CCNA 200-301 / Chapter 93 of 260 / Objective 5.3

RADIUS vs TACACS+

If you've ever configured AAA on a Cisco device, you've faced the choice between RADIUS and TACACS+. This decision matters for the CCNA 200-301 exam (objective 5.3) because Cisco tests not just which protocol encrypts what, but how each behaves in real enterprise networks. Getting this wrong on the exam—or in production—can mean exposing user passwords or locking yourself out of a router. Let's dissect these two protocols so you never confuse them again.

25 min read
Intermediate
Updated May 31, 2026

Hotel Key Card vs. Security Guard

Imagine two hotels. Hotel RADIUS issues you one key card at check-in. When you tap it at the gym door, the door asks the front desk a single question: 'Is this card valid, and what is it good for?' The front desk answers once, yes or no plus a short list of what the card opens, and the door applies that answer for the rest of your stay without ever asking again. This is RADIUS: authentication and authorization come back together in one reply, and the network device (the door) gets an accept or reject with a few attributes attached.

Hotel TACACS+ puts a guard at every door, and the guard phones the security company for each request: first to confirm who you are, then, separately, to ask whether you may do this particular thing ('gym, 7 AM'), and afterwards to report how long you stayed. This is TACACS+: authentication, authorization, and accounting are separate exchanges with the AAA server (the security company), so the server can be consulted about each command a user types. That is why TACACS+ gives you per-command authorization on a router, while RADIUS can only say 'you may log in, at this privilege level'.

How It Actually Works

What Are RADIUS and TACACS+?

RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) are both AAA protocols used to centralize authentication, authorization, and accounting for network devices. They allow a router, switch, or firewall to offload user management to a dedicated server (like Cisco ISE or FreeRADIUS). The CCNA exam expects you to know the differences in encryption, transport, and functionality.

How They Work: Packet-Level Mechanics

RADIUS uses UDP (ports 1812 for authentication/authorization, 1813 for accounting; older implementations use 1645/1646). Because UDP is connectionless, the RADIUS client handles retransmissions itself: if no response arrives within the timeout (default 5 seconds on Cisco IOS), it resends the request, up to the retransmit count (default 3). RADIUS hides only the User-Password attribute of the Access-Request, by XORing it with an MD5 hash of the shared secret and the packet's Request Authenticator (RFC 2865). Everything else, including User-Name, NAS-IP-Address and Service-Type, travels in cleartext, and so does the Access-Accept that comes back with its privilege level and other authorization attributes. This is a critical exam point: RADIUS does NOT encrypt the entire packet.

TACACS+ uses TCP (port 49). TCP provides reliable delivery, so the protocol needs no retransmission logic of its own. TACACS+ obscures the entire body of the packet; only the TCP header and the 12-byte TACACS+ header stay in the clear. That header carries a version, a type field (1=Authentication, 2=Authorization, 3=Accounting), a sequence number, flags, a session ID and the body length. The body is XORed with a pseudo-random pad built from chained MD5 hashes of the session ID, the shared secret, the version and the sequence number (RFC 8907); there is no SHA variant. For the exam this counts as 'encrypting the whole packet', but RFC 8907 itself calls it obfuscation rather than encryption and recommends running TACACS+ only over a protected path (a dedicated management network or an encrypted tunnel), because anyone who learns the shared secret can decode every captured session.

AAA Separation: The Key Difference

RADIUS combines authentication and authorization into one packet. The Access-Request contains both the user's credentials and the service they're requesting (e.g., 'I want to SSH'). The server responds with an Access-Accept that includes authorization attributes (e.g., privilege level, ACLs). This means you cannot authenticate without also authorizing a service. TACACS+ separates the three A's: first an Authentication packet exchange, then a separate Authorization request, then Accounting. This allows scenarios like authenticating a user but denying authorization for a specific command.
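To make the packet-level difference from the two sections above concrete, here is an added Python example written for this page (it is not Cisco's code or any vendor's implementation). It builds a RADIUS Access-Request with the User-Password hiding of RFC 2865 section 5.2, a TACACS+ authorization REQUEST with the body obfuscation of RFC 8907 section 4.5, and, going one step beyond the text, the Access-Accept Response Authenticator check a RADIUS client must perform. The shared secret, username, password, session ID, Request Authenticator and the port/address strings are constructed values.

```python
import hashlib
import struct

# Constructed inputs for this demonstration (not from any real deployment).
SECRET = b"Cisco123"
USERNAME = b"netadmin"
PASSWORD = b"Sup3rS3cret!"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- RADIUS, RFC 2865 sec. 5.2: only the User-Password attribute is hidden ---

def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a multiple of 16, then XOR each chunk with MD5(secret + previous
    ciphertext chunk); the first chunk is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password: same MD5 chain, XORed back, padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")


def radius_access_request(ident: int, user: bytes, password: bytes,
                          secret: bytes, request_auth: bytes) -> bytes:
    """Code 1 packet: code, id, length, 16-byte Request Authenticator, then TLV
    attributes. User-Name (type 1) is sent as-is; only User-Password (type 2) is hidden."""
    hidden = radius_hide_password(password, secret, request_auth)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs


def radius_build_response(code: int, ident: int, attrs: bytes,
                          request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Access-Accept (2) / Access-Reject (3). Response Authenticator =
    MD5(code + id + length + Request Authenticator + attributes + secret), RFC 2865 sec. 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def radius_verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a spoofed or tampered Access-Accept fails this check unless the
    forger knows the shared secret, which is why a client must never skip it."""
    header, attrs = packet[:4], packet[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == packet[4:20]


# --- TACACS+, RFC 8907 sec. 4.5: the whole body after the 12-byte header is obfuscated ---

TAC_VERSION, TAC_AUTHOR = 0xC0, 0x02  # major version 0xC, minor 0; type 2 = authorization


def tacacs_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id + key + version + seq_no),
    pad_n = MD5(session_id + key + version + seq_no + pad_n-1), truncated to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_author_body(user: bytes, args: list) -> bytes:
    """Authorization REQUEST body: authen_method=TACACSPLUS(6), priv_lvl=15,
    authen_type=ASCII(1), authen_service=LOGIN(1), length bytes, then the strings.
    The port and remote address are constructed values."""
    port, rem_addr = b"tty2", b"10.1.1.50"
    head = bytes([6, 15, 1, 1, len(user), len(port), len(rem_addr), len(args)])
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def tacacs_packet(body: bytes, session_id: bytes, key: bytes, seq_no: int = 1) -> bytes:
    """Cleartext header (version, type, seq_no, flags, session_id, length) + XORed body."""
    header = struct.pack("!BBBB4sI", TAC_VERSION, TAC_AUTHOR, seq_no, 0, session_id, len(body))
    return header + _xor(body, tacacs_pad(session_id, key, TAC_VERSION, seq_no, len(body)))


def tacacs_unobfuscate(packet: bytes, key: bytes) -> bytes:
    """XOR is its own inverse: the right key yields the original body, a wrong key garbage."""
    version, _typ, seq_no, _flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    return _xor(packet[12:12 + length], tacacs_pad(session_id, key, version, seq_no, length))


if __name__ == "__main__":
    ra, sid = bytes(range(16)), b"\x00\x00\x00\x2a"  # fixed nonces so the run is reproducible
    req = radius_access_request(7, USERNAME, PASSWORD, SECRET, ra)
    pkt = tacacs_packet(tacacs_author_body(USERNAME, [b"service=shell", b"cmd=reload"]), sid, SECRET)
    print("RADIUS : username in clear:", USERNAME in req, "| password in clear:", PASSWORD in req)
    print("TACACS+: username in clear:", USERNAME in pkt, "| cmd=reload in clear:", b"cmd=reload" in pkt)
```

Run it and the RADIUS request still contains 'netadmin' as readable bytes while the password does not; the TACACS+ packet shows neither the username nor the 'cmd=reload' argument, which is exactly the per-command authorization request that RADIUS has no packet type for. Note that both constructions are MD5-and-XOR obfuscation keyed only by the shared secret: a captured TACACS+ session plus a leaked secret decodes completely, and a RADIUS Access-Accept is protected only by the Response Authenticator. In production, keep both protocols on a management network or an encrypted transport (RADIUS over TLS, RFC 6614, exists for this reason) and treat the shared secret as a credential.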

Defaults and Timers

RADIUS UDP ports: 1812 (auth), 1813 (accounting)

RADIUS timeout: 5 seconds (default on Cisco IOS)

RADIUS retransmit count: 3 (default)

TACACS+ TCP port: 49

TACACS+ timeout: 5 seconds (default)

TACACS+ single connection: disabled by default (each session opens a new TCP connection)

IOS CLI Verification

To see configured AAA servers:

show running-config | section radius
show running-config | section tacacs

To test connectivity:

test aaa group radius username cisco password cisco new-code
test aaa group tacacs+ username cisco password cisco new-code

Example output for show radius statistics:

RADIUS Statistics:
  Total RADIUS packets sent: 12
  Total RADIUS packets received: 10
  Total RADIUS timeouts: 2
  Total RADIUS retransmits: 1
  ...

Interaction with Related Protocols

RADIUS is often used with 802.1X for port-based authentication on switches. The switch acts as a RADIUS client (authenticator), the endpoint is the supplicant, and the RADIUS server is the authentication server. TACACS+ is used for device administration (SSH, console). Both can coexist: RADIUS for network access, TACACS+ for management access.

Walk-Through

1

Choose RADIUS or TACACS+

First, determine the use case. If you need to authenticate users for network access (e.g., wireless, VPN, 802.1X), choose RADIUS. If you need to authenticate administrators for device management (console, SSH, enable), choose TACACS+. Many enterprises run both. On the exam, scenario questions will give clues: 'administrators logging into routers' → TACACS+; 'users connecting to Wi-Fi' → RADIUS.

2

Configure AAA New Model

Enable AAA globally with `aaa new-model`. This command switches the device from the legacy line/enable password model to AAA method lists and must be present before any other AAA command is accepted. The moment it is entered, every line (console, vty, aux) starts using the default login method list; if you have not defined one, IOS falls back to the local username database, so a device with no local user configured can lock you out of the next SSH session. Working remotely, create a local user first, keep your current session open, and verify a second login works before you close it.

3

Define RADIUS Server

Use `radius server <name>` to define a RADIUS server. Enter the IP address with `address ipv4 <ip> auth-port 1812 acct-port 1813` and set the shared secret with `key <secret>`. Example:

```
radius server ISE
 address ipv4 10.1.1.100 auth-port 1812 acct-port 1813
 key Cisco123
```

The older single-line form `radius-server host <ip> key <secret>` still works on many images but is deprecated and less granular; use the named-server form on new configurations.

4

Define TACACS+ Server

Similar to RADIUS: `tacacs server <name>`, then `address ipv4 <ip>` and `key <secret>`. Example:

```
tacacs server TACACS
 address ipv4 10.1.1.200
 key Cisco123
```

In the same server submode you can set the timeout with `timeout <seconds>` and enable single-connection mode with `single-connection`. Single-connection reuses one TCP connection for multiple sessions, reducing overhead.

5

Create Authentication Method List

Define a method list for login authentication: `aaa authentication login <list-name> group radius local`. This tells the router to try RADIUS first and fall back to the local database. For TACACS+: `aaa authentication login <list-name> group tacacs+ local`. Apply the list to lines with `login authentication <list-name>`. Example:

```
aaa authentication login ADMIN group tacacs+ local
line vty 0 4
 login authentication ADMIN
```

The fallback only triggers when every server in the group fails to answer. If a server is reachable and rejects the credentials, the router returns a failure and does not consult the local database, so a wrong password on the AAA server is not rescued by a local account.

6

Configure Authorization and Accounting

For authorization: `aaa authorization exec <list-name> group tacacs+ local` (for shell access) or `aaa authorization commands 15 <list-name> group tacacs+ local` (for privilege 15 commands). Accounting: `aaa accounting exec <list-name> start-stop group tacacs+` records the session; to log every command typed, which is what auditors usually want, add `aaa accounting commands 15 <list-name> start-stop group tacacs+` as well. Command authorization and accounting are not applied to the console unless you also enter `aaa authorization console`, which keeps an out-of-band path open if the server is misconfigured. RADIUS returns authorization attributes inside the Access-Accept, so you do not need separate authorization commands for network access. For device administration, TACACS+ is preferred because it supports per-command authorization.

What This Looks Like on the Job

In a typical enterprise, you'll see RADIUS deployed for wireless LAN authentication. Users enter their domain credentials, the wireless LAN controller (WLC) forwards them via RADIUS to Cisco ISE or Microsoft NPS. The RADIUS server checks Active Directory and returns an Access-Accept with attributes like VLAN assignment or ACL name. This happens at scale: a WLC can front a large burst of authentications when a building logs in each morning. If the RADIUS server goes down, new users can't connect, so redundancy is critical. You'd configure multiple RADIUS servers in the server group; IOS tries them in the order they are listed.

For device administration, TACACS+ is the go-to. Network engineers SSH into routers and switches; TACACS+ authenticates them, authorizes specific commands (e.g., only senior engineers can reload), and logs every command typed. This is invaluable for compliance. A common scenario: a junior engineer accidentally enters 'reload' — TACACS+ can deny that command if not authorized. With RADIUS, you can't do that; once authenticated, the user gets full access based on privilege level.

Misconfiguration examples: Using RADIUS for device admin without fallback; the RADIUS server fails, and you're locked out. Solution: always include 'local' as a fallback. Another: leaving the console on the same server-only list as the vty lines. Give the console its own method list that ends in 'local' (and configure a local user) so physical access still works when every server is down. Also, because RADIUS rides on UDP, packet loss on the path means each lost request costs a full timeout plus retransmits before the client gives up, which shows up as slow logins long before it shows up as failures. TACACS+ over TCP is more reliable but adds the cost of a connection per session.

Performance: RADIUS servers can handle high throughput due to UDP, but each request is stateless. TACACS+ sessions are stateful; each authentication uses a TCP connection, which can be mitigated with 'single-connection' mode. In large deployments, you might dedicate separate servers for RADIUS (network access) and TACACS+ (admin access).

How CCNA 200-301 Actually Tests This

Exam objective 5.3 covers 'Configure and verify AAA for device access using RADIUS and TACACS+'. The 200-301 tests your ability to differentiate the two protocols and to configure basic AAA. Common wrong answers:

1.

'RADIUS encrypts the entire packet.' WRONG. RADIUS only encrypts the password; the rest is in cleartext. TACACS+ encrypts the entire packet body.

2.

'TACACS+ uses UDP.' WRONG. TACACS+ uses TCP port 49; RADIUS uses UDP ports 1812/1813.

3.

'RADIUS separates authentication and authorization.' WRONG. RADIUS combines them; TACACS+ separates all three.

4.

'Both protocols support per-command authorization.' WRONG. Only TACACS+ supports per-command authorization; RADIUS does not.

Specific values: RADIUS default timeout 5 seconds, retransmit 3. TACACS+ default timeout 5 seconds. Port numbers: RADIUS auth 1812, acct 1813; TACACS+ 49. Encryption: RADIUS encrypts password only; TACACS+ encrypts entire payload.

Decision rule for scenario questions: If the question mentions 'network access' (wireless, VPN, 802.1X), pick RADIUS. If it mentions 'device administration' (router/switch login, command authorization), pick TACACS+. If it mentions 'separate authentication and authorization', pick TACACS+. If it mentions 'encrypts entire packet', pick TACACS+.

Calculation traps: None directly, but be aware of timeout and retransmit counts for RADIUS. For example, if the RADIUS timeout is 5 seconds and retransmit is 3, the router tries each server 4 times (initial attempt plus 3 retransmits), so it waits 5 + 5 + 5 + 5 = 20 seconds per server before moving to the next server in the group, and then to the next method ('local'). With two unreachable servers the login prompt stalls for 40 seconds. The `radius-server deadtime <minutes>` command marks a server that failed to respond as dead so it is skipped for that long; some questions might ask how long until a server is marked dead.

Key Takeaways

RADIUS uses UDP ports 1812 (auth) and 1813 (accounting); TACACS+ uses TCP port 49.

RADIUS encrypts only the password; TACACS+ encrypts the entire packet payload.

RADIUS combines authentication and authorization; TACACS+ separates all three AAA functions.

TACACS+ supports per-command authorization; RADIUS does not.

Default RADIUS timeout is 5 seconds with 3 retransmits; TACACS+ timeout is 5 seconds.

Use 'aaa new-model' to enable AAA globally; always include a local fallback to avoid lockout.

RADIUS is typically used for network access (802.1X, VPN); TACACS+ for device administration.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

RADIUS

Uses UDP (ports 1812/1813)

Encrypts only password

Combines authentication & authorization

No per-command authorization

Commonly used for network access (wireless, VPN)

TACACS+

Uses TCP (port 49)

Encrypts entire packet body

Separates authentication, authorization, accounting

Supports per-command authorization

Commonly used for device administration (router/switch login)

Watch Out for These

Mistake

RADIUS encrypts the entire packet.

Correct

RADIUS only hides the password, by XORing it with an MD5 hash of the shared secret and the Request Authenticator. The username, service type, and other attributes are sent in cleartext.

Because RADIUS was designed for dial-up where only password secrecy was critical; full packet encryption would add overhead.

Mistake

TACACS+ uses UDP like RADIUS.

Correct

TACACS+ uses TCP port 49 for reliable, connection-oriented communication. RADIUS uses UDP for speed.

Many candidates assume both are UDP because they serve similar purposes; the exam tests this distinction frequently.

Mistake

RADIUS and TACACS+ both support per-command authorization.

Correct

Only TACACS+ supports per-command authorization. RADIUS does not have a mechanism for authorizing individual commands after login.

Because RADIUS was designed for network access (authenticate once, get full access), not for granular device administration.

Mistake

TACACS+ combines authentication and authorization into one packet.

Correct

TACACS+ separates authentication and authorization into distinct packet exchanges. RADIUS combines them.

The names 'AAA' imply three separate functions, but RADIUS merges two of them; candidates often assume both are fully separate.

Frequently Asked Questions

Can I use RADIUS for device administration (SSH to router)?

Yes, you can, but it's not recommended. RADIUS can authenticate users for device administration, but it does not support per-command authorization. Once authenticated, the user gets the privilege level returned in the Access-Accept, and the server is never consulted again during the session. For granular control over commands, and for an accounting record of each command typed, TACACS+ is superior, and for device administration it is the Cisco best practice.

What is the difference between 'aaa authentication login' and 'aaa authorization exec'?

'aaa authentication login' defines how a user proves their identity (password, etc.). 'aaa authorization exec' determines what privileges the user gets after authentication (e.g., privilege level 1 or 15). TACACS+ can perform both separately; RADIUS does authorization as part of the authentication response (Access-Accept includes attributes like service type and privilege level).

Is it possible to use both RADIUS and TACACS+ on the same router?

Yes, absolutely. Many enterprises run both: RADIUS for network access (e.g., 802.1X on switches, wireless) and TACACS+ for device administration. You configure separate server groups and method lists. For example, use 'aaa authentication login default group tacacs+ local' for vty lines, and 'aaa authentication dot1x default group radius' for 802.1X.

What does 'aaa new-model' do, and why is it required?

'aaa new-model' enables the AAA security services on a Cisco device. Without it, the router uses legacy authentication methods (local, line password). Once enabled, all lines (console, vty, aux) automatically use AAA login authentication unless overridden with a per-line method list. It does not by itself change how 'enable' is authenticated; that stays on the enable secret until you define 'aaa authentication enable default'. It is a prerequisite for all other AAA commands.

Why does RADIUS use UDP while TACACS+ uses TCP?

RADIUS was originally designed for dial-up access where connection setup overhead was undesirable; UDP is faster and lighter. The RADIUS client handles retransmissions. TACACS+ was developed later with a focus on reliability and security; TCP provides guaranteed delivery and flow control, which is important for command authorization and accounting where packet loss could cause security gaps.

What is 'single-connection' mode in TACACS+?

By default, each TACACS+ session (e.g., each SSH login) opens a new TCP connection to the server. 'Single-connection' mode reuses a single TCP connection for multiple sessions, reducing the overhead of TCP handshakes. This can improve performance but requires the server to support it. Configure it with the 'single-connection' subcommand inside the 'tacacs server <name>' submode.

How can I test AAA configuration without actually logging in?

Use the 'test aaa' command. For example: 'test aaa group radius username cisco password cisco new-code' or 'test aaa group tacacs+ username cisco password cisco new-code'. This sends an authentication request to the server and displays the result. It's a great troubleshooting tool.
