Summary: RADIUS suits network access control (802.1X, VPN) with UDP transport and session-level accounting; TACACS+ excels at device administration with TCP, full encryption, and per-command authorisation.
| Attribute | RADIUS | TACACS+ |
|---|---|---|
| Transport | UDP (1812/1645 auth, 1813/1646 acct) | TCP (port 49) |
| Encryption | Password field only (MD5) | Entire packet body (AES) |
| Connection model | Stateless (UDP per request) | Stateful (persistent TCP) |
| Reliability | Application-level retry required | TCP guaranteed delivery |
| Per-command authorisation | No | Yes |
RADIUS authentication uses a single Access-Request packet carrying the user credentials; only the password field is encrypted, the rest of the packet travels in the clear.

```
radius server CORP-RADIUS
 address ipv4 10.10.10.50
 key RadiusSecret123
aaa group server radius RADIUS_SERVERS
 server name CORP-RADIUS
aaa authentication login default group RADIUS_SERVERS
```
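An added example (not from the page) that shows what "only the password is encrypted" means on the wire. It builds an RFC 2865 Access-Request in Python using the User-Password hiding algorithm from section 5.2 of that RFC (MD5 of secret plus Request Authenticator, XORed block by block), then reports which credential anyone capturing the datagram can read. The shared secret is the page's sample key; the user name, password and the fixed Request Authenticator are constructed values.

```python
"""RFC 2865 Access-Request: User-Password is hidden, User-Name is plaintext.

Added example, not code from the page. Credentials below are constructed."""
import hashlib
import secrets
import struct

ACCESS_REQUEST = 1        # RADIUS Code for Access-Request (RFC 2865 section 4.1)
ATTR_USER_NAME = 1        # attribute type 1
ATTR_USER_PASSWORD = 2    # attribute type 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then
    c(1) = p(1) XOR MD5(S + RA) and c(n) = p(n) XOR MD5(S + c(n-1))."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side inverse: regenerate the same key stream, then strip NUL padding."""
    clear = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(clear).rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    # Type (1 octet), Length (1 octet, counts these two), Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_authenticator: bytes = b"") -> bytes:
    """Code | Identifier | Length | Request Authenticator (16 octets) | Attributes."""
    ra = request_authenticator or secrets.token_bytes(16)   # random per request (RFC 2865 section 3)
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def exposure(packet: bytes, username: bytes, password: bytes) -> dict:
    """What a passive observer sees in this datagram without the shared secret."""
    return {"username_in_clear": username in packet, "password_in_clear": password in packet}


if __name__ == "__main__":
    ra = bytes(range(16))   # fixed only so the run is reproducible; never do this in real code
    pkt = build_access_request(7, b"alice", b"Pa55w0rd!", b"RadiusSecret123", ra)
    print(exposure(pkt, b"alice", b"Pa55w0rd!"))
    print(reveal_password(parse_attributes(pkt)[ATTR_USER_PASSWORD], b"RadiusSecret123", ra))
```

The user name, NAS identifiers and any other attributes of an Access-Request are readable by anyone on the path; only the User-Password attribute depends on the shared secret, and its confidentiality is exactly as strong as that secret.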
TACACS+ authentication: the authentication exchange is fully encrypted. The KDC session key protects all data in transit.

```
tacacs server ISE
 address ipv4 10.10.10.100
 key TacacsSecret456
aaa group server tacacs+ TACACS_SERVERS
 server name ISE
aaa authentication login default group TACACS_SERVERS local
```
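An added example (not from the page) showing the TACACS+ side of the same comparison: an RFC 8907 authentication START packet for a PAP login, whose body (user, port, remote address and password) is protected with the body obfuscation defined in section 4.5 of that RFC, a pad derived by chaining MD5 over session id, shared key, version and sequence number. It also honours the header's unencrypted flag, which RFC 8907 deprecates, so the parser can report whether a captured packet's body was protected at all. The shared key is the page's sample key; the session id, user, password and addresses are constructed.

```python
"""RFC 8907 authentication START: the whole body is obfuscated, not just the password.

Added example, not code from the page. Credentials and session id are constructed."""
import hashlib
import struct

TAC_PLUS_VERSION_PAP = 0xC1        # major 0xC, minor 1: the minor version used for PAP/CHAP
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent raw (deprecated by RFC 8907)
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id + key + version + seq_no),
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}); concatenate and truncate."""
    sid = session_id.to_bytes(4, "big")
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """body XOR pseudo_pad; XOR is its own inverse, so this also deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, password: bytes,
                      priv_lvl: int = 1) -> bytes:
    """RFC 8907 section 5.1 START body for a PAP login: the password rides in the data field."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 version: int = TAC_PLUS_VERSION_PAP, flags: int = 0) -> bytes:
    """12-octet header (version, type, seq_no, flags, session_id, length) followed by the body."""
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Decode a START packet as the server would; reports whether the body was protected."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if len(packet) != HEADER_LEN + length:
        raise ValueError("length field does not match packet size")
    raw = packet[HEADER_LEN:]
    protected = not (flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = obfuscate(raw, session_id, key, version, seq_no) if protected else raw
    _action, priv_lvl, _atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    pos = 8
    user, pos = body[pos:pos + ul], pos + ul
    port, pos = body[pos:pos + pl], pos + pl
    rem_addr, pos = body[pos:pos + rl], pos + rl
    data = body[pos:pos + dl]
    return {"version": version, "seq_no": seq_no, "session_id": session_id,
            "body_obfuscated": protected, "priv_lvl": priv_lvl,
            "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def exposure(packet: bytes, user: bytes, password: bytes) -> dict:
    """What a passive observer sees without the shared key."""
    return {"username_in_clear": user in packet, "password_in_clear": password in packet}


if __name__ == "__main__":
    key = b"TacacsSecret456"
    body = authen_start_body(b"admin", b"tty2", b"10.0.0.5", b"Pa55w0rd!", priv_lvl=15)
    pkt = build_packet(body, 0x12345678, key)
    print(exposure(pkt, b"admin", b"Pa55w0rd!"))
    print(parse_packet(pkt, key))
```

Only the 12-octet header (version, type, sequence number, flags, session id, length) is visible to an observer; the user name and every other body field require the shared key. A monitoring rule that alerts on the unencrypted flag being set in the header is a cheap way to catch a misconfigured client or server.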
RADIUS authorization returns session-level attributes that apply to the entire connection (coarse-grained); per-command control is not supported.

TACACS+ authorization authorises each command individually (fine-grained):

```
aaa authorization commands 15 default group TACACS_SERVERS local
```

When a user types a command, IOS-XE queries the TACACS+ server in real time. The server responds PERMIT or DENY based on the configured command sets. This is critical for device administration — it prevents privileged users from running destructive commands.
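To make the PERMIT/DENY exchange concrete, here is an added example (not from the page, and not ISE's implementation) that encodes a typed shell command the way a NAS does into an RFC 8907 authorization REQUEST (service=shell, cmd=, cmd-arg= pairs, terminated by cmd-arg=<cr>), evaluates it server-side against an ordered command set, and returns a REPLY with status PASS_ADD or FAIL. The command set, user name and addresses are constructed; the first-match and deny-unmatched semantics are this example's own policy model rather than any particular server's.

```python
"""Per-command authorization: NAS encodes cmd/cmd-arg pairs, server applies a command set.

Added example, not code from the page or from any TACACS+ server product."""
import re
import struct

TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01   # permit
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10       # deny


def author_request_body(user: bytes, port: bytes, rem_addr: bytes, args: list,
                        priv_lvl: int = 15) -> bytes:
    """RFC 8907 section 6.1: fixed fields, one length octet per arg, then user/port/rem_addr/args."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("too many or too long arguments")
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body: bytes) -> dict:
    _, priv_lvl, _, _, ul, pl, rl, argc = struct.unpack("!8B", body[:8])
    arg_lens = list(body[8:8 + argc])
    pos = 8 + argc
    user, pos = body[pos:pos + ul], pos + ul
    port, pos = body[pos:pos + pl], pos + pl
    rem_addr, pos = body[pos:pos + rl], pos + rl
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n])
        pos += n
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl, "args": args}


def shell_command_args(command: str) -> list:
    """NAS-side encoding: cmd=<first word>, one cmd-arg per remaining word, then cmd-arg=<cr>."""
    words = command.split()
    return ([b"service=shell", b"cmd=" + words[0].encode()]
            + [b"cmd-arg=" + w.encode() for w in words[1:]] + [b"cmd-arg=<cr>"])


def command_line(args: list):
    """Rebuild the command line from the AV pairs; None if this is not a shell command request."""
    cmd, rest = None, []
    for a in args:
        k, _, v = a.partition(b"=")
        if k == b"cmd":
            cmd = v
        elif k == b"cmd-arg" and v != b"<cr>":
            rest.append(v)
    return None if cmd is None else b" ".join([cmd] + rest).decode()


# Constructed command set for a constrained operator role; ordered, first match wins,
# anything unmatched is denied unless the caller opts in to permit_unmatched.
COMMAND_SET = [
    ("deny", r"^(reload|write erase|erase\b)"),
    ("permit", r"^show\b"),
    ("permit", r"^configure terminal$"),
    ("permit", r"^interface\b"),
    ("permit", r"^(no )?(shutdown|description\b)"),
    ("permit", r"^(end|exit)$"),
]


def evaluate(command: str, command_set=COMMAND_SET, permit_unmatched: bool = False) -> bool:
    for action, pattern in command_set:
        if re.match(pattern, command):
            return action == "permit"
    return permit_unmatched


def author_reply(status: int, server_msg: bytes = b"") -> bytes:
    """RFC 8907 section 6.2 REPLY: status, arg_cnt, server_msg_len, data_len, server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def authorize(request_body: bytes, command_set=COMMAND_SET) -> bytes:
    """Server side: decode the REQUEST, decide, and build the REPLY."""
    req = parse_author_request(request_body)
    line = command_line(req["args"])
    if line is not None and evaluate(line, command_set):
        return author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD)
    return author_reply(TAC_PLUS_AUTHOR_STATUS_FAIL, b"command not permitted by command set")


def decision(command: str, user=b"netops", port=b"tty2", rem_addr=b"10.0.0.5") -> str:
    """Round trip for one typed command: NAS encodes, server decides, NAS reads the status octet."""
    body = author_request_body(user, port, rem_addr, shell_command_args(command))
    status = authorize(body)[0]
    return "PERMIT" if status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD else "DENY"


if __name__ == "__main__":
    for cmd in ("show running-config", "configure terminal", "reload", "ip route 0.0.0.0 0.0.0.0 10.0.0.254"):
        print(f"{cmd!r}: {decision(cmd)}")
```

Two design points carry over to real deployments: the server sees the command exactly as the NAS tokenised it, so abbreviations and aliases must be handled in the command set, and the default for an unmatched command should be deny, with permit-unmatched reserved for roles that are explicitly meant to be unrestricted.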
| Attribute | RADIUS | TACACS+ |
|---|---|---|
| Granularity | Session level | Per-command |
| What is logged | Session start/stop, bytes | Each command with arguments and timestamp |
| Use case | Billing, session tracking | Audit trail for device changes |
TACACS+ accounting records every command a user runs, providing a full audit trail. RADIUS records only session open/close events.
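An added example (not from the page) of turning TACACS+ command accounting into the audit trail the text describes: it parses constructed records laid out in the tab-separated style of tac_plus accounting logs (time, NAS, user, port, remote address, start/stop, then AV pairs), rebuilds each exec session's ordered command history, flags commands issued in configuration mode or matching a small watchlist, and also derives the session duration, which is the only thing RADIUS session accounting would have told you. The log lines, hosts, user and watchlist are all constructed.

```python
"""Per-session command audit trail from TACACS+ accounting records.

Added example, not code from the page. SAMPLE_LOG is constructed in a
tac_plus-style tab-separated layout; hosts, users and times are made up."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed records: time, NAS address, user, port, remote address, status, AV pairs...
SAMPLE_LOG = "\n".join([
    "2024-05-01 10:02:11\t10.10.10.1\tadmin\ttty2\t10.0.0.5\tstart\ttask_id=101\tservice=shell",
    "2024-05-01 10:02:30\t10.10.10.1\tadmin\ttty2\t10.0.0.5\tstop\ttask_id=102\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "2024-05-01 10:03:05\t10.10.10.1\tadmin\ttty2\t10.0.0.5\tstop\ttask_id=103\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "2024-05-01 10:03:20\t10.10.10.1\tadmin\ttty2\t10.0.0.5\tstop\ttask_id=104\tservice=shell\tpriv-lvl=15\tcmd=interface GigabitEthernet1/0/1 <cr>",
    "2024-05-01 10:03:28\t10.10.10.1\tadmin\ttty2\t10.0.0.5\tstop\ttask_id=105\tservice=shell\tpriv-lvl=15\tcmd=shutdown <cr>",
    "2024-05-01 10:03:40\t10.10.10.1\tadmin\ttty2\t10.0.0.5\tstop\ttask_id=106\tservice=shell\tpriv-lvl=15\tcmd=end <cr>",
    "2024-05-01 10:03:50\t10.10.10.1\tadmin\ttty2\t10.0.0.5\tstop\ttask_id=107\tservice=shell\tpriv-lvl=15\tcmd=write memory <cr>",
    "2024-05-01 10:04:11\t10.10.10.1\tadmin\ttty2\t10.0.0.5\tstop\ttask_id=101\tservice=shell\telapsed_time=120",
])

# Constructed watchlist: commands worth an analyst's attention even outside configuration mode.
WATCHLIST = re.compile(r"^(write|copy|reload|erase|delete|clear)\b")


def parse_record(line: str) -> dict:
    fields = line.split("\t")
    av = dict(f.split("=", 1) for f in fields[6:])
    return {"time": datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S"), "nas": fields[1],
            "user": fields[2], "port": fields[3], "rem_addr": fields[4],
            "status": fields[5], "av": av}


def command_of(record: dict):
    """The command text without the trailing <cr> marker, or None for session start/stop records."""
    cmd = record["av"].get("cmd")
    return None if cmd is None else re.sub(r" <cr>$", "", cmd)


def audit_trail(log_text: str) -> dict:
    """Group records per (user, NAS, port): ordered commands, flagged commands, start/stop times."""
    sessions = defaultdict(lambda: {"commands": [], "flagged": [], "start": None, "stop": None})
    in_config = defaultdict(bool)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_record(line)
        key = (r["user"], r["nas"], r["port"])
        s = sessions[key]
        cmd = command_of(r)
        if cmd is None:                      # exec session boundary, no command attached
            if r["status"] == "start":
                s["start"] = r["time"]
            elif r["status"] == "stop":
                s["stop"] = r["time"]
            continue
        s["commands"].append((r["time"], cmd))
        if cmd.startswith("configure"):
            in_config[key] = True
        elif cmd == "end":                   # "exit" may only leave a sub-mode, so only "end" is trusted
            in_config[key] = False
        if in_config[key] or WATCHLIST.match(cmd):
            s["flagged"].append((r["time"], cmd))
    return dict(sessions)


def session_seconds(session: dict):
    """Wall-clock duration from start/stop: the level of detail RADIUS session accounting gives."""
    if session["start"] is None or session["stop"] is None:
        return None
    return int((session["stop"] - session["start"]).total_seconds())


if __name__ == "__main__":
    for key, s in audit_trail(SAMPLE_LOG).items():
        print(key, "duration:", session_seconds(s), "s")
        for when, cmd in s["commands"]:
            marker = "!" if (when, cmd) in s["flagged"] else " "
            print(f" {marker} {when:%H:%M:%S} {cmd}")
```

Each command record carries its own timestamp and task_id, so the trail answers "who changed what, and when" directly; the start/stop pair only answers "how long was someone logged in", which is all that session-level accounting can offer.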
Example IOS-XE 802.1X with RADIUS:
```
aaa new-model
radius server ISE-NAC
 address ipv4 10.10.10.50
 key RadiusKey123
aaa group server radius ISE_NAC
 server name ISE-NAC
aaa authentication dot1x default group ISE_NAC
aaa authorization network default group ISE_NAC
dot1x system-auth-control
```
Example IOS-XE device admin with TACACS+:
```
aaa new-model
tacacs server ISE
 address ipv4 10.10.10.100
 key TacacsKey456
aaa group server tacacs+ ISE_ADMIN
 server name ISE
aaa authentication login default group ISE_ADMIN local
aaa authorization exec default group ISE_ADMIN local
aaa authorization commands 15 default group ISE_ADMIN local
aaa accounting commands 15 default start-stop group ISE_ADMIN
line vty 0 15
 login authentication default
 authorization exec default
```
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Per-command authorisation | ✗ | ✓ |
| Full packet encryption | ✗ | ✓ |
| TCP reliability | ✗ | ✓ |
| 802.1X native support | ✓ | ✗ |
| Command-level accounting | ✗ | ✓ |
| ISE Network Access | ✓ | — |
| ISE Device Admin | — | ✓ |
| VPN/PPP auth | ✓ | Limited |