300-715 Question #205: Real Exam Question with Answer & Explanation
The correct answer is D: TACACS+ provides the ability to authorize specific commands while RADIUS does not. TACACS+ is preferred over RADIUS for network device administration because it supports granular command authorization and encrypts the entire packet payload for enhanced security.
Question
An engineer is configuring ISE for network device administration and has devices that support both protocols. What are two benefits of choosing TACACS+ over RADIUS for these devices? (Choose two.)
Options
- A. TACACS+ is FIPS compliant while RADIUS is not.
- B. TACACS+ is designed for network access control while RADIUS is designed for role-based
- C. TACACS+ uses secure EAP-TLS while RADIUS does not.
- D. TACACS+ provides the ability to authorize specific commands while RADIUS does not.
- E. TACACS+ encrypts the entire payload being sent while RADIUS only encrypts the password.
Explanation
TACACS+ is preferred over RADIUS for network device administration because it supports granular command authorization and encrypts the entire packet payload for enhanced security.
Common mistakes.
- A. FIPS compliance is related to cryptographic modules, and both protocols can be used in FIPS-compliant contexts with appropriate implementation, so this is not a differentiator.
- B. RADIUS is primarily designed for Network Access Control (NAC), while TACACS+ is specifically designed for network device administration (AAA), so this statement is reversed and incorrect.
- C. EAP-TLS is an EAP method typically used with RADIUS for strong authentication; TACACS+ does not generally use EAP.
Concept tested. TACACS+ vs RADIUS for device administration