Home Page


Email & Spam

Security Terminology

Security Topics

VPN & Cryptography




Which Network Firewall

Which Home Firewall

Network Firewall Buyers Guide


Firewall Terminology

Application Control

Application Layer Filtering

Firewall Authentication

High Availability, Failover, RAID, Clustering, & Redundancy

IPS & IDS Systems

Load Balancing & Link Balancing


Network Firewall Buyers Guide

Next-Gen vs UTM

Packet Filtering

Parental Control

Perimeter Network or DMZ

Personal or Hardware Firewall?

Ports Protocols and IP Addresses


Stateful Packet Filtering



What is a Firewall?

Which home Firewall?

Which Network Firewall?

Zero Day Protection


Security Products Guide

Which Anti-Virus Software?

Which Firewall?

Which Spam Filter?

Which Internet Security Suite?


What is Guide

What is a Firewall?

What is a Virus?

What is Spam?


Essential Security Guides

Securing Windows XP Guide

Securing Windows Vista Guide

A Guide to Wireless Security



Top 8 Internet Security Tips

Why both, Firewall and Anti Virus?

Free or purchased security - Which one?





Radius and TACACS Authentication Guide



The AAA protocol is made up of and makes use of three important requirements, authentication, authorisation and accounting.

Authentication itself basically determines if a user or entity is allowed access. This is usually defined by a usernames and password. Authorisation is to determine what the user is allowed to access and defines the level of access they have.

When a user is authenticated, and the server determines who they are, they can then assign them the correct level of access (authorisation). However this is not mandatory to pass any authentication checks in order to progress to authorisation. For example if a user is not authenticated. The server does not know who they are, but may still give them basic rights; for example guest access.

The third service is accounting, which is basically logging. It is able to log all actions for security reasons.

Radius, Diameter, TACACS, XTACACS and TACACS+ all are used for authentication purposes and make use of AAA.  Radius and TACACS+ are widely popular and used today which I will mention further below.


Remote authentication dial in user server provides authentication, authorisation and accounting services. Basically Radius stores user names and password for authentication purposes.  Radius is often used in ISP environments. Radius works on UDP PORT 1812. Radius like TACACS works in a client server scenario.

Radius supports dynamic password and call-back security. Radius can now be used in other areas of authentication and not just in dialup scenarios. Radius is an open protocol and provides centralised based authentication. Depending on the vendor’s use of Radius, radius supports many authentication mechanisms.



A Terminal access control access control system, or today’s version of this protocol known as TACACS+ truly separates authentication, authorisation and accounting. TACACS+ is a TCP based access protocol on port 49.

XTACACS made improvements to the original TACACS by separating the authentication, authorisation and accounting services. Finally the TACACS+ added some further features such as two factor authentication.

Comparing Radius and TACACS+

Both TACACS+ and Radius support various authentication methods such as PAP and CHAP, token cards, EAP and other mechanisms. They are both commonly used in dial in environments, such when a client needs to authenticate to their ISP for an internet connection. The username and password the client provides on their Windows system for example is authenticated at the other end by a Radius or TACACS server in an ISP data centre.

Radius is open source and TACACS+ is a Cisco proprietary protocol. TACACS+ has some strength in usability and security over Radius, the most obvious one is the true separation of AAA and the built in two factor authentication. However the big limitation with TACACS+ is the price. Cisco Access Control systems supports the use of Radius and TACACS+ which comes with a heavy price. However if your serious about authentication and want rich control over users then TACACS+ should be considered.

The major advantage to RADIUS is that it’s free. However it comes with its limited functionality such the authentication and authorisation are combined, giving no flexibility to how they can be configured individually.

TACACS+ uses the reliable TCP protocol, where Radius uses UDP.

Further Radius TACACS+ points

The client in a Radius\TACACS setup is known as a NAS (Network access server). The client communicates with the Radius or TACACS server which resides on a Windows or Linux system. An example of this setup is when using two factor authentication. Many two factor vendors such as Secure Envoy and RSA use Radius as the authentication server. If a user was to authenticate via a firewall, most firewalls if not all support the use of Radius and can be setup to work as a NAS\radius client, which communicates with the Radius server which is part of the vendors full product.

So a user requests access to a resource behind a firewall, which it provides the required credentials. The firewall acting as a NAS passes these credentials on to the Windows\Linux based Radius server sitting somewhere on the network. If the radius server finds the client’s credentials matches the one in its database access is granted.

Just to be aware, in both Radius and TACACS+ between the PC and NAS no encryption takes place. However this can still be encrypted via other means such as a VPN. Encryption does take place however between the NAS (Radius client) and Radius server.