Understand Authentication
Authentication is a way of identifying a user before permitting access to the network and network services. When authentication is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user is granted access to a requested service only if the information in the user profile allows it. The Cisco NCS 4000 series uses a RADIUS or TACACS+ server to authenticate remote users.
RADIUS
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect to and use a network service. RADIUS is a client/server protocol that runs in the application layer and uses User Datagram Protocol (UDP) for transport.
The RADIUS server process runs in the background on a UNIX or Microsoft Windows server, and the client is the Cisco network element (NE). RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all the user authentication and network service access information.
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is a new protocol developed by Cisco and released as an open standard. TACACS+ is a security application that provides centralized validation of users attempting to gain access to a network element. TACACS+ uses TCP for transport. Because TCP is a connection-oriented protocol, TACACS+ does not have to implement transmission control. RADIUS, however, rides on UDP, which is connectionless, so it has to detect and correct transmission errors such as packet loss and timeouts itself.
RADIUS encrypts only the user password as it travels from the RADIUS client to the RADIUS server. All other information, for example the username, authorization, and accounting data, is transmitted in clear text. Therefore, it is vulnerable to various types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.