Local and RADIUS/TACACS+ Authentication

Detailed Explanation

1. What is Local Authentication?

Local authentication stores usernames and passwords directly on the device (such as a router or switch).

Use Cases:
  • Small networks with few administrators
  • Out-of-band management, or as a backup when AAA servers are unreachable

Advantages: Simple to set up; no external dependencies.
Limitations: Not scalable; accounts must be created, changed and removed on every device; local credentials are harder to rotate and audit than centrally managed ones.

2. What is RADIUS Authentication?

RADIUS (Remote Authentication Dial-In User Service) is a centralized AAA (Authentication, Authorization, Accounting) protocol, widely used for:

  • 802.1X (wired/wireless access)
  • VPN authentication
  • Central device management

Key Features:
  • Central credential management (e.g., Cisco ISE, FreeRADIUS)
  • UDP-based (port 1812 for authentication, 1813 for accounting)
  • Provides accounting (logs user activity)

3. What is TACACS+ Authentication?

TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco-designed AAA protocol, mainly for device administration.

  • Separates authentication, authorization, and accounting
  • TCP-based (port 49)
  • Encrypts the entire payload (greater security for admin access)

4. Differences Between RADIUS and TACACS+

Feature          | RADIUS                   | TACACS+
-----------------+--------------------------+---------------------------
Protocol         | UDP (1812/1813)          | TCP (49)
AAA Handling     | Combines AAA             | Separates AAA
Encryption       | Encrypts only password   | Encrypts entire payload
Primary Use Case | User access (Wi-Fi, VPN) | Device admin (CLI access)
Vendor           | Multi-vendor             | Cisco-focused

5. Use Cases for Local vs. RADIUS/TACACS+

  • Local Authentication: Small/simple networks, backup/fallback admin access
  • RADIUS/TACACS+: Enterprise networks, centralized policy control, compliance
  • RADIUS: User or device network access (802.1X, VPN)
  • TACACS+: Device admin and command authorization

6. Configuration Basics

Local User Account (Cisco IOS):

    username admin privilege 15 secret cisco123

(secret stores a hash of the password on the device; the older password keyword stores it in cleartext or the reversible type 7 form.)

RADIUS Client Example:

    aaa new-model
    radius-server host 192.168.1.10 key rad123
    aaa authentication login default group radius local

TACACS+ Client Example:

    aaa new-model
    tacacs-server host 192.168.1.20 key tacacskey
    aaa authentication login default group tacacs+ local

Tip: In both examples, local is the fallback method. IOS moves on to the next method in the list only when the server gives no answer (unreachable or timed out); a reject from a reachable server is final, and the local database is not consulted.

7. AAA Model Overview

  • Authentication: Who are you? (username/password)
  • Authorization: What are you allowed to do?
  • Accounting: What did you do? (logs, duration, commands, etc.)

RADIUS and TACACS+ both provide AAA. TACACS+ offers finer command-level authorization.

8. Security Considerations

  • RADIUS: Encrypts only the password attribute; the user name, NAS details and other attributes travel in cleartext. Where RADIUS must cross an untrusted network, protect it with RadSec (RADIUS over TLS) or IPsec.
  • TACACS+: Encrypts the entire payload (only the 12-byte packet header stays in cleartext); preferred for device admin.
  • Use strong shared secrets and keep AAA traffic on a secured management network.
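The encryption rows of the comparison table in section 4 and the first two points above are easiest to see by building the packets. The Python below is an added example written for this page; it is not code from the original, from Cisco, or from any RADIUS or TACACS+ server. It follows RFC 2865 (RADIUS User-Password hiding and the Response Authenticator) and RFC 8907 (the TACACS+ body pseudo-pad), and every secret, authenticator, session id, user name and password in it is a constructed sample value. It builds a RADIUS Access-Request and a TACACS+ authentication START for the same login and reports which credential fields are readable straight off the wire.

```python
"""Added example, not code from the original page: what the shared secret
protects in RADIUS (RFC 2865) versus TACACS+ (RFC 8907).  RADIUS hides only
the User-Password attribute; the rest of the packet is cleartext.  TACACS+
XORs the whole packet body with an MD5 pseudo-pad, so only its 12-byte
header is readable.  All secrets, authenticators, session ids and user
names below are constructed sample values."""
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: null-pad to 16-byte blocks; XOR block 1 with
    MD5(secret + Request Authenticator) and each later block with MD5(secret + previous hidden block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; the chain is keyed on the hidden blocks."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")  # strips the padding; passwords ending in NUL are not representable


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Type / Length / Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def radius_access_request(ident: int, authenticator: bytes, username: bytes,
                          password: bytes, secret: bytes) -> bytes:
    """Code 1 = Access-Request.  Only attribute 2 (User-Password) is hidden;
    attribute 1 (User-Name) and everything else goes on the wire as-is."""
    attrs = radius_attr(1, username) + radius_attr(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def radius_response_authenticator(code: int, ident: int, attrs: bytes,
                                  request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: the reply is bound to the request and the secret, so a
    reply built without the secret fails this check on the NAS."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def tacacs_authen_start(session_id: int, key: bytes, username: bytes, port: bytes) -> bytes:
    """Authentication START (RFC 8907 section 5.1) for an ASCII login at privilege 15.
    The body, user name included, is obfuscated; the 12-byte header is not."""
    version, pkt_type, seq_no, flags = 0xC0, 1, 1, 0  # major 0xC, minor 0; TAC_PLUS_AUTHEN
    # action LOGIN, priv_lvl 15, authen_type ASCII, service LOGIN, then the four length fields
    body = struct.pack("!BBBBBBBB", 1, 15, 1, 1, len(username), len(port), 0, 0) + username + port
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def exposure_report(username: bytes, password: bytes, secret: bytes) -> dict:
    """Which credential fields can be read directly from each protocol's wire image."""
    authenticator = bytes(range(16))  # constructed; a real NAS uses 16 random bytes per request
    rad = radius_access_request(7, authenticator, username, password, secret)
    tac = tacacs_authen_start(0x1234ABCD, secret, username, b"tty0")
    return {
        "radius_username_visible": username in rad,
        "radius_password_visible": password in rad,
        "tacacs_username_visible": username in tac,
    }


if __name__ == "__main__":
    print(exposure_report(b"admin", b"cisco123", b"rad123"))
```

The report comes back with the RADIUS user name visible and the password hidden, and nothing of the TACACS+ login readable past the header, which is exactly the contrast the table draws. Two caveats the code makes concrete: both schemes rest on MD5 keyed with the shared secret, so a weak or shared-everywhere secret undermines them, and RFC 8907 itself describes the TACACS+ mechanism as obfuscation rather than encryption and expects the protocol to run on a protected management network, the same advice as the third point of this section.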

9. Integration with Network Devices

  • Supported on: Cisco, Juniper, HP, Aruba, Palo Alto, and more
  • Server software: Cisco ISE, FreeRADIUS, Microsoft NPS, Cisco Secure ACS, etc.

10. Troubleshooting Authentication Issues

Problem              | Diagnostic Steps                                 | Solution
---------------------+--------------------------------------------------+--------------------------------------
Login fails          | Check server reachability, shared key, user list | Correct IP/key or user; test locally
Slow logins          | Check server response time, network latency      | Optimize server, reduce hops
Fallback not working | Check AAA method order                           | Ensure local is listed after group

Helpful Tools: debug aaa authentication, show aaa servers, syslog messages, server logs

11. Scalability and Management

  • RADIUS/TACACS+: Centralized user management and global policies—ideal for large networks
  • Local: Manual management per device—inefficient for scale

12. Fallback and Redundancy

  • Define local authentication as a backup in case RADIUS/TACACS+ is unreachable.
  • Configure multiple servers for high availability.
Example:

    radius-server host 192.168.1.10 key rad123
    radius-server host 192.168.1.11 key rad123

Example Scenario:
A company wants all Wi-Fi users to authenticate via RADIUS, but network admins should use TACACS+ for CLI access.
  • Wi-Fi APs are configured to point to a RADIUS server for user authentication
  • Switches/routers use the TACACS+ server for administrative logins:

    aaa authentication login default group tacacs+ local
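The tip in section 6, the "Fallback not working" row in section 10 and the redundancy points of this section all come down to how a method list such as the line above is walked. The Python below is an added example written for this page, not code from the original or from Cisco; it models the documented IOS rule that the next method is consulted only when the previous one returns an error (no server answered), while an accept or a reject from any method is final. Server addresses, user names and passwords are constructed sample values, and the reachable and unreachable servers are simulated in memory.

```python
"""Added example, not code from the original page: a model of how a Cisco IOS
authentication method list such as
    aaa authentication login default group tacacs+ local
walks its methods.  Rule modelled: move to the next method only on ERROR
(no server answered); a PASS or FAIL from any method ends the list.
Server addresses, users and passwords are constructed sample values."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # the server (or local database) answered and rejected them
    ERROR = "error"  # nothing answered: unreachable, timed out, or wrong shared key


@dataclass
class AaaServer:
    address: str
    users: Optional[Dict[str, str]] = None  # None models an unreachable host (constructed)

    def authenticate(self, user: str, password: str) -> Result:
        if self.users is None:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class ServerGroup:
    """'group radius' / 'group tacacs+': hosts are tried in configured order, so a
    second radius-server host line adds a second entry here (section 12)."""
    name: str
    servers: List[AaaServer]

    def authenticate(self, user: str, password: str) -> Result:
        for server in self.servers:
            result = server.authenticate(user, password)
            if result is not Result.ERROR:
                return result  # an answer from any host, accept or reject, is final
        return Result.ERROR    # no host answered: the whole group errors


@dataclass
class LocalDatabase:
    """'local': the username ... secret accounts stored on the device."""
    users: Dict[str, str] = field(default_factory=dict)
    name: str = "local"

    def authenticate(self, user: str, password: str) -> Result:
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def run_method_list(methods, user: str, password: str) -> Tuple[Result, Optional[str]]:
    """Walk the list left to right and return the decision plus the method that made it.
    If every method errors, no method decided (None) and IOS denies the login."""
    for method in methods:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return result, method.name
    return Result.ERROR, None


def scenarios() -> Dict[str, Tuple[Result, Optional[str]]]:
    """Constructed cases matching the page's configuration and troubleshooting notes."""
    local = LocalDatabase({"admin": "cisco123"})          # section 6 local account

    def up(addr: str) -> AaaServer:                       # reachable TACACS+ host
        return AaaServer(addr, {"netadmin": "Tacacs-Pass-1"})

    def down(addr: str) -> AaaServer:                     # unreachable TACACS+ host
        return AaaServer(addr, None)

    both_up = ServerGroup("tacacs+", [up("192.168.1.20"), up("192.168.1.21")])
    one_down = ServerGroup("tacacs+", [down("192.168.1.20"), up("192.168.1.21")])
    all_down = ServerGroup("tacacs+", [down("192.168.1.20"), down("192.168.1.21")])
    return {
        # servers reachable, valid credentials: TACACS+ accepts
        "servers_up_valid": run_method_list([both_up, local], "netadmin", "Tacacs-Pass-1"),
        # servers reachable but the account is only local: reject is final, local is never tried
        "servers_up_rejected": run_method_list([both_up, local], "admin", "cisco123"),
        # first server dead, second answers: redundancy without touching local
        "first_server_down": run_method_list([one_down, local], "netadmin", "Tacacs-Pass-1"),
        # no server answers: fallback to the local account
        "all_servers_down": run_method_list([all_down, local], "admin", "cisco123"),
        # misordered list 'local group tacacs+': local decides every login (section 10 row)
        "local_listed_first": run_method_list([local, both_up], "netadmin", "Tacacs-Pass-1"),
    }


if __name__ == "__main__":
    for name, (result, decided_by) in scenarios().items():
        print(f"{name:22} {result.value:6} decided by {decided_by}")
```

The "servers_up_rejected" case is the one that surprises people: a TACACS+ server that is up and rejects the password ends the login even though a matching local account exists, because local is a fallback for an unreachable server, not for a failed password. "local_listed_first" shows the reverse misconfiguration from the troubleshooting table, where local answers every login and the server group is never reached.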

Key Points and Exam Tips

Key Point       | Description
----------------+------------------------------------------------------------------------
Local           | Quick/simple; not scalable. Always configure a fallback local account.
RADIUS          | Best for user access; UDP; encrypts only password; combines AAA.
TACACS+         | Best for admin/device control; TCP; encrypts entire payload; separates AAA.
AAA             | Authentication, Authorization, Accounting
Centralized AAA | Reduces admin overhead, improves audit and compliance.
Debugging       | Use debug aaa authentication and logs for troubleshooting.
Documentation   | Document server IPs, keys, and failover.

When and Where to Use Each:
  • Local: Small or isolated setups, or as a backup admin method.
  • RADIUS: User/device network access (VPN, 802.1X, wireless).
  • TACACS+: Network device admin access with detailed authorization/auditing.

Local and RADIUS/TACACS+ Authentication Quiz

1. What is local authentication?

Correct answer is B. Local authentication stores and verifies user credentials directly on the network device.

2. Which protocol is UDP-based and commonly used for user access authentication?

Correct answer is D. RADIUS uses UDP (ports 1812 for authentication and 1813 for accounting) and is widely used for user access.

3. What is a key feature of TACACS+ compared to RADIUS?

Correct answer is A. TACACS+ encrypts the full payload, providing greater security especially for admin access.

4. Which port is the default for TACACS+ protocol?

Correct answer is C. TACACS+ uses TCP port 49 by default.

5. What does AAA stand for in network authentication?

Correct answer is B. AAA stands for Authentication, Authorization, and Accounting.

6. Why is local authentication not recommended for large networks?

Correct answer is A. Local authentication lacks scalability because each device must be configured separately.

7. Which of the following is a characteristic of RADIUS?

Correct answer is D. RADIUS combines AAA into a single process, but encrypts only passwords.

8. Which command configures a device to use RADIUS for authentication with fallback to local?

Correct answer is B. This command tries RADIUS first, then local if RADIUS is unreachable.

9. What is a major security advantage of TACACS+ over RADIUS?

Correct answer is C. TACACS+ encrypts the entire packet, providing greater security.

10. In which scenario is local authentication typically used?

Correct answer is A. Local authentication is used in small setups or as a fallback method.
