Remote Authentication Dial In User Service (RADIUS) is another popular authentication mechanism used in network environments, and is standardized in RFC 2138. RADIUS does not explicitly follow the AAA model; instead, it combines the authentication and authorization functions. Like TACACS+, a RADIUS implementation is made up of clients and servers. When a RADIUS client (such as a switch, router, or VPN server) receives an authentication request, it passes that request to its configured RADIUS server for validation. While similar in function to TACACS+, the two authentication mechanisms are completely separate and are not compatible. One major difference between the two is that TACACS+ uses TCP as its transport, while RADIUS uses UDP.
The Cisco Secure ACS product can also function as a RADIUS server. A variety of third-party RADIUS server solutions also exist. It has become increasingly common for vendors to build RADIUS client functionality into their network equipment, making it a great choice for authentication, authorization, and accounting functions in heterogeneous network environments.
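The client/server exchange described above, as an added example that is not part of the original page or any vendor's code: a client builds an Access-Request, a toy server answers it, and the single Access-Accept carries both the authentication result and an authorization attribute (Service-Type). Packet codes, attribute numbers and the MD5-based password hiding follow the RADIUS RFC; the function names, shared secret and user table are assumptions, and on a real network each packet would travel as one UDP datagram.

```python
# Added illustration: function names are hypothetical, field layout per the RADIUS RFC.
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6        # attribute types

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def crypt_password(data, secret, authenticator, decrypt=False):
    """User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    data = data if decrypt else data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def parse(packet):  # -> code, id, authenticator, attrs, packet trimmed to its length field
    if len(packet) < 20 or not 20 <= int.from_bytes(packet[2:4], "big") <= len(packet):
        raise ValueError("bad length")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs, packet[:length]

def build_request(ident, user, password, secret):
    auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, crypt_password(password, secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def server_reply(request, secret, users):
    """users: name -> (password, Service-Type). One reply authenticates and authorizes."""
    _, ident, req_auth, attrs, _ = parse(request)
    entry = users.get(attrs.get(USER_NAME, b""))
    password = crypt_password(attrs.get(USER_PASSWORD, b""), secret, req_auth, decrypt=True)
    ok = entry is not None and hmac.compare_digest(password, entry[0])
    code, body = (ACCESS_ACCEPT, attr(SERVICE_TYPE, struct.pack("!I", entry[1]))) if ok else (ACCESS_REJECT, b"")
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def check_reply(reply, request, secret):  # client side: verify Response Authenticator
    code, ident, auth, attrs, raw = parse(reply)
    expect = hashlib.md5(raw[:4] + request[4:20] + raw[20:] + secret).digest()
    return hmac.compare_digest(auth, expect) and ident == request[1], code, attrs
```

The client should act on a reply only when the first element returned by `check_reply` is true, since the Response Authenticator is what ties the reply to the shared secret and to the request that was sent.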