Hwtacacs – H3C Technologies H3C S12500-X Series Switches User Manual

Page 19

Figure 5 Format of attribute 26

156B

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol
based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for

information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical

HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the
NAS sends users' usernames and passwords to the HWTACACS sever for authentication. After passing

authentication and obtaining authorized rights, a user logs in to the device and performs operations. The

HWTACACS server records the operations that each user performs.

342B

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS have many features in common, such as using a client/server model, using
shared keys for data encryption, and providing flexibility and scalability.

682H

Table 3

lists their primary

differences.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS RADIUS

Uses TCP, which provides reliable network
transmission.

Uses UDP, which provides high transport efficiency.

Encrypts the entire packet except for the HWTACACS
header.

Encrypts only the user password field in an
authentication packet.

Protocol packets are complicated and authorization is
independent of authentication. Authentication and
authorization can be deployed on different

HWTACACS servers.

Protocol packets are simple and the authorization
process is combined with the authentication process.

Supports authorization of configuration commands.
Access to commands depends on both the user's roles

and authorization. A user can use only commands that
are permitted by the user roles and authorized by the

HWTACACS server.

Does not support authorization of configuration
commands. Access to commands solely depends on

the user's roles. For more information about user roles,

see Fundamentals Configuration Guide.

343B

Basic HWTACACS packet exchange process

683H

Figure 6

describes how HWTACACS performs user authentication, authorization, and accounting for a

Telnet user.

This manual is related to the following products:

H3C S5560 Series Switches H3C WX6000 Series Access Controllers H3C WX5000 Series Access Controllers H3C WX3000 Series Unified Switches H3C LSWM1WCM10 Access Controller Module H3C LSWM1WCM20 Access Controller Module H3C LSQM1WCMB0 Access Controller Module H3C LSRM1WCM2A1 Access Controller Module H3C LSBM1WCM2A0 Access Controller Module H3C S9800 Series Switches H3C S5130 Series Switches H3C S5120 Series Switches