
Hwtacacs, Differences between hwtacacs and radius, Basic hwtacacs message exchange process – H3C Technologies H3C SecBlade LB Cards User Manual


HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and getting authorized rights, a user logs in to the device and performs operations. The HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for user information security, and providing flexibility and extensibility. Table 11 lists the primary differences.

Table 11 Primary differences between HWTACACS and RADIUS

Transport
HWTACACS: Uses TCP, providing more reliable network transmission.
RADIUS: Uses UDP, providing higher transport efficiency.

Encryption
HWTACACS: Encrypts the entire packet except for the HWTACACS header.
RADIUS: Encrypts only the user password field in an authentication packet.

Authentication and authorization
HWTACACS: Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers.
RADIUS: Protocol packets are simple and the authorization process is combined with the authentication process.

Command authorization
HWTACACS: Supports authorization of configuration commands. Commands a user can access depend on both the user level and AAA authorization. A user can use only commands that are at, or lower than, the user level and authorized by the HWTACACS server.
RADIUS: Does not support authorization of configuration commands. Commands a user can access solely depend on the level of the user. A user can use all the commands at, or lower than, the user level.
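The encryption row of Table 11 is easiest to see on the wire. The following example is added here for illustration and is not code from the H3C manual or from any H3C product. It builds one constructed RADIUS Access-Request and one constructed TACACS+ authentication START packet with the same username and password, then shows which bytes an observer on the path can still read: in RADIUS only the User-Password attribute is hidden and the User-Name travels in the clear, while in TACACS+ the whole body after the 12-byte header is obfuscated. It assumes the RADIUS User-Password hiding of RFC 2865 (section 5.2) and the TACACS+ body pad of RFC 8907 (section 4.5); the manual describes HWTACACS as based on TACACS but does not state its exact cipher, so treating HWTACACS as using the TACACS+ scheme is an assumption of this example. The shared secret, session ID, port name and client address are constructed sample values.

```python
import hashlib

# ---- RADIUS (RFC 2865 s5.2): only the User-Password attribute is hidden ----

def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a password: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c  # chaining: the next pad block depends on the previous ciphertext block
    return bytes(out)

def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (trailing NUL padding is stripped)."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")

def radius_access_request(identifier: int, request_authenticator: bytes,
                          username: bytes, password: bytes, secret: bytes) -> bytes:
    """Constructed Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(password, secret, request_authenticator)
    attrs = bytes([1, 2 + len(username)]) + username   # User-Name: sent in the clear
    attrs += bytes([2, 2 + len(hidden)]) + hidden      # User-Password: the only hidden field
    length = 20 + len(attrs)
    return bytes([1, identifier]) + length.to_bytes(2, "big") + request_authenticator + attrs

# ---- TACACS+ (RFC 8907 s4.5): the whole body after the header is obfuscated ----

TACACS_HEADER_LEN = 12

def tacacs_plus_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(... | MD5_{n-1})."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_plus_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice restores the plaintext."""
    pad = tacacs_plus_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def tacacs_plus_authen_start(session_id: int, key: bytes, username: bytes, password: bytes,
                             port: bytes = b"vty0", rem_addr: bytes = b"192.0.2.10") -> bytes:
    """Constructed authentication START packet (PAP login); header in clear, body obfuscated."""
    version, seq_no = 0xC0, 1            # major version 12, minor 0; first packet of the session
    body = (bytes([1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password)])  # LOGIN, priv 1, PAP, LOGIN
            + username + port + rem_addr + password)
    header = (bytes([version, 1, seq_no, 0])          # version, type=authentication, seq_no, flags
              + session_id.to_bytes(4, "big") + len(body).to_bytes(4, "big"))
    return header + tacacs_plus_obfuscate(body, session_id, key, version, seq_no)

def tacacs_plus_decode_body(packet: bytes, key: bytes) -> bytes:
    """Recover the plaintext body using only the clear-text header fields plus the shared key."""
    version, seq_no = packet[0], packet[2]
    session_id = int.from_bytes(packet[4:8], "big")
    length = int.from_bytes(packet[8:12], "big")
    body = packet[TACACS_HEADER_LEN:TACACS_HEADER_LEN + length]
    return tacacs_plus_obfuscate(body, session_id, key, version, seq_no)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    ra = bytes(range(16))                          # constructed Request Authenticator (should be random)
    r = radius_access_request(7, ra, b"alice", b"S3cret!", secret)
    t = tacacs_plus_authen_start(0x1234ABCD, secret, b"alice", b"S3cret!")
    print("RADIUS: username visible on the wire?  ", b"alice" in r)
    print("TACACS+: username visible on the wire? ", b"alice" in t[TACACS_HEADER_LEN:])
```

Both schemes key their MD5 pad from the shared secret, so the secret, not the transport, is what protects credentials; the difference Table 11 points at is how much of each packet the pad covers. For TACACS+ the session ID and sequence number in the clear header are exactly the inputs that make each body's pad unique, which is why reusing them across sessions is a configuration mistake worth checking for.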

Basic HWTACACS message exchange process

The following example describes how HWTACACS performs user authentication, authorization, and accounting for a Telnet user.
