

What is AAA?
AAA is a framework of services that adds a further layer of security to a
device.
AAA stands for Authentication, Authorization and Accounting.
Authentication:
Validates who you are. Instead of a single shared enable secret, each
administrator now has an individual username and password to log in with.
Authorization:
Defines what you are allowed to do: different users get different privilege
and access levels.
Accounting:
Used for monitoring and for keeping history. It tracks what you did on a device.
By using AAA you can control PPP links, the AUX port, dial-up modems, VTY lines,
VPN access, anything that requires a password.
AAA Protocols:
Two widely used protocols provide AAA services:
RADIUS
TACACS+
RADIUS is an open standard, whereas TACACS+ was developed by Cisco (its
specification has since been published as the informational RFC 8907). Microsoft
Active Directory can also back an AAA deployment, normally through Network
Policy Server (NPS), which is Microsoft's RADIUS server.
From a security standpoint, a primary difference is that:
TACACS+ obfuscates the entire packet body after the 12-byte header, so the
username, the commands being authorized and the server's responses are not
readable on the wire.
RADIUS hides only the User-Password attribute; the username and every other
attribute are sent in the clear.
Neither is encryption in the modern sense: both XOR the data with an MD5 keystream
derived from the shared secret, so keep the traffic on a protected management
network or, for RADIUS, use RADIUS over TLS (RadSec, RFC 6614).
Remote Authentication Dial-In User Service (RADIUS) is a generic standard that
uses centralized authentication when more than one remote access server is
being used. Instead of maintaining a database of authorized users on each
remote access server, the database is maintained on the RADIUS server, and all
of the remote access servers forward the authentication requests to this RADIUS
server.
Terminal Access Controller Access-Control System Plus (TACACS+) is used as an
alternative to RADIUS. TACACS+ originated at Cisco, but a TACACS+ server can
authenticate users against Kerberos or Active Directory, which makes it usable
in a Microsoft network.
RADIUS uses UDP while TACACS+ uses TCP.
RADIUS
Remote Authentication Dial-In User Service provides authentication, authorization
and accounting services. Basically, RADIUS stores usernames and passwords for
authentication purposes. RADIUS is often used in ISP environments. RADIUS works
over UDP, port 1812 for authentication and authorization and port 1813 for
accounting (older deployments use 1645 and 1646). Like TACACS+, RADIUS works in a
client-server model: the network access server (NAS) is the client and forwards
the user's credentials to the RADIUS server.
RADIUS supports dynamic (one-time) passwords and call-back security. RADIUS can
now be used in other areas of authentication and not just in dial-up scenarios
(802.1X and Wi-Fi authentication are the most common today). RADIUS is an open
protocol and provides centralized authentication. Depending on the vendor's
implementation, RADIUS supports many authentication mechanisms.

TACACS+
Terminal Access Controller Access-Control System, or today's version of the
protocol known as TACACS+, truly separates authentication, authorization and
accounting. TACACS+ is a TCP-based access protocol on port 49.
XTACACS improved on the original TACACS by separating the authentication,
authorization and accounting services. Finally, TACACS+ added further features
such as multi-step challenge/response logins, which is what makes token-based
two-factor authentication possible.
Comparing RADIUS and TACACS+
Both TACACS+ and RADIUS support various authentication methods such as PAP and
CHAP, token cards, EAP and other mechanisms. They are both commonly used in
dial-in environments, such as when a client needs to authenticate to their ISP
for an internet connection. The username and password the client provides on
their Windows system, for example, are authenticated at the other end by a RADIUS
or TACACS+ server in an ISP data centre.
RADIUS is an open standard (RFC 2865) and TACACS+ is a Cisco-developed protocol.
TACACS+ has some strengths in usability and security over RADIUS; the most
obvious are the true separation of AAA, per-command authorization and the
multi-step login exchange used for two-factor authentication. However, the big
limitation of TACACS+ has traditionally been price: Cisco's commercial AAA
products (Cisco Secure ACS, since succeeded by Cisco ISE) support both RADIUS and
TACACS+ but come at a heavy cost, although free TACACS+ servers such as tac_plus
exist. If you are serious about authentication and want rich control over users,
then TACACS+ should be considered.
The major advantage of RADIUS is that it is free: it is an open standard with free
implementations such as FreeRADIUS. However, it comes with limited functionality:
authentication and authorization are combined in the single
Access-Request/Access-Accept exchange, so the server returns all authorization
attributes at login and there is no way to authorize individual commands later.
TACACS+ uses the reliable TCP protocol, whereas RADIUS uses UDP.
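The "entire packet versus just the password" difference stated under AAA Protocols above and the transport and port facts in this comparison, as an added worked example in Python. This code is mine, not from the notes or from any vendor; it builds the first authentication packet of each protocol with the same shared secret and checks what a passive sniffer can read. The secret, username, password, NAS addresses, request authenticator and session id are constructed test data, not captured traffic.

```python
"""Added worked example (not from the original notes): build the first
authentication packet of RADIUS (RFC 2865) and of TACACS+ (RFC 8907) with the
same shared secret and show what a passive sniffer can read from each.
Secret, username, password, NAS addresses and session values are constructed
test data, not captured traffic."""
import hashlib
import os
import struct

SECRET = b"s3cr3t-shared-key"   # constructed; configured on both NAS and AAA server
USERNAME = b"alice"
PASSWORD = b"CorrectHorse"


# ---------- RADIUS: only the User-Password attribute is hidden ----------
def radius_hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: null-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def radius_unhide_password(hidden, secret, request_auth):
    """Inverse of radius_hide_password (server side); strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value   # Type, Length, Value


def radius_access_request(username, password, secret, identifier=1, request_auth=None):
    """Code 1 Access-Request over UDP/1812; everything except User-Password travels in clear."""
    request_auth = request_auth or os.urandom(16)
    attrs = (radius_attr(1, username)                                                # User-Name
             + radius_attr(2, radius_hide_password(password, secret, request_auth))  # User-Password
             + radius_attr(4, bytes([192, 0, 2, 10])))                               # NAS-IP-Address (TEST-NET-1)
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs


# ---------- TACACS+ (TCP/49): the whole body after the 12-byte header is obfuscated ----------
TAC_VERSION, TAC_AUTHEN = 0xC0, 1    # major version 0xC minor 0; packet type authentication


def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: MD5(session_id|key|version|seq_no), then the same with the
    previous digest appended, concatenated until it covers the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_authen_start(username, password, key, session_id, seq_no=1):
    """Authentication START: action LOGIN(1), priv_lvl 1, authen_type PAP(2),
    service LOGIN(1); for PAP the data field carries the password."""
    port, rem_addr = b"tty0", b"198.51.100.7"          # constructed NAS port / remote address
    body = (struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
            + username + port + rem_addr + password)
    obfuscated = bytes(x ^ y for x, y in zip(body, tacacs_pad(session_id, key, TAC_VERSION, seq_no, len(body))))
    # flags=0 means the body is obfuscated; flag 0x01 (TAC_PLUS_UNENCRYPTED_FLAG) would send it in clear
    return struct.pack("!BBBBII", TAC_VERSION, TAC_AUTHEN, seq_no, 0, session_id, len(body)) + obfuscated


def tacacs_unwrap_body(packet, key):
    """Server side: recover the body, or return it as-is if the clear-text flag is set."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & 0x01:
        return body
    return bytes(x ^ y for x, y in zip(body, tacacs_pad(session_id, key, version, seq_no, length)))


def wire_exposure(packet, username, password):
    """What a passive sniffer can read: are the fields present as plaintext bytes?"""
    return {"username": username in packet, "password": password in packet}


if __name__ == "__main__":
    ra = bytes(range(16))   # fixed Request Authenticator for a reproducible run; use os.urandom(16) in practice
    rad = radius_access_request(USERNAME, PASSWORD, SECRET, request_auth=ra)
    tac = tacacs_authen_start(USERNAME, PASSWORD, SECRET, session_id=0x12345678)
    print("RADIUS  :", wire_exposure(rad, USERNAME, PASSWORD))
    print("TACACS+ :", wire_exposure(tac, USERNAME, PASSWORD))
```

Running the block shows the username in clear in the RADIUS packet and nothing readable in the TACACS+ packet. Note that both hiding schemes are a plain XOR against an MD5 keystream keyed by the shared secret: a weak or reused secret is the whole security of either protocol, and a TACACS+ packet with the 0x01 flag set carries its body in clear, so a server should reject that flag in production.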
