TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). Some administrators recommend using TACACS+ because TCP is seen as a more reliable protocol. Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the two operations.

| RADIUS | TACACS+ |
| --- | --- |
| Combines authentication & authorization. | Separates all 3 elements of AAA, making it more flexible. |
| Encrypts only the password. | Encrypts the username and password. |
| Requires each network device to contain authorization configuration. | Central management for authorization configuration. |
| No command logging. | Full command logging. |
| Minimal vendor support for authorization. | Supported by most major vendors. |
| UDP: connectionless, UDP ports 1645/1646, 1812/1813 | TCP: connection-oriented, TCP port 49 |
| Designed for subscriber AAA | Designed for administrator AAA |

Many vendors support the TACACS+ protocol, including Adtran, Alcatel/Lucent, Aruba,
Brocade/Foundry, Cisco/Linksys, Ericsson/Redback, Extreme, Fortinet, Fujitsu, HP/3Com,
Huawei, Juniper/Netscreen, Netgear, Nortel, and others.
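
The encryption row of the comparison, worked through as an added example (not code from the original page): it builds a RADIUS Access-Request using the User-Password hiding of RFC 2865 section 5.2 and a TACACS+ PAP authentication START body using the body obfuscation of RFC 8907 section 4.5, then reports which credential fields remain readable on the wire. The user name, password, shared secret, authenticator and session values are constructed sample data, and the helper names are this example's own.

```python
import hashlib
import struct

# Constructed sample values, not taken from the page.
USER, PASSWORD = b"netadmin", b"correct horse battery"
SECRET = b"constructed-shared-secret"
RADIUS_AUTHENTICATOR = bytes(range(16))   # random per request in real traffic
TAC_SESSION_ID, TAC_VERSION, TAC_SEQ = 0x1A2B3C4D, 0xC1, 1

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: only the User-Password value is XORed with an MD5 pad."""
    blocks = max(1, -(-len(password) // 16))      # pad to a multiple of 16, at least 16
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def radius_access_request(user: bytes, password: bytes) -> bytes:
    hidden = radius_hide_password(password, SECRET, RADIUS_AUTHENTICATOR)
    attrs = bytes([1, len(user) + 2]) + user         # User-Name (type 1): sent as-is
    attrs += bytes([2, len(hidden) + 2]) + hidden    # User-Password (type 2): hidden
    header = struct.pack("!BBH", 1, 1, 20 + len(attrs))  # code 1 = Access-Request, id 1
    return header + RADIUS_AUTHENTICATOR + attrs

def tacacs_pap_start_body(user: bytes, password: bytes) -> bytes:
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), service=LOGIN(1), then four lengths
    return bytes([1, 1, 2, 1, len(user), 0, 0, len(password)]) + user + password

def tacacs_obfuscate(body: bytes, key: bytes) -> bytes:
    """RFC 8907 section 4.5: the whole body is XORed with a chained MD5 pad."""
    seed = struct.pack("!I", TAC_SESSION_ID) + key + bytes([TAC_VERSION, TAC_SEQ])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()
        pad += block
    return xor(body, pad)   # applying it twice restores the body

def visible(wire: bytes) -> dict:
    """Which constructed credential fields appear verbatim in the bytes sent."""
    return {"username": USER in wire, "password": PASSWORD in wire}

if __name__ == "__main__":
    print("RADIUS :", visible(radius_access_request(USER, PASSWORD)))
    print("TACACS+:", visible(tacacs_obfuscate(tacacs_pap_start_body(USER, PASSWORD), SECRET)))
```

Both mechanisms are MD5-based XOR pads keyed by the shared secret, so the strength of that secret and the network path between device and server still matter for either protocol.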