TACACS+

• TACACS is defined in RFC 1492, and uses (either TCP or UDP) port 49 by default

• TACACS+ is an entirely new protocol and not compatible with TACACS or XTACACS (Cisco proprietary extension to TACACS) 
• TACACS+ uses only TCP (49)
• TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. All exchanges between the network access server and the TACACS+ daemon are encrypted.
• RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.