RADIUS and TACACS – CompTIA Security+ SY0-401: 5.1


A well-designed network will use a single authentication method for all services. In this video, you’ll learn how RADIUS and TACACS can be used to centralize the authentication process.

<< Previous Video: Mitigating Risk in Static EnvironmentsNext: Kerberos >>


Remote access administration is a key component of today’s enterprise networks, and it’s something we even take advantage of when we’re using these resources across the internet. If we’re logging into Facebook, if we’re logging into Google, if we’re logging into Yahoo, we could be connecting to one of many different servers that those organizations might have anywhere in the world. And somehow we’re able to put in our user name and password and magically we gain access to those resources.

That’s not because Google and Yahoo and Facebook have copied their entire user database to every single server they happen to have. What they have is a method that goes back to a single authentication server, and that authentication server is able to give you access and rights and permissions to those particular resources.

You might log in in different locations. You might be logging in from your desktop. You might be logging in on a VPN tunnel from somewhere outside of your network. You might be logging into a router to provide administration, and you simply use the same user name and password that you would use for every single one of these. It doesn’t matter. That’s one of the nice things about this centralized management is you don’t have to remember a lot of user names and passwords. You use the same authentication credentials whatever you might be doing.

This is an important security concept of AAA. It’s authentication, authorization, and accounting. This AAA concept is one where it’s able to check the credentials that you’re using with your user name and password. It’s able to provide the proper access to the network based on who you might be. And it’s also able to track when you logged in and when you logged off, and perhaps other things in between. Those concepts become extremely important when dealing with security. And, of course, they’re going to be part of this remote access authentication.

One very common way to gain access to a network and get authenticated is through something called RADIUS. RADIUS stands for remote authentication dial-in user service. The first RADIUS RFC was our RFC 2058. The most current version is RFC 2865. You have people in your environment that are logging in remotely from over the internet. They may be people on wireless client devices or they may be your users inside of your network that simply need to authenticate in their normal way.

In each one of these devices, your remote access server, your wireless access point on your intranet based devices, all of these have RADIUS clients on them already. And when you log in– let’s say these people out on remote access are logging into this remote access server– you’ve previously configured this remote access server to say, if anybody ever needs to authenticate, let’s use the RADIUS protocol and let’s communicate back to this centralized AAA server to be able to authenticate those people.

So when I try to log in remotely, the first thing I’m prompted for is a user name and password. I might also be prompted for another piece of information for additional two-factor authentication. A random number or some other type of information. I’ll provide all of that to that client that pops up asking for those credentials. That is sent to this AAA server. And RADIUS usually uses UDP over port 1812 by default to provide that access.

The AAA server checks my user name, checks my password, maybe checks that two-factor authentication information. And if everything is legitimate, it logs me in and makes a note of when I entered the network. And then when I log off, it’s also going to make a note of when I logged off. It’s that process that allows me to centralize this. Doesn’t matter if I’m coming in remotely. Doesn’t matter if I’m a wireless client. Doesn’t matter if I’m on my local intranet. Everybody’s able to get the same type of authentication using the same user name and the same password that they always use.

One option to RADIUS is something called TACACS. TACACS stands for terminal access controller access-control system. And it has been around for a long time. The original TACACS standard is created in RFC 1492. It was written up. And this was originally created to control access to the dial-up lines to ARPANET. So this is before the internet really ever became the internet.

This is one where you wanted to restrict who had access to these dial-up lines, so these guys got together and created a remote authentication protocol that would do that. Well, later on, there was another type of TACACS called extended TACACS or XTACACS. This is something Cisco created that extended the capabilities of TACACS. It’s proprietary to Cisco, but it’s one that allowed Cisco to add additional support for accounting and auditing.

These days, you don’t tend to see TACACS or XTACACS. Usually you see TACACS+. It is the most modern version of this. It’s also Cisco proprietary, but it’s one that adds additional authentication requests and response codes. You just have to remember that it’s not backwards compatible with these other TACACS formats.

One of the things that a lot of administrators like about TACACS+ is that TACACS+ uses TCP over port 49 to communicate, and that’s a little bit different than RADIUS that uses UDP. And many administrators feel that that TCP connection oriented and reliable protocols is one that has a little bit more advantages over RADIUS.

But in the big picture, both RADIUS and TACACS+ are performing similar functions. Usually it depends on the type of network or the type of devices you have on your network, and what they expect to use to be able to perform the centralized authentication.