CCNA 200-301 | Chapter 192 of 260 | Objective 5.3

RADIUS vs TACACS+: AAA Protocol Comparison

AAA (Authentication, Authorization, and Accounting) is the backbone of network access control, and the 200-301 exam expects you to know the differences between the two dominant protocols: RADIUS and TACACS+. Choosing the wrong protocol in a design scenario can lead to security holes or operational headaches. This chapter dissects both protocols at the packet level, compares their features, and shows you exactly what Cisco tests — including the traps that separate a pass from a fail.

25 min read
Intermediate
Updated May 31, 2026

Hotel Key Card vs. VIP Passport

Imagine a large hotel with multiple floors and restricted areas, and two different systems for guest access.

RADIUS is like the electronic key card that opens your room door. When you swipe it, the lock sends one request to a central server: 'Can this card open room 312?' The server checks its database and sends back a single answer that is both the verdict and the privileges that come with it: 'yes, and this card also works on the gym door' (the Access-Accept with its attributes). The lock trusts that one response and opens. The card number is printed on the card for anyone to read; only the secret code stored on it is scrambled.

TACACS+ is like a VIP passport you show to a security guard at the hotel entrance. The guard examines the passport and verifies your photo (authentication), then makes a separate decision every time you ask to enter an area: lobby, pool and business center yes, executive lounge no (authorization, one request per action). The whole conversation happens behind a closed door, and the guard keeps a log of everywhere you go (accounting).

In networking terms: RADIUS combines authentication and authorization into one response, uses UDP, and hides only the password. TACACS+ separates authentication, authorization, and accounting into three distinct exchanges, uses TCP, and obfuscates the entire packet body. Cisco devices support both, but TACACS+ is Cisco-proprietary and gives per-command authorization, which is critical for device administration. RADIUS is the standard for network access (such as 802.1X).

How It Actually Works

What Are AAA and Why Do We Need Protocols?

AAA stands for Authentication, Authorization, and Accounting. Authentication verifies who the user is (username/password, certificate). Authorization determines what the user is allowed to do (access a VLAN, run specific commands). Accounting tracks what the user did (login/logout times, commands executed). Without AAA protocols, each network device would need its own local user database, which doesn't scale. AAA protocols centralize this into a server (like Cisco ISE, FreeRADIUS, or ACS).

RADIUS (Remote Authentication Dial-In User Service) was originally developed by Livingston Enterprises for dial-up access. It is defined in RFC 2865 (authentication and authorization) and RFC 2866 (accounting). TACACS+ (Terminal Access Controller Access-Control System Plus) is Cisco's replacement for the original TACACS protocol; its wire format was eventually published as RFC 8907 (Informational, 2020), but the exam and most vendor documentation still label it Cisco-proprietary. Both provide AAA, but their architectures differ significantly.

How RADIUS Works: Packet-Level Mechanics

RADIUS uses UDP port 1812 for authentication/authorization and 1813 for accounting (older implementations use 1645/1646). The client, called the NAS (Network Access Server: a switch, router, VPN gateway or wireless controller), sends an Access-Request packet to the RADIUS server. The packet carries the User-Name, the User-Password (hidden by XORing it with an MD5 digest of the shared secret and the packet's random Request Authenticator) and other attributes such as NAS-IP-Address and Called-Station-Id. The server responds with one of three packets:

Access-Accept: User is authenticated and optionally authorized (attributes like VLAN assignment, ACL name).

Access-Reject: User is denied.

Access-Challenge: Server asks for additional verification (e.g., OTP token).

Authorization is embedded in the Access-Accept packet — there is no separate authorization exchange. This means the NAS must trust the server's single response for both auth and authz. Accounting is separate: the NAS sends Accounting-Request (Start) when a session begins and Accounting-Request (Stop) when it ends. The server replies with Accounting-Response.

The shared secret (a string both client and server know) protects only the User-Password attribute, and not with a cipher: the password is XORed with an MD5-derived pad. Everything else in the packet, including the username and all other attributes, travels in cleartext, which is the protocol's main confidentiality weakness. The secret is also mixed into the Response Authenticator, an MD5 digest that lets the NAS check that a reply came from a server holding the secret, but that is integrity for the reply only; an Access-Request has no integrity check of its own unless it carries a Message-Authenticator attribute (an HMAC-MD5, RFC 2869). The 2024 Blast-RADIUS attack (CVE-2024-3596) exploited exactly this gap with an MD5 collision to forge an Access-Accept, and the fix is to require Message-Authenticator on every packet or to move RADIUS onto TLS (RadSec, RFC 6614).
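To see exactly what the shared secret does and does not protect, here is an added Python example (not code from the page or from any RADIUS implementation) that builds an Access-Request per RFC 2865, hides the User-Password with the MD5-derived pad, and computes and verifies the Response Authenticator on the server's reply. The username, password, secret, NAS address and the fixed Request Authenticator used below are constructed test values.

```python
import hashlib
import os
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(raw: bytes):
    attrs, i = [], 0
    while i < len(raw):
        attr_type, length = raw[i], raw[i + 1]
        attrs.append((attr_type, raw[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """NAS side. Everything except User-Password goes on the wire in cleartext."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the only thing that ties a reply to the request and to the shared secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request, attrs, secret):
    """Server side: Access-Accept/Reject carrying the Response Authenticator."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(response, request, secret) -> bool:
    """NAS side: trust a reply only if the ID matches and the authenticator recomputes."""
    code, ident, attrs = response[0], response[1], response[20:]
    expected = response_authenticator(code, ident, attrs, request[4:20], secret)
    return ident == request[1] and response[4:20] == expected


def server_decode(request, secret):
    """What the server (or anyone on the path) can read: the username needs no secret,
    the password does."""
    request_auth, fields = request[4:20], {}
    for attr_type, value in parse_attributes(request[20:]):
        if attr_type == USER_NAME:
            fields["username"] = value.decode()
        elif attr_type == USER_PASSWORD:
            fields["password"] = reveal_password(value, secret, request_auth)
    return fields
```

Run it and you will find the username readable in the raw request bytes while the password is not, and a reply built or verified with the wrong secret fails. Nothing in the request itself is integrity-protected by this minimal builder; that is the job of the optional Message-Authenticator attribute, which is why modern servers insist on it.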

How TACACS+ Works: Packet-Level Mechanics

TACACS+ uses TCP port 49. This gives reliable delivery — no need for retransmission logic in the protocol itself. TACACS+ separates the three A's into distinct packet types:

Authentication: The client sends an authentication START packet. The server answers with a REPLY whose status is GETUSER, GETPASS or GETDATA (asking for more input; some texts write these GET_USERNAME, GET_PASSWORD, GET_DATA), or PASS or FAIL. The client answers each request for input with a CONTINUE packet, which allows multi-step authentication such as challenge-response.

Authorization: After authentication succeeds, the client sends an Authorization Request (with the user's name and the service/command they want). The server responds with either PASS or FAIL, along with authorization attributes (e.g., permit or deny specific commands).

Accounting: The client sends an Accounting Start/Stop/Update packet. The server acknowledges.

The entire TACACS+ packet body is obfuscated with the shared secret: the body is XORed with a pseudo-random pad built from chained MD5 digests of the session ID, the secret, the version and the sequence number. Only the 12-byte header (version, type, sequence number, flags, session ID, length) is in cleartext, so usernames, passwords, commands and authorization attributes are all hidden on the wire. RFC 8907 itself calls this obfuscation rather than encryption (it is an MD5-keyed XOR with no integrity check) and recommends running TACACS+ over a protected management network or IPsec.
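The following is an added Python example (not from the page or any TACACS+ implementation) of the RFC 8907 body obfuscation, together with both sides of a four-packet ASCII login (START, REPLY GETPASS, CONTINUE, REPLY PASS/FAIL) so you can see that only the header is readable on the wire. The key, session ID, usernames and passwords are constructed test values, and the in-process server is a toy that checks a dictionary.

```python
import hashlib
import struct

# Header constants from RFC 8907
VERSION = 0xC0               # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
HEADER_LEN = 12
# Authentication START fields
ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 1, 1, 1, 1
# REPLY status values
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 0x01, 0x02, 0x05


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); pad = MD5_1 || MD5_2 || ..."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it twice restores the body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte cleartext header followed by the obfuscated body (cleartext if no key)."""
    flags = 0 if key else FLAG_UNENCRYPTED
    payload = obfuscate(body, session_id, key, VERSION, seq_no) if key else body
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def authen_start_body(user: str, port: str = "tty0", rem_addr: str = "") -> bytes:
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(u), len(p), len(r), len(d)) + u + p + r + d


def authen_reply_body(status: int, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def authen_continue_body(user_msg: bytes = b"", data: bytes = b"") -> bytes:
    return struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data


def simulated_login(username, password, key, session_id, valid_users):
    """Both sides of an ASCII login. Returns the final status and the wire packets."""
    wire = []
    # client -> server: START (seq 1) carrying the username
    pkt = build_packet(TYPE_AUTHEN, 1, session_id, authen_start_body(username), key)
    wire.append(pkt)
    # server: decode START, pull the user from the body, ask for the password (seq 2)
    start = parse_packet(pkt, key)["body"]
    user = start[8:8 + start[4]].decode()
    pkt = build_packet(TYPE_AUTHEN, 2, session_id, authen_reply_body(STATUS_GETPASS, b"Password: "), key)
    wire.append(pkt)
    # client: decode REPLY, answer with CONTINUE carrying the password (seq 3)
    if parse_packet(pkt, key)["body"][0] != STATUS_GETPASS:
        raise RuntimeError("unexpected reply status")
    pkt = build_packet(TYPE_AUTHEN, 3, session_id, authen_continue_body(password.encode()), key)
    wire.append(pkt)
    # server: decode CONTINUE, check the credential, send the verdict (seq 4)
    cont = parse_packet(pkt, key)["body"]
    supplied = cont[5:5 + struct.unpack("!H", cont[:2])[0]].decode()
    status = STATUS_PASS if valid_users.get(user) == supplied else STATUS_FAIL
    pkt = build_packet(TYPE_AUTHEN, 4, session_id, authen_reply_body(status), key)
    wire.append(pkt)
    return parse_packet(pkt, key)["body"][0], wire
```

Inspect the returned packets: the first twelve bytes of each are readable (version 0xC0, type 1, the sequence number, the session ID), while the username, the 'Password:' prompt and the password itself never appear in the clear. Decoding with the wrong key yields garbage rather than an error, which is why a key mismatch shows up on IOS as a failed or hung login rather than a clear diagnostic.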

Key States, Timers, and Defaults

RADIUS:

Default retransmit timeout: 5 seconds (Cisco IOS).

Maximum retransmits: 3 (default).

Dead time: set with `radius-server deadtime` (in minutes); the default is 0, meaning a failed server is not skipped at all. A server is marked dead according to `radius-server dead-criteria time <sec> tries <n>`.

Ports: UDP 1812 (auth), 1813 (acct).

Shared secret length: up to 128 characters.

TACACS+:

Default timeout: 5 seconds.

Transport: a new TCP connection per AAA session by default; `single-connection` under `tacacs server` keeps one persistent TCP connection for all sessions. Either way TCP handles retransmission, so there is no per-packet retransmit setting.

Port: TCP 49.

Shared secret length: up to 128 characters.

IOS CLI Verification Commands

To configure RADIUS on a Cisco IOS device:

! Configure RADIUS server
radius server ISE
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key mySecretKey
!
! Apply to login authentication
aaa new-model
aaa authentication login default group radius local

To verify RADIUS:

show running-config | section radius
show radius server-group
show radius statistics

Example output of show radius statistics:

RADIUS Statistics:
  Total Packets In: 150
  Total Packets Out: 200
  Retransmissions: 5
  Timeouts: 2
  Dead Servers: 0

To configure TACACS+:

! Configure TACACS+ server
tacacs server ISE
 address ipv4 192.168.1.100
 key mySecretKey
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+

To verify TACACS+:

show tacacs

Example output:

TACACS+ Server: 192.168.1.100/49
  Socket opens: 10
  Socket closes: 8
  Total packets sent: 50
  Total packets received: 48
  Timeouts: 2

How They Interact with Related Protocols

802.1X (port-based access control) uses RADIUS: the authenticator (switch or wireless controller) acts as a RADIUS client and relays EAP messages between the supplicant and the AAA server inside EAP-Message attributes, as defined in RFC 3579. TACACS+ has no way to carry EAP, so it is not used for 802.1X; on Cisco IOS, `aaa authentication dot1x` only accepts RADIUS server groups. For device administration (SSH/console), TACACS+ is preferred because of command authorization.

Walk-Through

1

RADIUS Authentication Flow

1. The user connects to the NAS (for example, a VPN concentrator), which prompts for a username and password.
2. The NAS encapsulates the credentials in a RADIUS Access-Request. The User-Password is hidden with the shared secret (MD5-derived pad); the username is not. The packet goes to the RADIUS server over UDP port 1812.
3. The server checks the credentials against its database. Valid: Access-Accept, optionally carrying authorization attributes such as a VLAN ID or ACL name. Invalid: Access-Reject. More information needed (for example an OTP): Access-Challenge.
4. The NAS checks the Response Authenticator against the shared secret, then grants access with the returned attributes on Access-Accept or denies it on Access-Reject.
5. The NAS sends Accounting-Request (Start) to UDP 1813 to log the session; the server acknowledges with Accounting-Response.

2

TACACS+ Authentication Flow

1. The user initiates a connection to a network device (for example, SSH to a router). The device, acting as TACACS+ client, opens TCP port 49 and sends an authentication START packet containing the action (login), privilege level, authentication type and service, plus the username if it is already known.
2. The server answers with a REPLY whose status is GETUSER (if the username was not supplied).
3. The client prompts the user and sends a CONTINUE packet carrying the username.
4. The server replies with status GETPASS.
5. The client prompts for the password and sends another CONTINUE.
6. The server verifies the credentials and replies with status PASS or FAIL.
Every packet body in this exchange is obfuscated with the shared secret; only the 12-byte header is readable on the wire. After authentication, the client runs separate authorization and accounting exchanges, each over its own TCP connection unless single-connection mode is enabled.

3

TACACS+ Authorization for Commands

1. After authentication, the user enters a command (for example, show running-config).
2. The device sends a TACACS+ authorization REQUEST containing the username, the service (shell) and the command as attribute-value pairs (cmd=show, cmd-arg=running-config, terminated by cmd-arg=<cr>).
3. The server evaluates its policy (for example, user 'admin' may run any command, user 'oper' may run only show commands).
4. The server responds PASS (PASS_ADD or PASS_REPL in the RFC, possibly with extra attributes) or FAIL.
5. On PASS the device executes the command; on FAIL it prints 'Command authorization failed' and does nothing. This per-command granularity is a key advantage of TACACS+.

4

RADIUS Accounting for Session

1. When a session starts (for example, a PPP link comes up), the NAS sends Accounting-Request (Start) to UDP 1813 with Acct-Status-Type=Start, Acct-Session-Id, NAS-IP-Address and User-Name.
2. The server logs the start and replies with Accounting-Response.
3. During the session the NAS may send Interim-Update records (Acct-Status-Type=Interim-Update) with current usage.
4. When the session ends, the NAS sends Accounting-Request (Stop) with Acct-Status-Type=Stop, Acct-Input-Octets, Acct-Output-Octets and Acct-Session-Time.
5. The server logs it and responds. If no Accounting-Response arrives the NAS retransmits (UDP gives no delivery guarantee), so a Stop record can be lost if the server stays down longer than the retry budget.

5

Verify AAA Configuration on IOS

Use `show aaa servers` to see the state of both RADIUS and TACACS+ servers. Example output (abridged):

RADIUS: id 1, priority 1, host 192.168.1.100, auth-port 1812, acct-port 1813
  State: current UP, duration 5d2h
  Dead: total 0, retransmit 3, timeout 5
TACACS+: id 2, priority 1, host 192.168.1.100, port 49
  State: current UP, duration 5d2h
  Single-connect: disabled

Use `debug radius` and `debug tacacs` for live troubleshooting, and `test aaa` to drive an authentication without logging in: `test aaa group radius user1 password1 new-code`.

6

Troubleshooting AAA Issues

Common issues:

1. Shared secret mismatch: check `key` on the device against the secret configured for that NAS on the server.
2. Port mismatch: the device and server must agree on 1812/1813 or the legacy 1645/1646.
3. Server unreachable: check routing, the source interface (`ip radius source-interface` / `ip tacacs source-interface`, since the server only accepts the NAS address it knows) and firewall rules for UDP 1812/1813 and TCP 49.
4. Authorization failure: verify the user is in the right group or policy on the server.
5. Accounting not working: make sure the accounting method list is actually applied.

Use `debug radius authentication` or `debug tacacs authentication` to watch the exchange. For RADIUS look for Access-Accept or Access-Reject; for TACACS+ look for PASS or FAIL. `show radius statistics` shows retransmissions; a high count points to packet loss or an overloaded server.

What This Looks Like on the Job

In a typical enterprise, RADIUS is used for network access control (NAC) scenarios. For example, when an employee connects their laptop to a wired switch port, the switch acts as a RADIUS client. The employee's credentials (or machine certificate) are forwarded to a RADIUS server (like Cisco ISE). The server authenticates the user and returns a VLAN assignment (e.g., VLAN 10 for corporate devices, VLAN 20 for guests). This is the 802.1X + RADIUS combination. The switch then dynamically places the port into the correct VLAN. Accounting tracks when the user connected and disconnected. Performance-wise, RADIUS over UDP can be problematic in lossy networks — retransmissions can cause delays. Using a RADIUS load balancer or multiple servers with failover is common.

TACACS+ is the go-to for device administration. Network engineers managing hundreds of routers and switches use TACACS+ to centralize authentication and authorize specific commands: junior engineers might be allowed only show commands while senior engineers can configure interfaces, all enforced through TACACS+ command authorization. Accounting logs every command entered, which is invaluable for auditing and compliance (for example PCI DSS). A common deployment pattern is primary and secondary TACACS+ servers with fallback to local authentication if both are unreachable; treat that local account as a break-glass credential and keep its secret long and audited. TCP transport means fewer retransmission problems, at the cost of a TCP handshake per AAA session on the server (or one persistent connection per device when single-connection mode is enabled).

Misconfigurations happen. A classic mistake is using RADIUS for device administration and expecting per-command authorization. On IOS, RADIUS can hand back a privilege level (cisco-av-pair shell:priv-lvl=15) in the Access-Accept, but `aaa authorization commands` only works against a TACACS+ group, so granular command control requires TACACS+. Another pitfall is the method list: the `default` list applies to every line automatically, but a named list does nothing until a line references it (`login authentication NAME` under `line vty 0 4`). Check with `show running-config | section line` rather than `show line`, which reports line status, not the method list.
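Here is an added, complete IOS configuration that puts the two protocols side by side on one switch: RADIUS for 802.1X, TACACS+ for administration with per-command authorization, named method lists bound to the lines, and a local break-glass fallback. It is example configuration, not from the original page or from Cisco; the server names, addresses, group names, interface and secrets are assumed.

```cisco
! Local break-glass account: create it BEFORE aaa new-model or you can lock yourself out
username breakglass privilege 15 secret Lon9-R4ndom-Pa55phrase
!
aaa new-model
!
! Server definitions (one ISE node plays both roles here; secrets are placeholders)
radius server ISE-RADIUS
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key R4dius-Sh4red-Secret
!
tacacs server ISE-TACACS
 address ipv4 192.168.1.100
 key T4cacs-Sh4red-Secret
 single-connection
!
! Separate server groups so each method list can point at the right protocol
aaa group server radius NAC-SERVERS
 server name ISE-RADIUS
!
aaa group server tacacs+ ADMIN-SERVERS
 server name ISE-TACACS
!
! Source the AAA traffic from a stable address the server has registered for this NAS
ip radius source-interface Loopback0
ip tacacs source-interface Loopback0
!
! Device administration: named lists, TACACS+ first, local only if every server is dead
aaa authentication login ADMIN group ADMIN-SERVERS local
aaa authorization exec ADMIN group ADMIN-SERVERS local
aaa authorization commands 15 ADMIN group ADMIN-SERVERS local
aaa authorization config-commands
aaa accounting exec ADMIN start-stop group ADMIN-SERVERS
aaa accounting commands 15 ADMIN start-stop group ADMIN-SERVERS
!
! Network access: 802.1X can only use a RADIUS group (EAP rides inside RADIUS)
aaa authentication dot1x default group NAC-SERVERS
aaa authorization network default group NAC-SERVERS
aaa accounting dot1x default start-stop group NAC-SERVERS
dot1x system-auth-control
!
! Named lists do nothing until a line references them
line con 0
 login authentication ADMIN
 authorization exec ADMIN
!
line vty 0 4
 login authentication ADMIN
 authorization exec ADMIN
 authorization commands 15 ADMIN
 accounting exec ADMIN
 accounting commands 15 ADMIN
 transport input ssh
!
! An access port where the supplicant is authenticated against NAC-SERVERS
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
```

Two checks after applying this: `show aaa servers` should list both servers as UP, and `test aaa group ADMIN-SERVERS breakglass Lon9-R4ndom-Pa55phrase new-code` should fail (the account is local only), proving that command authorization is being decided by the TACACS+ server and not by the local database until the server group is unreachable.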

How CCNA 200-301 Actually Tests This

The 200-301 exam tests AAA under Objective 5.3: 'Compare and contrast RADIUS and TACACS+'. You will not be asked to configure AAA from scratch, but you must know the key differences. The exam loves to present scenario questions where you must choose the correct protocol. Common traps:

1.

Encryption scope: Many candidates think RADIUS encrypts the entire packet. Wrong. RADIUS only encrypts the password. TACACS+ encrypts the entire packet body. The exam may ask: 'Which protocol encrypts the entire payload?' Answer: TACACS+.

2.

Transport protocol: RADIUS uses UDP; TACACS+ uses TCP. A question might say: 'Which protocol provides reliability through its transport?' Answer: TACACS+ (TCP). But remember: RADIUS has its own retransmission mechanism, so it is not completely unreliable — but TCP handles it natively.

3.

Separation of AAA: RADIUS combines authentication and authorization in the Access-Accept packet. TACACS+ separates them into three distinct exchanges. A question might ask: 'Which protocol allows you to authenticate a user and then separately authorize each command?' Answer: TACACS+.

4.

Port numbers: RADIUS auth port 1812/UDP, acct 1813/UDP. TACACS+ port 49/TCP. Some older questions use 1645/1646 — know that 1812/1813 are the IANA-assigned ports.

5.

Vendor support: RADIUS is an open standard (RFC); TACACS+ is Cisco-proprietary. The exam may ask: 'Which protocol is an open standard?' Answer: RADIUS.

Decision rule for scenario questions: If the scenario involves network access (wireless, VPN, 802.1X), choose RADIUS. If it involves device administration (SSH to routers) and command authorization, choose TACACS+. If the question mentions 'accounting', both can do it, but TACACS+ separates it. If the question mentions 'encryption of entire packet', choose TACACS+. Always read the question carefully — sometimes they ask for the 'Cisco-proprietary' protocol.

Key Takeaways

RADIUS uses UDP ports 1812 (auth) and 1813 (accounting).

TACACS+ uses TCP port 49.

RADIUS encrypts only the password; TACACS+ encrypts the entire packet body.

RADIUS combines authentication and authorization; TACACS+ separates them into three phases.

TACACS+ supports per-command authorization; RADIUS does not.

RADIUS is an open standard; TACACS+ is Cisco-proprietary.

For network access (802.1X), use RADIUS. For device administration, use TACACS+.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

RADIUS

Uses UDP (ports 1812/1813)

Encrypts only password

Combines authentication and authorization

Open standard (RFC)

Best for network access (802.1X, VPN)

TACACS+

Uses TCP (port 49)

Encrypts entire packet body

Separates authentication, authorization, accounting

Cisco-proprietary

Best for device administration (command authorization)

Watch Out for These

Mistake

RADIUS encrypts the entire packet.

Correct

RADIUS hides only the User-Password field, by XORing it with an MD5 digest of the shared secret and the Request Authenticator. The rest of the packet (username, attributes) is sent in cleartext.

Candidates assume 'encryption' applies to the whole message because the shared secret is used, but the encryption scope is limited.

Mistake

TACACS+ uses UDP for faster performance.

Correct

TACACS+ uses TCP port 49, which provides reliable, connection-oriented transport.

Many confuse TACACS+ with RADIUS; they think both use UDP because they are both AAA protocols.

Mistake

RADIUS and TACACS+ both support command authorization equally.

Correct

Only TACACS+ supports per-command authorization (granular control). RADIUS can return a privilege level (0-15) but not specific command allow/deny.

Candidates may think 'authorization' means the same thing in both protocols, but the granularity differs.

Mistake

RADIUS is Cisco-proprietary.

Correct

RADIUS is an open standard (RFC 2865, 2866). TACACS+ is Cisco-proprietary.

Cisco heavily promotes both, but RADIUS is widely used across vendors.


Frequently Asked Questions

Can RADIUS do command authorization?

RADIUS does not support per-command authorization natively. It can return a privilege level (0-15) in the Access-Accept packet, which indirectly controls command access (e.g., privilege level 15 allows all commands). However, for granular command-level control (e.g., allow 'show' but not 'configure'), TACACS+ is required. In exam scenarios, remember: command authorization = TACACS+.

What ports does RADIUS use?

RADIUS uses UDP port 1812 for authentication and authorization, and UDP port 1813 for accounting. Older implementations may use 1645 and 1646, but 1812/1813 are the IANA-assigned ports. The 200-301 exam expects you to know 1812 and 1813. TACACS+ uses TCP port 49.

Is RADIUS more secure than TACACS+?

TACACS+ is generally considered more secure because it obfuscates the entire packet body, including the username, commands and authorization attributes; RADIUS hides only the password. Neither is strong cryptography: both rely on a shared secret and MD5 (a chained MD5 keystream in TACACS+, an MD5-based pad plus MD5 authenticators in RADIUS) with no modern integrity protection, and both are only as good as the secret. Use long random secrets, a dedicated management network or IPsec, and RADIUS over TLS (RadSec, RFC 6614) where the server supports it. On the exam, remember: TACACS+ encrypts the entire payload.

Can I use both RADIUS and TACACS+ on the same device?

Yes, you can configure multiple AAA servers of different types. For example, you might use RADIUS for network access (dot1x) and TACACS+ for device administration (SSH). In IOS, you define separate server groups and apply them to different method lists. This is common in enterprises.

What is the difference between AAA authentication and authorization?

Authentication verifies the identity of the user ('Who are you?'). Authorization determines what the user is allowed to do ('What can you do?'). In RADIUS, these are combined in the Access-Accept packet. In TACACS+, they are separate exchanges. Accounting logs what the user did. The exam often asks to distinguish these three functions.

Why does RADIUS use UDP instead of TCP?

Historically, RADIUS was designed for dial-up access where packet loss was low and simplicity was key. UDP avoids the overhead of TCP connection setup and teardown, which is beneficial for many short-lived authentication requests. However, RADIUS implements its own retransmission and timeout mechanisms. TACACS+ uses TCP for reliability, which is better for persistent connections like device administration.

What does 'aaa new-model' do?

The command `aaa new-model` enables the AAA subsystem on a Cisco device and must be present before any `aaa authentication`, `aaa authorization` or `aaa accounting` command takes effect; without it the device uses the legacy per-line `login` / `login local` methods. One operational caveat: the moment it is enabled, the default login method on every line becomes local authentication, so create a local username (or the method list you intend to use) before entering it, or you can lock yourself out of the VTY lines. It is a global configuration command required for both RADIUS and TACACS+.
