Saturday, October 6, 2018

RADIUS vs TACACS+

RADIUS is the main player for endpoint device authorisation and authentication for network access. It is an IETF standard for AAA. RADIUS is the transport protocol for Extensible Authentication Protocol (EAP), along with many other authentication protocols. With IEEE 802.1X, RADIUS is used to extend the layer-2 EAP exchange from the end user to the authentication server. Authentication and authorization are not separated in a RADIUS transaction.

TACACS+ is commonly used for device administration, even though RADIUS is capable of providing device administration AAA. Device administration can be interactive in nature, with the need to authenticate once but authorize many times during a single administrative session on the command line of a device: a router or switch may need to authorize a user's activity on a per-command basis. TACACS+ is designed to accommodate this per-command authorization need.
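The difference shows up on the wire. The sketch below is an added example, not code from the original post: it parses a RADIUS Access-Accept (RFC 2865 layout), where the authorization attributes arrive in the same reply that signals successful authentication, and counts TACACS+ sessions by type from their 12-byte headers (RFC 8907 layout). The function names, the `admin-acl` filter name and all sample packets are constructed for illustration.

```python
import struct
from collections import Counter

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
RADIUS_ATTRS = {1: "User-Name", 6: "Service-Type", 11: "Filter-Id"}
TACACS_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}

def parse_radius(pkt):
    """Return (code name, {attribute: raw value}) for an RFC 2865 packet."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos, length = {}, 20, len(pkt)    # skip the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[RADIUS_ATTRS.get(atype, str(atype))] = pkt[pos + 2:pos + alen]
        pos += alen
    return RADIUS_CODES.get(pkt[0], str(pkt[0])), attrs

def parse_tacacs_header(hdr):
    """Return (packet type, session id) from a 12-byte RFC 8907 header."""
    if len(hdr) < 12:
        raise ValueError("shorter than the TACACS+ header")
    version, ptype, _seq, _flags, session, _len = struct.unpack("!BBBBII", hdr[:12])
    if version >> 4 != 0xC:
        raise ValueError("major version is not TACACS+")
    return TACACS_TYPES.get(ptype, str(ptype)), session

def sessions_by_type(headers):
    """Count distinct TACACS+ sessions of each type seen in a capture."""
    seen = {sid: ptype for ptype, sid in map(parse_tacacs_header, headers)}
    return Counter(seen.values())

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def sample_radius_accept():
    # Constructed reply: authenticator zeroed, not a verifiable packet.
    # Service-Type 6 = Administrative; Filter-Id value is a made-up name.
    body = attr(6, struct.pack("!I", 6)) + attr(11, b"admin-acl")
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

def sample_tacacs_session():
    # Constructed headers only (bodies omitted): one login, then three commands.
    hdr = lambda ptype, seq, sid: struct.pack("!BBBBII", 0xC0, ptype, seq, 0, sid, 0)
    login = [hdr(1, seq, 0x1001) for seq in (1, 2, 3, 4)]
    return login + [hdr(2, seq, sid) for sid in (0x1002, 0x1003, 0x1004) for seq in (1, 2)]
```

On the sample data, the RADIUS reply carries `Service-Type` and `Filter-Id` alongside the accept code, while the TACACS+ capture shows one authentication session followed by a separate authorization session for each command.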

Cisco Identity Services Engine (ISE) has been updated in later versions (2.0+) to support both RADIUS and TACACS+. In upcoming posts I plan to dig into Cisco ISE.

