AAA Protocols : RADIUS and TACACS+



Networks need to be protected against any unknown access. In other words, network administrators need to control the users that can access to the network. They need to check who they are, what are they allowed for and what did they do. These three questions are the main explanation of AAA (Authentication, Authorization, Accounting). There are some protocols are used for this purposes. The two common ones are TACACS+ and RADIUS. In this lesson we will see, TACACS vs RADIUS.


What is AAA? AAA is the abbreviation of Authentication, Authorization, Accounting. 

  • Authentication : Who are you?
  • Authorization : What do you allowed to do?
  • Accounting : What did you do?


There is also another AAA protocol called “Diameter” that we will talk about later. Here, we will focus on RADIUS and TACACS+.


RADIUS is the abbreviation of “Remote Access Dial-In User Service” and TACACS+ is the abviation of “Terminal Access Controller Access-Control System”. As you see, it is better to use abbreviations and you will always come across the abraviations not the whole name.


You can find the main differences between RADIUS and TACACS+ in the below table. In the following RADIUS and TACACS+ lessons, we will discuss these AAA Protocols and their characteristics detaily.



Generally these two protocols are used at the same time in the networks if we compare tacacs vs radius. Because, the have their own common duties and all of these duties are very common for a network.


First of all, using RADIUS and TACACS+ together is common but a recommended best practice is doing this in different servers in the networks. Because, the working type of each protocol is different and a network needs the common duty of these two important protocol. Here, a server will be used as RADIUS Server and another will be used as TACACS+ Server.


Secondly, the important point is the location of RADIUS and TACACS+ Servers. Users will be in an untrusted network and they would like to enter the network via RADIUS. RADIUS will be used to subscribe users to the network. Here, RADIUS Server can be reside in a semi-trusted network.


This must be more secure for TACACS+. TACACS+ Server must be in a tusted network. Because, TACACS+ Server provide device authentication and any unwanted users can cause a potantial risks on your network if your server reside in an untrusted network.

Lesson tags: AAA, RADIUS, TACACS+
Back to: CCNA 200-301 > AAA

Leave a Reply

Your email address will not be published. Required fields are marked *

CCNA 200-301