As part of your CCNP certification exam studies, particularly for the ISCW exam, you need to be very clear on the differences between TACACS+ and RADIUS.
As a CCNA and future CCNP, you've already configured authentication in the form of creating a local database of usernames and passwords for both Telnet access and PPP authentication.? This is sometimes called a self-contained AAA deployment, since no external server is involved.
It's more than likely that you'll be using a server configured for one of the following security protocols:
TACACS+, a Cisco-proprietary, TCP-based protocol
RADIUS, an open-standard, UDP-based protocol originally developed by the IETF
An obvious question is "If there's a TACACS+, what about TACACS?"? TACACS was the original version of this protocol and is rarely used today.
Before performing AAA Authentication configuration, there are some other TACACS+ / RADIUS differences you should be aware of:
While TACACS+ encrypts the entire packet, RADIUS encrypts only the password in the initial client-server packet.
RADIUS actually combines the authentication and authorization processes, making it very difficult to run one but not the other.?
TACACS+ considers Authentication, Authorization, and Accounting to be separate processes.?? This allows another method of?authentication to be used (Kerberos, for example), while still using TACACS+ for authorization and accounting.
RADIUS does not support the Novell Async Services Interface (NASI) protocol, the NetBIOS Frame Protocol Control protocol, X.25 Packet Assembler / Disassembler (PAD),?or the AppleTalk Remote Access Protocol (ARA or ARAP).? TACACS+ supports all of these.
RADIUS implementations from different vendors may not work well together, or at all.
RADIUS can't control the authorization level of users, but TACACS+ can.
We’ll discuss the uses of both of these protocols in a future CCNP certification tutorial!?? Look for more CCNA, CCENT, and CCNP tutorials right here on this same website!