Exam 400-101 Question id=1233 Infrastructure Security

Which of the following statements are true regarding the differences between TACACS+ and RADIUS?

A. TACACS+ encrypts the entire body of a packet, whereas RADIUS encrypts only the password
B. TACACS+ combines authorization and authentication functions, whereas RADIUS separates authentication, authorization, and accounting functions
C. TACACS+ provides router command authorization capabilities, whereas RADIUS does not provide router command authorization capabilities
D. TACACS+ uses UDP, whereas RADIUS uses TCP
E. TACACS+ is an IETF standard protocol, whereas RADIUS was developed by Cisco

Terminal Access Controller Access Control System Plus (TACACS+) encrypts the entire body of a packet, whereas Remote Authentication Dial-In User Service (RADIUS) encrypts only the password; also, TACACS+ provides router command authorization capabilities, whereas RADIUS does not provide router command authorization capabilities. TACACS+ is a Cisco proprietary protocol used during Authentication, Authorization, and Accounting (AAA) operations. TACACS+ provides more security and flexibility than RADIUS; because TACACS+ can be used to encrypt the entire body of a packet, users who intercept the encrypted packet cannot view the user name or contents of the packet. TACACS+ provides more flexibility by separating the authentication, authorization, and accounting functions of AAA.

This enables more granular control of access to resources. TACACS+ gives administrators more control over access to configuration commands; users can be permitted or denied access to specific configuration commands. Because of this flexibility, TACACS+ is used with Cisco Secure Access Control Server (ACS), which is a software tool that is used to manage user authorization for router access.

RADIUS, not TACACS+, is an Internet Engineering Task Force (IETF) standard protocol. Like TACACS+, RADIUS is a protocol used with AAA operations.

However, RADIUS is less secure and less flexible than TACACS+. RADIUS encrypts only the password of a packet; the rest of the packet would be viewable if the packet was intercepted by a malicious user. With RADIUS, the authentication and authorization functions of AAA are combined into a single function, which limits the flexibility that administrators have when configuring these functions. Furthermore, RADIUS does not provide router command authorization capabilities.

TACACS+ uses Transmission Control Protocol (TCP) for transport. By contrast, RADIUS uses User Datagram Protocol (UDP) for packet delivery.