Remote Authentication Dial-In User Service (RADIUS) centrally authenticates users who connect through remote access or network access.
Assume a large company has employees who regularly go on the road to sell, consult, teach, or for other reasons. They still need access to the back-end network. RADIUS provides authentication when the employees dial in.
The company could have offices spread across the country, with users encouraged to dial in to the closest office. For example, when they're in California, they should dial in to a server in California. When in Florida, they should dial in to a server in Florida. Each server could hold authentication details for each employee in a local database. However, if this is done, whenever an employee is added to or removed from the database on one server, the database must be updated on every server in every region. This becomes too much work.
Instead, a RADIUS server is used for central authentication. All remote access servers send their authentication requests to the RADIUS server. In this way, only one authentication database (on the RADIUS server) needs to be maintained.
TACACS+ is a Cisco alternative to RADIUS. TACACS+ provides two significant benefits.
- It is more secure than RADIUS since it encrypts the entire authentication process (RADIUS only encrypts the password).
- It interacts with Kerberos, allowing it to work with Microsoft networks.
Good luck with your studies.
Darril Gibson