RADIUS is a client/server protocol used to provide interoperability between different vendors to achieve secure networks through AAA (authentication, authorization and accounting). RFC 2865 describes the authentication and authorization piece of RADIUS, and the accounting part is explained in RFC 2866. RADIUS authentication and authorization use UDP port 1812 and RADIUS accounting uses UDP port 1813. Older deployments used UDP ports 1645 and 1646, but those conflicted with the already-assigned 'datametrics' service, which is why RFC 2865 moved to 1812/1813; many devices (Cisco IOS among them) still default to or accept the old pair. RADIUS uses attributes to define parameters for the session; these are usually called attribute-value pairs (AVPs) and are encoded on the wire as Type/Length/Value. Attribute 26 is the Vendor-Specific attribute, which lets each vendor carry its own parameters (Cisco-AVPair, for example). RADIUS combines authentication and authorization in a single exchange, and the only thing it hides on the wire is the User-Password attribute, which is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator; the user name and every other attribute travel in cleartext. Overall it is therefore less secure than TACACS+, and the shared secret should be long and random, because anyone who captures a request/response pair can attempt to brute-force the secret offline against the MD5-based Response Authenticator.
The following are the common RADIUS packet types, with their Code values. Access-Request and Accounting-Request are sent by the client (the NAS); the other four are server responses:
- Access-Request (1): the client asks the server to authenticate a user; carries User-Name, the hidden User-Password and NAS attributes
- Access-Accept (2): the user is authenticated; may carry authorization attributes such as Service-Type or a vendor-specific attribute
- Access-Reject (3): authentication is refused
- Accounting-Request (4): the client reports a session start, stop or interim update
- Accounting-Response (5): the server acknowledges the accounting record
- Access-Challenge (11): the server wants more information (a one-time token, for example); the client answers with a new Access-Request that copies back the State attribute
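To make the "only the password is hidden" point concrete, here is an added example (not from the original page and not any vendor's implementation) that builds and parses a RADIUS Access-Request in Python, applying the RFC 2865 section 5.2 User-Password hiding and carrying a Vendor-Specific (26) attribute with a Cisco-AVPair. The shared secret, user name, password, NAS address and the `shell:priv-lvl=15` pair are constructed sample values.

```python
import hashlib
import os
import struct

# RADIUS packet codes (RFC 2865 and RFC 2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11

# Attribute types used below.
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 2, 4, 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # Cisco-AVPair vendor-type, carries strings like "shell:priv-lvl=15"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 octets, then
    c1 = p1 XOR MD5(S + RA) and c(i) = p(i) XOR MD5(S + c(i-1)), where S is the
    shared secret and RA the 16-byte Request Authenticator from the header."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                      # an empty password still yields one 16-octet block
        padded = b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                    # chaining: the next keystream depends on this ciphertext
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server needs the same secret plus the RA from the header."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")        # drop the NUL padding (passwords cannot contain NUL)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1) | Length (1, counts these two octets too) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26 (RFC 2865 section 5.26): Vendor-Id (4) followed by a vendor-defined TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def decode_vsa(value: bytes):
    """Return (vendor_id, vendor_type, vendor_value) from a Vendor-Specific attribute value."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    vendor_type, vendor_len = value[4], value[5]
    return vendor_id, vendor_type, value[6:4 + vendor_len]


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """Code (1) | Identifier (1) | Length (2) | Request Authenticator (16) | Attributes."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = encode_attr(ATTR_USER_NAME, username)                       # sent in the clear
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"shell:priv-lvl=15")  # sample Cisco AV pair
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]), validating every length."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    authenticator, attrs, pos = data[4:20], [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")  # never trust the length octet blindly
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attrs


def extract_password(packet: bytes, secret: bytes) -> bytes:
    """What the server does: find attribute 2 and unhide it with the packet's own RA."""
    _, _, authenticator, attrs = parse_packet(packet)
    hidden = dict(attrs)[ATTR_USER_PASSWORD]    # attributes are unique in this sample packet
    return reveal_password(hidden, secret, authenticator)
```

Searching the raw bytes of the resulting packet for the user name succeeds while searching for the password fails, which is exactly the exposure the paragraph describes; a wrong shared secret on the server side yields garbage rather than an error, so a key mismatch shows up as an Access-Reject, not as a parse failure.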
TACACS+ is a Cisco-developed security protocol (long treated as Cisco proprietary, and now documented as informational RFC 8907) that provides authentication, authorization and accounting for users, most commonly for administrative access to network devices. TACACS+ takes a very modular approach to AAA: it can apply ACLs and per-command authorization on a per-user basis, and it separates the three services (authentication, authorization and accounting) into independent exchanges. It uses TCP port 49 for reliable transport. The earlier TACACS protocol is documented in RFC 1492. Unlike RADIUS, TACACS+ obfuscates the entire packet body (everything after the 12-byte header), so user names, authorization attributes and accounting records are not readable on the wire, which makes it the more secure of the two. The caveat is that this "encryption" is an XOR with an MD5-derived keystream keyed on the shared secret, with no integrity protection; RFC 8907 itself states that the obfuscation is not secure and that TACACS+ should only be deployed where the transport is otherwise protected (an isolated management network or IPsec).
Below are the four outcomes a TACACS+ server can return for an authentication request (this is the Cisco terminology; on the wire they correspond to the REPLY status values PASS, FAIL, ERROR and GETDATA/GETUSER/GETPASS):
- Accept: the user is authenticated and the client moves on to authorization
- Reject: authentication failed and the user is denied
- Error: the server could not process the request (a network problem or a shared-key mismatch, for example), so the client typically falls back to the next configured AAA method
- Continue: the server needs more input from the user, such as a password or a one-time-token prompt
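As an added example (not part of the original page and not Cisco's or any TACACS+ server's code), the following Python builds an authentication START from the client and a REPLY from the server, applies the RFC 8907 section 4.5 body obfuscation, and maps the REPLY status to the four outcomes listed above. The session id, shared key, user, port and remote address are constructed sample values; RESTART, FOLLOW and unknown statuses are lumped under Error here for simplicity.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC0          # version octet: major 0xC, minor 0
TAC_PLUS_AUTHEN = 1                # header type: authentication (2 = authorization, 3 = accounting)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in the clear; never set this in production
HEADER_LEN = 12

# Authentication REPLY status values (RFC 8907 section 5.2) and the outcome each maps to.
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
                6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
OUTCOME = {"PASS": "Accept", "FAIL": "Reject", "ERROR": "Error",
           "GETDATA": "Continue", "GETUSER": "Continue", "GETPASS": "Continue"}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the operation is its own inverse. There is no
    integrity check, and a reused session_id/seq_no pair reuses the keystream."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(ptype: int, seq_no: int, session_id: int, body_len: int, flags: int = 0) -> bytes:
    """version (1) | type (1) | seq_no (1) | flags (1) | session_id (4) | length (4): all cleartext."""
    return struct.pack("!BBBBII", TAC_PLUS_MAJOR_VER, ptype, seq_no, flags, session_id, body_len)


def build_authen_start(session_id: int, key: bytes, user: bytes, port: bytes, rem_addr: bytes,
                       priv_lvl: int = 1) -> bytes:
    """Client -> server START (RFC 8907 section 5.1): action LOGIN(1), priv_lvl,
    authen_type ASCII(1), service LOGIN(1), four length octets, then the variable fields."""
    body = struct.pack("!8B", 1, priv_lvl, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = build_header(TAC_PLUS_AUTHEN, 1, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_MAJOR_VER, 1)


def build_authen_reply(session_id: int, key: bytes, seq_no: int, status: int,
                       server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Server -> client REPLY (section 5.2): status (1) | flags (1) | server_msg_len (2) | data_len (2)."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    header = build_header(TAC_PLUS_AUTHEN, seq_no, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_MAJOR_VER, seq_no)


def unwrap(packet: bytes, key: bytes):
    """Parse the cleartext header and return (header tuple, de-obfuscated body)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if length != len(packet) - HEADER_LEN:
        raise ValueError("length field does not match packet")
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return (version, ptype, seq_no, flags, session_id), body


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server side: recover the START fields. A wrong key produces garbage, which the
    length-consistency check below almost always catches."""
    hdr, body = unwrap(packet, key)
    if len(body) < 8:
        raise ValueError("START body too short")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("START field lengths do not add up (wrong key or corrupt packet)")
    pos = 8
    user, pos = body[pos:pos + ulen], pos + ulen
    port, pos = body[pos:pos + plen], pos + plen
    rem_addr = body[pos:pos + rlen]
    return {"session_id": hdr[4], "seq_no": hdr[2], "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service,
            "user": user, "port": port, "rem_addr": rem_addr}


def parse_authen_reply(packet: bytes, key: bytes):
    """Client side: return (status name, Accept/Reject/Error/Continue, server_msg)."""
    _, body = unwrap(packet, key)
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    name = REPLY_STATUS.get(status, "UNKNOWN")
    return name, OUTCOME.get(name, "Error"), body[6:6 + msg_len]
```

The header fields (including the 32-bit session id) stay visible to anyone on the path, which is how traffic analysis still identifies TACACS+ sessions, but the user name inside the START is not, in contrast to the RADIUS User-Name attribute. In a real client the session id must be freshly random for every session, since the keystream depends only on session id, key, version and sequence number.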