Cisco CCNP Certification Exam Tutorial: Knowing RADIUS and TACACS+ For Your ISCW Exam

May 4, 2008, 15:15

Chris Bryant


As part of your CCNP certification exam studies, particularly for the ISCW exam, you need to be very clear on the differences between TACACS+ and RADIUS. Learn all about these differences in this exclusive article!


As a CCNA and future CCNP, you've already configured authentication in the form of creating a local database of usernames and passwords for both Telnet access and PPP authentication.  This is sometimes called a self-contained AAA deployment, since no external server is involved.

It's more than likely that you'll be using a server configured for one of the following security protocols:

TACACS+, a Cisco-proprietary, TCP-based protocol

RADIUS, an open-standard, UDP-based protocol originally developed by the IETF

An obvious question is "If there's a TACACS+, what about TACACS?"  TACACS was the original version of this protocol and is rarely used today.

Before you configure AAA authentication, there are some other TACACS+ / RADIUS differences you should be aware of:

While TACACS+ encrypts the entire packet, RADIUS encrypts only the password in the initial client-server packet.

RADIUS actually combines the authentication and authorization processes, making it very difficult to run one but not the other. 

TACACS+ considers Authentication, Authorization, and Accounting to be separate processes.   This allows another method of authentication to be used (Kerberos, for example), while still using TACACS+ for authorization and accounting.

RADIUS does not support the Novell Async Services Interface (NASI) protocol, the NetBIOS Frame Protocol Control protocol, X.25 Packet Assembler / Disassembler (PAD), or the AppleTalk Remote Access Protocol (ARA or ARAP).  TACACS+ supports all of these.

RADIUS implementations from different vendors may not work well together, or at all.

RADIUS can't control the authorization level of users, but TACACS+ can.

We’ll discuss the uses of both of these protocols in a future CCNP certification tutorial!   Look for more CCNA, CCENT, and CCNP tutorials right here on this same website!