- TACACS+ is an entirely new protocol and not compatible with TACACS or XTACACS (Cisco proprietary extension to TACACS)
- TACACS+ uses only TCP (49)
- TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. All exchanges between the network access server and the TACACS+ daemon are encrypted.
- RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.