AAA and RADIUS vs TACACS+

In the context of AAA (Authentication, Authorization, and Accounting) frameworks such as RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus), EAP, PAP, and CHAP are the protocols that carry the authentication step itself: RADIUS or TACACS+ is the transport between the network access device and the AAA server, while EAP, PAP, or CHAP is the credential exchange that rides on it. Here's a breakdown of each:

1. EAP (Extensible Authentication Protocol)

  • Overview: EAP (RFC 3748) is not a single authentication method but a framework that carries one of many methods over a link-layer or point-to-point connection (PPP, IEEE 802.1X on wired and wireless networks).

  • Use Cases: Commonly used where strong, mutually authenticated logins are required, such as WPA/WPA2-Enterprise wireless networks and wired 802.1X port access, where the access point or switch relays the EAP conversation to a RADIUS server.

  • Features:

    • Extensibility: Supports various methods like EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled TLS), PEAP (Protected EAP), and more.

    • Security: Depends entirely on the method chosen. EAP-TLS authenticates both sides with certificates; PEAP and EAP-TTLS protect a weaker inner method (for example MSCHAPv2 or PAP) inside a server-authenticated TLS tunnel, so a client that does not validate the server certificate can be tricked into handing its inner credentials to a rogue access point.

2. PAP (Password Authentication Protocol)

  • Overview: PAP is a simple authentication protocol that uses a two-way handshake (Authenticate-Request from the peer, Authenticate-Ack or Authenticate-Nak from the authenticator) to validate a user. It transmits the username and password in clear text.

  • Use Cases: Acceptable only where another layer already protects the link, for example as the inner method of an EAP-TTLS tunnel, or between a NAS and a RADIUS server joined by IPsec or RADIUS/TLS. It is also the only option when the server stores passwords as one-way hashes, since a challenge/response scheme needs the plaintext on the server side.

  • Features:

    • Simplicity: Easy to implement, but offers no protection on the wire by itself.

    • Clear Text Transmission: Username and password are sent in plain text, so anyone who can capture the link can read them and replay them later.

3. CHAP (Challenge-Handshake Authentication Protocol)

  • Overview: CHAP provides more security than PAP by using a three-way handshake (Challenge, Response, Success or Failure) and sending a hash of the password combined with a random challenge, so the password itself never appears on the wire.

  • Use Cases: Used in environments where a higher level of security is needed compared to PAP.

  • Features:

    • Challenge-Response Mechanism: The authenticator sends a random challenge together with an Identifier byte; the peer replies with MD5(Identifier || secret || challenge) (RFC 1994); the authenticator recomputes the same value from its stored copy of the secret and compares. Two consequences follow: the server must hold the password in cleartext or reversibly encrypted form, and an attacker who captures one challenge/response pair can test password guesses offline.

    • Periodic Re-authentication: The authenticator may send new challenges at any time during the session, so a hijacked link cannot stay up without the secret.

    • No Clear Text Password: Only the MD5 hash is transmitted. This is hashing, not encryption: the server decrypts nothing, it recomputes the expected value and compares.
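The CHAP exchange above, as an added Python illustration (not code from the original page or from any PPP or RADIUS implementation): the peer computes the response, the authenticator verifies it, and a passive eavesdropper holding the captured pair tries guesses offline. The secret, Identifier, and wordlist are constructed demo values.

```python
import hashlib
import hmac
import os

# Added illustration of CHAP (RFC 1994). The secret and wordlist below are
# constructed for the demo, not taken from any real system.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response = MD5(Identifier || secret || challenge), 16 bytes.
    The secret itself is never put on the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from the stored secret and compare.
    This is why a CHAP server needs the cleartext (or reversibly encrypted)
    password; a one-way salted hash in the user database cannot answer a challenge."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """What a passive eavesdropper can do with one captured challenge/response:
    test guesses offline until one reproduces the response, or give up (None)."""
    for guess in candidates:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def demo() -> dict:
    secret = b"correct horse"      # constructed password
    ident = 0x2A                   # Identifier carried in the Challenge packet
    challenge = os.urandom(16)     # authenticator picks a fresh random challenge each round
    response = chap_response(ident, secret, challenge)

    return {
        "valid": chap_verify(ident, secret, challenge, response),
        # the Identifier is bound into the hash, so a response for another round is rejected
        "wrong_identifier": chap_verify(ident + 1, secret, challenge, response),
        # replaying an old response against a new challenge fails
        "replayed": chap_verify(ident, secret, os.urandom(16), response),
        # but whoever captured (ident, challenge, response) can guess the secret offline
        "cracked": chap_offline_guess(ident, challenge, response,
                                      [b"password", b"letmein", b"correct horse", b"hunter2"]),
    }


if __name__ == "__main__":
    print(demo())
```

The replay and wrong-identifier checks show what the challenge and Identifier buy you; the last entry shows what they do not: a single capture is enough for an offline dictionary attack, which is why CHAP on its own is only a moderate step up from PAP.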

Comparison and Use in AAA Frameworks

  • EAP: Offers the most flexibility and, with a certificate-based method such as EAP-TLS, the strongest security of the three, making it the standard choice for 802.1X networks.

  • PAP: The least secure method on its own; suitable only where a lower layer already encrypts the exchange (a TLS tunnel, IPsec, or RADIUS/TLS), or where the server can only verify one-way password hashes.

  • CHAP: Better than PAP because the password never crosses the wire, but its MD5 response is open to offline guessing from a single capture, it requires cleartext-recoverable passwords on the server, and it cannot be extended with certificates or mutual authentication, so it fits moderate-security links rather than modern enterprise access.

In AAA frameworks like RADIUS and TACACS+, these protocols can be used depending on the specific security requirements and the nature of the network environment. RADIUS (UDP ports 1812/1813, or 1645/1646 in older deployments) carries PAP, CHAP, MS-CHAP, and EAP (the latter wrapped in EAP-Message attributes per RFC 3579), which is why it fronts 802.1X and VPN user authentication. TACACS+ (TCP port 49) carries ASCII login, PAP, CHAP, and MS-CHAP but not EAP; it is built for device administration, separating authentication from authorization so the server can approve or deny each CLI command and account for it individually.

Transport security is the other practical difference. TACACS+ obfuscates the entire packet body (only the 12-byte header is in clear) with an MD5-derived keystream computed from the shared key, so usernames, commands, and responses are not readable on the wire. RADIUS hides only the User-Password attribute with a similar MD5 construction; User-Name and every other attribute travel in clear text. Neither mechanism is modern encryption: RFC 8907 itself says the TACACS+ obfuscation is not to be regarded as secure, and both shared secrets can be attacked offline from captured traffic, so the AAA path should run over IPsec or, for RADIUS, RadSec (RADIUS over TLS, RFC 6614).
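To make the difference concrete, here is an added Python illustration (not code from the original page or from any RADIUS or TACACS+ implementation) that builds a minimal RADIUS Access-Request with the RFC 2865 User-Password hiding and obfuscates a TACACS+ authentication START body with the RFC 8907 pseudo-pad, then checks what is visible on the wire. The shared secrets, username, and password are constructed demo values.

```python
import hashlib
import os

# Constructed demo secrets, not real deployment values.
RADIUS_SECRET = b"radius-shared-secret"
TACACS_KEY = b"tacacs-shared-key"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: null-pad to a 16-byte multiple, then XOR each block
    with MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        block = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password: what the server (or anyone who knows the secret) does."""
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        out += xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes) -> bytes:
    """Minimal RADIUS Access-Request (code 1) with User-Name (type 1) and
    User-Password (type 2). Only User-Password is hidden; everything else is sent as-is."""
    request_auth = os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, request_auth)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    length = 20 + len(attrs)
    return bytes([1, 0x2A]) + length.to_bytes(2, "big") + request_auth + attrs


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_i = MD5(session_id, key, version, seq_no, MD5_i-1), concatenated and truncated to n."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:n]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the whole packet body with the pseudo-pad; applying it twice restores the body.
    The 12-byte TACACS+ header (version, type, seq_no, flags, session_id, length) stays in clear."""
    return xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


def demo() -> dict:
    username, password = b"alice", b"S3cret!pw"
    radius_pkt = radius_access_request(username, password, RADIUS_SECRET)

    # TACACS+ authentication START body (RFC 8907 section 5.1), constructed here:
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN, then the field lengths.
    session_id = int.from_bytes(os.urandom(4), "big")
    tac_body = bytes([1, 1, 1, 1, len(username), 0, 0, 0]) + username
    tac_wire = tacacs_obfuscate(tac_body, session_id, TACACS_KEY)

    return {
        "radius_username_visible": username in radius_pkt,
        "radius_password_visible": password in radius_pkt,
        "tacacs_username_visible": username in tac_wire,
        "tacacs_roundtrip_ok": tacacs_obfuscate(tac_wire, session_id, TACACS_KEY) == tac_body,
    }


if __name__ == "__main__":
    print(demo())
```

Both constructions are just MD5 keystreams keyed by the shared secret, which is why a captured packet plus a guessable secret exposes everything; the protection they give is against casual sniffing, not against a determined attacker with the capture in hand.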
