Understanding Central Network Access Using RADIUS and TACACS+

Remote Access Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) are two common security protocols used to provide centralized access into networks. RADIUS was designed to authenticate and log remote network users, while TACACS+ is most commonly used for administrator access to network devices like routers and switches. Both protocols provide centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect and use a network service.

Authentication - Who is allowed to gain access to the network? Traditionally authorized users provide a username and password to verify their identity for both RADIUS and TACACS+.

Authorization - What services can a user access once they are authenticated? It is unlikely that you want your finance people to have access to the developer database. Visitors may have access only to the Internet, while only IT staff can access the entire passwords database.

Accounting - What services did each user access and for how long? Accounting records record the user's identification, network address, point of attachment and a unique session identifier—these statistics are tracked and added to the user's record. This is useful when time on the system is billed to individuals or departments.

Why Do I Want Remote Authentication?

Remote authentication enables you to keep your username and passwords in one place, on a central server. The advantage to using RADIUS or TACACS+ on this central server is that you don't configure changes on each separate network device when a user is added or deleted, or when a user changes a password. You only make one change to the configuration on the server and then devices continue to access the server for authentication. Although authentication is the most well known function of RADIUS and TACACS+, there are two additional functions provided, authorization and accounting.

Note: Instead of using a flat database on the RADIUS server, you can refer to external sources such as SQL, Kerberos, LDAP, or Active Directory servers to verify user credentials.

Why Not Just Rely on Firewalls and Filters for Access Control?

Routers and firewalls usually control access to services using filters based on source and/or destination IP addresses and ports. This means that restrictions are applied to devices and not to individual clients. For example, if I enable traffic from to access a particular web server, then anyone who is sitting at the machine with the address of automatically has access to this server. Using RADIUS or TACACS+, that same person sitting at the machine with the address of also has to provide a username and password to access a service.

What About Using LDAP For Authentication?

Lightweight Directory Access Protocol (LDAP) is a client/server protocol used to access and manage directory information. It reads and edits directories over IP networks and runs directly over TCP/IP using simple string formats for data transfer. Directory servers include information about various entities on your network, such as user names, passwords, rights associated with user names, metadata associated with user names, devices connected to the network, and device configuration.

Use LDAP to obtain directory information, such as email addresses and public keys. If you want to make directory information available over the Internet, this is the way to do it. LDAP works well for captive portal authentication. However, LDAP does not implement 802.1X security easily. 802.1X was essentially designed with RADIUS in mind, so 802.1X challenge/response protocols like MSCHAPv2 work well with RADIUS.

Where Is RADIUS Installed on the Network?

RADIUS includes three components: an authentication server, client protocols, and an accounting server. The RADIUS server portion of the protocol is usually a background process running on a UNIX or Microsoft Windows server.

With RADIUS, the term client refers to a network access device (NAD) that provides the client part of the RADIUS service—wireless access points, a modem pool, a switch, a network firewall, or any other device that needs to authenticate users can be configured as a NAD to recognize and process connection requests from outside the network edge. When a NAD receives a user's connection request, it may perform an initial access negotiation with the user to obtain identity/password information. Then the NAD passes this information to the RADIUS server as part of an authentication/authorization request.

Note: RADIUS requires that each network client device be configured.
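The request a NAD passes to the RADIUS server, as an added example (not Juniper's code): it builds an RFC 2865 Access-Request in which the user name travels in clear and only the password is hidden with the shared secret that each client device is configured with. The function names, the secret and the sample user are assumptions made for illustration.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                   # RADIUS packet code (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types

def _xor_md5(block: bytes, secret: bytes, prev: bytes) -> bytes:
    pad = hashlib.md5(secret + prev).digest()
    return bytes(b ^ p for b, p in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor_md5(padded[i:i + 16], secret, prev)   # ciphertext feeds the next block
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: rebuild the same pads from the shared secret and strip the padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor_md5(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, nas_ip, ident, authenticator=None):
    """What the NAD sends: 20-byte header, then type-length-value attributes."""
    authenticator = authenticator or os.urandom(16)
    values = [(USER_NAME, user.encode()),
              (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
              (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in values)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):   # reject attribute lengths that overrun the packet
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

if __name__ == "__main__":   # constructed sample values, not taken from the page
    pkt = build_access_request("alice", "correct horse", b"constructed-secret", "192.0.2.10", 1)
    print(parse_attributes(pkt))
```

Because the hiding depends only on MD5 and the shared secret, the secret configured on each NAD should be long, random and unique per device.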

How Is TACACS+ Installed on the Network?

TACACS+ logon authentication protocol uses software running on a central server to control access by TACACS-aware devices on the network. The server communicates with switches or other TACACS-aware devices automatically—these devices do not require further configuration if they are TACACS-aware. The TACACS+ protocol is supported by most enterprise and carrier-grade devices.

Install the TACACS+ Service as close as possible to the user database, preferably on the same server. TACACS+ needs to be closely synchronized with your Domain, and any network connection issues, DNS problems, or even time discrepancies can cause a critical service failure. Installing TACACS+ on the same server as the user database can also improve performance.

TACACS+ servers should be deployed in a fully trusted internal network. If you keep your TACACS+ service within your trusted network, you need to open only one port, TCP 49. There should not be any direct access from untrusted or semi-trusted networks.

Note: RADIUS is typically deployed in a semi-trusted network, and TACACS+ uses internal administrative logins, so combining these services on the same server could potentially compromise your network security.
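What crosses TCP port 49, as an added example (not Juniper's code): a TACACS+ packet per RFC 8907 has a 12-byte clear header and a body obfuscated with the shared key, and the header carries a flag that marks a cleartext body, which a defender can check for in captured traffic. The function names, key and credentials are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header flag: body is sent in clear
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}

def obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: XOR the body with chained MD5 blocks; the same call reverses it."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

def pap_start_body(user: bytes, port: bytes, password: bytes) -> bytes:
    """Authentication START for a PAP login: fixed fields, four lengths, then the values."""
    # action=1 (login), priv_lvl=1, authen_type=2 (PAP), authen_service=1 (login)
    fixed = struct.pack("!8B", 1, 1, 2, 1, len(user), len(port), 0, len(password))
    return fixed + user + port + password

def build_packet(body, key, session_id, ptype=1, seq_no=1, version=0xC1, cleartext=False):
    """cleartext=True models the unencrypted mode that RFC 8907 deprecates."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if cleartext else 0
    data = body if cleartext else obfuscate(body, key, session_id, version, seq_no)
    return struct.pack("!4BII", version, ptype, seq_no, flags, session_id, len(data)) + data

def inspect_packet(packet: bytes) -> dict:
    """Defender's view of a captured packet: only the header is readable without the key."""
    if len(packet) < 12:
        raise ValueError("shorter than a TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!4BII", packet[:12])
    if version >> 4 != 0xC or length != len(packet) - 12:
        raise ValueError("not a well-formed TACACS+ packet")
    return {"type": PACKET_TYPES.get(ptype, "unknown"), "seq_no": seq_no,
            "session_id": session_id, "body": packet[12:],
            "cleartext_body": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}

if __name__ == "__main__":   # constructed sample values, not taken from the page
    body = pap_start_body(b"admin", b"tty0", b"constructed-pw")
    print(inspect_packet(build_packet(body, b"constructed-key", 0x1234ABCD)))
```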

Table 1: RADIUS and TACACS+

| | RADIUS | TACACS+ |
|---|---|---|
| Primary Use | Authenticate and log remote network users | Provide administrator access to network devices like routers and switches |
| Authentication and Authorization | Authentication and Authorization checking are bundled together. When the client device requests authentication from the server, the server replies with both authentication attributes and authorization attributes. These functions can not be performed separately. | All three AAA functions (authentication, authorization, and accounting) can be used independently. Therefore, one method such as Kerberos can be used for authentication, and a separate method such as TACACS+ can be used for authorization. |
| | The accounting features of the RADIUS protocol can be used independently of RADIUS authentication or authorization. | |
| | User Datagram Protocol (UDP)/IP with best-effort is used for delivery on ports 1645/1646, 1812/1813 | TCP used for delivery on port 49. Also has multiprotocol support for AppleTalk Remote Access (ARA) protocol, NetBIOS Frame Protocol Control protocol, Novell Asynchronous Services Interface (NASI), and X.25 PAD connection. |
| Encryption applied to | | Username and password |
| 802.1X Security | If you want to use 802.1X port-based network access control, you have to use the RADIUS client because the TACACS+ client does not support that feature. | |