Choose the right user-authentication protocol

Discussion of RADIUS and TACACS+.

If you're implementing a VPN, you will need some method of authenticating users. Most VPN hardware solutions have their own proprietary "local" authentication database, which allows you to keep a list of users, their passwords, and authorization information in the VPN hardware. However, if you need a redundant solution, have a lot of users, or are generally looking for something more secure with better logging capabilities, then you may need an authentication system external to the VPN appliance. The two common protocols used to allow VPN hardware to talk to an external database (such as an NT Domain) are RADIUS, which stands for Remote Authentication Dial-In User Service, and TACACS+, which stands for Terminal Access Controller Access Control System. Which one should you use?

Which is better for you? TACACS+ or RADIUS? It depends, as with most things.

The RADIUS protocol encrypts the password, but not the rest of the packet. A sniffer will display username and possibly other information in clear text. TACACS+ encrypts the entire payload beyond the TACACS header.
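To see what that difference means on the wire, here is an added example (not part of the original article) that builds a RADIUS Access-Request the way RFC 2865 specifies: the User-Name attribute is sent as-is, while User-Password is hidden by XORing it with MD5(shared secret + Request Authenticator). The username, password, secret and authenticator are constructed sample values.

```python
import hashlib
import struct

USER_NAME = 1       # RFC 2865 attribute type codes
USER_PASSWORD = 2
ACCESS_REQUEST = 1  # RFC 2865 packet code

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the Request Authenticator seeds the chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: only possible with the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, identifier: int = 1) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    attrs = struct.pack("BB", USER_NAME, 2 + len(username)) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += struct.pack("BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def attributes_as_seen_by_sniffer(packet: bytes) -> dict:
    """Walk the attribute TLVs of a captured packet without knowing the secret."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

# Constructed sample values; the authenticator would normally be random.
SECRET, AUTH = b"constructed-secret", bytes(range(16))
PACKET = build_access_request(b"alice", b"constructed-pw", SECRET, AUTH)
```

Walking `PACKET` with `attributes_as_seen_by_sniffer` yields the username in clear text, while the password bytes are recoverable only by a party holding the shared secret, which is exactly the exposure the paragraph above describes.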

RADIUS uses UDP and TACACS+ uses TCP. This means TACACS+ will send more packets and use more bandwidth to perform the same job, but delivery will be reliable instead of best effort. Using TCP offers a lot of little advantages. Aggregated, they are considerable.

TACACS+ also uses more bandwidth because it separates the authentication and authorization functions, which allows you, for whatever reason, to use a separate protocol for authentication. RADIUS combines these functions.

RADIUS has more flexibility on the accounting side. So if you need to keep track of activity beyond the typical logging of login successes and failures, you'll want to explore these differences closely.

Last, while TACACS+ is a Cisco proprietary extension of the practically obsolete original TACACS protocol, it is supported by a lot of different vendors, from Linux support in the pppd software to Juniper and Shiva. Cisco offers a freeware server. Even so, RADIUS is supported by almost all vendors, even though their respective implementations may not be 100% compatible.

Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.

This was first published in October 2002

