Choose the right user-authentication protocol

If you're implementing a VPN, you will need some method of authenticating users. Most VPN hardware solutions have their own proprietary "local" authentication database, which allows you to keep a list of users, their passwords, and authorization information in the VPN hardware. However, if you need a redundant solution, have a lot of users, or generally are looking for something more secure with better logging capabilities, then you may need an authentication system external to the VPN appliance. The two common protocols used to allow VPN hardware to talk to an external database (such as an NT Domain) are RADIUS, which stands for Remote Authentication Dial-In User Service, and TACACS+, which stands for Terminal Access Controller Access Control System. Which one should you use?

Which is better for you? TACACS+ or RADIUS? It depends, as with most things.

The RADIUS protocol encrypts the password, but not the rest of the packet. A sniffer will display the username and possibly other information in clear text. TACACS+ encrypts the entire payload beyond the TACACS+ header.
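To make the difference concrete, here is an added example (not from the original article) that implements the two obfuscation schemes the paragraph describes: the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body encryption from RFC 8907 section 4.5, then checks which credential bytes remain findable on the wire. The shared secret, authenticator, session id, and the simplified `user=... pass=...` TACACS+ body are constructed for illustration and do not follow the real TACACS+ authentication packet layout.

```python
import hashlib
import os

# RFC 2865 section 5.2: RADIUS hides only the User-Password attribute.
# Everything else in the packet (User-Name, NAS-IP-Address, ...) is sent in clear.
def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", authenticator                       # block 1 keys off the Request Authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()          # b(n) = MD5(secret + c(n-1))
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]                          # next block keys off the ciphertext block
    return out.rstrip(b"\x00")                           # drop the padding added above

# RFC 8907 section 4.5: TACACS+ XORs the whole body (everything after the 12-byte
# header) with an MD5 keystream, so one function both encrypts and decrypts.
def tacacs_body_crypt(body: bytes, key: bytes, session_id: bytes, version: int, seq_no: int) -> bytes:
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))

def what_a_sniffer_sees(username: bytes, password: bytes, secret: bytes,
                        authenticator: bytes = None, session_id: bytes = None) -> dict:
    """Constructed RADIUS attributes and a TACACS+ body carrying the same credentials."""
    authenticator = authenticator or os.urandom(16)      # RADIUS Request Authenticator
    session_id = session_id or os.urandom(4)             # TACACS+ session_id
    hidden = radius_hide_password(password, secret, authenticator)
    radius_attrs = (bytes([1, 2 + len(username)]) + username +   # User-Name, type 1, in clear
                    bytes([2, 2 + len(hidden)]) + hidden)        # User-Password, type 2, hidden
    tacacs_body = b"user=" + username + b" pass=" + password     # constructed, simplified body
    tacacs_wire = tacacs_body_crypt(tacacs_body, secret, session_id, 0xC0, 1)  # v12.0, seq 1
    return {
        "radius_username_visible": username in radius_attrs,
        "radius_password_visible": password in radius_attrs,
        "tacacs_username_visible": username in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
    }
```

Neither scheme is a modern cipher (both are MD5 keystreams driven by a shared secret), which is why current guidance is to carry either protocol over IPsec or TLS rather than rely on this obfuscation alone.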

RADIUS uses UDP and TACACS+ uses TCP. This means TACACS+ will send more packets and use more bandwidth to perform the same job, but it will be reliable instead of offering best effort. Using TCP offers a lot of little advantages. Aggregated, they are considerable.

TACACS+ also uses more bandwidth because it separates the authentication and authorization functions, which allows you, for whatever reason, to use a separate protocol for authentication. RADIUS combines these functions.

RADIUS has more flexibility on the accounting side. So if you need to keep track of activity beyond the typical logging of login successes and failures, you'll want to explore these differences closely.

Last, while TACACS+ is a Cisco proprietary extension of the practically obsolete original TACACS protocol, it is supported by a lot of different vendors, from Linux support in the pppd software to Juniper and Shiva. Cisco offers a freeware server at ftp://anonymous@ftp-eng.cisco.com/pub/tacacs/. Even so, RADIUS is supported by almost all vendors, even though their respective implementations may not be 100% compatible.

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.

This was first published in October 2002
