Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: TACACS+ vs. RADIUS

From: elias.tamas () uni-pen hu
Date: Thu, 07 Jun 2007 10:50:16 +0200
Hy. RADIUS is well accepted, FreeRadius is an open implementation, almost everything can work with it on any device or os. In not homogenic networks, radius is more superior than cisco's implementation.
We are using radius comapny-wide since for example most of our 3com middleware switches not supporting tacacs, as well as most of our wireless devices. In a homogenic cisco network it is truly the best solution, but in any other cases, I doubt... 


Idézet (Mohamed Farid <mfarid () mscc com eg>):


Dear Nikhil :
This is really more than enough ...
Thank you for your great description and support ...

Mohamed Farid ,,

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Nikhil Wagholikar
Sent: Tuesday, June 05, 2007 5:52 PM
To: security-basics () securityfocus com
Subject: Re: TACACS+ vs. RADIUS

Hello Mohamed Farid,

RADIUS is an AAA protocol; hence it supports all -- Authentication,
Authorization & Accounting. I commented that RADIUS combines
Authentication & Authorization -- by this I mean to say RADIUS doesn't
clearly separates Authentication & Authorization method/process; by no
way I meant that RADIUS doesn't support Accounting!!

As to your second query, my second point clearly specifies the same.

---------
Nikhil Wagholikar
Security Analyst

NII Consulting
Web: www.niiconsulting.com



On 6/5/07, Mohamed Farid <mfarid () mscc com eg> wrote:

Nikhil :
You mentioned that Radius supports Authentication and Authorization -
what about accounting ?

If I use Radius : Can I know what commands have been added by whom ?

or

it's available only for TACACS ?

Mohamed Farid ,,
Telecommunication & Security Department Manager ,,,

Mediterranean Smart Cards Company ,,
92 Tahreer Street. Dokki / Cairo / Egypt
Website    : www.mscc.com.eg
Email  : mfarid () mscc com eg
Phone : +2 02 3331439/+2 02 3331400
Fax      : +2 02 7621164
Mobile      : +2 0122258350

-----Original Message-----
From: listbounce () securityfocus com

[mailto:listbounce () securityfocus com]

On Behalf Of Nick Owen
Sent: Monday, June 04, 2007 9:09 PM
To: Nikhil Wagholikar
Cc: security-basics () securityfocus com; kkmookhey () niiconsulting com
Subject: Re: TACACS+ vs. RADIUS

Excellent points Nikhil.  I would only add that if you ever want to
roll-out two-factor authentication you should go with radius.  While

we

support TACACS+, many two-factor systems do not.  Plus, there are a
number of good, free radius servers such as Freeradius and Microsoft's
IAS server.   IIRC, IAS will first validate that the user is active in
AD, then proxy the auth request to a 3rd party server.

As for location, keep in mind that these protocols are encoded, but

not

encrypted.

hth,

Nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid


Nikhil Wagholikar wrote:
> Hello Rlafosse,
>
> Here is a short description about differences between RADIUS &

TACACS

> implementation:
>
> 1.  Make:
>
> RADIUS is a Industry standard developed by Livingston.
> TACACS is CISCO proprietory.
>
> 2. Command Execution rights:
>
> RADIUS has no provision given to users as to which command that they
> can run on the router.
> TACACS has two provisions provided to user for the commands that

they

> can run on the router:
> a. Based on users
> b. Based on groups
>
> 3. Protocol Support:
>
> RADIUS doesn't offer support to traditional protocols like ARA, X.25
PAD
> & NASI.
> TACACS provides support to multiple protocols.
>
> 4. AAA Segregation:
>
> RADIUS combines Authentication & Authorization.
> TACACS clearly segregates/separates Authentication, Authorization &
> Accounting.
>
> 5. Protocol Utilization:
>
> RADIUS works on UDP whereas TACACS works on TCP.
>
> 6. Encrption level:
>
> RADIUS only encrypts the password in the requested packet

connection.

> TACACS encrypts the whole body of requested packet connection.
>
> So now we can clearly analyze the difference & understand that

TACACS

> implementation is much secured as compared to RADIUS implementation.
>
> Happy AAA implementation.
>
> ----------
> Nikhil Wagholikar
> Security Analyst
>
> NII Consulting
> Web: www.niiconsulting.com
>
>
> On 6/2/07, Lafosse, Ricardo <rlafosse () sfwmd gov> wrote:
>> Hello all,
>> I am considering implementing either RADIUS or TACACS+ any insight

or

>> experiences would be helpful. Also where would be the most

beneficial

>> location to place it on my infrastructure (DMZ)?
>>
>> Cheers,
>> Ricardo
>>
>>
>>
>


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

This e-mail (including attachments) is classified as Mediterranean

Smart Cards Company confidential and proprietary information

The recipient hereby is committed to hold in strict confidence the

contents of this (e-mail, document, and information) and not to disclose
to any third party without the prior written consent of Mediterranean
Smart Cards Company.

Recipient will be held liable for any unauthorized disclosure.
It is intended solely for the addressee. Unless you are the addressee,

you may not read, copy, use or store this e-mail in any way, or permit
others to.

If you have received it in error, please notify the sender by return

e-mail and delete the message in its entirety, including any attachments

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *










----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Previous By Date Next
Previous By Thread Next

Current thread: