Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
6.8.2. TACACS+ vs RADIUS
Both protocols provide centralized AAA, but they were designed for different use cases and make different trade-offs.
TACACS+ (Cisco-developed):
- Encrypts the entire packet—command contents are hidden
- Separates authentication, authorization, and accounting into independent processes
- Gives you granular control: "This user can run `show ip route` but not `configure terminal`"
- Best for: Device administration (managing routers and switches)
RADIUS (Open standard):
- Only encrypts the password—other attributes are cleartext
- Combines authentication and authorization in one step
- Designed for high-volume access control (thousands of users connecting)
- Best for: Network access (VPN, wireless, 802.1X)
| Feature | TACACS+ | RADIUS |
|---|---|---|
| Protocol | TCP 49 | UDP 1812/1813 |
| Encryption | Full packet | Password only |
| AAA separation | Yes (granular control) | No (A&A combined) |
| Vendor | Cisco-developed | Open standard (RFC 2865) |
| Best for | Device admin CLI access | User network access |
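To make the "Full packet" vs "Password only" row concrete, here is an added example (not part of the original material) that implements the two obfuscation schemes as the RFCs define them: the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5. It then builds one sample message in each protocol and checks which fields a passive observer could still read. The shared secret, session ID, authenticator, username, password and command are constructed sample values, and the TACACS+ body is a simplified username/command string rather than the real RFC 8907 field layout; the MD5 keystream logic is the standard one.

```python
"""Added example: why RADIUS exposes everything except the password while
TACACS+ hides the whole body. Uses the MD5-based schemes from RFC 2865
(RADIUS) and RFC 8907 (TACACS+). All keys and sample values are constructed."""
import hashlib
import struct


def radius_encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then XOR each
    block with MD5(secret + previous block). The first 'previous block' is the
    16-byte Request Authenticator from the packet header."""
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def radius_decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_encode_password; the server does this on receipt."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def radius_access_request(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request (Code 1) carrying User-Name (type 1) and
    User-Password (type 2). Only the User-Password value is obfuscated."""
    attrs = radius_attr(1, username) + radius_attr(2, radius_encode_password(password, secret, authenticator))
    header = struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator
    return header + attrs


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); the digests are
    concatenated until they cover the whole body."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire body with the pseudo-pad. XOR is self-inverse, so the same
    call de-obfuscates. 0xC0 is the version byte for TACACS+ major 12, minor 0."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def compare_exposure(username: bytes, password: bytes, command: bytes) -> dict:
    """Build one message per protocol and report which fields remain readable
    to anyone capturing the packet. Secret, authenticator and session ID are
    constructed sample values."""
    secret = b"constructed-shared-secret"
    authenticator = hashlib.md5(b"constructed-request-authenticator").digest()
    radius_pkt = radius_access_request(username, password, secret, authenticator)
    # Simplified TACACS+ authorization body (hypothetical layout for illustration,
    # not the RFC 8907 field structure): username and command, NUL-separated.
    tacacs_body = b"%s\x00%s\x00" % (username, command)
    tacacs_pkt = tacacs_obfuscate(tacacs_body, 0x12345678, secret)
    return {
        "radius_username_visible": username in radius_pkt,
        "radius_password_visible": password in radius_pkt,
        "tacacs_username_visible": username in tacacs_pkt,
        "tacacs_command_visible": command in tacacs_pkt,
    }


if __name__ == "__main__":
    for field, visible in compare_exposure(b"netadmin", b"Sup3rSecret!", b"show ip route").items():
        print(f"{field:28s} {visible}")
```

The result is that the RADIUS User-Name (and any other attribute, such as Calling-Station-Id or NAS-IP-Address) travels in cleartext while only User-Password is hidden, whereas in TACACS+ the username and the command string are both unreadable without the shared key. Note that both schemes are MD5-keyed XOR obfuscation tied to the shared secret, not modern authenticated encryption, which is why RFC 8907 itself labels the TACACS+ mechanism as obfuscation and why both protocols are typically confined to a dedicated management network or wrapped in TLS/IPsec.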
The decision framework: If you're controlling who can SSH to your switches and what commands they can run, use TACACS+. If you're authenticating wireless users or VPN connections, use RADIUS.
⚠️ Exam Trap: TACACS+ uses TCP (reliable, connection-oriented). RADIUS uses UDP (faster, but AAA server failure requires retries). Know the ports: TACACS+ = 49, RADIUS = 1812/1813.