i don't well understand those part ... about RADIUS and TACACS, this part is about when to use which protocol
can you explain me with example please?


•Mainly used for network access
TACACS+ does not support translation of EAPoL packets for authentication
TACASC+ does not support common network-access authorization attributes

•Mainly used for device administration
RADIUS does not support command authorization and command accounting


  • Radius was originally invented to assist in authenticating customers using dialup to connect to their ISP. The ISP had the need to prove that these people were legitimate customers, after which, they would be granted network access. That's why it is called Remote Authentication Dial-In User Service. However if the end-goal of the remote user is to login to the network device itself, gain control of the CLI and configure/debug that device...RADIUS wasn't really developed for that.

    For that purpose, TACACS was invented. And while BOTH can serve in authenticating users (whether they need network access, or management access to a router, switch, etc), TACACS is better for authenticating users who are trying to gain shell access (i.e. access to the command-line) because TACACS:
    1. Encrypts the entire packet (which is important when you're sending passwords, and configuration information to/from a router/switch...you don't want people snooping on that stuff).
    2. TACACS provides granular control over which, specific commands a remote user is allowed to issue to the box. Radius can't really do that.

    Hope that helped!

Sign In or Register to comment.