5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS

5.1.d [i] AAA with TACACS+ and RADIUS

RADIUS is an access-server AAA protocol that combines authentication and authorization. It is a distributed security system that protects remote access to networks and network services against unauthorized use. TACACS+ encrypts the whole session and can provide per-command CLI authorization by user group.

RADIUS comprises three components:

● A protocol with a frame format that runs over User Datagram Protocol (UDP)/IP

● A server

● A client

RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP: it is a connection-oriented transport, whereas UDP offers only best-effort delivery. RADIUS therefore needs additional configurable variables, such as retransmit attempts and time-outs, to compensate for the best-effort transport, but it still lacks the built-in support that a TCP transport offers:

● TCP provides a separate acknowledgment that a request has been received, within (approximately) one network round-trip time (RTT); this TCP acknowledgment arrives regardless of how loaded and slow the backend authentication mechanism might be.

● TCP gives an immediate indication of a crashed or not-running server through a reset (RST). With long-lived TCP connections you can determine when a server crashes and when it returns to service. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.

● With TCP keepalives, server crashes can be detected out-of-band from actual requests. Connections to multiple servers can be maintained simultaneously, and messages need only be sent to the servers that are known to be up.

● TCP is more scalable and adapts to growing, as well as congested, networks.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5110-5113). Kindle Edition.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
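The IOS configuration below is an added example, not taken from the exam guide or the Cisco note. It puts the points above into practice: a TACACS+ group (TCP, single long-lived connection) for device administration with per-command authorization, and a RADIUS group (UDP, explicit timeout and retransmit values) for network access. Server names, addresses and keys are placeholders.

```cisco
! Added example (not from the exam guide). Addresses, names and keys are
! placeholders; replace them for a real deployment.
aaa new-model
!
! TACACS+ (TCP/49). single-connection keeps one long-lived TCP session, so a
! crashed server shows up as a reset instead of a silent timeout.
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 single-connection
 timeout 5
!
aaa group server tacacs+ ADMIN-TACACS
 server name TAC-PRIMARY
!
! RADIUS (UDP/1812 and 1813). Best-effort transport, so timeout and
! retransmit decide how long a dead server stalls each request.
radius server RAD-PRIMARY
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 timeout 3
 retransmit 2
!
aaa group server radius NET-RADIUS
 server name RAD-PRIMARY
!
! Device administration: admins authenticate against TACACS+; the local
! database is used only when no server answers, not when one rejects the user.
aaa authentication login ADMIN-LOGIN group ADMIN-TACACS local
aaa authorization exec default group ADMIN-TACACS local
! Per-command authorization: the TACACS+ server decides, per user group, which
! privilege-15 commands are permitted (the CLI authorization the text refers to).
aaa authorization commands 15 default group ADMIN-TACACS if-authenticated
aaa accounting exec default start-stop group ADMIN-TACACS
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
! Network access (802.1X) uses the RADIUS group instead.
aaa authentication dot1x default group NET-RADIUS
!
! Local fallback account, used only if every TACACS+ server is unreachable.
username admin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
!
line vty 0 4
 login authentication ADMIN-LOGIN
 transport input ssh
```

Verify the result with `show tacacs` and `show aaa servers`, which report per-server request counts and whether the device currently considers each server up or dead.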