RADIUS or TACACS+: The Right Network Security Protocol to Manage Users

Sarah Kolberg
While RADIUS is used for Wi-Fi network user logins, TACACS+ manages access to network devices. Which is the best network security protocol to manage user access in your organization?

Securing industrial networks involves many layers to keep data and infrastructure safe, and it requires more than deploying firewalls and intrusion detection systems. Managing user access is a critical part of ensuring operational continuity, safety and data integrity.

AAA (authentication, authorization and accounting) protocols are a class of network security protocols that establish the rules and standards for how users can interact with the network. They verify identity, manage permissions and authentication, and maintain activity logs. Several AAA protocols can fulfill this role, but two are widely known:

  • RADIUS (Remote Authentication Dial-In User Service)
  • TACACS+ (Terminal Access Controller Access-Control System Plus)

Both network security protocols are used to manage user access. To simplify management of access policies and security checks, they can be linked to various directory services and implement centralized user-access management.

RADIUS and TACACS+ follow different approaches and architectures and offer different functions. Which network security protocol is better suited to your environment? Let's find out.

What you need to know about RADIUS

As an established network security protocol, RADIUS is used for Wi-Fi network user logins in many organizations. With RADIUS, central administration is possible for distributed network structures, which makes it attractive for large companies.

How does RADIUS work?

RADIUS is based on a client-server architecture. Dial-in via the RADIUS protocol requires three components: a RADIUS client, a network access server (NAS, also called the authenticator) and a RADIUS server.

The RADIUS client is installed on the endpoints and initiates the dial-in request. The request is transmitted as an Access-Request packet to the NAS, which forwards the user's information to the RADIUS server. The server then:

  • Compares the data from the packet with the user database
  • Grants or denies dial-in permission
  • Establishes the corresponding connection to the network

RADIUS relies on the User Datagram Protocol (UDP) as its transport protocol. Authentication and authorization are bundled into a single request, which isn't always the best approach for far-reaching security requirements. As a result, RADIUS is often most suitable for deployment scenarios where simple access control is sufficient. It can be used with a large number of network devices and is easy to implement.

How secure is RADIUS?

RADIUS only encrypts the password in the packet. Other packet components, such as usernames and accounting information, are not encrypted and are protected only by the protocol itself.

Because RADIUS is based on UDP, fewer control mechanisms are available for packet transmission. As a result, it's more susceptible to certain types of network attacks than TACACS+.
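
To make "only encrypts the password" concrete, here is an added example (not Belden's code, and not taken from any RADIUS implementation) that encodes an Access-Request the way RFC 2865 specifies it: the User-Password attribute is hidden by XORing it with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, while User-Name, NAS-IP-Address and NAS-Port travel unprotected in the same UDP datagram. The shared secret, user name, password and NAS address are constructed sample values. Parsing the packet without the secret recovers everything except the password; the server side recovers the password with the secret and checks it against a user database (a dict stands in for the directory service).

```python
"""RADIUS Access-Request encoding per RFC 2865, to show which fields are
hidden.  Added example, not Belden's code: the shared secret, user,
password and NAS address are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                                                # packet code
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5   # attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and
    XOR each block with MD5(secret + previous ciphertext block); the first
    block is keyed with the Request Authenticator instead."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: the server needs the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, pad)), block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(user: str, password: str, secret: bytes, nas_ip: str,
                         nas_port: int = 0, identifier: int = 0,
                         authenticator: bytes = b"") -> bytes:
    """Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list. No secret is needed: everything except the
    User-Password value is readable by anyone who captures the datagram."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def observer_view(packet: bytes) -> dict:
    """What a passive observer without the shared secret learns."""
    attrs = parse_attributes(packet)
    return {"user": attrs[USER_NAME].decode(),
            "nas_ip": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS]),
            "nas_port": struct.unpack("!I", attrs[NAS_PORT])[0],
            "password": attrs[USER_PASSWORD].hex()}   # keystream output, not the password


def server_check(packet: bytes, secret: bytes, users: dict) -> bool:
    """Server side: recover the password with the shared secret and compare it
    in constant time against the user database (a dict stands in for the
    directory service)."""
    attrs = parse_attributes(packet)
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, packet[4:20])
    return user in users and hmac.compare_digest(password, users[user].encode())
```

The hiding stands or falls with the shared secret, since MD5 of the secret and the authenticator is the whole keystream: a short or reused secret, or a server reachable over UDP from more hosts than the NAS devices that need it, is what to check in a review. Deployments that need the other attributes protected as well carry the exchange over TLS (RADIUS over TLS, RFC 6614) rather than relying on the attribute-level hiding.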

What you need to know about TACACS+

Also based on a client-server architecture, TACACS+ is often used to manage administrator access to network devices such as routers and switches. It's suited to environments that require more control and more detailed administration of user authorizations and activities, but it's currently supported by only a few major network device manufacturers.

Compared to RADIUS, TACACS+ has more detailed and flexible authorization functions. It can be used to implement complex security policies and instructions.

How does TACACS+ work?

An authentication request is sent from the network device to the TACACS+ server. The server compares the login information with a database or directory service and verifies it, then responds to the network device, granting or denying network access.

After successful authentication, the network device sends an authorization request to the TACACS+ server. The server determines which commands and actions the user is allowed to execute, and the network device receives that list of authorized commands and actions.
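
The following is an added example (not Belden's code, and not any vendor's TACACS+ server) of the authorization step just described for the shell service. The device sends each command as the RFC 8907 arguments service=shell, cmd=... and cmd-arg=... (with cmd-arg=<cr> marking the end of the line), and the server answers PASS_ADD or FAIL. The users, roles and regex rules are constructed; the first matching rule wins and anything that matches no rule is denied, which is the least-privilege default a reviewer should expect to see.

```python
"""Per-command authorization as a TACACS+ server performs it after login.
Added example, not Belden's or any vendor's code: users, roles and rules
are constructed; argument names follow the RFC 8907 shell service."""
import re

# Ordered (decision, regex) rules per role, matched against the full command
# line.  First match wins; no match means deny.
POLICY = {
    "operator": [
        ("deny",   r"show running-config.*"),     # the config may contain secrets
        ("permit", r"show .*"),
        ("permit", r"ping .*"),
    ],
    "netadmin": [
        ("deny",   r"(reload|write erase)\b.*"),  # disruptive even for admins
        ("permit", r".*"),
    ],
}

USERS = {"alice": "operator", "bob": "netadmin"}   # constructed user-to-role map


def command_from_args(args: list) -> tuple:
    """Rebuild (service, command line) from the authorization arguments.
    'cmd' is the verb, each 'cmd-arg' is one word, '<cr>' ends the line."""
    attrs, words = {}, []
    for arg in args:
        name, _, value = arg.partition("=")
        if name == "cmd":
            words.insert(0, value)
        elif name == "cmd-arg":
            if value != "<cr>":
                words.append(value)
        else:
            attrs[name] = value
    return attrs.get("service", ""), " ".join(words)


def authorize(user: str, args: list) -> dict:
    """Server verdict for one command: status PASS_ADD or FAIL (the two
    response codes a device acts on) plus the rule that decided it."""
    service, command = command_from_args(args)
    role = USERS.get(user)
    if service != "shell" or role is None:
        return {"status": "FAIL", "reason": "unknown user or unsupported service"}
    for decision, pattern in POLICY[role]:
        if re.fullmatch(pattern, command):
            status = "PASS_ADD" if decision == "permit" else "FAIL"
            return {"status": status, "reason": f"{role}: {decision} {pattern!r}"}
    return {"status": "FAIL", "reason": f"{role}: no matching rule, default deny"}
```

Because every command is a separate request, the accounting side of the same server can log the verdict next to the command, which gives the per-session audit trail the article refers to as activity logs.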

TACACS+ uses the Transmission Control Protocol (TCP) as its transport protocol. Authentication, authorization and accounting are handled as separate functions and requests, which makes it possible to introduce separate authentication solutions and enables detailed management and control.

However, separating the AAA services in TACACS+, together with its comprehensive functions, entails a high configuration and administration effort. It also requires more network and server resources.

How secure is TACACS+?

Overall, TACACS+ offers more security measures. One example is packet encryption: while RADIUS encrypts only the password, TACACS+ encrypts the entire contents of a packet, which improves security and makes it suitable for more demanding security requirements.
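
To show what "the entire contents of a packet" means on the wire, here is an added example (not Belden's code, and not taken from any TACACS+ implementation) that builds an authentication START packet and applies the body obfuscation defined in RFC 8907 section 4.5 (the RFC's own term for this MD5-keystream scheme). Only the 12-byte header is sent in the clear, because it carries the inputs to the keystream; every body field, the username included, is XORed with MD5 blocks derived from the session id, the shared key, the version byte and the sequence number. The key, session id, user name, port and address are constructed sample values.

```python
"""TACACS+ authentication START packet with RFC 8907 body obfuscation.
Added example, not Belden's or any vendor's code: key, session id, user,
port and remote address are constructed sample values."""
import hashlib
import struct

VERSION = 0xC0            # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01   # TAC_PLUS_UNENCRYPTED_FLAG: body sent in plaintext
AUTHEN_LOGIN, PRIV_USER, AUTHEN_ASCII, SERVICE_LOGIN = 0x01, 1, 0x01, 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1});
    concatenate and truncate to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """body XOR pseudo_pad; XOR is its own inverse, so the receiver calls this too."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str) -> bytes:
    """RFC 8907 section 5.1: action, priv_lvl, authen_type, authen_service,
    four length bytes, then user, port, rem_addr, data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", AUTHEN_LOGIN, PRIV_USER, AUTHEN_ASCII, SERVICE_LOGIN,
                       len(u), len(p), len(r), 0) + u + p + r


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Header in the clear (version, type, seq_no, flags, session_id, length),
    followed by the obfuscated body.  An empty key sets the unencrypted flag."""
    flags = 0 if key else FLAG_UNENCRYPTED
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body))
    return header + (obfuscate(body, session_id, key, VERSION, seq_no) if key else body)


def decode_packet(packet: bytes, key: bytes) -> dict:
    """Server side: read the header, undo the obfuscation with the shared key,
    then parse the START body.  With the wrong key the fields are garbage."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv, atype, svc, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
    pos = 8
    user = body[pos:pos + ulen].decode(errors="replace")
    pos += ulen
    port = body[pos:pos + plen].decode(errors="replace")
    pos += plen
    rem_addr = body[pos:pos + rlen].decode(errors="replace")
    return {"session_id": session_id, "seq_no": seq_no, "plaintext": bool(flags & FLAG_UNENCRYPTED),
            "priv_lvl": priv, "user": user, "port": port, "rem_addr": rem_addr}
```

Two points worth checking in a real deployment follow from the code: the keystream is only as strong as the shared key, so it deserves the same care as any other credential, and a packet on TCP port 49 with the unencrypted flag set carries its body in plaintext, which makes that flag a cheap thing for monitoring to alert on.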

Because it uses TCP, TACACS+ offers more reliable transmission. TCP also enables better error control: if a server crashes or stops, this is indicated immediately.

The right security protocol depends on your environment

RADIUS and TACACS+ both contribute to better network security in their own ways.

RADIUS is sufficient for most scenarios and offers simple implementation along with manageable administrative effort.

TACACS+ offers more functions and better security measures, providing better network protection for security-critical areas.

If you need help determining which network security protocol is best for your organization and environment, Belden can help you make the right choice.