TACACS+ VS RADIUS question

mgmguy1 Member Posts: 485
I have a question. Why does RADIUS use UDP?

RADIUS uses UDP ports 1812 or 1645 for Authentication and 1813 or 1646 for Accounting and manages all AAA functions in a single profile, but TACACS+ utilizes TCP port 49 and separates authentication and authorization. My book does not say why RADIUS uses UDP. Can someone clear this up for me?

Thanks
"A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

Fats Domino

Comments

  • matradley Member Posts: 549
    mgmguy1 wrote:
    I have a question. Why does RADIUS use UDP?

    RADIUS uses UDP ports 1812 or 1645 for Authentication and 1813 or 1646 for Accounting and manages all AAA functions in a single profile, but TACACS+ utilizes TCP port 49 and separates authentication and authorization. My book does not say why RADIUS uses UDP. Can someone clear this up for me?

    Thanks
    From what I understand, and regarding this article - http://en.wikipedia.org/wiki/RADIUS , it is UDP because, during the Authentication process, information like IP, lease time, and so forth is sent. The reason why UDP is used is to send information quickly without having to create a "circuit" between source and destination. This is so that if the user is not capable of receiving the information, an acknowledgement does not have to be sent and the port does not have to stay open until the ACK. This same method is used between routers using RIP and OSPF as well as for BootP and DHCP. The information is sent; if you do not receive it, that is too bad - there's no real reliability. However, when looking at Cisco-based TACACS+, TCP is used for authentication because it is a connection-oriented, acknowledged protocol. Have a look at this article - http://en.wikipedia.org/wiki/TACACS+ .

    So, mainly, as I am sure you know, UDP is a connectionless protocol and TCP is a connection-oriented protocol.
    From Security+ book by Sybex:
    "One of the nice things about technology is that it's always changing. One of the bad things about technology is that it's always changing."
  • mgmguy1 Member Posts: 485
    Thank you, this clears this up for me a bit
    "A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

    Fats Domino
  • mgmguy1 Member Posts: 485
    Team, I have two questions.

    RADIUS only encrypts the password portion of the access-request packet from the client to the server. The rest of the packet is sent in clear text, which can be captured and viewed by a network monitoring tool. My question is: can you use IPsec to encrypt the rest of the packet?

    Question #2
    TACACS+ encrypts the entire body of the packet, but does not encrypt the TACACS+ header. The header contains a field that indicates whether the body of the packet is encrypted or not.

    Is this saying the header is sent in clear text? And if so, what would you use to make sure it's not sent in clear text?
    "A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

    Fats Domino
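To make the first question in the post above concrete, here is an added example (not code from this thread or from any RADIUS implementation) that builds an Access-Request with the RFC 2865 User-Password hiding and then walks its attributes the way a passive network monitor would. The shared secret, Request Authenticator, username and NAS address are constructed placeholders; the point it shows is that only User-Password is obscured, and only with an MD5 keystream derived from the shared secret, while User-Name and NAS-IP-Address are readable as sent.

```python
import hashlib
import struct

# RFC 2865 attribute types used in this constructed example
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address"}


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each
    16-byte chunk with MD5(secret + previous chunk), seeded with the
    16-byte Request Authenticator. This is all the protection it gets."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += chunk
        prev = chunk
    return out


def build_access_request(secret, authenticator, username, password, nas_ip):
    """Code 1 (Access-Request) + identifier + length + authenticator + TLVs."""
    hidden = hide_password(secret, authenticator, password)
    attrs = (bytes([1, 2 + len(username)]) + username
             + bytes([2, 2 + len(hidden)]) + hidden
             + bytes([4, 6]) + bytes(nas_ip))
    return struct.pack("!BBH", 1, 0x2A, 20 + len(attrs)) + authenticator + attrs


def what_a_sniffer_sees(packet: bytes) -> dict:
    """Decode the attribute list with no knowledge of the shared secret:
    everything except User-Password comes out in the clear."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    seen, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype == 2:
            seen[name] = "<hidden: XOR with MD5(secret || authenticator)>"
        elif atype == 4:
            seen[name] = ".".join(str(b) for b in value)
        else:
            seen[name] = value.decode()
        pos += alen
    return seen


SECRET = b"example-shared-secret"   # constructed placeholder, not a real secret
AUTHENTICATOR = bytes(range(16))    # fixed so the run is reproducible
PACKET = build_access_request(SECRET, AUTHENTICATOR, b"alice", b"s3cret", (192, 0, 2, 10))
```

Everything the monitor returns except User-Password is exactly what was put on the wire, which is why RFC 3162/3579-style IPsec protection of the whole datagram is the usual answer to that question.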