Free AAA: Tacacs+ vs Radius

Here is a short article that will help guide you if you have to select one of these two protocols for controlling access to your devices. The first thing to bear in mind is that while Tacacs is a proprietary protocol (Cisco), Radius is an open standard protocol and is natively supported by many applications and network devices. Please see below a comparison table between the two protocols:


| TACACS+ | RADIUS |
|---|---|
| Transport: TCP (connection) | Transport: UDP (no connection) |
| CHAP is bidirectional | CHAP is unidirectional (server to client) |
| Multiprotocol support | Doesn't support: Novell Asynchronous Services Interface (NASI); X.25 PAD connection; NetBIOS Frame Protocol Control protocol; AppleTalk Remote Access protocol (ARAP) |
| Encrypts entire packet | Encrypts only passwords within the packet |
| Independent AAA architecture | Authentication and authorization combined |
| Best choice for router management | Industry standard |
| Assign commands to privilege levels and have the router use TACACS+ to verify that the user is authorized at the specified privilege level. Explicitly define the commands allowed on a per-user or a per-group basis on the TACACS+ server. | No such feature |

For Cisco's point of view on this topic you can read this article.

Free Tacacs docs

Free Radius

  • Wikipedia's list of Radius Servers (most of the servers on this page are free)

Microsoft IAS

Sometimes you can consider this "free", in the sense that if you already have an MS Windows server around, this service can be installed and connected to your AD or local Microsoft user database.


