Data Collection Protocols: AAA (RADIUS, Diameter, and TACACS+)

RADIUS, Diameter, and TACACS+ are three protocols for carrying Authentication, Authorization, and Accounting (AAA) information between a Network Access Server (NAS) that wants to authenticate its links or end users and a shared authentication server. The end user connects to the NAS, which in turn becomes a AAA client trying to authenticate the end user to the AAA server.

This section concentrates on the last "A" of AAA (even though most of the time AAA is not primarily used for billing, but for authentication and authorization). However, when the accounting information is bound to the authentication information, the AAA protocols offer an interesting advantage for billing: the authenticated username.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol developed by the IETF. The RADIUS client is typically a NAS, and the RADIUS server is usually a daemon process running on a UNIX or Windows server.

The RADIUS client (that is, the NAS) passes user information to designated RADIUS servers and acts on the returned response. RADIUS servers receive user connection requests via the NAS, authenticate the user, and then provide the NAS with configuration information necessary for it to deliver a specific service to the user.

Transactions between the RADIUS client and RADIUS server are authenticated with a shared secret key, which is never sent over the network. In addition, user passwords are sent encrypted between the RADIUS client and RADIUS server to eliminate the possibility that someone snooping on an insecure network could determine a user's password.

The accounting features of the RADIUS protocol can be used independently of RADIUS authentication or authorization. The NAS, which provides a service to the dial-in user (such as PPP or Telnet), is responsible for passing user accounting information to a designated RADIUS accounting server. At the start of service delivery, the NAS generates an "Accounting Start" packet describing the type of service being delivered and the user accessing the service. This packet is sent to the RADIUS accounting server, which returns an acknowledgment (the Accounting-Response) to the NAS, confirming that the "Accounting Start" packet has been received. At the end of the service delivery, the NAS client generates an "Accounting Stop" packet describing the type of service that was delivered and session statistics such as elapsed time, input and output octets, and input and output packets.

Here is the complete list of RADIUS accounting attributes, as described in RFC 2866: Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id, and Acct-Link-Count.

If the RADIUS server returns no response to the RADIUS client within a defined timeout, the request is resent a number of times. The RADIUS client can also forward requests to an alternate RADIUS server or servers in case the primary server is down or unreachable.

The UDP transport is a major issue in RADIUS accounting, where packet loss may translate directly into revenue loss.
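The Accounting-Request/Accounting-Response exchange above, with the shared-secret authenticators of RFC 2866 that protect it, as an added example (not code from the book or from any Cisco product). It builds a Stop record with the accounting attributes listed above, lets the server check the Request Authenticator before it writes the record, and lets the NAS accept an acknowledgment only when the Response Authenticator verifies and the identifier matches; the secret and attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                    # packet codes, RFC 2866
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44   # attribute numbers
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_TIME = 42, 43, 46
ACCT_START, ACCT_STOP = 1, 2                          # Acct-Status-Type values

def encode_attrs(attrs):
    # RADIUS TLV: type(1) length(1, includes both) value; ints are 4-byte big-endian
    out = b""
    for t, v in attrs:
        data = struct.pack("!I", v) if isinstance(v, int) else v.encode()
        out += struct.pack("!BB", t, len(data) + 2) + data
    return out

def decode_attrs(blob):
    # Parse TLVs back into (type, raw value) pairs; reject inconsistent lengths
    attrs, i = [], 0
    while i < len(blob):
        t, l = blob[i], blob[i + 1]
        if l < 2 or i + l > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + l]))
        i += l
    return attrs

def build_accounting_request(identifier, secret, attrs):
    # NAS side. Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify_accounting_request(request, secret):
    # Server side: recompute the authenticator before writing the record
    if len(request) < 20 or struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])

def build_accounting_response(request, secret):
    # Server side: the ack's authenticator is bound to the request it answers
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_accounting_response(response, request, secret):
    # NAS side: stop retransmitting only once a valid ack for this identifier arrives
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A record whose Request Authenticator does not verify should be dropped rather than billed, and an Accounting-Response that fails verification must not stop the retransmission timer, since over UDP that is the only signal the NAS has that the record was stored.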

For further references on RADIUS, refer to Table 3-9, which mainly focuses on the RADIUS accounting references. Note, for completeness, that other RADIUS RFCs are available: 2548, 2618, 2619, 2809, 2882, 3162, 3575, 3576, 3579, and 3580.

Table 3-9. RADIUS References

RFC  | Status        | Title                                                        | Description
2620 | Informational | RADIUS Accounting Client MIB                                 | Managed objects used to manage RADIUS accounting clients
2621 | Informational | RADIUS Accounting Server MIB                                 | Managed objects used to manage RADIUS accounting servers
2865 | Standard      | Remote Authentication Dial-In User Service (RADIUS)          | Protocol specifications for authentication, authorization, and configuration information
2866 | Standard      | RADIUS Accounting                                            | Specifies the RADIUS Accounting protocol
2867 | Informational | RADIUS Accounting Modifications for Tunnel Protocol Support  | Defines new RADIUS Accounting attributes and new values for tunneling in dialup networks
2868 | Informational | RADIUS Attributes for Tunnel Protocol Support                | RADIUS attributes designed to support the provision of compulsory tunneling in dialup networks
2869 | Informational | RADIUS Extensions                                            | Attributes for carrying authentication, authorization, and accounting information

Note that the IETF RADIUS Extensions Working Group currently is focusing on extensions to the RADIUS protocol required to enable its use in applications such as IP telephony and local-area network AAA. To keep backward compatibility, the working group decided not to define new transports (such as TCP and SCTP).

TACACS+

Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco-proprietary AAA protocol. Even though it is proprietary, TACACS+ is well known across the industry. It is recommended for rich feature support because it allows command authorization and accounting. The biggest difference compared to RADIUS is that TACACS+ runs on top of TCP and encrypts the full packet, not just the password section.

Diameter

The Diameter protocol, standardized by the IETF Authentication, Authorization and Accounting working group, is the successor to the RADIUS protocol and was developed to overcome several limitations of RADIUS.

AAA protocols such as TACACS+ and RADIUS were initially deployed to provide dialup Point-to-Point Protocol (PPP) and terminal server access. Over time, with the growth of the Internet and the introduction of new access technologies, including wireless, DSL, Mobile IP, and Ethernet, routers and network access servers (NAS) have increased in complexity and density, putting new demands on AAA protocols.

Diameter introduced several improvements compared to RADIUS:

  • Application-layer acknowledgments and failover algorithms

  • Mandatory IPsec and optional TLS support

  • Reliable transport mechanisms (TCP, SCTP)

  • Support for server-initiated messages

  • Data object security is supported but not mandatory

  • Capability negotiation between clients and servers

  • Peer discovery and configuration

Table 3-10 lists the Diameter references.

Table 3-10. Diameter References

RFC  | Status        | Title                                                            | Description
3588 | Standard      | Diameter Base Protocol                                           | Protocol description
3589 | Informational | Diameter Command Codes for Third Generation Partnership Project  | Diameter command codes allocated for 3GPP use


For completeness, RFC 3589 also deals with Diameter, but not with accounting. Note also that several Diameter IETF drafts currently are in progress.



Part II: Implementations on the Cisco Devices