
II. Basic message exchange procedure in HWTACACS – H3C Technologies H3C S3100 Series Switches User Manual


Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch

Chapter 1 AAA & RADIUS & HWTACACS Configuration

1-8

Compared with RADIUS, HWTACACS provides more reliable transmission and
encryption, and therefore is more suitable for security control. Table 1-3 lists the
primary differences between HWTACACS and RADIUS.

Table 1-3 Differences between HWTACACS and RADIUS

HWTACACS | RADIUS
Adopts TCP, providing more reliable network transmission. | Adopts UDP.
Encrypts the entire message except the HWTACACS header. | Encrypts only the password field in the authentication message.
Separates authentication from authorization. For example, you can use one TACACS server for authentication and another TACACS server for authorization. | Combines authentication and authorization.
Is more suitable for security control. | Is more suitable for accounting.
Supports configuration command authorization. | Does not support it.
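The second row of Table 1-3 is the one that matters most for a security review: how much of each message an on-path observer can read. The following added example (not code from the manual or from H3C) shows the two mechanisms side by side, assuming that HWTACACS uses the TACACS+ body obfuscation of RFC 8907 (a 12-byte clear-text header followed by a body XORed with an MD5-derived pad) and that RADIUS hides only the User-Password attribute as in RFC 2865; the key, session id, body text and authenticator are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values; none of these come from the manual.
KEY = b"constructed-shared-key"


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream of RFC 8907 section 4.5: MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the whole body (username, port, remote address, ...) with the pad.
    XOR is symmetric, so the same call also recovers the plaintext."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_packet(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """Header (version, type=1 authentication, seq_no, flags, session_id, length) stays in clear;
    everything after byte 12 is obfuscated. Type and flags are fixed here for brevity."""
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: only this attribute is protected; the username and the rest of
    the Access-Request travel in clear text. Password is null-padded to a 16-byte multiple."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; each MD5 input chains on the previous cipher block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```

Running the two paths over the same credentials shows why a capture of HWTACACS traffic yields only the header fields (session id, sequence number, length), while a RADIUS capture exposes every attribute except the password.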


In a typical HWTACACS application (as shown in Figure 1-5), a dial-up or terminal user
needs to log into the switch to perform some operations. As an HWTACACS client, the
switch sends the username and password to the TACACS server for authentication.
After passing authentication and being authorized, the user successfully logs into the
switch to perform operations.

Figure 1-5 Network diagram for a typical HWTACACS application
(Dial-up users reach the switch over ISDN/PSTN and terminal users connect directly; the switch acts as the HWTACACS client toward two TACACS servers, 129.7.66.66 and 129.7.66.67.)

II. Basic message exchange procedure in HWTACACS

The following text takes a Telnet user as an example to describe how HWTACACS
implements authentication, authorization, and accounting for a user. Figure 1-6
illustrates the basic message exchange procedure: