FortiGate
HarshChavda
Staff
Article Id 274887
Description This article provides a comprehensive comparison between RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) as they are implemented on FortiGates. 
Scope RADIUS and TACACS+ protocols, FortiGate.
Solution

RADIUS and TACACS+ are two of the most widely used protocols for remote authentication and access control. Both are supported by FortiGate.

Definitions:

  • RADIUS Server: A centralized server that is responsible for receiving authentication requests, verifying credentials, and returning the configuration information required for the client to deliver services to the user.
  • TACACS+ Server: A centralized server that handles authentication, authorization, and accounting separately and interacts with the network access server to grant or deny access.
  • RADIUS Client: A network device, such as a VPN server or a FortiGate, that sends authentication requests to a RADIUS server.
  • TACACS+ Client: A network device, such as a FortiGate, that communicates with the TACACS+ server to authenticate and authorize users. 

Key Differences:

  • Protocol and transport mechanism: RADIUS uses User Datagram Protocol (UDP) for transport. TACACS+ uses Transmission Control Protocol (TCP) for transport.
  • Port Numbers: RADIUS uses port 1812 for authentication and 1813 for accounting. TACACS+ uses port 49 for all AAA services.
  • Primary Functions: RADIUS provides Authentication, Authorization, and Accounting (AAA), but handles authentication and authorization together in a single exchange. TACACS+ also provides AAA but separates authentication, authorization, and accounting into distinct processes.
  • Encryption: RADIUS encrypts only the password field in the packet, leaving other attributes such as the username in plaintext, whereas TACACS+ encrypts the entire packet body, providing a more secure communication channel.
  • Flexibility and Granular control: RADIUS offers limited flexibility in authorization and relies on pre-defined attributes sent from the server. TACACS+ provides granular control over authorization, allowing command-level permissions and custom attributes.
  • Session Management: RADIUS does not support session multiplexing, so each service (authentication, authorization, accounting) may require a new session. TACACS+ supports session multiplexing, allowing multiple services to be handled within a single session.
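The Encryption bullet is the difference most often misread, so here is a worked illustration. It is an added example and is not part of the Fortinet article: it builds a RADIUS Access-Request and a TACACS+ authentication START packet using the published algorithms (RFC 2865 section 5.2 for hiding the RADIUS User-Password attribute, RFC 8907 section 4.5 for obfuscating the TACACS+ body) and then checks which fields a passive observer can read without the shared secret. The shared secret, Request Authenticator, session id, port and remote address are constructed sample values, and the function names are the example's own. Both mechanisms are MD5 keystreams derived from the shared secret rather than modern authenticated encryption, so the strength of the secret and the network path between the FortiGate and the AAA server matter in either case.

```python
"""Added example, not from the Fortinet article: which fields of a RADIUS
Access-Request and a TACACS+ authentication START packet are readable on the
wire without the shared secret. Implements RFC 2865 s5.2 (User-Password
hiding) and RFC 8907 s4.5 (TACACS+ body obfuscation). All secrets, ids and
addresses below are constructed sample values."""
import hashlib
import struct


# --- RADIUS (RFC 2865) ------------------------------------------------------

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple, then XOR each block with MD5(secret + previous
    block), the first 'previous block' being the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_radius_access_request(username: bytes, password: bytes, secret: bytes,
                                authenticator: bytes, identifier: int = 1) -> bytes:
    """Code 1 = Access-Request. User-Name (type 1) goes in the clear; only
    User-Password (type 2) is hidden."""
    attrs = radius_attribute(1, username)
    attrs += radius_attribute(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


# --- TACACS+ (RFC 8907) -----------------------------------------------------

TAC_PLUS_VERSION = 0xC0   # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01    # packet type: authentication


def tacacs_keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id + key + version + seq_no);
    pad_n = MD5(session_id + key + version + seq_no + pad_{n-1}); concatenate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    stream, prev = b"", b""
    while len(stream) < length:
        prev = hashlib.md5(seed + prev).digest()
        stream += prev
    return stream[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the keystream; calling it again on the output restores the body."""
    stream = tacacs_keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, stream))


def build_tacacs_authen_start(username: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """Authentication START (RFC 8907 s5.1): action LOGIN, priv_lvl 1, authen_type
    ASCII, service LOGIN, then the user/port/rem_addr/data strings. The whole
    body, username included, is obfuscated; only the 12-byte header is clear."""
    port, rem_addr, data = b"tty0", b"198.51.100.7", b""   # constructed values
    body = struct.pack("!8B", 1, 1, 1, 1, len(username), len(port), len(rem_addr), len(data))
    body += username + port + rem_addr + data
    flags = 0   # TAC_PLUS_UNENCRYPTED_FLAG not set, so the body is obfuscated
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


# --- What an observer without the secret can see ----------------------------

def visible_strings(packet: bytes, *needles: bytes) -> dict:
    """True for each needle that appears verbatim in the packet bytes."""
    return {n.decode(): n in packet for n in needles}


def demo() -> dict:
    secret = b"example-shared-secret"      # constructed; use a long random secret
    authenticator = bytes(range(16))        # constructed; real ones are random
    user, password = b"vpnuser", b"Correct-Horse"
    radius_pkt = build_radius_access_request(user, password, secret, authenticator)
    tacacs_pkt = build_tacacs_authen_start(user, secret, session_id=0x1234ABCD)
    return {"radius": visible_strings(radius_pkt, user, password),
            "tacacs": visible_strings(tacacs_pkt, user)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `{'radius': {'vpnuser': True, 'Correct-Horse': False}, 'tacacs': {'vpnuser': False}}`: the RADIUS username is readable on the wire while the password is not, and nothing in the TACACS+ body is readable. The same `tacacs_obfuscate` call also deobfuscates a received body, because the transform is a plain XOR with the keystream.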

RADIUS with FortiGate:

  • VPN Authentication: FortiGate commonly uses RADIUS for VPN user authentication. It is straightforward to set up and integrates well with FortiGate's VPN functionalities.
  • FortiToken Integration: To implement two-factor authentication (2FA) in the FortiGate environment, RADIUS integrates seamlessly with FortiToken.
  • FortiAnalyzer Reporting: FortiGate's RADIUS implementation can be easily integrated with FortiAnalyzer for generating detailed reports and analytics related to user authentication and activities.
  • Scalability: Given that RADIUS is UDP-based and has lower overhead, it's often considered more scalable, making it suitable for larger FortiGate deployments.


TACACS+ with FortiGate:

  • Administrative Access: TACACS+ is often the go-to choice for managing administrative access to FortiGate devices. It allows for granular, command-level control over what each admin can and cannot do.
  • FortiManager Integration: TACACS+ can be integrated with FortiManager for centralized policy and device management, making it easier to manage complex configurations across multiple FortiGate devices.
  • Enhanced Security: TACACS+ encrypts the entire payload, providing an extra layer of security that aligns well with FortiGate's focus on robust network security.
  • Advanced Auditing: If the FortiGate environment is subject to strict compliance requirements, TACACS+ offers more detailed accounting and auditing capabilities.

The choice between RADIUS and TACACS+ in a FortiGate environment hinges on various factors, including the scale of the deployment, security requirements, and the level of control needed over user activities.

While RADIUS may be more suitable for large-scale, less command-specific tasks, TACACS+ excels in high-security environments requiring detailed command authorization and auditing.

Related documents:

  1. Configuring a RADIUS server
  2. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-TACACS-authentication-and...