Security Protocol Considerations

Selecting a security protocol can be a daunting task for administrators. Many factors must be taken into consideration. For example, will this security protocol facilitate only Cisco routers? Should one or two servers be dedicated in case of failure? Is one protocol easier to configure than the others?

The two most widely used security protocols are RADIUS and TACACS+. Which one should be implemented in your enterprise?

Several factors will influence your decision:

• Vendor interoperability: RADIUS enjoys support from more vendors than TACACS+.

• Transport protocol considerations: RADIUS uses UDP as the transport layer protocol, whereas TACACS+ uses TCP, making RADIUS the faster solution of the two, since UDP has less overhead. What this means is that TACACS+ traffic is more reliable than RADIUS traffic. If any disruption occurs (such as corrupted or dropped packets), TACACS+ will retransmit unacknowledged packets, whereas RADIUS will not.

• Packet encryption: RADIUS only encrypts the password portion of the access-request packet from the AAA client to the AAA server. The rest of the packet is sent in clear text, which can be captured and viewed by a network or protocol analyzer. TACACS+ encrypts the entire body of the packet except the TACACS+ header.

• Overhead: RADIUS uses less CPU overhead and consumes less memory than TACACS+.

• Authentication and authorization: RADIUS combines authentication and authorization. The access-accept packets exchanged by the RADIUS client and the server contain authorization information. This makes it difficult to separate the two elements. TACACS+ separates authentication, authorization, and accounting, allowing for advantages such as multiprotocol use. For example, TACACS+ could provide the authorization and accounting elements, and Kerberos may be used for the authentication element.

• Protocol support: RADIUS does not support the following protocols, but TACACS+ does:

    • AppleTalk Remote Access (ARA) protocol
    • NetBIOS Frame Protocol Control protocol
    • Novell Asynchronous Services Interface (NASI)
    • X.25 PAD connection
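
The packet-encryption difference in the list above, as an added example that is not part of the original page: it builds a RADIUS Access-Request (RFC 2865) and a TACACS+ PAP authentication START (RFC 8907) and reports which fields a capture would show as plain bytes. The shared secret, user name, password and session id are constructed sample values.

```python
import hashlib
import struct

def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: only the User-Password value is masked (MD5 keystream)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def radius_access_request(ident, user, password, secret, authenticator):
    """Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((1, user), (2, hidden)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def tacacs_obfuscate(header, body, key):
    """RFC 8907 4.5: XOR the body with an MD5 pad; calling it again reverses it."""
    seed = header[4:8] + key + header[0:1] + header[2:3]  # session_id, key, version, seq_no
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def tacacs_pap_start(session_id, user, password, key):
    """Authentication START (PAP login): 12-byte clear header + obfuscated body."""
    body = struct.pack("!8B", 1, 1, 2, 1, len(user), 0, 0, len(password)) + user + password
    header = struct.pack("!BBBBII", 0xC1, 1, 1, 0, session_id, len(body))
    return header + tacacs_obfuscate(header, body, key)

# Constructed sample values, not taken from the page.
SECRET, USER, PASSWORD = b"lab-shared-secret", b"alice", b"Winter-Example-1"
AUTHENTICATOR = bytes(range(16))  # fixed for repeatability; must be random in practice

def visible_on_wire(packet):
    """Which sample fields a capture of this packet shows as plain bytes."""
    return {"user": USER in packet, "password": PASSWORD in packet}

if __name__ == "__main__":
    print("RADIUS :", visible_on_wire(radius_access_request(7, USER, PASSWORD, SECRET, AUTHENTICATOR)))
    print("TACACS+:", visible_on_wire(tacacs_pap_start(0x1234ABCD, USER, PASSWORD, SECRET)))
```

In the RADIUS packet the user name is readable and only the password attribute is masked; in the TACACS+ packet everything after the 12-byte header is masked, and both schemes depend entirely on the shared secret.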

It is also important to understand that certain features in each AAA client will only work with one of the protocols (RADIUS, or TACACS+) and not the other. For example, the PIX firewall only supports TACACS+ for authorization services and only supports RADIUS for downloadable access lists.

A detailed comparison of RADIUS and TACACS+ is available at www.cisco.com/warp/public/480/10.html.