  • Extended TACACS (XTACACS)— XTACACS is an extension to the original TACACS protocol. This adds functionality to the TACACS protocol by introducing features such as more complex authentication and accounting methods.

  • TACACS+— TACACS+ is the most recent of the TACACS protocols. This protocol is not compatible with TACACS or XTACACS. It provides full AAA features through the Cisco IOS AAA commands and the use of a TACACS+ server, such as the Cisco Secure ACS.

All three of the above TACACS versions are supported by Cisco IOS, although Cisco Secure ACS only supports TACACS+.

RADIUS

The RADIUS protocol was developed by Livingston Enterprises and operates as a protocol to offer authentication and accounting services. Several large access server vendors have implemented RADIUS, and it has gained support among a wide customer base, including Internet service providers (ISPs). RADIUS is considered to be a standard, open protocol.

RADIUS is currently made up of the authentication service and the accounting service. Each of these two is documented separately in its own RFC: the authentication service is explained in RFC 2058, and the accounting service is explained in RFC 2059.

RADIUS operates under the client/server model where a network access server operates as the RADIUS client and a centralized software-based server operates as the RADIUS server. The RADIUS client sends authentication requests to the RADIUS server. The RADIUS server acts upon this request to forward a reply to the RADIUS client. The RADIUS client then uses this reply to grant or deny access to the requesting host.

The RADIUS client can be any network access server that supports the RADIUS protocol. Cisco IOS from release 11.2 also supports RADIUS commands as part of its AAA model. This means that any Cisco router with IOS 11.2 or later can be used to authenticate inbound or outbound connections through RADIUS.

The RADIUS server component is a software application that is based around the RFC 2058 and RFC 2059 standards. Various vendors have released RADIUS servers, including Livingston and Merit. As previously discussed, Cisco Systems released the Cisco Secure ACS to act as a RADIUS server and to furnish the requests from RADIUS clients. The RADIUS server is usually a dedicated workstation or server with the required software installed.

RADIUS communicates using the User Datagram Protocol (UDP) as its transport protocol. All retransmissions and timeouts are handled by the RADIUS software on the client and server to provide the service not offered by the connectionless transport layer protocol.

TACACS+

TACACS+ is the latest revision of the TACACS access control protocol. The first release of TACACS was improved on by Cisco Systems and named Extended TACACS (XTACACS). TACACS+ was then released and is the current version that is supported both by Cisco IOS and the Cisco Secure ACS. TACACS+ is a Cisco proprietary protocol and therefore is not classified as an industry standard. Other vendors' equipment generally will not support TACACS+; however, various companies are releasing TACACS+ server software to compete with the Cisco Secure ACS.

TACACS+ consists of three main services: the authentication service, the authorization service, and the accounting service. Each of these services is implemented independently of one another. This gives you the flexibility to combine other protocols with TACACS+.

TACACS+ operates under the client/server model where a network access server operates as the TACACS+ client and a centralized software-based server operates as the TACACS+ server. The TACACS+ client sends authentication requests to the TACACS+ server. The TACACS+ server acts upon this request to forward a reply to the TACACS+ client. The TACACS+ client then uses this reply to grant or deny access to the requesting host.

The TACACS+ client can be any network access server that supports the TACACS+ protocol. Cisco IOS from release 11.1 also supports TACACS+ commands as part of its AAA model. This means that any Cisco router with IOS 11.1 or later can be used to authenticate inbound or outbound connections through TACACS+.

The TACACS+ server component is a software application. Cisco Systems released the Cisco Secure ACS to act as a TACACS+ server and to furnish the requests from TACACS+ clients. The TACACS+ server is usually a dedicated workstation or server with the required software installed.

TACACS+ communicates using the Transmission Control Protocol (TCP) as its transport protocol. This connection-oriented protocol has the advantage of built-in error checking and retransmission functionality. The whole of the TACACS+ packet, apart from the TACACS+ header, is encrypted to protect it from eavesdropping on the local segment.
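As an added illustration (not code from the book or from Cisco), the following Python builds a TACACS+ authentication START packet and applies the body obfuscation that the book describes as encryption: the 12-byte header stays readable, and the body is XORed with an MD5-derived pseudo-pad keyed by the shared secret, session ID, version and sequence number. The secret, session ID and user fields are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear
HEADER_LEN = 12

def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
    service=LOGIN(1), then the four field lengths and the fields themselves."""
    return struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)) \
        + user + port + rem_addr + data

def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """TACACS+ keystream: MD5 chained over session_id || key || version || seq_no || previous digest."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR with the pseudo-pad; the same call reverses it, so a receiver holding the key recovers the body."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes, packet_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Header stays readable; the body is obfuscated unless no key is configured (constructed sample values)."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(key, session_id, TAC_PLUS_VERSION, seq_no, body) if key else body
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, packet_type, seq_no, flags, session_id, len(payload))
    return header + payload

def parse_header(packet: bytes) -> dict:
    """The part an observer on the segment can always read."""
    fields = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    return dict(zip(("version", "type", "seq_no", "flags", "session_id", "length"), fields))

def decode_body(key: bytes, packet: bytes) -> bytes:
    """Recover the body as the TACACS+ server would, honouring the unencrypted flag."""
    h = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(key, h["session_id"], h["version"], h["seq_no"], body)
```

Running build_packet with an empty key shows the failure mode to watch for in practice: the unencrypted flag is set and the username is visible in the datagram.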

Differences Between RADIUS and TACACS+

There are quite a few distinct differences between RADIUS and TACACS+. These differences can be vital in deciding which protocol to implement.

The main differences are shown in Table 9-1.

Table 9-1. Differences Between RADIUS and TACACS+

RADIUS                                                        TACACS+
------------------------------------------------------------  ------------------------------------------------------------
Uses UDP as the transport protocol                            Uses TCP as the transport protocol
Encrypts only the password                                    Encrypts the entire body of the packet
Combines authentication and authorization                     Uses the AAA architecture that separates authentication,
                                                              authorization, and accounting
RFC-based industry standard                                   Cisco proprietary
No support for ARA, NetBIOS, NASI, or X.25 connections        Multiprotocol support
No authorization                                              Authorization is supported as part of the AAA architecture
Does not allow the control of commands that can be executed   Allows control of commands that can be executed at the
at the router CLI                                             router CLI by either user or group

RADIUS uses UDP as its transport layer protocol, whereas TACACS+ uses TCP. TCP has several advantages over UDP, but the main one is that TCP is a connection-oriented protocol and UDP is connectionless. This means that TCP has built-in mechanisms to detect communication errors, and the protocol itself ensures delivery. With UDP, software at a higher layer has to take responsibility for the safe delivery of the packets, which adds overhead to the application.

When a user attempts to authenticate through a RADIUS client, the RADIUS client sends an access-request packet to the RADIUS server. This packet contains the user's login credentials, such as the username and password pair. RADIUS encrypts only the password portion of this packet and leaves the rest in clear text. This allows the username to be sniffed and could lead to a dictionary brute-force attack. TACACS+ encrypts the entire access-request packet and leaves only the TACACS+ header unencrypted, for debugging purposes.
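To make the contrast concrete, here is an added Python example (not from the book or from any RADIUS vendor) that builds a RADIUS Access-Request as laid out in RFC 2058: only the User-Password attribute is hidden, by XORing it with MD5(shared secret || Request Authenticator), while User-Name and the other attributes travel exactly as sent. The shared secret, authenticator, credentials and NAS address are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1                                   # RADIUS packet code
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2058 User-Password hiding: pad to 16-byte blocks, then XOR each block
    with MD5(secret + previous hidden block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; only a party holding the shared secret can do this."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value encoding used by every RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, identifier, authenticator, username, password, nas_ip):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by the attributes."""
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(secret, authenticator, password))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes):
    """What anyone on the path sees without the secret: every attribute
    except User-Password is readable as sent."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, attrs
```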

RADIUS combines both authentication and authorization services within the access-accept packet. With TACACS+, you can separate the authentication and authorization services because each of the AAA services is independent. For example, you could authenticate using another protocol such as Kerberos and still use TACACS+ for authorization. This cannot be done using only RADIUS services.

TACACS+ supports a wide range of access protocols. RADIUS does not support the following protocols that TACACS+ does support:

  • AppleTalk Remote Access (ARA) Protocol

  • NetBIOS Frame Protocol Control Protocol

  • Novell Asynchronous Services Interface (NASI)

  • X.25 PAD connection

RADIUS does not allow you to control command access to the Cisco router CLI. With TACACS+, you can enable controls on a user or group level to specify exactly what commands a user or group can enter on a Cisco router with a supporting IOS version installed. This feature can be very useful for controlling the management of the internetworking devices within your organization. This can also be combined with AAA accounting to provide a robust, scalable solution to device management.
