The family of AAA protocols (Authentication, Authorization, and Accounting) was originally designed as a remote access control mechanism for network service providers offering modem and dial-in services, but these protocols continue to be implemented in many architectures today.
AAA protocols are centralized remote access control technologies.
AAA protocols help protect internal LAN authentication systems and other servers from remote attacks. When using a separate system for remote access, a successful attack on the system only affects the remote users.
Authentication, Authorization, and Accounting services are often provided by a dedicated AAA Server, a program that performs these functions.
1. RADIUS (Remote Authentication Dial-In User Service): RADIUS provides centralized authentication for remote connections. It is typically used when an organization has more than one network access server or remote access server. A user can connect to any network access server, which then passes the user's credentials on to the RADIUS server to verify authentication and authorization and to track accounting. In this context, the network access server is the RADIUS client and the RADIUS server acts as the authentication server. The RADIUS server also provides AAA services for multiple RAS servers. RADIUS can use call-back security for an extra layer of protection: users call in and, after authentication, the RADIUS server terminates the connection and initiates a call back to the user's predefined phone number. If a user's authentication credentials are compromised, the callback security prevents an attacker from using them. RADIUS uses UDP and encrypts only the exchange of the password. It does not encrypt the entire session, but additional protocols can be used to encrypt the data session. RADIUS encrypts only the password, NOT the user name.
2. TACACS+ (Terminal Access Controller Access-Control System Plus): It is a Cisco proprietary protocol, initially introduced as TACACS and XTACACS as an alternative to RADIUS. TACACS+ is the latest and improved version over TACACS and XTACACS. TACACS+ separates Authentication, Authorization, and Accounting into separate processes, which can be hosted on three separate servers if desired. TACACS+ encrypts all of the authentication information, not just the password. TACACS+ uses TCP port 49 and provides more reliability for packet transmissions.
Comparison

| Features | RADIUS | TACACS+ |
|---|---|---|
| Transport Protocol | Default is UDP; RADIUS supports TLS over TCP if required as a custom configuration | TCP |
| Port | 1645/1646 or 1812/1813 | 49 |
| Communication & Encryption | Less secure, encrypts only the password | More secure, encrypts the whole packet including user name, password & attributes |
| Can Authenticate? | NO | Yes |
| Network device/Primary use | Network Access | Device Administration |
| Desired for? | AAA users/Clients | AAA Administrator |
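To make the "Communication & Encryption" row of the comparison concrete, the following Python example (added here; it is not code from the page or from any RADIUS or TACACS+ vendor) implements the two on-the-wire hiding schemes the table contrasts: RFC 2865 User-Password hiding, which covers only the password attribute of a RADIUS Access-Request, and RFC 8907 TACACS+ body obfuscation, which covers the whole packet body. The shared secret, user name, password, session id and Request Authenticator values are constructed sample values, and the function names are my own.

```python
import hashlib
import os
import struct

# Constructed sample value (not from the page): the NAS/server shared secret.
SHARED_SECRET = b"example-shared-secret"


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, pad)), block
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Build a RADIUS Access-Request (Code 1) carrying User-Name (type 1) in the clear
    and a hidden User-Password (type 2). Header: Code, Identifier, Length, 16-byte Authenticator."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server-side view: walk the TLV attributes and recover the password with the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]   # alen counts the type and length octets
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "identifier": identifier, "username": attrs[1],
            "password": radius_reveal_password(attrs[2], secret, authenticator)}


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 s.4.5 body obfuscation: XOR the whole body with an MD5 keystream derived from
    session_id, key, version and seq_no. Symmetric, so the same call also de-obfuscates."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = hashlib.md5(prefix).digest()
    stream = pad
    while len(stream) < len(body):
        pad = hashlib.md5(prefix + pad).digest()
        stream += pad
    return bytes(x ^ y for x, y in zip(body, stream))


def exposed_on_wire(packet: bytes, *needles: bytes) -> dict:
    """Report which plaintext values are directly readable in a captured packet."""
    return {n: (n in packet) for n in needles}


if __name__ == "__main__":
    # Constructed login: user "alice" with password "s3cret".
    rad = build_access_request(b"alice", b"s3cret", SHARED_SECRET, authenticator=bytes(range(16)))
    print("RADIUS  :", exposed_on_wire(rad, b"alice", b"s3cret"))      # user name visible, password not
    print("server  :", parse_access_request(rad, SHARED_SECRET))
    body = b"alice\x00s3cret"  # simplified stand-in for a TACACS+ authentication body
    tac = tacacs_plus_obfuscate(body, SHARED_SECRET, 0x12345678, 0xC0, 1)
    print("TACACS+ :", exposed_on_wire(tac, b"alice", b"s3cret"))      # neither is visible
    print("restored:", tacacs_plus_obfuscate(tac, SHARED_SECRET, 0x12345678, 0xC0, 1) == body)
```

Both schemes are MD5 keystreams keyed by the shared secret rather than authenticated encryption, which is why both the RADIUS-over-TLS option in the table and RFC 8907 itself point operators toward a protected transport; a capture of a plain UDP RADIUS exchange still yields the user name and the attribute set, while a TACACS+ capture yields neither without the key.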
3. Diameter: It is an enhanced version of RADIUS and supports a wide range of protocols such as IP, Mobile IP, and VoIP. It supports extra commands and is desirable where roaming support is required, such as with wireless devices and smartphones. While Diameter is an upgrade to RADIUS, it is not backward compatible with RADIUS.
Diameter uses TCP port 3868 or Stream Control Transmission Protocol (SCTP) port 3868, providing better reliability than the UDP used by RADIUS, and uses TLS for encryption.
Diameter also supports IPSec.