
Alepo Whitepaper

The CSP Guide to AAA Protocol Strategy: Understanding RADIUS, Diameter, and TACACS+ in Converged Networks

Contents 

  1. Executive Summary

  2. What Are AAA Protocols and Why Do CSPs Depend on Them?

  3. RADIUS: The Access-Layer Standard

  4. Diameter: The Mobile Core Standard

  5. TACACS+: Device Administration Security

  6. Protocol Comparison: Head-to-Head

  7. Which Protocol Should CSPs Use? A Decision Framework

  8. The Role of Centralized AAA Platforms

  9. Conclusion: One Coherent Strategy

 

  1. Executive Summary 

Every subscriber session on a modern CSP network begins the same way: an invisible sequence of authentication, authorization, and accounting decisions that determines who gets access, what they can do, and how that session is recorded for billing and compliance. For communication service providers, the protocols governing this sequence (RADIUS, Diameter, and TACACS+) are not interchangeable alternatives. They are complementary tools, each designed for a distinct domain, and deploying them correctly is a foundational architectural decision. 

This white paper provides CSP architects, network engineers, and technology evaluators with a clear technical framework for understanding each protocol, comparing them against each other, and deploying them where they were designed to operate. 

Three key findings frame the analysis that follows: 

  • RADIUS remains the dominant standard at the access layer (broadband subscriber authentication, WiFi and hotspot access, and MVNO interfacing), where its simplicity and universal device support outweigh its architectural constraints. 

  • Diameter is the protocol of the mobile core, adopted by 3GPP as the signaling language for 4G/LTE networks and critical in hybrid 5G deployments. Its reliability, extensibility, and 3GPP alignment make it the only viable choice for HSS, PCRF, and OCS integration. 

  • TACACS+ operates in a fundamentally different domain: not subscriber authentication, but administrative access control for the network devices themselves. Its per-command authorization and per-command accounting make it the right choice for NOC and engineering team access management. 

A well-architected CSP network uses all three. The goal is not to choose one protocol but to build a multi-protocol AAA strategy managed through a centralized platform capable of handling CSP-scale subscriber volumes. 

 

  2. What Are AAA Protocols and Why Do CSPs Depend on Them? 

AAA stands for Authentication, Authorization, and Accounting. These three functions form the backbone of access control in every network: 

  • Authentication answers: Who are you? It verifies subscriber identity through credentials, SIM cards, certificates, or tokens. 

  • Authorization answers: What are you allowed to do? It applies subscriber policies, data caps, service entitlements, and QoS parameters. 

  • Accounting answers: What did you do, and for how long? It generates the session records needed for billing, regulatory compliance, and network analytics. 

For a consumer streaming video over 4G, this entire cycle completes in milliseconds. For a CSP managing millions of concurrent subscribers, AAA systems must handle this at massive scale, reliably, securely, and without introducing latency that degrades user experience. 

Centralized AAA infrastructure makes this possible. RADIUS, Diameter, and TACACS+ are the protocols through which network elements communicate with that infrastructure. Each was designed to solve a different problem in a different network context, and understanding those origins is essential to deploying them correctly. 

Why Protocol Choice Matters 

The wrong protocol in the wrong context does not just create technical debt; it creates operational risk. A mobile core built on RADIUS instead of Diameter lacks the reliability guarantees that HSS-MME signaling demands. A device administration framework built on RADIUS instead of TACACS+ loses per-command authorization and the per-command audit trail. Protocol decisions set the architecture for years. 

  3. RADIUS: The Access-Layer Standard 

What Is RADIUS? 

RADIUS (Remote Authentication Dial-In User Service) was developed in the early 1990s to handle dial-up subscriber authentication and was standardized by the IETF in RFC 2865. Three decades later, it remains one of the most widely deployed authentication protocols in the world, a testament to the power of simplicity and ubiquity. Virtually every network device, access point, and broadband platform supports RADIUS out of the box. 

Understanding RADIUS means understanding its design choices and their trade-offs: 

  • UDP transport. RADIUS uses UDP as its transport protocol, which keeps overhead low and deployment simple. The trade-off is reliability: UDP does not guarantee delivery, and RADIUS has no native failover beyond client-side retransmission and the secondary-server list configured on each NAS. RADIUS over TCP (RFC 6613) and RADIUS over TLS (RFC 6614, often called RadSec) exist and are common in roaming federations, but UDP remains the default on access equipment. 

  • Combined authentication and authorization. RADIUS merges these two AAA functions into a single exchange. This streamlines deployment but limits flexibility for complex policy scenarios where authentication and authorization need to be managed independently. 

  • Partial protection. RADIUS hides only the User-Password attribute, and it does so with an MD5-based keystream derived from the shared secret rather than with modern encryption; every other attribute (User-Name, NAS identity, Calling-Station-Id, accounting data) crosses the wire in cleartext. Packet integrity rests on an MD5 Response Authenticator plus the optional HMAC-MD5 Message-Authenticator attribute. The 2024 Blast-RADIUS attack (CVE-2024-3596) showed that an on-path attacker can turn an Access-Reject into an Access-Accept when Message-Authenticator is not required. In security-sensitive environments the compensating controls are therefore to require Message-Authenticator on every packet and to carry RADIUS over IPsec or RADIUS/TLS between NAS and AAA server. 

  • Broad compatibility. RADIUS attributes are supported across virtually every vendor’s access equipment, making it the practical choice for heterogeneous environments where interoperability matters more than protocol sophistication. 
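The design choices above are easiest to see on the wire. The following is an added example, not code from the whitepaper or from Alepo's platform: it builds an Access-Request exactly as RFC 2865 and RFC 2869 describe (User-Password hiding, Message-Authenticator, Response Authenticator) so that a reader can check for themselves which bytes a passive observer gets to read. The user name, shared secret, NAS address, and fixed Request Authenticator are constructed sample values; a real client must draw the Request Authenticator from a CSPRNG for every request.

```python
"""RADIUS (RFC 2865/2869) Access-Request and Access-Accept, showing what the protocol protects.
Added example, not Alepo's code; user, secret and addresses are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 8, 80


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16 octets, then XOR each block with MD5(secret || previous block).
    A keyed MD5 keystream, not authenticated encryption, and the only confidentiality RADIUS offers."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password: anyone holding the shared secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type(1) Length(1, includes these two octets) Value: the 253-octet value limit is structural."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute values are limited to 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, nas_ip) + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # RFC 2869 s5.14: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def iter_attrs(pkt):
    """Yields (type, value_start, value_end); refuses lengths that would run past the packet."""
    i = 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        yield pkt[i], i + 2, i + pkt[i + 1]
        i += pkt[i + 1]


def get_attr(pkt, atype):
    return next((pkt[s:e] for t, s, e in iter_attrs(pkt) if t == atype), None)


def verify_message_authenticator(pkt, secret):
    """Fail closed: a packet without a Message-Authenticator is treated as unverified."""
    for t, s, e in iter_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR and e - s == 16:
            expected = hmac.new(secret, pkt[:s] + b"\x00" * 16 + pkt[e:], hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[s:e])
    return False


def build_access_accept(request_pkt, secret, attrs=b""):
    head = struct.pack("!BBH", ACCESS_ACCEPT, request_pkt[1], 20 + len(attrs))
    # RFC 2865 s3: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    return head + hashlib.md5(head + request_pkt[4:20] + attrs + secret).digest() + attrs


def verify_response(resp, request_auth, secret):
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

Running `build_access_request` and searching the returned bytes shows the User-Name and NAS-IP-Address attributes verbatim; only the 16-octet User-Password value is transformed. Note that `verify_message_authenticator` returns False when the attribute is absent, which is the behaviour a server should have after Blast-RADIUS; a server that accepts packets without it is relying on the MD5 Response Authenticator alone.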

Where RADIUS Fits in CSP Networks 

RADIUS belongs at the access layer, the point where subscribers connect to the network. Its deployment profile in CSP environments typically covers: 

  • Broadband ISP subscriber authentication: PPPoE and IPoE session setup for DSL, fiber, and fixed wireless customers, where RADIUS handles the credential exchange between the access node and the subscriber database. 

  • WiFi and hotspot authentication: 802.1X-based access control for enterprise and public WiFi networks. 802.1X carries EAP between the client and the access point, and the access point relays that EAP exchange to the authentication server inside RADIUS (RFC 3579), so RADIUS is the natural choice for any 802.1X deployment. With EAP methods such as EAP-TLS or PEAP the user credential is protected by the EAP tunnel rather than by RADIUS itself. 

  • MVNO access management: RADIUS acts as the integration layer between an MVNO's subscriber database and the host MNO's access network, translating MVNO subscriber policies into the format the host network understands. 

  • VPN and remote access: Enterprise VPN gateways and remote access servers use RADIUS to authenticate users connecting from outside the corporate network. 

RADIUS is not a legacy protocol to be retired. It is the right protocol for access-layer authentication scenarios, and its longevity reflects the fact that simplicity and universal compatibility have genuine operational value. The key is pairing RADIUS with a modern AAA platform that enforces sophisticated policies on top of the protocol, compensating for its architectural limitations while preserving its compatibility advantages. 

RADIUS Deployment Consideration 

In broadband deployments, RADIUS session accounting can generate substantial traffic volume at scale. Sizing the AAA infrastructure to handle peak subscriber concurrency—not average load—is critical. A modern centralized AAA platform handles this through horizontal scaling and load distribution across multiple RADIUS server instances. 

  4. Diameter: The Mobile Core Standard 

What Is Diameter? 

Diameter, first specified in RFC 3588 (2003) and revised in RFC 6733, was designed explicitly to address the shortcomings of RADIUS as network architectures grew more complex. The name is intentional: Diameter is literally twice the RADIUS, a mathematical joke embedded in a protocol specification. More practically, Diameter represents a ground-up redesign of AAA signaling for modern network demands. 

The architectural differences from RADIUS are fundamental: 

  • TCP and SCTP transport. Diameter uses reliable, ordered transport protocols, eliminating the delivery uncertainty of UDP. This is not a minor improvement: in mobile core signaling, where a lost authentication message means a failed subscriber attach, reliability at the transport layer is a requirement, not a preference. 

  • Transport-layer security for the whole message. RFC 6733 requires every Diameter node to support TLS over TCP or DTLS over SCTP (IPsec is also permitted), so the entire message, not just a password field, is protected in transit without additional compensating controls. The caveat is that this protection is hop-by-hop: each agent in the path (DRA, DEA, relay) terminates the secure connection and handles messages in the clear, so agents are trusted components and roaming edges need their own screening controls. 

  • Fully separated AAA functions. Unlike RADIUS, which combines authentication and authorization, Diameter treats all three AAA functions as independent operations. This enables more granular control, richer session state management, and the kind of multi-step policy enforcement that mobile networks demand. 

  • Extensible attribute framework. Diameter's Attribute-Value Pairs (AVPs) provide a fully extensible schema for carrying protocol-specific data: a 32-bit code, an optional vendor ID, and a mandatory (M) bit. A receiver that does not understand an AVP with the M bit set rejects the message with DIAMETER_AVP_UNSUPPORTED, while an unrecognized AVP without it is simply ignored. That rule is what lets new AVPs be defined for new use cases without breaking peers, essential in a protocol that must evolve alongside 3GPP specifications. 

  • Peer-to-peer architecture. Diameter supports direct peer-to-peer communication between network elements, with built-in failover and redundancy mechanisms: a capabilities exchange when a connection is opened, device watchdog (DWR/DWA) probes to detect a dead peer, and failover of pending requests to an alternate peer. This contrasts with RADIUS's fundamentally client-server model. 
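The AVP format and the mandatory-bit rule described above are small enough to implement directly. The following is an added example, not code from the whitepaper or from Alepo's platform: it encodes and decodes RFC 6733 headers and AVPs, builds the Capabilities-Exchange-Request that opens every Diameter connection, and shows a receiver applying the rule from RFC 6733 section 4.1, ignoring an unknown optional AVP but answering DIAMETER_AVP_UNSUPPORTED (5001) with a Failed-AVP when the unknown AVP carries the M bit. The host names, the hop-by-hop and end-to-end identifiers, and the vendor-specific AVP code and vendor ID used in the test are hypothetical.

```python
"""Diameter (RFC 6733) header/AVP codec with the M-bit rule that keeps AVP extensions backward compatible.
Added example, not Alepo's code; host names and the vendor-specific AVP are hypothetical."""
import struct

AVP_VENDOR, AVP_MANDATORY = 0x80, 0x40
HDR_REQUEST = 0x80
CER = 257                                          # Capabilities-Exchange-Request command code
ORIGIN_HOST, ORIGIN_REALM, HOST_IP_ADDRESS, VENDOR_ID, PRODUCT_NAME = 264, 296, 257, 266, 269
RESULT_CODE, FAILED_AVP = 268, 279
DIAMETER_SUCCESS, DIAMETER_AVP_UNSUPPORTED = 2001, 5001
# AVPs this (toy) receiver understands, keyed by (vendor_id, code); None = IETF base protocol.
KNOWN_AVPS = {(None, c) for c in (ORIGIN_HOST, ORIGIN_REALM, HOST_IP_ADDRESS,
                                  VENDOR_ID, PRODUCT_NAME, RESULT_CODE, FAILED_AVP)}


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """AVP = code(4) flags(1) length(3) [vendor-id(4)] data, padded to 4 octets; padding is not in length."""
    flags, vend = (AVP_MANDATORY if mandatory else 0), b""
    if vendor_id is not None:
        flags |= AVP_VENDOR
        vend = struct.pack("!I", vendor_id)
    length = 8 + len(vend) + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vend + data + b"\x00" * (-len(data) % 4)


def decode_avps(buf):
    """Returns (code, vendor_id, mandatory, data) tuples; rejects truncated or overlong AVPs."""
    avps, i = [], 0
    while i < len(buf):
        if len(buf) - i < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[i:i + 5])
        length = int.from_bytes(buf[i + 5:i + 8], "big")
        hdr = 12 if flags & AVP_VENDOR else 8
        if length < hdr or i + length > len(buf):
            raise ValueError("bad AVP length")
        vendor = struct.unpack("!I", buf[i + 8:i + 12])[0] if flags & AVP_VENDOR else None
        avps.append((code, vendor, bool(flags & AVP_MANDATORY), buf[i + hdr:i + length]))
        i += length + (-length % 4)
    return avps


def encode_message(command, app_id, hbh, e2e, avps, request):
    """20-octet header: version(1) length(3) flags(1) command(3) app-id(4) hop-by-hop(4) end-to-end(4)."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([HDR_REQUEST if request else 0])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)


def decode_message(pkt):
    if len(pkt) < 20 or pkt[0] != 1 or int.from_bytes(pkt[1:4], "big") != len(pkt):
        raise ValueError("not a well-formed Diameter message")
    app_id, hbh, e2e = struct.unpack("!III", pkt[8:20])
    return {"command": int.from_bytes(pkt[5:8], "big"), "request": bool(pkt[4] & HDR_REQUEST),
            "app_id": app_id, "hbh": hbh, "e2e": e2e, "avps": decode_avps(pkt[20:])}


def build_cer(extra_avps=()):
    """CER as a hypothetical DRA would send it; Product-Name must not carry the M bit."""
    avps = [encode_avp(ORIGIN_HOST, b"dra1.example.net"), encode_avp(ORIGIN_REALM, b"example.net"),
            encode_avp(HOST_IP_ADDRESS, struct.pack("!H4B", 1, 192, 0, 2, 1)),   # AddressType 1 = IPv4
            encode_avp(VENDOR_ID, struct.pack("!I", 0)),
            encode_avp(PRODUCT_NAME, b"example-dra", mandatory=False)]
    return encode_message(CER, 0, 0x1001, 0x20001, avps + list(extra_avps), request=True)


def answer(request_pkt):
    """Receiver side of RFC 6733 s4.1: unknown AVP with M set => 5001 plus Failed-AVP; M clear => ignored.
    Hop-by-hop and end-to-end identifiers are echoed so the sender can match the answer."""
    req = decode_message(request_pkt)
    unsupported = [a for a in req["avps"] if (a[1], a[0]) not in KNOWN_AVPS and a[2]]
    avps = [encode_avp(ORIGIN_HOST, b"hss1.example.net"), encode_avp(ORIGIN_REALM, b"example.net")]
    if unsupported:
        code, vendor, _, data = unsupported[0]
        avps.append(encode_avp(RESULT_CODE, struct.pack("!I", DIAMETER_AVP_UNSUPPORTED)))
        avps.append(encode_avp(FAILED_AVP, encode_avp(code, data, True, vendor)))   # grouped AVP
    else:
        avps.append(encode_avp(RESULT_CODE, struct.pack("!I", DIAMETER_SUCCESS)))
    return encode_message(req["command"], req["app_id"], req["hbh"], req["e2e"], avps, request=False)


def result_code(answer_pkt):
    for code, vendor, _, data in decode_message(answer_pkt)["avps"]:
        if (vendor, code) == (None, RESULT_CODE):
            return struct.unpack("!I", data)[0]
    return None
```

The length checks in `decode_avps` and `decode_message` are the part worth copying: Diameter carries length fields at both the message and AVP level, and a DRA that trusts the inner lengths without bounding them against the outer one is reading past the buffer on the first malformed message from a roaming partner.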

Diameter in 4G/LTE and 5G Networks 

The defining moment for Diameter came when 3GPP adopted it as the signaling protocol for 4G/LTE core networks. Today, Diameter is the language that LTE network elements speak to each other across the interfaces that matter most: 

  • S6a interface: Authentication and subscription data exchange between the MME (Mobility Management Entity) and HSS (Home Subscriber Server). 

  • Gx interface: Policy communication between the P-GW and PCRF (Policy and Charging Rules Function), enabling dynamic policy enforcement for QoS and traffic management. 

  • Gy interface: Online charging between the P-GW and OCS (Online Charging System), supporting real-time credit control for prepaid and postpaid subscribers. 

  • Cx/Dx interfaces: IMS registration and subscriber data management for VoLTE and rich communication services. 

In 5G standalone architectures, the HTTP/2-based Service-Based Interface (SBI) handles many functions that Diameter served in 4G. However, Diameter remains critical in two important 5G contexts: non-standalone (NSA) 5G deployments that anchor to the 4G core, and the interworking gateways that connect 4G and 5G networks for roaming and handover scenarios. For most CSPs, Diameter will remain a core operational competency for the remainder of this decade. 

Diameter Routing Agents 

At scale, Diameter traffic management requires Diameter Routing Agents (DRAs) and Diameter Edge Agents (DEAs). DRAs distribute signaling load across multiple server instances and handle failover. DEAs secure roaming interfaces between operators. Planning the DRA/DEA topology is as important as planning the Diameter servers themselves and a centralized AAA platform typically includes DRA functionality as an integrated capability. 

  5. TACACS+: Device Administration Security 

What Is TACACS+? 

TACACS+ (Terminal Access Controller Access-Control System Plus) is frequently grouped with RADIUS and Diameter in AAA discussions, but its domain is fundamentally different. Where RADIUS and Diameter authenticate subscribers accessing network services, TACACS+ authenticates the engineers and administrators accessing the network devices themselves. 

This distinction matters architecturally. TACACS+ was purpose-built for device administration scenarios, and its design reflects that focus: 

  • TCP transport with an obfuscated body. TACACS+ hides the entire packet body (credentials, the commands executed, the responses returned, and all session arguments), while the 12-byte header (version, type, sequence number, flags, session ID, length) stays in cleartext. The hiding is an XOR against an MD5-derived keystream seeded from the shared key and the session ID; RFC 8907 explicitly calls this obfuscation rather than encryption and recommends running TACACS+ over IPsec or TLS between devices and the server. It is still a meaningful improvement over RADIUS, which hides only the password. 

  • Fully separated AAA model. TACACS+ separates authentication, authorization, and accounting into independent operations. A network operator can authenticate an engineer through Active Directory while applying a completely separate authorization policy that controls exactly which CLI commands that engineer can execute on each device. 

  • Command-level authorization. This is TACACS+'s defining capability. Authorization decisions are made per command, not only per session: the device sends each command to the server as an authorization request (service=shell, cmd=..., cmd-arg=...) before executing it, and the server answers PASS or FAIL. An engineer can be permitted to run 'show' commands but blocked from 'configure terminal', or permitted to configure interfaces but blocked from modifying routing protocols. 

  • Complete audit logging. Every command executed in a TACACS+ session is logged with timestamp, device, and user identity. This creates the audit trail that compliance frameworks require for privileged access to network infrastructure. 

  • Cisco-originated, not a Standards Track protocol. TACACS+ was developed by Cisco. The IETF eventually documented it as RFC 8907 (2020), an Informational RFC that describes the protocol as deployed rather than standardizing it. Despite broad support across vendors, the absence of a Standards Track specification creates long-term dependency considerations that CSPs should factor into their architecture decisions. 
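The two points above, body obfuscation and per-command decisions, fit in one exchange. The following is an added example, not code from the whitepaper or from Alepo's platform: it builds a TACACS+ authorization REQUEST as RFC 8907 lays it out, applies the MD5-keystream body obfuscation from section 4.5, and implements a server that de-obfuscates the body, evaluates the command against a role policy, and returns the REPLY with the sequence number incremented. The users, roles, allow and deny patterns, shared key and session ID are hypothetical.

```python
"""TACACS+ (RFC 8907) authorization exchange: cleartext header, MD5-keystream body obfuscation,
and a server-side per-command policy. Added example, not Alepo's code; users, roles and key are hypothetical."""
import hashlib
import re
import struct

TAC_PLUS_MAJOR_VER = 0xC
VERSION = (TAC_PLUS_MAJOR_VER << 4) | 0x0          # 0xC0: major 12, minor 0
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_METH_TACACSPLUS, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_FAIL = 0x01, 0x10


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(... |MD5_n-1); concatenate."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the keystream; the same call reverses it. Unauthenticated, so wrap the TCP session in TLS/IPsec."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def packet(ptype, seq_no, session_id, body, key, version=VERSION):
    """12-byte header is sent in the clear: version, type, seq_no, flags, session_id, body length."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def author_request_body(user, port, rem_addr, args, priv_lvl=1):
    ub, pb, rb, ab = user.encode(), port.encode(), rem_addr.encode(), [a.encode() for a in args]
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(ub), len(pb), len(rb), len(ab))
    return fixed + bytes(len(a) for a in ab) + ub + pb + rb + b"".join(ab)


def author_request_packet(session_id, key, user, args):
    """What a device sends before executing a CLI command (seq_no 1 opens the authorization session)."""
    return packet(TAC_PLUS_AUTHOR, 1, session_id, author_request_body(user, "tty1", "203.0.113.7", args), key)


def parse_author_request(body):
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens, i, fields = list(body[8:8 + argc]), 8 + argc, []
    for n in (ulen, plen, rlen, *arg_lens):
        fields.append(body[i:i + n].decode())
        i += n
    if i != len(body):
        raise ValueError("body length does not match declared field lengths")
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2], "priv_lvl": priv_lvl, "args": fields[3:]}


# Hypothetical policy: per-command allow lists by role, plus commands nobody may run through this path.
ROLES = {"alice": "noc-tier1", "bob": "netops"}
ALLOW = {
    "noc-tier1": [r"^show ", r"^ping ", r"^traceroute "],
    "netops": [r"^show ", r"^configure terminal$", r"^interface ", r"^(no )?shutdown$", r"^description "],
}
DENY_ALWAYS = [r"^router ", r"^ip route ", r"^(no )?aaa "]


def authorize_command(user, args):
    """Reassemble 'cmd cmd-arg ...' from the argument list and decide PASS or FAIL for this user's role."""
    kv = [a.split("=", 1) for a in args if "=" in a]   # '=' marks mandatory args; optional '*' args ignored
    service = next((v for k, v in kv if k == "service"), None)
    cmd = " ".join(v for k, v in kv if k in ("cmd", "cmd-arg") and v != "<cr>")
    role = ROLES.get(user)
    if service != "shell" or not cmd or role is None:
        return TAC_PLUS_AUTHOR_STATUS_FAIL
    if any(re.search(p, cmd) for p in DENY_ALWAYS):
        return TAC_PLUS_AUTHOR_STATUS_FAIL
    return TAC_PLUS_AUTHOR_STATUS_PASS_ADD if any(re.search(p, cmd) for p in ALLOW[role]) else TAC_PLUS_AUTHOR_STATUS_FAIL


def handle_author_packet(pkt, key):
    """Server side: validate the cleartext header, de-obfuscate, decide, and build the REPLY (seq_no + 1)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    if version >> 4 != TAC_PLUS_MAJOR_VER or ptype != TAC_PLUS_AUTHOR or length != len(pkt) - 12:
        raise ValueError("malformed TACACS+ header")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("unobfuscated body refused")   # RFC 8907 says deployments must not rely on this flag
    req = parse_author_request(obfuscate(pkt[12:], session_id, key, version, seq_no))
    status = authorize_command(req["user"], req["args"])
    reply = struct.pack("!BBHH", status, 0, 0, 0)        # status, arg_cnt, server_msg_len, data_len
    return packet(TAC_PLUS_AUTHOR, seq_no + 1, session_id, reply, key, version), status
```

Two things the test below makes visible: the session ID and sequence number are readable by anyone on the path (which is why the RFC pushes TLS/IPsec), and the device never executes `configure terminal` for the tier-1 role because the decision is made on the server before the command runs, not on the device after a session-level privilege level is granted.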

Where TACACS+ Fits in CSP Networks 

TACACS+ belongs wherever engineers and administrators need controlled, audited access to network devices: 

  • CLI access control for routers, switches, firewalls, and core network appliances: any device where command-line access is how configuration happens. 

  • Privileged access management for NOC and engineering teams, where different roles require different levels of access to different device types. 

  • Command-level authorization, permitting or blocking specific commands based on user role, time of day, device type, or other policy criteria. 

  • Compliance and audit logging for network device access events, meeting requirements from frameworks such as PCI-DSS, SOC 2, and telecommunications regulatory mandates. 

  • Multi-vendor infrastructure environments where centralized device access control must span equipment from multiple manufacturers. 

TACACS+ and Zero Trust 

TACACS+ aligns naturally with Zero Trust principles for network device access: every administrative session is authenticated, every action is authorized against a policy, and every command is logged. CSPs implementing Zero Trust Network Access (ZTNA) for their infrastructure management layer typically find TACACS+ already provides the core capability they need for the device administration domain. 

  6. Protocol Comparison: Head-to-Head 

The following comparison covers the dimensions that matter most for CSP deployment decisions. No single protocol wins across all dimensions; each leads in its intended domain. 

 

Attribute           | RADIUS                                              | Diameter                                          | TACACS+
--------------------+-----------------------------------------------------+---------------------------------------------------+--------------------------------------------------
Transport Protocol  | UDP (TCP per RFC 6613, TLS per RFC 6614 optional)   | TCP / SCTP                                        | TCP
Encryption          | User-Password only (MD5 keystream); rest cleartext  | TLS/DTLS or IPsec, hop-by-hop between peers       | Body obfuscated (MD5 keystream); header cleartext
AAA Separation      | Auth + Authz combined                               | Fully separated                                   | Fully separated
Reliability         | No guarantee (UDP)                                  | Reliable, ordered                                 | Reliable, ordered
Extensibility       | Limited (1-byte type, 253-byte values; VSAs)        | Flexible AVPs (32-bit code, vendor ID, M bit)     | Limited (free-form argument strings)
Standardization     | Open standard (IETF)                                | Open standard (IETF / 3GPP)                       | Cisco-originated; RFC 8907 (Informational)
Scalability         | Moderate                                            | High (mobile-grade)                               | Moderate
Primary Use Case    | Access-layer auth                                   | Mobile core signaling                             | Device admin control
3GPP Alignment      | No                                                  | Yes (4G core; 5G NSA and interworking)            | No
Typical Deployment  | Broadband, WiFi, MVNO                               | LTE core, IMS, VoLTE                              | NOC, engineering CLI

 

The comparison makes clear that these protocols are not ranked alternatives. They address different problems in different network layers. A protocol that leads in one domain (RADIUS's simplicity at the access layer, Diameter's reliability in mobile core signaling, TACACS+'s granular control in device administration) is not the right choice in another. Protocol selection is not optimization; it is alignment. 

  7. Which Protocol Should CSPs Use? A Decision Framework 

The most important principle for CSP protocol selection is that this is not an either/or decision. Modern CSP networks are multi-protocol environments, and the right answer is deploying each protocol in the domain it was designed for. The framework below maps network scenarios to protocol recommendations with the rationale behind each. 

Scenario-Based Recommendation Matrix 

 

Scenario                                  | Recommended Protocol | Rationale
------------------------------------------+----------------------+------------------------------------------------
Broadband / fixed-line subscriber auth    | RADIUS               | Access-layer simplicity and compatibility
WiFi / hotspot 802.1X authentication      | RADIUS               | Protocol alignment with the 802.1X / EAP framework
MVNO interface with host MNO              | RADIUS               | Interoperability with MNO access systems
4G / LTE mobile core signaling            | Diameter             | 3GPP-mandated S6a, Gx, Gy interfaces
Subscriber policy and real-time charging  | Diameter             | PCRF and OCS integration requirements
IMS, VoLTE, rich communication            | Diameter             | Cx/Dx interface alignment
5G hybrid / NSA deployment                | Diameter             | 4G-5G interworking gateway signaling
CLI access to routers and switches        | TACACS+              | Obfuscated body and command-level authorization
Role-based NOC access management          | TACACS+              | Granular authorization per user role
Compliance audit of device access         | TACACS+              | Command-level logging for regulatory trails

 

Use RADIUS When 

RADIUS is the right choice at the access layer, in environments where broad device compatibility is required, and in scenarios where the AAA platform, not the protocol, handles policy sophistication: 

  • Authenticating broadband or fixed-line subscribers at the access layer using PPPoE or IPoE. 

  • Managing WiFi or hotspot access where 802.1X is the authentication framework. 

  • Operating in environments where legacy device compatibility constrains protocol choice. 

  • Running MVNO services that interface with host MNO access systems. 

  • Supporting enterprise VPN or remote access authentication. 

Use Diameter When 

Diameter is required wherever 3GPP compliance, mobile core reliability, or real-time policy enforcement is needed: 

  • Operating a 4G/LTE or hybrid 5G mobile core with HSS, MME, PCRF, or OCS integration. 

  • Managing subscriber policy and real-time charging through PCRF and OCS systems. 

  • Handling IMS registration, VoLTE session control, and rich communication services. 

  • Building or upgrading toward 5G-ready AAA infrastructure with proper interworking support. 

  • Managing inter-operator roaming signaling through DEA/DRA infrastructure. 

Use TACACS+ When 

TACACS+ is the right choice for any scenario involving administrative access to network infrastructure: 

  • Controlling CLI access to routers, switches, firewalls, and core network appliances. 

  • Implementing role-based authorization for NOC and engineering teams with different privilege levels. 

  • Meeting compliance requirements that mandate command-level audit logging. 

  • Securing privileged access in multi-vendor network environments. 

“In practice, a CSP might use RADIUS for subscriber authentication on its broadband platform, Diameter for policy control in its LTE core, and TACACS+ to manage administrative access to the routers and switches that carry that traffic. These protocols complement each other—they are not competing alternatives.” 

  8. The Role of Centralized AAA Platforms 

Deploying three protocols across a large-scale network creates real operational complexity—and this is where the architecture of the AAA platform matters as much as the protocols themselves. 

A modern, cloud-native AAA platform addresses this complexity across four dimensions: 

  • Multi-protocol support. The platform handles RADIUS, Diameter, and TACACS+ natively, eliminating the need for separate AAA infrastructure for each protocol domain. A single subscriber database can serve as the authoritative source across all three protocols. 

  • Centralized policy management. Policy is defined once and enforced consistently, regardless of which protocol carries the AAA transaction. A subscriber’s service entitlements, data caps, and QoS parameters apply whether the session is authenticated via RADIUS on the broadband platform or via Diameter on the mobile core. 

  • Horizontal scalability. CSP-scale AAA infrastructure must handle peak subscriber concurrency, not average load, without degradation. Modern platforms scale horizontally, distributing load across multiple instances and providing the redundancy that eliminates single points of failure in a system where downtime affects every active subscriber. 

  • Real-time observability. Operations teams need visibility into AAA sessions in real time: active session counts, authentication failure rates, policy enforcement decisions, and accounting record generation. A centralized platform provides this visibility across all protocols in a single operational view. 

5G Readiness and Protocol Bridge 

For CSPs building toward 5G standalone, the AAA platform must bridge between legacy Diameter-based 4G interfaces and the HTTP/2-based SBI of 5G standalone core. This bridging requirement makes protocol flexibility and extensibility essential qualities in any AAA platform investment. 

The platform must also handle the interworking scenarios that will characterize most CSP networks for years: subscribers roaming between 4G and 5G coverage, devices that don’t support 5G falling back to LTE, and the complex handover sequences that cross the architectural boundary between the two generations. 

Platform vs. Protocol 

Centralized AAA is ultimately about control: ensuring that every authentication event, every policy decision, and every accounting record flows through a system that is consistent, auditable, and scalable. The protocols are the means. The platform is the strategy. Investing in protocol capability without investing in platform capability leaves the protocols working in silos—which defeats the purpose of centralization. 

  9. Conclusion: One Coherent Strategy 

RADIUS, Diameter, and TACACS+ each solve a specific problem in a specific network context. Misunderstanding them as competing alternatives leads to deployments that either over-engineer simple access-layer scenarios or under-serve the reliability and compliance requirements of mobile core and device administration domains. 

The right framework is straightforward: 

  • RADIUS handles access-layer authentication with simplicity and broad compatibility. It belongs at the broadband, WiFi, and MVNO interface layer. 

  • Diameter delivers the reliability, scalability, and 3GPP alignment that mobile core networks demand. It belongs in the LTE core, IMS, and 5G interworking layers. 

  • TACACS+ provides the granular administrative control and per-command audit trail that infrastructure device management requires, with a body hidden on the wire that should still be wrapped in TLS or IPsec. It belongs in the device administration and NOC access layer. 

For CSPs, whether a tier-1 mobile operator, a regional ISP, or an MVNO building out authentication infrastructure, the goal is a multi-protocol AAA strategy that deploys each protocol where it performs best, managed through a centralized platform capable of handling CSP-scale subscriber volumes. 

The protocols have been proven across decades of production deployments. The question for every CSP is whether the AAA platform orchestrating them is ready to meet the scale, complexity, and 5G-readiness demands of the network that those protocols serve. 

“The right question is not which protocol to choose. It is whether your AAA infrastructure is architected to deploy each protocol where it was designed to operate and to manage all three from a single, centralized platform.” 

About Alepo Technologies 

Alepo Technologies is a leading provider of digital transformation solutions for communication service providers. Alepo’s AAA and subscriber management platform is deployed by CSPs across mobile, broadband, and MVNO networks worldwide, supporting RADIUS, Diameter, and TACACS+ across a unified, cloud-native architecture. 

Alepo’s solutions help CSPs centralize subscriber data management, enforce consistent policy across protocol domains, and scale AAA infrastructure to meet the demands of 4G, 5G, and converged network architectures. 

 

Learn more at Alepo – Smart Solutions for CSPs | AAA, BSS, AI, Wifi Monetization  
