What Is RADIUS vs TACACS+ in Networking?

Also known as: RADIUS, TACACS+, AAA protocol, Cisco security, ENCOR exam

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

RADIUS and TACACS+ are like two different security guard systems for a computer network. RADIUS checks if you are allowed in and what you can do all in one step, while TACACS+ checks your identity and then separately decides what you can do, giving more control. Both help keep networks safe by making sure only approved people can access important equipment and data.

Must Know for Exams

For the Cisco CCNP Enterprise certification, specifically the ENCOR (350-401) exam, the distinction between RADIUS and TACACS+ appears in several exam objectives, particularly under Security. The exam blueprint includes topics like AAA concepts, device access control, and network security. You are expected to know the differences between the two protocols, including their transport protocols, encryption methods, and how they handle AAA functions. Multiple-choice questions often test these points directly.

For example, a question might ask which protocol encrypts the entire packet, and you must know that TACACS+ encrypts the entire body while RADIUS only encrypts the password. Another common question tests whether the protocol uses TCP or UDP, where RADIUS uses UDP and TACACS+ uses TCP. The separation of AAA functions is a frequent topic: TACACS+ separates authentication, authorization, and accounting into three distinct processes, while RADIUS combines authentication and authorization. These are the kinds of factual differences that exam questions love to probe.

Beyond the ENCOR exam, these protocols also appear in the CCNP Security curriculum, in the SCOR (350-701) exam, and in the CCNA (200-301) exam at a more introductory level. The CCNA Security section expects candidates to understand the basics of AAA and the role of RADIUS and TACACS+. For CCNP, the expectations are higher. You need to be able to compare and contrast the two in scenario-based questions. For instance, you might be given a scenario where a company needs detailed command-level logging for compliance reasons. You would need to identify TACACS+ as the appropriate choice because of its granular accounting capabilities.

In the ENCOR exam specifically, you may also encounter questions about the configuration of AAA on Cisco IOS devices. While the exam does not require memorizing exact syntax for every command, you should understand the general configuration steps, such as specifying the AAA server, the key (shared secret), and the type of protocol (RADIUS or TACACS+). Understanding the reasons behind the configuration choices helps you answer scenario-based questions correctly.

Simple Meaning

Imagine you work in a large office building with many different rooms, some of which contain sensitive information. To get into the building, you need to show your ID card to a guard at the front desk. That guard checks a list to see if you are an employee. Once you are inside, you might need a different key or badge to enter the server room, the accounting office, or the executive suite. RADIUS and TACACS+ are like two different systems that handle this process for a computer network.

RADIUS is like a combined guard and rule-maker. When you try to log into a network, RADIUS checks your username and password against a central database. If the credentials are correct, RADIUS also tells the network what you are allowed to do, like which files you can open or which websites you can visit. It does everything in one communication, which makes it fast but less flexible if you want to change just the password without changing permissions.

TACACS+ is like a security system that separates the tasks. First, it checks if you are who you say you are. Then, separately, it decides what you are allowed to do. This separation means you can change your password without affecting your permissions, or you can change what you are allowed to do without touching your password. TACACS+ also keeps a detailed log of every command you type on a network device, like a router or switch. This makes it very popular for managing network equipment, especially in large companies that use Cisco devices.

Both protocols help network administrators control who gets into the network and what they can do once inside. The choice between them depends on what the network needs. If you need speed and simplicity for many users accessing a service like Wi-Fi, RADIUS is common. If you need detailed control over who can run specific commands on a router, and you want a complete record of everything they do, TACACS+ is usually the better choice.

Full Technical Definition

RADIUS, which stands for Remote Authentication Dial-In User Service, and TACACS+, which stands for Terminal Access Controller Access-Control System Plus, are both AAA protocols. AAA stands for Authentication, Authorization, and Accounting. These three functions are the core of network access control: Authentication verifies who you are, Authorization determines what you are allowed to do, and Accounting records what you did.

RADIUS was originally designed by Livingston Enterprises for dial-up connections and later standardized by the IETF in RFC 2865 and RFC 2866. It uses UDP as its transport protocol, typically on ports 1812 for authentication and 1813 for accounting. Because it uses UDP, RADIUS is connectionless and has less overhead, but it also means the protocol must handle retransmissions and timeouts on its own. RADIUS encrypts only the password field in the access-request packet, leaving other parts of the packet, such as the username and the service being requested, in plain text. This is a notable security limitation. The encryption of the password uses a shared secret and the MD5 hash algorithm. In terms of AAA, RADIUS combines authentication and authorization into one step. The server sends back an access-accept message that includes authorization attributes, such as the IP address to assign, the allowed services, and session timeout values. RADIUS is widely used for network access control, especially for wireless networks, VPNs, and broadband remote access.

TACACS+ is a Cisco-proprietary protocol, though it is documented in various Cisco publications. It is an evolution of the original TACACS and extended TACACS (XTACACS). TACACS+ uses TCP as its transport protocol, typically on port 49. Because TCP is connection-oriented, TACACS+ provides reliable delivery and built-in flow control. In TACACS+, the entire body of the packet is encrypted, not just the password. This provides much stronger security for all communication between the client and the server. The encryption uses a shared secret and a proprietary algorithm based on MD5. The most significant architectural difference is that TACACS+ separates authentication, authorization, and accounting into three distinct processes. Each function can use different servers or databases if needed. For example, authentication could be done against Active Directory, while authorization could use a separate local database on the TACACS+ server. This separation gives network administrators granular control over command-level authorization. TACACS+ can authorize individual commands typed on a network device, allowing or denying each command based on the user's role. It also provides detailed accounting records, logging every command entered, along with timestamps and the device on which it was executed.
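The "password only" versus "entire body" distinction above is easiest to see in code. The following Python is an added example, not code from the page or from Cisco: it implements the two keyed-MD5 XOR schemes (RFC 2865 section 5.2 for the RADIUS User-Password attribute, and the TACACS+ pseudo-pad documented in RFC 8907), builds one packet of each kind, and shows that a RADIUS Access-Request can be parsed without the shared secret and still yields the username in the clear, while the TACACS+ body cannot. The secret, username, password, session ID and Request Authenticator are constructed sample values.

```python
"""RADIUS hides only User-Password; TACACS+ hides the whole packet body.
Both are keyed MD5 streams XORed over data; they just cover different bytes.
All sample values (secret, user, password, session id, authenticator) are constructed."""
import hashlib
import struct

# ---------------- RADIUS (RFC 2865) ----------------
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 octets, then c(i) = p(i) XOR MD5(secret + c(i-1)),
    where c(0) is the 16-octet Request Authenticator from the packet header."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of radius_hide_password; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         req_auth: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    hidden = radius_hide_password(password, secret, req_auth)
    attrs = (struct.pack("!BB", ATTR_USER_NAME, len(user) + 2) + user
             + struct.pack("!BB", ATTR_USER_PASSWORD, len(hidden) + 2) + hidden)
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def radius_attributes(packet: bytes) -> dict:
    """Parse attributes WITHOUT the shared secret: all but User-Password are plaintext."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


# ---------------- TACACS+ (RFC 8907) ----------------
TAC_PLUS_VERSION = 0xC0     # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01      # packet type: authentication
TAC_PLUS_HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """pad_1 = MD5(session_id, key, version, seq_no); pad_i = MD5(same..., pad_{i-1})."""
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:n]


def tacacs_xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call obfuscates and de-obfuscates."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_tacacs_authen_start(session_id: int, key: bytes, user: bytes, port: bytes,
                              rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START (seq_no 1): the username is inside the body, so it is hidden too."""
    body = (struct.pack("!BBBBBBBB", 0x01, 1, 0x01, 0x01,  # LOGIN, priv 1, ASCII, LOGIN service
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)
    header = TAC_PLUS_HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + tacacs_xor_body(body, session_id, key, TAC_PLUS_VERSION, 1)


def tacacs_decrypt_body(packet: bytes, key: bytes) -> bytes:
    """Server side: the 12-byte header is cleartext; the body needs the shared key."""
    version, _ptype, seq_no, flags, session_id, length = TAC_PLUS_HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if flags & 0x01:  # TAC_PLUS_UNENCRYPTED_FLAG: body sent in the clear (lab use only)
        return body
    return tacacs_xor_body(body, session_id, key, version, seq_no)


def demo() -> dict:
    """Constructed values; reports what an on-path observer without the secret can read."""
    secret = b"MySecretKey"          # constructed shared secret
    req_auth = bytes(range(16))      # constructed; real clients send 16 random octets
    radius_pkt = build_access_request(7, secret, b"bob", b"s3cret", req_auth)
    tacacs_pkt = build_tacacs_authen_start(0x12345678, secret, b"bob", b"tty0", b"10.1.1.5", b"")
    return {
        "radius_username_in_clear": b"bob" in radius_pkt,
        "tacacs_username_in_clear": b"bob" in tacacs_pkt,
        "radius_password_recovered": radius_reveal_password(
            radius_attributes(radius_pkt)[ATTR_USER_PASSWORD], secret, req_auth),
    }


if __name__ == "__main__":
    print(demo())
```

Both schemes depend entirely on the shared secret and MD5, which is why the FAQ below recommends IPsec or TLS around RADIUS traffic rather than relying on the attribute hiding alone.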

In real IT environments, RADIUS is commonly used in scenarios involving many users accessing a network service, such as wireless LAN authentication using 802.1X. TACACS+ is more often found in network device management, where administrators need to control who can configure routers, switches, and firewalls. Cisco’s Identity Services Engine (ISE) can act as both a RADIUS and TACACS+ server, allowing organizations to use a single platform for both network access control and device administration.

Real-Life Example

Think of a high-security office building with multiple zones. The building has a main entrance, a separate server room, and an executive wing. Every employee gets an electronic badge that stores their identity.

RADIUS works like a combined check-in and zone assignment system. When you swipe your badge at the main entrance, the system checks your ID against a central database. If you are an employee, the system instantly unlocks the front door and also programs your badge to allow entry only to the zones you are permitted to access, such as the general office area. It does not allow you into the server room unless the original check also included that permission. The process is fast because it is all one transaction, but if you are promoted and need access to the server room, the system administrator must update both your identity and your permissions at the same time. Also, the security log only shows that you entered the building, not which specific rooms you entered after that.

TACACS+ is like a system where the front entrance guard only checks your identity, and then a separate set of guards at each door handle zone access. When you swipe your badge at the main entrance, the guard verifies you are an employee and lets you into the building. When you try to enter the server room, a guard there checks a different system to see if you have permission to enter that room. When you try to enter the executive wing, another guard checks yet another permission. Each decision is made separately. If you are promoted and gain server room access, the administrator updates only the server room permissions without changing your main entrance credentials. Also, every guard logs your entry attempt, providing a detailed trail of exactly where you went and when. This is much more flexible and gives much finer control over access to sensitive areas.

The analogy maps directly: the building is the network, the main entrance is the network access point, the server room is a router or switch, and the badges are user credentials. RADIUS handles everything in one step, while TACACS+ separates the checks for more control and better logging.

Why This Term Matters

In real IT work, especially in enterprise networking, cybersecurity, and system administration, the ability to control who accesses network resources and what they do with them is a fundamental security requirement. RADIUS and TACACS+ are the two primary protocols that make this possible in most medium to large networks. Understanding the difference between them is not just academic; it directly affects security posture, operational efficiency, and compliance with regulations.

For networking professionals, choosing between RADIUS and TACACS+ impacts how they manage user access. If you are setting up a corporate Wi-Fi network that thousands of employees will use, RADIUS is typically the right choice. It integrates well with 802.1X, which is the standard for port-based network access control. Many RADIUS servers can also handle dynamic VLAN assignment and policy enforcement, such as redirecting guest users to a captive portal. For example, a hospital might use RADIUS to ensure that only doctors on the surgical team can access the operating room network segment.

TACACS+ is indispensable for managing network devices themselves. In a large enterprise, dozens or hundreds of routers, switches, and firewalls need to be configured and maintained. Network administrators need to log into these devices to make changes. TACACS+ provides command-level authorization, meaning you can allow a junior engineer to type only certain commands, such as show commands, while denying them the ability to change running configurations. This level of granularity is crucial for preventing accidental or malicious misconfigurations that could cause network outages. The accounting function of TACACS+ also creates an audit trail. If a change causes a problem, you can see exactly who made the change, on which device, at what time, and what commands they typed. This is invaluable for troubleshooting and for meeting compliance requirements like PCI-DSS, HIPAA, or SOX.

In cloud infrastructure, both protocols play a role. Cloud-based network devices and VPN concentrators often support RADIUS for user authentication. TACACS+ is less common in the cloud but is still used for managing cloud-hosted network appliances when they are part of a hybrid environment. Understanding both protocols helps IT professionals design secure, auditable, and manageable networks.

How It Appears in Exam Questions

Exam questions about RADIUS and TACACS+ appear in several formats. The most common are direct comparison questions. These ask you to identify a specific feature of one protocol versus the other. For example: 'Which protocol encrypts only the password?' The correct answer is RADIUS, while TACACS+ encrypts the entire packet body. Another common question: 'Which protocol uses TCP?' TACACS+ uses TCP, while RADIUS uses UDP. These are straightforward but require memorization of the key differences.

Scenario-based questions present a network situation and ask you to choose the best protocol or identify a correct statement. For example, a question describes a company that wants to control which commands each administrator can type on routers and needs a detailed audit log of every command entered. The correct answer would be TACACS+, because it supports command-level authorization and detailed accounting. In another scenario, a company needs to authenticate thousands of wireless users quickly and efficiently. The best choice is RADIUS because it is lightweight, uses UDP, and is well-suited for high-volume network access.

Configuration questions may present a configuration snippet with blank spaces or incorrect parameters. You might be asked to fill in the missing protocol keyword, either RADIUS or TACACS+, or to identify which command is used to enable AAA with a specific protocol. For example, the command aaa authentication login default group radius would show that RADIUS is being used. A question might ask what the next step would be in configuring TACACS+.

Troubleshooting questions involve reading a scenario where authentication is failing. You might need to determine that the issue is a mismatched shared secret, or that TACACS+ is not working because TCP port 49 is blocked by a firewall. You must also understand that RADIUS uses UDP, so a firewall rule allowing UDP ports 1812 and 1813 is necessary.

Architecture questions might ask about the logical separation of AAA functions. For example, which protocol allows authentication and authorization to be handled by separate servers? TACACS+ allows this because the functions are distinct processes. RADIUS does not, as authentication and authorization are bundled into the same response.

Finally, some questions test knowledge of encryption. RADIUS encrypts only the password using MD5 and a shared secret. TACACS+ encrypts the entire packet body. A question might ask: Which statement accurately describes the encryption of each protocol?

Example Scenario

A medium-sized company, TechFlow Inc., has 200 employees. They use Cisco routers and switches to connect their offices. The network team consists of five administrators: two senior engineers and three junior technicians. The company wants to allow all 200 employees to use the corporate Wi-Fi with their laptops and phones. At the same time, the senior engineers need full access to configure routers and switches, but the junior technicians should only be able to view the configuration using show commands, not change anything. Additionally, the company must keep a detailed log of every command typed on network devices to meet compliance requirements.

TechFlow decides to implement two different protocols. For the corporate Wi-Fi, they use RADIUS. When an employee connects to the wireless network, the wireless controller sends the username and password to the RADIUS server. The server checks the credentials against Active Directory. If correct, the server sends back an access-accept message that also tells the controller which VLAN to put the user in. This is fast and works well for 200 users. The authentication and authorization happen together.

For managing the network devices, they use TACACS+. When a senior engineer logs into a router, the router sends the authentication request to the TACACS+ server. The server verifies the identity. Then, when the engineer types a command, the router sends a separate authorization request. The server checks the command against the engineer's permission profile and allows it. When a junior technician logs in, authentication works the same way, but when they type a configure command, the authorization request is denied, and the command is rejected. The TACACS+ server logs every command from both users. This gives TechFlow the fine-grained control and audit trail they need.

Common Mistakes

Thinking that RADIUS encrypts the entire packet.

RADIUS only encrypts the password field within the packet using a shared secret and MD5 hash. The username, requested service, and other attributes are sent in plain text. This makes RADIUS less secure than TACACS+ in terms of packet confidentiality.

Remember that RADIUS encrypts only the password. TACACS+ encrypts the entire packet body. This is a key exam distinction.

Believing that both RADIUS and TACACS+ use the same transport protocol.

RADIUS uses UDP (User Datagram Protocol), which is connectionless and faster, but requires the application to handle retransmissions. TACACS+ uses TCP (Transmission Control Protocol), which provides reliable, connection-oriented delivery with built-in retransmission and flow control.

RADIUS equals UDP. TACACS+ equals TCP. Associate the extra 'C' in TACACS+ with 'Connection-oriented' or 'TCP'.

Assuming that RADIUS separates authentication, authorization, and accounting into three independent processes.

RADIUS combines authentication and authorization into a single step. The access-accept message includes both the success of authentication and the authorization attributes. Only accounting is a separate process. TACACS+ separates all three functions entirely.

RADIUS does Authentication and Authorization together (A+A). TACACS+ does Authentication then Authorization then Accounting separately (A, A, A).

Thinking that TACACS+ is an open standard like RADIUS.

RADIUS is an IETF standard (RFC 2865, 2866). TACACS+ is a Cisco-proprietary protocol, though its specification is publicly documented by Cisco. This means inter-vendor support for TACACS+ is limited mostly to Cisco products, while RADIUS is widely supported by many vendors.

RADIUS is industry-standard. TACACS+ is Cisco proprietary. In a multi-vendor network, RADIUS is more likely to work across all devices.

Confusing the default ports for the two protocols.

RADIUS uses UDP port 1812 for authentication and port 1813 for accounting. Some older implementations use ports 1645 and 1646. TACACS+ uses TCP port 49. Mixing these up can lead to firewall configuration errors and authentication failures.

RADIUS ports: 1812 (auth) and 1813 (acct), both UDP. TACACS+ port: 49, TCP.

Exam Trap — Don't Get Fooled

A question states: 'A company needs to log all commands typed by administrators on Cisco routers. Which protocol should be used? RADIUS or TACACS+?' Some learners might choose RADIUS because it is more common for network access, but the correct answer is TACACS+.

Always remember that command-level logging is a specific feature of TACACS+. RADIUS does not log individual commands. When you see a question that mentions logging all commands, command authorization, or per-command access control, the answer is almost always TACACS+.

Train yourself to match 'command logging' with 'TACACS+'.

Commonly Confused With

RADIUS vs TACACS+ vs LDAP (Lightweight Directory Access Protocol)

LDAP is a protocol for accessing and maintaining directory information services, such as Active Directory. It is used to look up user information and authenticate users, but it does not handle authorization or accounting for network services the way RADIUS and TACACS+ do. RADIUS and TACACS+ are AAA protocols specifically designed for network access control, while LDAP is a directory access protocol. Many AAA servers use LDAP to query a directory for user credentials, but LDAP itself is not an AAA protocol.

A bank uses LDAP to look up a customer's account number and address. It uses RADIUS or TACACS+ to decide whether that customer can enter the bank vault or only the lobby.

RADIUS vs TACACS+ vs Kerberos

Kerberos is a network authentication protocol that uses tickets to allow nodes to prove their identity to each other in a secure manner. It is commonly used in Microsoft Windows domains. Unlike RADIUS and TACACS+, Kerberos does not have built-in accounting or command-level authorization. It focuses solely on authentication. RADIUS and TACACS+ offer a broader AAA framework that includes authorization and accounting.

Kerberos is like a ticket that proves you bought a pass to enter a theme park. RADIUS is like a system that checks your ticket, assigns you to specific rides, and logs which rides you actually go on.

RADIUS vs TACACS+ vs Diameter

Diameter is a successor to RADIUS, designed to overcome its limitations. It uses TCP or SCTP instead of UDP, supports more reliable communication, and has built-in security using TLS or DTLS. Unlike RADIUS, Diameter can handle mobile network functions and has a more flexible attribute system. However, TACACS+ remains Cisco's preferred protocol for device management. Diameter is more complex and is primarily used in telecom and large-scale carrier networks, while RADIUS and TACACS+ are more common in enterprise IT.

If RADIUS is a reliable sedan, Diameter is a heavy-duty truck with more features for complex routes, and TACACS+ is a specialized security van for carrying valuables.

RADIUS vs TACACS+ vs 802.1X

802.1X is a standard for port-based network access control. It is not a protocol like RADIUS or TACACS+ but rather a framework that uses an authentication protocol, typically EAP (Extensible Authentication Protocol), and a backend AAA server, often RADIUS. TACACS+ is rarely used with 802.1X. The confusion arises because people think 802.1X is an alternative to RADIUS, but in fact, they work together: 802.1X is the mechanism, and RADIUS is the backend server that does the actual AAA.

802.1X is the security guard at the door checking your badge. RADIUS is the office database the guard calls to verify you are an employee and to see which rooms you can enter.

Step-by-Step Breakdown

1. User Initiates Connection

The user or device attempts to connect to a network resource. This could be a wireless network, a VPN, or a direct login to a router or switch. The network device, acting as the AAA client, receives this request and prompts the user for credentials such as a username and password.

2. AAA Client Sends Authentication Request

The network device packages the credentials into an authentication request and sends it to the AAA server. For RADIUS, this is a RADIUS Access-Request packet sent via UDP. For TACACS+, it is a TACACS+ authentication request sent via TCP. The request carries the username and password; in RADIUS only the password field is encrypted, while in TACACS+ the entire packet body is encrypted.

3. AAA Server Verifies Identity

The AAA server checks the credentials against its user database, which could be a local database, Active Directory, LDAP, or another identity store. If the credentials match an authorized user, the server prepares a positive response. If they do not match, the server sends a reject message. This is the Authentication phase.

4. Server Sends Access Decision

If authentication succeeds, the server sends back a response. In RADIUS, this is an Access-Accept packet that also includes authorization attributes, such as allowed VLAN, IP address, and session timeout. In TACACS+, the server first sends an authentication success message, and then a separate authorization process begins. TACACS+ does not bundle authorization with authentication.

5. User Gains Access (Authorization Applied)

The network device applies the authorization rules received from the server. For RADIUS, these rules are in the Access-Accept packet. For TACACS+, the device sends a separate authorization request for each action, such as a command typed on a router. The server responds allowing or denying that specific action. This fine-grained control is a key advantage of TACACS+.

6. Accounting Begins

Once the user is authenticated and authorized, the device starts sending accounting records to the AAA server. For RADIUS, accounting updates are sent periodically and at session end, including start time, stop time, and data usage. For TACACS+, accounting records include detailed logs of every command typed, along with timestamps and device identifiers. This provides a complete audit trail.

Practical Mini-Lesson

To understand how RADIUS and TACACS+ work in practice, imagine you are a network administrator setting up AAA for a medium-sized enterprise. You will likely need both protocols, each for different purposes.

First, configure a RADIUS server for network access. Users connecting to the corporate Wi-Fi will authenticate through the wireless LAN controller (WLC). You set up a RADIUS server, often a free one like FreeRADIUS, or a commercial solution like Cisco ISE. On the WLC, you configure the RADIUS server IP address, shared secret, and UDP ports 1812 and 1813. You create a policy that maps users to VLANs based on their Active Directory group. For example, employees from the finance department get a VLAN that grants access to accounting servers. When a user logs in, the WLC sends a RADIUS Access-Request. The server checks against AD, finds the user is in the finance group, and sends back an Access-Accept with the attribute that assigns the finance VLAN. The user gets on the network. This is fast and works well for many users.

Second, configure a TACACS+ server, possibly the same ISE instance, for device management. You configure the Cisco routers and switches to use TACACS+ for login authentication. On each device, you enter global configuration mode and use commands like aaa new-model, then aaa authentication login default group tacacs+, and then tacacs-server host 10.1.1.100 key MySecretKey. You also configure authorization and accounting. For authorization, you use aaa authorization exec default group tacacs+ to control which administrators get privileged EXEC access, and aaa authorization commands 0 default group tacacs+ to authorize user-level commands. For command authorization at privilege level 15, you use the same command with commands 15 in place of commands 0. For accounting, you use aaa accounting exec default start-stop group tacacs+ and aaa accounting commands 0 default start-stop group tacacs+ to log all commands.

On the TACACS+ server, you create a user profile for a junior technician named Bob. Bob is allowed only to use show commands, not configure anything. When Bob logs into a switch, the switch sends a TACACS+ authentication request. The server authenticates Bob and returns a success. Bob is now at the user EXEC prompt. He types show running-config. The switch sends a TACACS+ authorization request for that specific command. The server checks Bob's profile, sees that show commands are allowed, and returns an accept. Bob sees the configuration. Bob types configure terminal. The switch sends another authorization request. The server checks and sees configure commands are not in Bob's allowed list, so it denies the request. The switch rejects the command and shows an error. The TACACS+ server also logs both the allowed and denied commands. This level of control prevents junior staff from accidentally breaking network configurations.

A common problem is mismatched shared secrets. If the RADIUS or TACACS+ client and server have different shared secrets, authentication will fail. Always double-check the secret on both sides. Another issue is firewall rules. Since RADIUS uses UDP, it is more prone to packet loss and requires the firewall to allow UDP ports 1812 and 1813. TACACS+ uses TCP, so it requires TCP port 49 to be open. If authentication times out, check the firewall first.

In practice, Cisco ISE can serve both roles, making it a unified platform for network access and device management. Understanding how to configure and troubleshoot both protocols is a core skill for any network professional aiming for CCNP or security certifications.

Memory Tip

RADIUS uses UDP and encrypts only the password. TACACS+ uses TCP and encrypts the entire packet. For command-level logging, always choose TACACS+.

Frequently Asked Questions

Which protocol should I use for Wi-Fi authentication?

RADIUS is the standard protocol for Wi-Fi authentication, especially when combined with 802.1X and EAP. It is fast, widely supported, and designed for high-volume network access.

Can I use TACACS+ for wireless authentication?

Technically yes, but it is not common and not recommended. TACACS+ is designed for device management, not for high-scale network access like wireless. RADIUS is the standard choice for 802.1X and Wi-Fi.

Does TACACS+ require a Cisco device to work?

TACACS+ is a Cisco-proprietary protocol. While some other vendors have implemented it, it is primarily used with Cisco network devices. RADIUS is a standards-based protocol and works with equipment from virtually all vendors.

Why does TACACS+ encrypt the entire packet but RADIUS does not?

TACACS+ was designed by Cisco with stronger security in mind, encrypting the entire packet body to protect all information in transit. RADIUS was developed earlier and only encrypts the password to reduce overhead. Modern deployments often use IPsec or TLS to secure RADIUS traffic as a workaround.

Is one protocol faster than the other?

RADIUS uses UDP, which is connectionless and has lower overhead, so it can be faster for simple authentication requests. TACACS+ uses TCP, which adds connection setup overhead. However, for command-by-command authorization, TACACS+ is designed to handle many small transactions efficiently.

What is the main exam difference I need to remember for the ENCOR exam?

The key difference is that RADIUS combines authentication and authorization into one step and uses UDP, while TACACS+ separates all three AAA functions and uses TCP. Also, TACACS+ encrypts the entire packet, and RADIUS encrypts only the password.

Can I run both RADIUS and TACACS+ on the same server?

Yes. Cisco ISE (Identity Services Engine) supports both protocols simultaneously. You can configure one server to handle RADIUS for network access and TACACS+ for device management. This is a common enterprise setup.

Summary

RADIUS and TACACS+ are both AAA protocols used to control access to network resources, but they serve different purposes and have key technical differences. RADIUS is an open standard that uses UDP, encrypts only the password, and combines authentication with authorization into a single step. It is ideal for authenticating many users on network services like Wi-Fi, VPN, and wired network access.

TACACS+ is a Cisco-proprietary protocol that uses TCP, encrypts the entire packet, and separates authentication, authorization, and accounting into three distinct processes. It excels in device management scenarios where granular control over commands and detailed audit logs are required. For the CCNP ENCOR exam, you need to know these differences cold, including transport protocols, encryption methods, default ports, and the separation of AAA functions.

In practice, many enterprises deploy both protocols, using RADIUS for user network access and TACACS+ for securing and auditing administrative access to network devices. Understanding when and why to use each protocol is a fundamental skill for any network security professional.