Introduction to hwtacacs, Differences between hwtacacs and radius, Basic message exchange process of hwtacacs – H3C Technologies H3C S7500E Series Switches User Manual
Page 22
1-9
Introduction to HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security
protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses the client/server model for
information exchange between NAS and HWTACACS server.
HWTACACS is mainly used to provide AAA services for Point-to-Point Protocol (PPP) users, Virtual
Private Dial-up Network (VPDN) users, and terminal users. In a typical HWTACACS application, some
terminal users need to log in to the device for operations. Working as the HWTACACS client, the
device sends the username and password of a user to the HWTACACS sever for authentication. After
passing authentication and being authorized, the user can log in to the device to perform operations.
Differences Between HWTACACS and RADIUS
HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They
have many common features in implementing AAA, like using the client/server model, using shared
keys for user information security and having good flexibility and extensibility. Meanwhile, they have
differences, as listed in
.
Table 1-3 Primary differences between HWTACACS and RADIUS
HWTACACS
RADIUS
Uses TCP, providing more reliable network
transmission.
Uses UDP, providing higher transport efficiency.
Encrypts the entire packet except for the HWTACACS
header.
Encrypts only the user password field in an
authentication packet.
Protocol packets are complicated and authorization is
independent of authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and authorization is
combined with authentication.
Supports authorization of configuration commands.
Which commands a user can use depends on both
the user level and AAA authorization. A user can use
only commands that are not only of, or lower than, the
user level but also authorized by the HWTACACS
server.
Does not support authorization of configuration
commands. Which commands a user can use
depends on the level of the user and a user can use
all the commands of, or lower than, the user level.
Basic Message Exchange Process of HWTACACS
The following takes a Telnet user as an example to describe how HWTACACS performs user
authentication, authorization, and accounting.
illustrates the basic message exchange
process of HWTACACS.