Security Basics mailing list archives

RE: TACACS+ vs. RADIUS


From: "Mohamed Farid" <mfarid () mscc com eg>
Date: Tue, 5 Jun 2007 14:09:12 +0300

Nikhil:
You mentioned that RADIUS supports Authentication and Authorization -
what about accounting?

If I use RADIUS: can I know what commands have been added by whom? Or
is it available only for TACACS?

Mohamed Farid
Telecommunication & Security Department Manager

Mediterranean Smart Cards Company
92 Tahreer Street. Dokki / Cairo / Egypt
Website    : www.mscc.com.eg
Email  : mfarid () mscc com eg
Phone : +2 02 3331439/+2 02 3331400
Fax      : +2 02 7621164
Mobile      : +2 0122258350

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Nick Owen
Sent: Monday, June 04, 2007 9:09 PM
To: Nikhil Wagholikar
Cc: security-basics () securityfocus com; kkmookhey () niiconsulting com
Subject: Re: TACACS+ vs. RADIUS

Excellent points, Nikhil.  I would only add that if you ever want to
roll out two-factor authentication you should go with RADIUS.  While we
support TACACS+, many two-factor systems do not.  Plus, there are a
number of good, free RADIUS servers such as FreeRADIUS and Microsoft's
IAS server.  IIRC, IAS will first validate that the user is active in
AD, then proxy the auth request to a 3rd party server.

As for location, keep in mind that these protocols are encoded, but not
encrypted.

hth,

Nick
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid


Nikhil Wagholikar wrote:
Hello Rlafosse,

Here is a short description about differences between RADIUS & TACACS
implementation:

1.  Make:

RADIUS is an industry standard developed by Livingston.
TACACS is Cisco proprietary.

2. Command Execution rights:

RADIUS has no provision given to users as to which command that they
can run on the router.
TACACS has two provisions provided to user for the commands that they
can run on the router:
a. Based on users
b. Based on groups

3. Protocol Support:

RADIUS doesn't offer support to traditional protocols like ARA, X.25
PAD & NASI.
TACACS provides support to multiple protocols.

4. AAA Segregation:

RADIUS combines Authentication & Authorization.
TACACS clearly segregates/separates Authentication, Authorization &
Accounting.

5. Protocol Utilization:

RADIUS works on UDP whereas TACACS works on TCP.

6. Encryption level:

RADIUS only encrypts the password in the requested packet connection.
TACACS encrypts the whole body of requested packet connection.

So now we can clearly analyze the difference & understand that TACACS
implementation is much more secure as compared to RADIUS implementation.

Happy AAA implementation.

----------
Nikhil Wagholikar
Security Analyst

NII Consulting
Web: www.niiconsulting.com


On 6/2/07, Lafosse, Ricardo <rlafosse () sfwmd gov> wrote:
Hello all,
I am considering implementing either RADIUS or TACACS+ any insight or
experiences would be helpful. Also where would be the most beneficial
location to place it on my infrastructure (DMZ)?

Cheers,
Ricardo








