Authentication Protocols: KERBEROS VS TACACS VS RADIUS

Authentication Protocols

Kerberos v5

Kerberos is nothing but a computer-network authentication protocol defined in RFC 1510 and was developed by MIT. The protocol states how clients communicate with a network authentication service. It is used as default authentication protocol in windows operating systems.

Similar to NTLM, kerberos uses the domain name, user name, and password to represent the client’s identity. The Kerberos Key Distribution Center issues a ticket to the client, and a ticket is presented to the server once a connection is established. Both - the client and server computers must both be in the same domains, and those domains must possess a trust relationship.

  • Uses the entire principal name for key salting algorithm.
  • For encoding, it uses the ASN.1 coding system.
  • It provides ticket support facilities such as forwarding, renewing and postdating tickets.
  • It contains multiple IP addresses and other addresses for types of network protocols.
  • It also provides reasonable transitive cross-realm authentication support.

Kerberos when implemented with a Data Encryption Standard cipher is weak in encryption and can be mitigated by making use of new ciphers like AES instead of DES. Microsoft, back in November 2014, did rectify an exploitable vulnerability in windows implementation of the KDC. The vulnerability allowed users to ‘elevate’ their privileges, up to Domain level.

  • Single point of failure: It needs continuous availability of a central server and when the kerberos server is down, new users cannot log in.
  • The administration protocol is not standardized and differs between server implementations.
  • Setting own kerberos keys is required when each network service requires a different host name.
  • It requires user accounts, user clients and the service on the server to all have a trusted relationship.
  • It requires strict time requirements, which means the clocks of the involved hosts must be synchronized within configured limits.


TACACS is an authentication protocol used for remote communication with any server housed in a UNIX network. TACACS provides a technique of determining user network control access via remote authentication server communication. The protocol uses port 49 by default. It complements the independent authentication, authorization, and accounting (AAA) architecture.

IP Suite
It uses TCP, which offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. It is more scalable and adapts to grow, as well as congested, networks.

Packet Encryption
It encrypts the entire body of the packet but leaves a standard header. Within the header is a field that indicates whether the body is encrypted. For debugging, the body of packets should be unencrypted. During normal operation, the packet is encrypted for more secure communications.

Multiprotocol Support
  • AppleTalk Remote Access (ARA) protocol
  • NetBIOS Frame Protocol Control protocol
  • Novell Asynchronous Services Interface (NASI)
  • X.25 PAD connection

Router Management
It provides two methods to control the authorization of router commands on a pre-user or per-group basis.

The amount of traffic generated between the client and the server differs. These examples illustrate the traffic between the client and server for TACACS when used with router management with AAA.


RADIUS is nothing but Remote Authentication Dial-In User Service, is a client-server protocol and software that enables remote authentication. The protocol was developed by Livingston Enterprises, Inc. and is an access server authentication and accounting protocol.

IP Suite
RADIUS is based on the User Datagram Protocol and is a client/server protocol. The below figure shows how the dial-in user and the RADIUS server communicates -

In order to run RADIUS all you need is a computer (ideally a server) with the appropriate system resources required for the chosen RADIUS server software you have chosen to use.

We just need the hardware that is required for the normal functioning of the software. Software depends on what features you need as there are a variety of RADIUS server packages that are available for installation. Some are OS dependent that they will run on only a specific OS and others will work on any OS you may need.

The server can act as a proxy client to other RADIUS servers or other kinds of authentication servers. Normally, it is used by ISPs for managing authentication, authorization, and accounting for internet services such as ADSL, dial-up, and various forms of broadband.

Have anything to share? Share it in the comments below.
Next Post »

Subscribe to our mailing list

* indicates required
Select your Interested Topics.