
Basic message exchange procedure in hwtacacs – H3C Technologies H3C S3600 Series Switches User Manual


1-7

Table 1-3 Differences between HWTACACS and RADIUS

| HWTACACS | RADIUS |
|---|---|
| Adopts TCP, providing more reliable network transmission. | Adopts UDP. |
| Encrypts the entire message except the HWTACACS header. | Encrypts only the password field in authentication messages. |
| Separates authentication from authorization. For example, you can use one TACACS server for authentication and another TACACS server for authorization. | Combines authentication and authorization. |
| Is more suitable for security control. | Is more suitable for accounting. |
| Supports configuration command authorization. | Does not support configuration command authorization. |
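The second row of the table, the scope of what each protocol protects on the wire, is the difference most worth seeing concretely. The block below is an added example, not code from the manual or from H3C. It assumes that HWTACACS uses the TACACS+ body obfuscation of RFC 8907 section 4.5 (MD5 keystream over session_id, key, version and sequence number) and that RADIUS hides only the User-Password attribute as described in RFC 2865 section 5.2; the manual page names neither algorithm. The key, session ID, authenticator, username and password are constructed sample values, and `wire_exposure` reports which of the user's fields remain readable in each packet.

```python
import hashlib
import struct

# Added example (not from the manual). Assumptions: HWTACACS protects the body
# with the TACACS+ scheme of RFC 8907 section 4.5; RADIUS hides only the
# User-Password attribute per RFC 2865 section 5.2. All sample values are constructed.

TACACS_HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_VERSION = (0xC << 4) | 0x0        # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01                     # packet type: authentication


def _xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_encode(body, key, session_id, seq_no, pkt_type=TAC_PLUS_AUTHEN, flags=0):
    """Cleartext 12-byte header followed by the obfuscated body (every body field covered)."""
    header = TACACS_HEADER.pack(TAC_PLUS_VERSION, pkt_type, seq_no, flags, session_id, len(body))
    pad = tacacs_pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + _xor(body, pad)


def tacacs_decode(packet, key):
    """Recover the body: XOR with the same keystream is its own inverse."""
    version, _ptype, seq_no, _flags, session_id, length = TACACS_HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, length))


def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret|c_{i-1}), c_0 = authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)   # an empty password still yields one block
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, padded_len, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def radius_reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")   # removes the NUL padding (and any genuine trailing NULs)


def radius_access_request(identifier, authenticator, secret, username, password):
    """Minimal Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def wire_exposure(username, password, key):
    """Which of the user's fields can be read directly from each packet on the wire."""
    session_id, authenticator = 0x1A2B3C4D, bytes(range(16))   # constructed sample values
    # TACACS+ authentication START body: action=LOGIN, priv_lvl=0, authen_type=PAP,
    # service=LOGIN, then user_len, port_len, rem_addr_len, data_len, user, data(password)
    tac_body = (b"\x01\x00\x02\x01" + bytes([len(username), 0, 0, len(password)])
                + username + password)
    tac_pkt = tacacs_encode(tac_body, key, session_id, seq_no=1)
    rad_pkt = radius_access_request(7, authenticator, key, username, password)
    return {
        "tacacs_username_visible": username in tac_pkt,
        "tacacs_password_visible": password in tac_pkt,
        "radius_username_visible": username in rad_pkt,
        "radius_password_visible": password in rad_pkt,
    }


if __name__ == "__main__":
    print(wire_exposure(b"alice", b"s3cret-pw", b"shared-key"))
```

Running it shows the username in the clear only in the RADIUS packet, while both protocols hide the password. Two caveats matter for the "security control" row of the table: the TACACS+ scheme is an MD5 keystream that RFC 8907 itself calls obfuscation rather than encryption, so both protocols are normally confined to a management network or wrapped in IPsec or TLS; and because the keystream depends only on session_id, key, version and seq_no, an implementation that reuses session IDs weakens the protection further.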

In a typical HWTACACS application (as shown in Figure 1-5), a terminal user needs to log into the switch to perform some operations. As an HWTACACS client, the switch sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user successfully logs into the switch to perform operations.

Figure 1-5 Network diagram for a typical HWTACACS application

Basic message exchange procedure in HWTACACS

The following takes a Telnet user as an example to describe how HWTACACS implements authentication, authorization, and accounting for a user. Figure 1-6 illustrates the basic message exchange procedure:
