Re: TACACS+ vs. RADIUS

["Alex Nedelcu" <alexpheno () gmail com>]

The authentication server should be located in the private area of
your network, preferably separated from the other computers via a
vlan. If you put it in your dmz with other servers you risk getting
compromised.
Regarding the choice of protocol, it depends highly on what you want
to deploy, if you want to use AAA for the management of administrative
access on Cisco  equipment you should go with the proprietary solution
and choose TACACS+, if you want flexibility, low costs and high
quality accounting eg. for a remote access VPN, you should go with
RADIUS.

On 6/4/07, Nick Owen <nickowen () mindspring com> wrote:
> Excellent points Nikhil.  I would only add that if you ever want to
> roll-out two-factor authentication you should go with radius.  While we
> support TACACS+, many two-factor systems do not.  Plus, there are a
> number of good, free radius servers such as Freeradius and Microsoft's
> IAS server.   IIRC, IAS will first validate that the user is active in
> AD, then proxy the auth request to a 3rd party server.
>
> As for location, keep in mind that these protocols are encoded, but not
> encrypted.
>
> hth,
>
> Nick
> --
> Nick Owen
> WiKID Systems, Inc.
> 404.962.8983
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
> irc.freenode.net: #wikid
>
>
> Nikhil Wagholikar wrote:
> > Hello Rlafosse,
> >
> > Here is a short description about differences between RADIUS & TACACS
> > implementation:
> >
> > 1.  Make:
> >
> > RADIUS is a Industry standard developed by Livingston.
> > TACACS is CISCO proprietory.
> >
> > 2. Command Execution rights:
> >
> > RADIUS has no provision given to users as to which command that they
> > can run on the router.
> > TACACS has two provisions provided to user for the commands that they
> > can run on the router:
> > a. Based on users
> > b. Based on groups
> >
> > 3. Protocol Support:
> >
> > RADIUS doesn't offer support to traditional protocols like ARA, X.25 PAD
> > & NASI.
> > TACACS provides support to multiple protocols.
> >
> > 4. AAA Segregation:
> >
> > RADIUS combines Authentication & Authorization.
> > TACACS clearly segregates/separates Authentication, Authorization &
> > Accounting.
> >
> > 5. Protocol Utilization:
> >
> > RADIUS works on UDP whereas TACACS works on TCP.
> >
> > 6. Encrption level:
> >
> > RADIUS only encrypts the password in the requested packet connection.
> > TACACS encrypts the whole body of requested packet connection.
> >
> > So now we can clearly analyze the difference & understand that TACACS
> > implementation is much secured as compared to RADIUS implementation.
> >
> > Happy AAA implementation.
> >
> > ----------
> > Nikhil Wagholikar
> > Security Analyst
> >
> > NII Consulting
> > Web: www.niiconsulting.com
> >
> >
> > On 6/2/07, Lafosse, Ricardo <rlafosse () sfwmd gov> wrote:
> >> Hello all,
> >> I am considering implementing either RADIUS or TACACS+ any insight or
> >> experiences would be helpful. Also where would be the most beneficial
> >> location to place it on my infrastructure (DMZ)?
> >>
> >> Cheers,
> >> Ricardo
> >>
> >>
> >>
> >