TACACS+ VS RADIUS question

I have a question. Why does RADIUS use UDP ?

RADIUS uses uses UDP ports 1812 or 1645 for Authentication and 1813 or 1646 for Accounting and manages all AAA fuctions in a single profile but TACACS+ utilizes TCP port 49 and separates authentication and authorization. My book does not say why RADIUS uses UDP ? Can someone clear this up for me ?

Thanks

Find more posts tagged with

SAVE $250 on Your CompTIA Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CompTIA Boot Camps

Comments

matradley

mgmguy1 wrote:

I have a question. Why does RADIUS use UDP ?

RADIUS uses uses UDP ports 1812 or 1645 for Authentication and 1813 or 1646 for Accounting and manages all AAA fuctions in a single profile but TACACS+ utilizes TCP port 49 and separates authentication and authorization. My book does not say why RADIUS uses UDP ? Can someone clear this up for me ?

Thanks

From what I understand, and regarding this article - http://en.wikipedia.org/wiki/RADIUS , it is UDP because, during the Authentication process, the information like IP, lease time, and so fourth is sent. The reason why UDP is used is to send information quickly without having to create a "circuit" between source and destination. This is so that if the user is not capable of receiving the information, an acknowledgement does not have to be sent and the port does not have to stay open until the ACK. This same method is used between routers using RIP and OSPF as well as for BootP and DHCP. The information is sent, if you do not receive it, that is too bad - there's no real reliability. However, when looking at Cisco based TACACS+, the authentication TCP is used because it is a connection-oriented acknowledge protocol. Have a look at this article - http://en.wikipedia.org/wiki/TACACS+ .

So, mainly, as I am sure you know, UDP is a connectionless protocol and TCP is a connection-oriented protocol.

mgmguy1

Thank you, this clears this up for me a bit

mgmguy1

Team, I have two questions.

RADIUS only encrypts the password portion of the access-request packet from the client to the server. The rest of the packet is sent in clear text, which can be captured and viewed by a network monitoring tool. My question is....Can you use IPsec to encrypt the rest of the packet?

Question # 2
TACACS+ encrypts the entire body of the packet, but does not encrypt the TACACS+ header. The header contains a field that indicates whether the body of the packet is encrypted or not.

Is this saying the header is is sent in clear text ? And if so what would you use to make sure it's not sent in clear text ?