If you have ever needed to authenticate a user or device in a network infrastructure and grant it some access, you have surely heard of the AAA server.
RADIUS and TACACS are two well-known AAA protocols, and they differ in several ways.
Each of them has different uses. Usually, TACACS is used for device authentication and RADIUS is used for network authentication.

| Protocol | Accounting | Authentication | Authorization | Origin | Transport and ports | EAP | Encryption | CoA |
|---|---|---|---|---|---|---|---|---|
| RADIUS | Accounting packet | Authentication packet | No authorization packet | Standard | UDP 1812/1813 or 1645/1646 | EAP-based authentication | Only payload encrypted | CoA |
| TACACS | Accounting packet | Authentication packet | Authorization packet | Cisco | TCP 49 | X | Entire packet encrypted | X |

In the RADIUS protocol, authorization attributes differ between vendors and are sent in the authentication packet. Device access, on the other hand, requires authorization packets to be transferred frequently, so RADIUS is suitable for network access and not suitable for device access,
because the authentication packet is sent only at the beginning of the connection.
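
An added example, not from the original post: a minimal parser that verifies a RADIUS Access-Accept and lists the authorization attributes carried inside it, including a vendor-specific one. The packet layout follows RFC 2865; the shared secret, the request authenticator and the packet contents (a Cisco vendor 9 `shell:priv-lvl=15` AV pair) are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26   # RFC 2865 code and attribute type
NAMES = {6: "Service-Type", 27: "Session-Timeout"}


def build_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept from (type, value_bytes) pairs (sample data only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def parse_accept(packet, request_auth, secret):
    """Verify an Access-Accept and list the authorization attributes in it."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, value = body[i], body[i + 2:i + body[i + 1]]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            # Recommended VSA layout: 4-byte vendor id, vendor type, vendor length, data
            vendor, vtype = struct.unpack("!IB", value[:5])
            attrs.append((f"vendor {vendor} type {vtype}", value[6:]))
        else:
            attrs.append((NAMES.get(atype, f"type {atype}"), value))
        i += body[i + 1]
    return attrs


def demo():
    """Constructed reply: one standard attribute and one Cisco (vendor 9) VSA."""
    secret, req_auth = b"constructed-secret", bytes(16)
    avpair = b"shell:priv-lvl=15"
    vsa = struct.pack("!IBB", 9, 1, len(avpair) + 2) + avpair
    pkt = build_accept(7, req_auth, secret, [(6, struct.pack("!I", 6)), (26, vsa)])
    return parse_accept(pkt, req_auth, secret)
```

The standard attribute decodes the same way on every server, while the data inside attribute 26 only makes sense once the vendor id is known.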
TACACS's authentication methods are weak, so it is better to use the TACACS protocol for device access, where the access protocol provides its own security.
For example, SSH is very secure by itself.
*** CoA ***
In the RADIUS protocol, authorization is performed only at the beginning of the connection, and it is not run again during the connection.
However, RADIUS has a feature named CoA (Change of Authorization), which needs an agent installed on the supplicant.
This agent reports the state of the supplicant when it changes, so that the AAA server re-authorizes the user.