[c-nsp] Central Authentication (Tacacs+ / Radius)
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Tue Apr 5 12:51:21 EDT 2005
Mohacsi Janos <> wrote on Tuesday, April 05, 2005 9:33 AM:
> On Mon, 4 Apr 2005, Network.Security wrote:
>
>> One thing to keep in mind in the Accounting Dept. with the Cisco ACS
>> is that it doesn't do (or I could never make it do) Radius Command
>> Accounting, I've never delved deep enough to know if it's a limit of
>> the Radius protocol or Cisco's bias towards TACACS, so if that's a
>> decision point for you... be mindful.
>>
> Cisco's bias towards TACACS is not true anymore. Cisco seems to be no
> longer developing the TACACS protocol to support certain features
> like IPv6, while Radius (Cisco implementation also) is evolving
> constantly.
> If you select RADIUS, you will use more standardised methods.
>
>
> You can look at TACACS - RADIUS comparison page at:
> http://www.gazi.edu.tr/tacacs/docs/tac_rad_comp.html
>
> but this comparison is rather old now (1999), and RADIUS extensions
> have resolved most of the deficiencies listed there.

Not sure if I want to agree. One of the differences (the lack of a
distinct "Authorization" protocol primitive in Radius) is still valid,
and so Tacacs+ remains the standard protocol to provide AAA services for
device management.

Radius is the standard for all other access control technologies, right,
but I personally don't see it replace tacacs for device management in
the near future (might be proven wrong)...

oli