TACACS+/RADIUS
TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is an AAA protocol that provides detailed accounting information and flexible administrative control over the authentication and authorization processes. TACACS+ is the result of the evolution of TACACS and Extended TACACS (XTACACS). It is a Cisco proprietary protocol (later documented as RFC 8907) and uses TCP to provide reliable delivery of AAA requests. A shared secret key is configured on both the AAA client and the AAA server running the TACACS+ protocol.
In TACACS+ each portion of AAA is performed separately.
Communication
Communication between the AAA client (the network access server, NAS) and the AAA server is based on TCP (reliable delivery) and uses port 49. The benefit of TCP is that every request from the NAS is acknowledged by the AAA server, and vice versa. Beyond acknowledgements, TACACS+ inherits TCP's ability to adapt to congestion and available bandwidth, e.g. through TCP windowing, and a refused or reset TCP connection lets the client quickly determine that an AAA server is not available and fail over to another one.
Encrypting TACACS+
Encryption is another difference between TACACS+ and RADIUS. TACACS+ encrypts the entire packet body (only the 12-byte header, with version, type, sequence number, flags, session ID and length, travels in clear), whilst RADIUS sends everything in clear text except the User-Password attribute, which is hidden with a similar MD5/XOR scheme. Encryption takes place between the AAA client and the AAA server. This is not encryption in the sense of 3DES/IPsec or RSA but rather a combination of a hashing algorithm and an XOR function: MD5 is run over the shared secret key configured on both ends together with the session ID, version and sequence number from the header, the digests are chained to produce a pad as long as the body, and the pad is XORed with the body. Because the pad depends only on the shared secret plus values visible in the clear header, anyone who learns or guesses the secret can decrypt captured sessions; RFC 8907 therefore calls this obfuscation rather than encryption, and the transport should be protected in addition (dedicated management network or IPsec).
TACACS+ Operation
The first operation is authentication, the second is authorization and the third is accounting. Each uses its own packet type (1, 2 and 3 in the header) and can be configured and accounted for independently.
TACACS+ Auth
When authentication takes place, three packet types are exchanged:
START – sent by the AAA client when a user attempts to connect; carries the action (e.g. login), privilege level, authentication type and usually the username
REPLY – sent by the AAA server; either a final status (PASS, FAIL, ERROR) or a request for more input (GETUSER, GETPASS, GETDATA)
CONTINUE – sent by the AAA client in answer to a REPLY to return the username and/or password the server asked for
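The following is an added example, not code from the original notes or from any vendor implementation. It builds the three-packet ASCII login above (START, REPLY GETPASS, CONTINUE) and applies the MD5/XOR body obfuscation from the encryption section, so you can see that the header is readable without the key, that each packet gets its own pad because the sequence number feeds MD5, and that a wrong key yields garbage. Field layouts follow RFC 8907; the shared secret, session ID, username and password are constructed values.

```python
import hashlib
import os
import struct

# Header: version, type, seq_no, flags, session_id, length (RFC 8907 section 4.1)
HEADER = struct.Struct("!BBBBII")
VERSION = 0xC0                 # major version 12, minor 0
TYPE_AUTHEN = 0x01             # 1 = authentication, 2 = authorization, 3 = accounting
FLAG_UNENCRYPTED = 0x01        # body sent in clear; lab debugging only


def md5_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5:
       pad_1 = MD5(session_id || key || version || seq_no)
       pad_n = MD5(session_id || key || version || seq_no || pad_(n-1))
    Everything except the key is visible in the clear header."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    stream, prev = b"", b""
    while len(stream) < length:
        prev = hashlib.md5(prefix + prev).digest()
        stream += prev
    return stream[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(body, md5_pad(session_id, key, version, seq_no, len(body))))


def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes, pkt_type: int = TYPE_AUTHEN) -> bytes:
    flags = 0
    if not key:                                   # no key: set the unencrypted flag
        flags |= FLAG_UNENCRYPTED
    else:
        body = xor_body(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, pkt_type, seq_no, flags, session_id, len(body)) + body


def parse_packet(key: bytes, packet: bytes):
    """Return (header dict, clear body). The header needs no key to parse."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:
        body = xor_body(body, session_id, key, version, seq_no)
    hdr = dict(version=version, type=pkt_type, seq_no=seq_no, flags=flags,
               session_id=session_id, length=length)
    return hdr, body


# Authentication bodies (RFC 8907 section 5). Constants: action LOGIN, authen_type ASCII,
# service LOGIN, and the REPLY statuses PASS / GETPASS.
ACTION_LOGIN, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x01, 0x01, 0x01
STATUS_PASS, STATUS_GETPASS = 0x01, 0x05


def authen_start_body(user: bytes, port: bytes = b"tty0", rem_addr: bytes = b"",
                      data: bytes = b"", priv_lvl: int = 1) -> bytes:
    """action, priv_lvl, authen_type, service, then user/port/rem_addr/data lengths and strings."""
    return struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(user), len(port), len(rem_addr), len(data)) + user + port + rem_addr + data


def parse_authen_start(body: bytes) -> dict:
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


def authen_reply_body(status: int, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """status, flags, server_msg_len, data_len, server_msg, data."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def authen_continue_body(user_msg: bytes, data: bytes = b"") -> bytes:
    """user_msg_len, data_len, flags, user_msg, data."""
    return struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data


def login_exchange(key: bytes, user: bytes, password: bytes, session_id: int) -> list:
    """START (client, seq 1) -> REPLY GETPASS (server, seq 2) -> CONTINUE with password (client, seq 3).
    Each packet is padded with a fresh MD5 stream because seq_no is part of the MD5 input."""
    return [
        build_packet(key, session_id, 1, authen_start_body(user)),
        build_packet(key, session_id, 2, authen_reply_body(STATUS_GETPASS, b"Password: ")),
        build_packet(key, session_id, 3, authen_continue_body(password)),
    ]


if __name__ == "__main__":
    key = b"s3cr3t"                                   # constructed shared secret
    sid = int.from_bytes(os.urandom(4), "big")
    for pkt in login_exchange(key, b"alice", b"hunter2", sid):
        print("header (clear):", HEADER.unpack(pkt[:HEADER.size]), "body:", pkt[HEADER.size:].hex())
    hdr, body = parse_packet(key, login_exchange(key, b"alice", b"hunter2", sid)[0])
    print("server recovers user:", parse_authen_start(body)["user"])
```

Capture the output with a sniffer and you will find the session ID and sequence numbers in every header but neither "alice" nor "hunter2" in the body; feed the same capture to parse_packet with the right key and both come back, which is exactly why the shared secret has to be treated like a password for the whole management plane.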
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is an open standard (RFC 2865 for authentication/authorization, RFC 2866 for accounting) and uses UDP: port 1812 for authentication and authorization and 1813 for accounting (older deployments use 1645/1646). This protocol performs authentication and authorization in a single exchange (an Access-Request answered by Access-Accept, Access-Reject or Access-Challenge) and accounting separately (Accounting-Request/Accounting-Response).
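As an added example (not code from the original notes or from any RADIUS implementation), the following builds a RADIUS Access-Request and hides the User-Password the way RFC 2865 section 5.2 describes, to show the contrast with TACACS+: only the password attribute is protected, the username and every other attribute are in clear, and the protection needs nothing more than the shared secret and the Request Authenticator that is sent in the packet. The secret, identifier, username and password are constructed values.

```python
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then
       c_1 = p_1 XOR MD5(secret || RequestAuthenticator)
       c_n = p_n XOR MD5(secret || c_(n-1))"""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server's inverse. A passive sniffer has the authenticator, so an offline
    guess of the secret is verified by checking whether this yields printable text."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drop the padding; assumes the password has no trailing NUL


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, includes these two bytes) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, user: bytes, password: bytes,
                         authenticator=None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes... The Request
    Authenticator must be unpredictable, otherwise the password pad repeats."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra)))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_access_request(packet: bytes) -> dict:
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    attrs, off = {}, 20
    while off < length:
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[off + 2:off + attr_len]
        off += attr_len
    return dict(code=code, identifier=identifier, authenticator=packet[4:20], attrs=attrs)


def server_side(packet: bytes, secret: bytes) -> tuple:
    """What the RADIUS server recovers: the username was never hidden, the password is revealed."""
    req = parse_access_request(packet)
    return (req["attrs"][ATTR_USER_NAME],
            reveal_password(req["attrs"][ATTR_USER_PASSWORD], secret, req["authenticator"]))


if __name__ == "__main__":
    secret = b"radius-secret"                         # constructed shared secret
    pkt = build_access_request(7, secret, b"alice", b"hunter2")
    print("on the wire:", pkt.hex())
    print("username visible in clear:", b"alice" in pkt)
    print("server recovers:", server_side(pkt, secret))
```

The same sniffer that sees the TACACS+ header here sees the RADIUS username, NAS attributes and the 16-byte authenticator outright, and with the secret (or a guessed one) the password too; that asymmetry is the practical meaning of "RADIUS only hides the password".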
Sources:
Cisco Access Control Security: AAA Administrative Services [Brandon Carroll]