Choose the right user-authentication protocol

Choose the right user-authentication protocol

If you're implementing a VPN, you will need some method of authenticating users. Most VPN hardware solutions have their own proprietary "local" authentication database, which allows you to keep a list of users, their passwords, and authorization information in the VPN hardware. However, if you need a redundant solution or have a lot of users, or generally are looking for something more secure, with better logging capabilities, etc. then you may need an authentication system external to the VPN appliance. The two common protocols used to allow VPN hardware to talk to an external database (such as an NT Domain) are RADIUS, which stands for Remote Authentication Dial-In User Service, and TACACS+, which stands for Terminal Access Controller Access Control System. Which one should you use?

Which is better for you? TACACS+ or RADIUS? It depends, as with most things.

The RADIUS protocol encrypts the password, but not the rest of the packet. A sniffer will display username and possibly other information in clear text. TACACS+ encrypts the entire payload beyond the TACACS header.

RADIUS uses UDP and TACACS+ users TCP. This means TACACS+ will send more packets and use more bandwidth to perform the same job, but it will be reliable instead offering its best effort. Using TCP offers a lot of little advantages. Aggregated, they are considerable.

TACACS+ also uses more bandwidth because it separates the authentication and authorization function, which

    Requires Free Membership to View

    Login

    SearchEnterpriseWAN.com members gain immediate and unlimited access to breaking industry news, best practices for designing and managing Wide Area Networks, WAN Security, and more -- all at no cost. Join me on SearchEnterpriseWAN.com today!

    Kate Gerwig, Editorial Director

    By submitting your registration information to SearchEnterpriseWAN.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchEnterpriseWAN.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

allows you, for whatever reason, to use a separate protocol for authentication. RADIUS combines these functions.

RADIUS has more flexibility on the accounting side. So if you need to keep track of activity beyond the typical logging of login successes and failures, you'll want to explore these differences closely.

Last, while TACACS+ is a Cisco proprietary extension of the practically obsolete original TACACS protocol, it is supported by a lot of different vendors from linux support in the pppd software to Juniper and Shiva. Cisco offers a freeware server at ftp://anonymous@ftp-eng.cisco.com/pub/tacacs/. Even so, RADIUS is supported by almost all vendors, even though their respective implementations may not be 100% compatible.

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in October 2002

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top