High-Level Comparison of RADIUS, TACACS+, and Diameter

Whereas AAA describes the concept of authentication, authorization, and accounting, RADIUS and TACACS implement AAA solutions. Remote Authentication Dial-In User Service (RADIUS) provides the communication between a NAS and a RADIUS server. The Terminal Access Controller Access Control System (TACACS) implementation of AAA existed before RADIUS and is still applied today. RADIUS is an IETF standard, and TACACS is described in RFC 927 and RFC 1492 as an informational standard only. Cisco extended the TACACS definition by adding security features and the option to split the AAA server into three separate servers; this new definition was called TACACS+.

Although the TACACS+ and RADIUS protocols provide similar functionality, they have several key differences, such as the transport mechanism (UDP, TCP), performance impact, standard definition, and packet encryption. The most fundamental difference is the network transport protocol: RADIUS uses UDP to exchange information between the NAS and the AAA server, whereas TACACS+ uses TCP.

On one hand, RADIUS is well suited for user authentication and accounting for network access and services. On the other hand, TACACS+ provides additional features such as per-command authorization. An example is a policy defined by a network administrator in which operators need to authenticate before accessing network devices and authorization is required for configuration changes.

Table 9-1 compares TACACS+ and RADIUS functionality.

Table 9-1. TACACS+ and RADIUS Comparison
| Criterion | TACACS+ | RADIUS |
|---|---|---|
| Transport | TCP (reliable; more overhead) | UDP (unreliable; higher performance) |
| Authentication and Authorization | Can be separated (more flexible) | Combined |
| Multiprotocol Support | Supported (IP, Apple, NetBIOS, Novell, X.25) | IP only |
| Access to Router CLI Commands | Supports two methods to control the authorization of router commands on a per-user or per-group basis | Not supported |
| Encryption | Packet payload | Passwords only |
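
The "Encryption" row of Table 9-1 can be seen on the wire. The following is an added example, not code from the original text: it builds a RADIUS Access-Request with the User-Password hiding of RFC 2865 section 5.2 and applies the TACACS+ body obfuscation of RFC 8907 section 4.5. The shared secret, authenticator, session ID, user name, password, and the body string are all constructed sample values.

```python
import hashlib
import struct

SECRET = b"shared-secret"      # constructed sample shared secret
AUTH = bytes(range(16))        # fixed here for repeatability; must be random in practice

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def radius_access_request(user: bytes, password: bytes, secret: bytes,
                          authenticator: bytes, ident: int = 1) -> bytes:
    """Code 1 (Access-Request) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((1, user), (2, hidden)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: XOR the whole body with a chained MD5 pseudo-pad.
    The operation is its own inverse."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return xor(body, pad)

if __name__ == "__main__":
    pkt = radius_access_request(b"alice", b"s3cret-pw", SECRET, AUTH)
    print("RADIUS  user name visible:", b"alice" in pkt)       # attribute sent in clear
    print("RADIUS  password visible: ", b"s3cret-pw" in pkt)   # only this one is hidden
    # Constructed stand-in for a TACACS+ body; not the real field layout.
    body = b"user=alice cmd=show running-config"
    wire = tacacs_obfuscate(body, SECRET, 0x1234ABCD, 0xC0, 1)
    print("TACACS+ user name visible:", b"alice" in wire)      # whole body is covered
```

Both mechanisms are MD5-based XOR pads keyed by the shared secret, so the difference shown here is coverage (one attribute versus the whole body), not cipher strength.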

As mentioned, RADIUS was developed with a dial-in infrastructure in mind. New technologies, such as broadband and high-speed wireless, combined with new applications, such as IP telephony and video, significantly enhance the requirements for authentication and authorization. The informational RFC 2989 summarizes AAA protocol requirements for network access, with input taken from documents produced by the IETF Network Access Server Requirements Next Generation (NASREQ), Roaming Operations (ROAMOPS), and IP Routing for Wireless/Mobile Hosts (MOBILEIP) working groups, among others.

At this point, Diameter becomes relevant, because it addresses these requirements. The Diameter protocol is an enhanced version of RADIUS that adds multiple improvements while remaining backward-compatible. Details on the Diameter protocol appear in the separate "Diameter Details" section at the end of this chapter.

This chapter's focus is on RADIUS and Diameter, as they are the IETF standard protocols for accounting records in dial-in, broadband, wireless, and IP telephony networks.


