3Com Switch 7750 Configuration Guide
Overview 491
Figure 127 depicts the structure of attribute 26. The Vendor-ID field, which identifies the
vendor, occupies four bytes: the first byte is always 0, and the remaining three bytes hold
the vendor's enterprise code as assigned in RFC 1700. Within this attribute the vendor can
encapsulate multiple customized sub-attributes (each consisting of a Type, a Length and a
Value) to extend the RADIUS implementation.
Figure 127 Part of the RADIUS packet containing extended attribute
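The following Python is an added example, not code from the 3Com guide. It encodes and decodes attribute 26 exactly as laid out in Figure 127: a 4-byte Vendor-ID whose high byte is 0, followed by sub-attributes that each carry a Type, a Length and a Value. The vendor ID 43 (3Com's IANA enterprise number) and the sub-attribute types 1 and 2 are illustrative assumptions, not the switch's real vendor dictionary. The decoder checks every length field before using it as an offset, which is the part that matters when a switch or RADIUS server parses attributes received from the network.

```python
"""
Encoder/decoder for RADIUS attribute 26 (Vendor-Specific), RFC 2865 section
5.26, following the layout in Figure 127:

  Type=26 | Length | Vendor-ID (4 bytes: 0x00 + 3-byte enterprise code)
          | Vendor-Type | Vendor-Length | Value   (sub-attribute, repeated)

Added example, not code from the 3Com guide.  Vendor ID 43 and the sub-attribute
types used in the sample are illustrative assumptions.
"""
import struct

VENDOR_SPECIFIC = 26
SAMPLE_VENDOR_ID = 43       # assumption: 3Com's IANA enterprise number, used only as an example


def encode_vsa(vendor_id: int, sub_attrs) -> bytes:
    """Build one attribute 26 carrying several (vendor_type, value) sub-attributes."""
    if not 0 <= vendor_id <= 0xFFFFFF:
        raise ValueError("Vendor-ID must fit in three bytes; the high byte is always 0")
    body = struct.pack("!I", vendor_id)          # first byte is 0, RFC 1700 code follows
    for vtype, value in sub_attrs:
        vlen = 2 + len(value)                    # sub-attribute length covers its own header
        if not 0 <= vtype <= 255 or vlen > 255:
            raise ValueError("sub-attribute type or length out of range")
        body += struct.pack("!BB", vtype, vlen) + value
    length = 2 + len(body)                       # attribute length covers Type and Length
    if length > 255:
        raise ValueError("attribute 26 would exceed 255 octets")
    return struct.pack("!BB", VENDOR_SPECIFIC, length) + body


def decode_vsa(attr: bytes):
    """Parse one attribute 26 into (vendor_id, [(vendor_type, value), ...]).

    Every length field is checked before it is used as an offset, so a truncated
    or malformed attribute raises ValueError instead of being read past its end.
    """
    if len(attr) < 6:
        raise ValueError("too short for attribute 26 (needs Type, Length, Vendor-ID)")
    atype, alen = attr[0], attr[1]
    if atype != VENDOR_SPECIFIC or alen != len(attr):
        raise ValueError("bad attribute type or length")
    if attr[2] != 0:
        raise ValueError("Vendor-ID high byte must be 0")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < alen:
        if alen - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > alen:
            raise ValueError("sub-attribute length runs past the attribute end")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def rejects(attr: bytes) -> bool:
    """True if decode_vsa refuses the buffer (used to exercise the validation)."""
    try:
        decode_vsa(attr)
    except ValueError:
        return True
    return False


# Constructed sample: two hypothetical sub-attributes, a 4-byte integer (type 1)
# and a string (type 2).  The switch's real sub-attribute numbers are in its own tables.
SAMPLE_SUBS = [(1, struct.pack("!I", 3)), (2, b"lab-user")]

if __name__ == "__main__":
    vsa = encode_vsa(SAMPLE_VENDOR_ID, SAMPLE_SUBS)
    print(vsa.hex())
    print(decode_vsa(vsa))
    # A sub-attribute claiming more bytes than the attribute holds is rejected.
    print(rejects(b"\x1a\x09\x00\x00\x00\x2b\x01\x05\x00"))
```

The encoder enforces the two limits that follow from the one-byte Length fields (255 octets for the whole attribute and for each sub-attribute); a vendor that needs more than that has to split the data across several attribute 26 instances rather than rely on the peer tolerating an oversized one.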
Introduction to HWTACACS
What is HWTACACS
HWTACACS is an enhanced security protocol based on TACACS (RFC 1492). Like RADIUS, it
implements AAA for different types of users (such as PPP/VPDN login users and terminal
users) by communicating with TACACS servers in client/server mode.
Compared with RADIUS, HWTACACS provides more reliable transmission and protects more of
each packet, and is therefore better suited to security control. In both protocols the
packet protection is derived from the shared key configured on the switch and the server,
so that key must be kept confidential and changed if it is exposed. Table 372 lists the
primary differences between HWTACACS and RADIUS.
In a typical HWTACACS application, a dial-up or terminal user needs to log in to the
device to perform operations. The switch, acting as the HWTACACS client, sends the
username and password to the TACACS server for authentication. After the user passes
authentication and is authorized, the user can log in to the switch and perform
operations, as shown in Figure 128.
[Figure 127 layout: Type | Length | Vendor-ID (4 bytes), followed by one or more
sub-attributes, each carrying a specified Type, a specified Length and the specified
attribute value ……]
Table 372 Comparison between HWTACACS and RADIUS

HWTACACS                                           | RADIUS
---------------------------------------------------+---------------------------------------
Adopts TCP, providing more reliable network        | Adopts UDP.
transmission.                                      |
Encrypts the entire packet except the HWTACACS     | Encrypts only the password field in
header.                                            | authentication packets.
Separates authentication from authorization; for   | Brings together authentication and
example, authentication and authorization can be   | authorization.
provided by different TACACS servers.              |
Suitable for security control.                     | Suitable for accounting.
Supports authorizing the use of configuration      | Not supported.
commands.                                          |
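The second row of Table 372 is the one that decides how much an on-path attacker sees. As an added example (not code from the 3Com guide), the Python below implements both schemes side by side: the RADIUS User-Password hiding of RFC 2865 section 5.2, which covers only that one attribute, and the TACACS+ body obfuscation of RFC 8907 section 4.5, which covers everything after the 12-byte header. TACACS+ is assumed here to be the scheme the HWTACACS row describes, since HWTACACS uses the TACACS+ packet format. The usernames, passwords, shared key, Request Authenticator and session ID are constructed values.

```python
"""
Added comparison of the two protection schemes contrasted in Table 372 (not
code from the 3Com guide).  RADIUS hides only the User-Password attribute
(RFC 2865 section 5.2); TACACS+, assumed here to be what the HWTACACS row
describes, XORs the entire body after the 12-byte header with an MD5-derived
pad (RFC 8907 section 4.5).  In both cases the pad comes from the shared key,
so that key is the only secret.  Names, key, authenticator and session ID are
constructed.
"""
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2                  # RADIUS attribute types
TAC_PLUS_AUTHEN = 1                              # TACACS+ packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to 16 octets, XOR each block with MD5(secret + previous block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator             # first block is keyed by the authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden, prev = hidden + block, block
    return hidden


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side of the same scheme; the trailing NUL padding is stripped."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear, prev = clear + _xor(block, hashlib.md5(secret + prev).digest()), block
    return clear.rstrip(b"\x00")


def radius_access_request_attrs(secret, authenticator, username, password):
    """User-Name travels in clear; only User-Password is hidden."""
    hidden = radius_hide_password(secret, authenticator, password)
    return (bytes([USER_NAME, 2 + len(username)]) + username
            + bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden)


def tacacs_pad(key, session_id, version, seq_no, length):
    """RFC 8907 s.4.5: chained MD5(session_id + key + version + seq_no [+ previous MD5])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_build_packet(key, session_id, seq_no, packet_type, body, version=0xC0):
    """12-byte header stays in clear; flags=0 means the body is obfuscated."""
    header = struct.pack("!BBBBII", version, packet_type, seq_no, 0, session_id, len(body))
    return header + _xor(body, tacacs_pad(key, session_id, version, seq_no, len(body)))


def tacacs_open_packet(key, packet):
    """Check the length field before touching the body, then remove the pad."""
    if len(packet) < 12:
        raise ValueError("short TACACS+ header")
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("length field does not match packet size")
    body = packet[12:]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:        # body sent in clear; do not accept in production
        return body
    return _xor(body, tacacs_pad(key, session_id, version, seq_no, length))


def tacacs_authen_start_pap(username, password, port=b"vty0", rem_addr=b"192.0.2.10"):
    """Authentication START body for a PAP login (RFC 8907 s.5.1); password rides in 'data'."""
    action, priv_lvl, authen_type, service = 1, 1, 2, 1     # LOGIN, priv 1, PAP, LOGIN
    return (bytes([action, priv_lvl, authen_type, service,
                   len(username), len(port), len(rem_addr), len(password)])
            + username + port + rem_addr + password)


def visible_in_clear(secret, username, password):
    """Which credentials can be read straight off the wire under each protocol."""
    authenticator = bytes(range(16))              # constructed Request Authenticator
    radius = radius_access_request_attrs(secret, authenticator, username, password)
    tacacs = tacacs_build_packet(secret, 0x1234ABCD, 1, TAC_PLUS_AUTHEN,
                                 tacacs_authen_start_pap(username, password))
    return {"radius": {"user": username in radius, "password": password in radius},
            "tacacs": {"user": username in tacacs, "password": password in tacacs}}


if __name__ == "__main__":
    print(visible_in_clear(b"k3y", b"admin", b"s3cret!"))
```

Running it shows the User-Name readable in the RADIUS attributes while nothing in the TACACS+ body is, which is the practical meaning of the table's second row. Neither scheme is an authenticated cipher: each is an XOR against an MD5 pad that anyone holding the shared key can regenerate, so the key needs the same handling as a password, and a TACACS+ packet arriving with the unencrypted flag set should be treated as a misconfiguration rather than accepted.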