RADIUS, Diameter, and TACACS+ are the three core AAA (Authentication, Authorization, and Accounting) protocols in operator networks, but they solve different problems. RADIUS authenticates subscribers at the access layer (broadband, WiFi, VPN). Diameter is the 3GPP signaling protocol of the 4G mobile core (HSS, PCRF, OCS interfaces). TACACS+ authenticates the engineers administering network devices, with per-command authorization and audit. Modern Communications Service Provider (CSP) networks run all three, each where it was designed to operate.
At a glance:
| Feature | RADIUS | Diameter | TACACS+ |
|---|---|---|---|
| Specification | RFC 2865 (2000) | RFC 6733 (2012) | RFC 8907 (2020); TLS 1.3 via RFC 9887 (2025) |
| Who it authenticates | Subscribers | Subscribers / network elements | Network administrators |
| Transport | UDP (TCP/TLS via RadSec, RFC 6614) | TCP / SCTP, secured with TLS or DTLS (IPsec also permitted) | TCP; TLS 1.3 per RFC 9887 |
| AAA model | Authentication + authorization combined in one exchange; accounting separate | Fully separated | Fully separated (enables per-command authorization) |
| Packet protection | User-Password attribute only, MD5-based (legacy); full packet via RadSec | Secured transport (TLS/DTLS or IPsec) | MD5 obfuscation (legacy, obsoleted by RFC 9887); TLS 1.3 per RFC 9887 |
| Default port | UDP 1812/1813; TCP 2083 for RadSec | TCP/SCTP 3868 (5868 for TLS/DTLS) | TCP 49 (legacy); TCP 300 for TLS |
| Primary CSP domain | Broadband, WiFi, MVNO access | 4G/LTE core, policy, charging, IMS | Device administration, privileged access |
What Are AAA Protocols and Why Do CSPs Depend on Them?
Every time a subscriber connects to a mobile network, logs into a broadband service, or joins a WiFi hotspot, something invisible happens in the background: a series of authentication, authorization, and accounting checks that determine whether they get access, what they’re allowed to do, and how the session is recorded for billing and compliance. These checks are governed by AAA protocols, and for CSPs, choosing where each protocol belongs is a foundational architectural decision that affects scalability, security posture, and operational control.
The three AAA functions form the backbone of access control in any network:
- Authentication answers: Who are you? — verifying identity through credentials, SIM cards, certificates, or tokens.
- Authorization answers: What are you allowed to do? — applying subscriber policies, data caps, service entitlements, and Quality of Service (QoS) parameters.
- Accounting answers: What did you do, and for how long? — generating the session records needed for billing, regulatory compliance, and network analytics.
For a consumer streaming video over 4G, this entire cycle completes in milliseconds. For a CSP managing millions of concurrent subscribers, AAA infrastructure must handle it at scale, reliably and without adding latency that degrades the experience. RADIUS, Diameter, and TACACS+ are the protocols through which network elements talk to that infrastructure. They are often mentioned together, occasionally confused with each other, and sometimes deployed in environments they were never designed for.
What Is RADIUS? The Access-Layer Standard
RADIUS (Remote Authentication Dial-In User Service, RFC 2865) was developed in the 1990s and remains one of the most widely deployed authentication protocols in the world. Its longevity comes from simplicity and ubiquity: virtually every network device, access point, and broadband platform supports it out of the box.
RADIUS uses UDP as its transport, which keeps overhead low but sacrifices delivery guarantees. It combines authentication and authorization into a single exchange, which simplifies deployment but limits flexibility for complex policy scenarios. Its legacy security model obfuscates only the User-Password attribute: every other attribute travels in cleartext, and the integrity of a response rests on an MD5 hash of the packet followed by the shared secret. BlastRADIUS (CVE-2024-3596, 2024) made that weakness concrete by using an MD5 chosen-prefix collision to turn an Access-Reject into an Access-Accept. The short-term mitigation is to require the Message-Authenticator attribute on every packet; the IETF's longer-term remedy is RadSec, RADIUS over TLS (RFC 6614), which wraps the entire exchange in encrypted transport and is moving from roaming federations into mainstream deployment guidance.
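The legacy protection model described above is small enough to see end to end. The block below is an added example written for this article, not code from any RADIUS server or from the original page: it obfuscates a User-Password per RFC 2865 section 5.2, computes the MD5 Response Authenticator from RFC 2865 section 3, and adds and verifies the Message-Authenticator HMAC from RFC 2869. The shared secret, user name and password are constructed values, and `demo()` is a hypothetical helper that returns what each check reports. It does not reproduce the BlastRADIUS collision itself, only the construction the attack targets.

```python
"""Legacy RADIUS packet protection (RFC 2865 / RFC 2869), built from scratch as an illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80


def attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def obfuscate_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    Anyone holding the shared secret reverses it; nothing else in the packet is hidden."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out


def deobfuscate_password(cipher, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    On a legacy response this is the only integrity check: a plain MD5 over
    attacker-influenced bytes followed by the secret, which is what BlastRADIUS targets."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(packet, request_auth, secret):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, request_auth, packet[20:length], secret)
    return hmac.compare_digest(packet[4:20], expected)


def add_message_authenticator(packet, secret):
    """RFC 2869 section 5.14: append Message-Authenticator = HMAC-MD5(secret, packet),
    computed with the attribute's own 16 bytes zeroed. For an Access-Request the
    Authenticator field already holds the Request Authenticator, which the HMAC covers."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:] + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    zeroed = build_packet(code, ident, packet[4:20], attrs)
    return zeroed[:-16] + hmac.new(secret, zeroed, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """Walk the attribute list, zero the Message-Authenticator value, recompute the HMAC."""
    off = 20
    while off + 2 <= len(packet):
        attr_type, length = packet[off], packet[off + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[off + 2:off + 18])
        off += length
    return False  # no Message-Authenticator present: nothing to verify


def demo(secret=b"constructed-shared-secret", request_auth=None):
    """Constructed exchange: a NAS sends Access-Request for 'alice', the server answers Access-Reject."""
    request_auth = request_auth or os.urandom(16)
    password = b"s3cret-pw"
    pw_cipher = obfuscate_password(password, secret, request_auth)
    attrs = attr(ATTR_USER_NAME, b"alice") + attr(ATTR_USER_PASSWORD, pw_cipher)
    request = add_message_authenticator(build_packet(ACCESS_REQUEST, 7, request_auth, attrs), secret)
    tampered = bytearray(request)
    tampered[22] ^= 0x01  # flip one bit of the cleartext User-Name on the wire
    reject = build_response(ACCESS_REJECT, 7, request_auth, b"", secret)
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]  # naive Reject->Accept rewrite, no collision
    return {
        "username_in_clear": b"alice" in request,
        "password_in_clear": password in request,
        "password_recovered": deobfuscate_password(pw_cipher, secret, request_auth) == password,
        "request_mac_ok": verify_message_authenticator(request, secret),
        "tampered_request_mac_ok": verify_message_authenticator(bytes(tampered), secret),
        "reject_ok": verify_response(reject, request_auth, secret),
        "flipped_code_ok": verify_response(flipped, request_auth, secret),
    }
```

Calling `demo()` shows the User-Name sitting in the clear while the password does not, the HMAC catching a one-bit change to the request, and a naive rewrite of Reject to Accept failing the Response Authenticator. What BlastRADIUS adds is a chosen-prefix MD5 collision, carried in a Proxy-State attribute, so that the forged Accept hashes to the same Response Authenticator as the genuine Reject. The keyed HMAC behind Message-Authenticator is not subject to that collision, which is why requiring it on every packet is the interim mitigation and RadSec the durable one.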
Where RADIUS fits in CSP networks:
- Broadband subscriber authentication — PPPoE and IPoE session setup for DSL, fiber, and fixed wireless customers
- WiFi and hotspot authentication — 802.1X-based access control for enterprise and public WiFi, including SIM-based EAP methods
- MVNO access management — the glue between an MVNO’s subscriber database and the host operator’s access network
- VPN and remote access — authenticating users connecting through VPN gateways
RADIUS remains the practical choice in access-layer scenarios where broad compatibility outweighs its architectural limits, especially when paired with a modern AAA platform that enforces sophisticated policy on top of the protocol and supports RadSec where transport security is required.
What Is Diameter? The Mobile Core Standard
Diameter (RFC 6733) was designed to address RADIUS’s shortcomings as network architectures grew more complex — the name is a deliberate joke: a diameter is twice the radius. Practically, Diameter is a peer-to-peer protocol using TCP and SCTP for reliable, ordered transport, secured with TLS, DTLS, or IPsec, with a fully extensible attribute framework built on AVPs (Attribute-Value Pairs).
Where RADIUS collapses authentication and authorization into one exchange, Diameter fully separates all three AAA functions — enabling granular control, rich session state, and the failover and redundancy mobile networks demand.
The defining moment came when 3GPP adopted Diameter as the signaling protocol of the 4G/LTE core. Today it is the language LTE network elements speak to each other:
- S6a — authentication and subscription data between the MME (Mobility Management Entity) and HSS (Home Subscriber Server)
- Gx — policy communication between the P-GW and PCRF (Policy and Charging Rules Function)
- Gy — online charging between the P-GW and OCS (Online Charging System)
- Cx/Dx — IMS registration and subscriber data for VoLTE and rich communication services
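The AVP framework that carries all of these interfaces is also where a Diameter Routing or Edge Agent enforces message hygiene on inter-operator links. The block below is an added example written for this article, not code from any Diameter stack or from the original page: a minimal encoder and decoder for the RFC 6733 message header and AVP format, a Capabilities-Exchange-Request built from base AVPs, and the two checks a receiver must make: rejecting AVP lengths that run past the buffer, and flagging mandatory (M-bit) AVPs it does not understand, which RFC 6733 section 4.1 says must be answered with DIAMETER_AVP_UNSUPPORTED (5001). The Origin-Host and Origin-Realm values, the vendor AVP code 99999 and `demo()` are constructed for the example; 10415 is the real 3GPP enterprise number.

```python
"""Minimal Diameter (RFC 6733) header/AVP codec and receiver-side checks, as an illustration."""
import socket
import struct

AVP_V, AVP_M = 0x80, 0x40  # Vendor-specific and Mandatory bits in the AVP flags
CMD_REQUEST = 0x80         # R bit in the command flags
CER = 257                  # Capabilities-Exchange-Request command code
ORIGIN_HOST, ORIGIN_REALM, HOST_IP_ADDRESS = 264, 296, 257
VENDOR_ID, PRODUCT_NAME = 266, 269
DIAMETER_AVP_UNSUPPORTED = 5001


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """AVP: Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data, padded to a 4-byte boundary.
    Length counts header and data but not the padding."""
    flags = AVP_M if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + vendor + data + b"\x00" * (-length % 4))


def decode_avps(buf):
    """Return [(code, flags, vendor_id, data)], refusing any AVP whose length overruns the buffer."""
    avps, off = [], 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP %d length %d runs past the buffer" % (code, length))
        vendor_id = struct.unpack("!I", buf[off + 8:off + 12])[0] if flags & AVP_V else None
        avps.append((code, flags, vendor_id, buf[off + hdr:off + length]))
        off += length + (-length % 4)
    return avps


def encode_message(cmd_code, cmd_flags, app_id, hbh, e2e, avps):
    """Header: Version(1)=1 Length(3) CmdFlags(1) CmdCode(3) AppID(4) Hop-by-Hop(4) End-to-End(4)."""
    length = 20 + len(avps)
    return (b"\x01" + length.to_bytes(3, "big") + bytes([cmd_flags]) + cmd_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hbh, e2e) + avps)


def decode_message(buf):
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf):
        raise ValueError("header length %d != %d bytes received" % (length, len(buf)))
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    return {"cmd_flags": buf[4], "cmd_code": int.from_bytes(buf[5:8], "big"),
            "app_id": app_id, "hbh": hbh, "e2e": e2e, "avps": decode_avps(buf[20:])}


def unsupported_mandatory(avps, known):
    """RFC 6733 section 4.1: an AVP with the M bit set that the receiver does not understand
    means the whole message must be rejected with DIAMETER_AVP_UNSUPPORTED."""
    return [(code, vendor) for code, flags, vendor, _ in avps
            if flags & AVP_M and (code, vendor) not in known]


def build_cer(origin_host, origin_realm, ipv4):
    avps = (encode_avp(ORIGIN_HOST, origin_host)
            + encode_avp(ORIGIN_REALM, origin_realm)
            + encode_avp(HOST_IP_ADDRESS, b"\x00\x01" + socket.inet_aton(ipv4))  # AddressType 1 = IPv4
            + encode_avp(VENDOR_ID, struct.pack("!I", 10415))                      # 3GPP enterprise number
            + encode_avp(PRODUCT_NAME, b"constructed-example", mandatory=False))
    return encode_message(CER, CMD_REQUEST, 0, 0x1000, 0x2000, avps)


KNOWN_BASE_AVPS = {(c, None) for c in (ORIGIN_HOST, ORIGIN_REALM, HOST_IP_ADDRESS, VENDOR_ID, PRODUCT_NAME)}


def demo():
    """Constructed CER from an MME, then the same CER with an unknown mandatory vendor AVP appended."""
    host = b"mme01.epc.mnc001.mcc001.3gppnetwork.org"
    cer = build_cer(host, b"epc.mnc001.mcc001.3gppnetwork.org", "192.0.2.1")
    msg = decode_message(cer)
    origin_host = next(d for c, _, _, d in msg["avps"] if c == ORIGIN_HOST)
    # Hypothetical vendor AVP (code 99999 under enterprise 10415) this receiver does not implement.
    extra = encode_avp(99999, b"\x01", mandatory=True, vendor_id=10415)
    ext = decode_message(encode_message(CER, CMD_REQUEST, 0, 0x1000, 0x2000, cer[20:] + extra))
    try:
        decode_avps(cer[20:-4])  # the last AVP's length now claims bytes that were never received
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return {
        "cmd_code": msg["cmd_code"],
        "is_request": bool(msg["cmd_flags"] & CMD_REQUEST),
        "origin_host": origin_host,
        "unsupported_base": unsupported_mandatory(msg["avps"], KNOWN_BASE_AVPS),
        "unsupported_ext": unsupported_mandatory(ext["avps"], KNOWN_BASE_AVPS),
        "truncated_rejected": truncated_rejected,
    }
```

The two failure paths are the ones that matter at a DEA facing a roaming partner: a length field that overruns the message is the classic parser crash, and an M-bit AVP the node does not implement must produce a 5001 answer rather than being silently skipped, because the sender is asserting that the message cannot be processed correctly without it.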
In 5G standalone architectures, the HTTP/2-based Service-Based Interface (SBI) takes over many functions Diameter served in 4G. But Diameter remains critical in non-standalone (NSA) 5G and in the interworking gateways that connect 4G and 5G cores, which means it stays a core CSP competency for years to come.
Where Diameter fits in CSP networks:
- 4G/LTE mobile core signaling across HSS, MME, PCRF, and P-GW
- Subscriber policy enforcement and real-time charging
- IMS and VoLTE authentication and session control
- Roaming and inter-operator signaling via Diameter Edge/Routing Agents (DEA/DRA)
- 5G interworking in hybrid network architectures
What Is TACACS+? Device Administration Security
TACACS+ (Terminal Access Controller Access-Control System Plus) is frequently grouped with RADIUS and Diameter, but it operates in a fundamentally different domain. While RADIUS and Diameter authenticate subscribers accessing network services, TACACS+ authenticates the engineers and administrators accessing the network devices themselves.
Originally a Cisco protocol, TACACS+ was formally documented by the IETF in RFC 8907 (2020). It uses TCP for reliable transport and protects the full packet body — though, importantly, the legacy mechanism is an MD5-based scheme that RFC 8907 itself categorizes as obfuscation, not encryption. That gap was closed in December 2025: RFC 9887 runs TACACS+ over TLS 1.3, obsoletes the obfuscation mechanism, and assigns a new well-known port (TCP 300).
The defining capability of TACACS+ is its fully separated AAA model. Authentication and authorization are independent exchanges, so an operator can authenticate an engineer against Active Directory while applying a completely separate set of authorization rules that control exactly which CLI commands that engineer may execute on a given device, and log every command for compliance.
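The gap between obfuscation and encryption that RFC 8907 describes, and the per-command authorization request it protects, can both be seen in a few dozen lines. The block below is an added example written for this article, not code from any TACACS+ implementation or from the original page: it builds an RFC 8907 section 6.1 authorization REQUEST body for a shell command, applies the section 4.5 MD5 pseudo-pad, decodes it, and then shows that a single XOR on the obfuscated body raises the requested privilege level from 1 to 15 without the key and without anything to detect it. The key, session ID, user and command are constructed values, and `demo()` is a hypothetical helper.

```python
"""TACACS+ (RFC 8907) authorization request with legacy MD5 body obfuscation, as an illustration."""
import hashlib
import struct

VERSION = 0xC0           # major version 0xC, minor version 0
TYPE_AUTHOR = 0x02       # TAC_PLUS_AUTHOR
FLAG_UNENCRYPTED = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG: body carried without obfuscation
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """Body XOR pseudo_pad; the same call deobfuscates. There is no integrity check,
    so flipping a bit of the obfuscated body flips the same plaintext bit undetected."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user, port, rem_addr, args, priv_lvl):
    """RFC 8907 section 6.1 authorization REQUEST body layout."""
    fixed = bytes([AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(args)])
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    meth, priv_lvl, authen_type, svc, ulen, plen, rlen, argc = body[:8]
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr, off = body[off:off + rlen], off + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("authorization body length mismatch")
    return {"priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def build_packet(body_plain, session_id, key, seq_no=1):
    """Header: version(1) type(1) seq_no(1) flags(1) session_id(4) length(4), then the body."""
    body = obfuscate(body_plain, session_id, key, VERSION, seq_no)
    return struct.pack("!BBBBII", VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body)) + body


def decode_packet(packet, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TYPE_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a well-formed authorization packet")
    body = packet[12:]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return parse_author_request(body)


def demo(key=b"constructed-tacacs-key"):
    """Constructed request: alice at privilege 1 asks to run 'configure terminal'."""
    args = [b"service=shell", b"cmd=configure", b"cmd-arg=terminal"]
    body = build_author_request(b"alice", b"tty1", b"192.0.2.10", args, priv_lvl=1)
    packet = build_packet(body, session_id=0x1234ABCD, key=key)
    tampered = bytearray(packet)
    tampered[12 + 1] ^= 0x0E  # priv_lvl byte of the body: 1 XOR 0x0E == 15, no key needed
    return {
        "decoded": decode_packet(packet, key),
        "tampered": decode_packet(bytes(tampered), key),
        "cmd_in_clear": b"configure" in packet,
    }
```

The command text is hidden from a passive observer who lacks the key, which is all the MD5 pad was ever meant to do. An active attacker who knows the packet layout can still rewrite fields in transit, and the server decodes the altered request as cleanly as the original. That is the property RFC 9887 removes by putting the whole session inside TLS 1.3.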
Where TACACS+ fits in CSP networks:
- CLI access control for routers, switches, firewalls, and core network appliances
- Privileged access management for NOC (Network Operations Center) and engineering teams
- Command-level authorization — permitting or blocking specific commands by role
- Compliance and audit logging for device access events
- Multi-vendor environments requiring centralized device access control

Which Protocol Should CSPs Use? A Practical Decision Framework
The most important thing to understand: this is not an either/or decision. Modern CSP networks are multi-protocol environments, and the right answer is deploying each protocol where it was designed to operate.
Use RADIUS when:
- Authenticating broadband or fixed-line subscribers at the access layer
- Managing WiFi or hotspot access where 802.1X is the framework
- Legacy device compatibility is a constraint
- Running MVNO services that interface with host operator access systems
Use Diameter when:
- Operating a 4G/LTE or hybrid 5G mobile core
- Managing subscriber policy and real-time charging through PCRF and OCS
- Handling IMS registration, VoLTE, and rich communication services
- Building or upgrading toward 5G-ready AAA infrastructure
Use TACACS+ when:
- Controlling administrative access to network devices across the infrastructure
- Implementing role-based CLI authorization for NOC and engineering teams
- Meeting compliance requirements that mandate command-level audit logging
- Securing privileged access in multi-vendor environments — and planning the move to TACACS+ over TLS (RFC 9887) as device support arrives
In practice, a CSP might use RADIUS for subscriber authentication on its broadband platform, Diameter for policy control in its LTE core, and TACACS+ to govern administrative access to the routers and switches carrying that traffic. The protocols complement each other; they are not competing alternatives.
The Role of Centralized AAA Platforms in CSP Networks
Running three protocols across a large-scale network creates real operational complexity, and this is where the architecture of the AAA platform matters as much as the protocols themselves. A modern, cloud-native AAA platform does more than terminate RADIUS, Diameter, and TACACS+ on one stack: it centralizes subscriber data, enforces policy consistently across protocols, scales horizontally through peak traffic, and gives operations teams the observability to troubleshoot sessions in real time.
For CSPs building toward 5G, the platform must also bridge between Diameter-based 4G interfaces and the HTTP/2-based service architecture of the 5G standalone core — a requirement that makes protocol flexibility an essential quality in any AAA investment. The same applies to the security transition now underway across the protocol family: RadSec for RADIUS and TLS 1.3 for TACACS+ both demand a platform that can run legacy and secured transports side by side during multi-year migrations.
Centralized AAA is ultimately about control: every authentication event, every policy decision, and every accounting record flowing through a system that is consistent, auditable, and scalable. The protocols are the means. The platform is the strategy.
Conclusion: No Single Protocol, One Coherent Strategy
RADIUS, Diameter, and TACACS+ each solve a specific problem in a specific context. RADIUS handles access-layer subscriber authentication with simplicity and universal compatibility. Diameter delivers the reliability, scale, and 3GPP alignment the mobile core demands. TACACS+ provides the granular administrative control and audit depth that infrastructure device management requires — now with standards-track transport security.
For CSPs, whether tier-1 mobile operator, regional ISP, or MVNO, the goal isn't to pick one. It's to build a multi-protocol AAA strategy that deploys each protocol where it performs best, managed through a centralized platform capable of CSP-scale subscriber volumes.
The protocols have been proven. The question is whether your AAA infrastructure is ready to orchestrate them at the scale your network requires.
FAQs
What is the difference between RADIUS and Diameter?
RADIUS is a 1990s-era UDP protocol that combines authentication and authorization in one exchange and is dominant at the access layer (broadband, WiFi, VPN). Diameter is its successor — TCP/SCTP transport, secured connections, extensible AVPs, fully separated AAA functions — and is the 3GPP signaling protocol of the 4G mobile core.
Is TACACS+ a replacement for RADIUS?
No. They serve different populations: RADIUS authenticates subscribers accessing network services; TACACS+ authenticates administrators accessing the network devices themselves, with per-command authorization and audit logging.
Does TACACS+ encrypt its traffic?
Legacy TACACS+ uses an MD5-based scheme that RFC 8907 explicitly categorizes as obfuscation, not encryption. RFC 9887 (December 2025) adds real encryption by running TACACS+ over TLS 1.3 on TCP port 300, and formally obsoletes the obfuscation mechanism.
Is Diameter still used in 5G?
The 5G standalone core replaces most Diameter signaling with HTTP/2-based Service-Based Interfaces. But Diameter remains essential in non-standalone 5G, in 4G/5G interworking gateways, and in every network still operating an LTE core — which is most of them.
What is RadSec?
RadSec (RFC 6614) is RADIUS over TLS: it wraps RADIUS in encrypted, reliable TCP transport (port 2083), addressing the cleartext attributes and weak MD5-based integrity of classic RADIUS over UDP that the BlastRADIUS attack (CVE-2024-3596) showed to be exploitable.
Can one AAA server handle RADIUS, Diameter, and TACACS+?
Yes — carrier-grade AAA platforms terminate all three on a single stack, which is how operators avoid running three separate authentication silos for subscribers, the mobile core, and device administration.
