TACACS+ uses TCP for connection-oriented transport between
clients and servers. TCP port 49 is reserved for TACACS+. RADIUS uses UDP for
best-effort delivery, so additional variables, such as retransmit attempts and
time-outs, must be defined to compensate.
The acknowledgements (TCP ACK) provide indications that a request
has been received within (approximately) a network round-trip time (RTT). This
same TCP process uses RST (reset) packets to provide immediate indication of a
failed (or offline) authentication server. UDP can’t tell the difference between
a failed server, a slow server, and a nonexistent server.
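
The failure signalling described above, as an added example that is not part of the original page: a TCP probe that tells a live server, a refused connection (RST) and silence apart, beside a RADIUS-style UDP probe that can only retransmit and time out. The function names and the loopback stand-in servers are constructed for illustration, and the UDP result assumes an unconnected socket on Linux, where ICMP port-unreachable errors are not reported to the application.

```python
import socket

def tcp_probe(host, port, timeout=1.0):
    """Classify a TCP AAA server (TACACS+ is reserved TCP port 49)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "accepting"       # handshake completed within about one RTT
    except ConnectionRefusedError:
        return "refused"             # RST: host is up, the service is not
    except (socket.timeout, TimeoutError):
        return "timeout"             # nothing came back at all
    except OSError:
        return "unreachable"         # local routing or network error

def udp_probe(host, port, timeout=0.5, retransmits=2):
    """Send, wait, retransmit: silence is the only failure signal UDP offers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(1 + retransmits):
            s.sendto(b"probe", (host, port))   # constructed payload, not a RADIUS packet
            try:
                s.recvfrom(4096)
                return "answered"
            except socket.timeout:
                continue                       # retransmit until attempts run out
    return "no-reply"

def demo():
    """Run both probes against constructed loopback servers, up and then down."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    tcp_port = lst.getsockname()[1]
    out = {"tcp_up": tcp_probe("127.0.0.1", tcp_port)}
    lst.close()                                # server goes offline
    out["tcp_down"] = tcp_probe("127.0.0.1", tcp_port)

    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))              # "slow" server: receives, never replies
    udp_port = silent.getsockname()[1]
    out["udp_silent"] = udp_probe("127.0.0.1", udp_port, 0.2, 1)
    silent.close()                             # server goes offline
    out["udp_down"] = udp_probe("127.0.0.1", udp_port, 0.2, 1)
    return out

if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:10} -> {state}")
```

The TCP probe reports the offline server immediately, while the UDP probe returns the same result for the silent server and the closed port, and only after every retransmit has timed out.
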
TCP keepalive packets can be used to watch for failed servers and
to facilitate rapid failover between multiple connected authentication
TCP scales better and adapts better to growing and/or