3Com Switch 8800 Family Configuration Guide

236 CHAPTER 26: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
request to the RADIUS server. The RADIUS server maintains a user database that
records all user authentication and network service access information. When it
receives a user's request from the NAS, the RADIUS server performs AAA by querying
and updating the user database, and returns configuration information and
accounting data to the NAS. Here, the NAS controls the supplicant and the
corresponding connections, while the RADIUS protocol defines how configuration
and accounting information is transmitted between the NAS and the RADIUS server.
The NAS and the RADIUS server exchange information in UDP packets. During this
exchange, both sides encrypt the packets with keys before sending user
configuration information (such as passwords) so that it cannot be intercepted
or stolen.
Note: The authentication and authorization of a RADIUS scheme cannot be performed
separately.
RADIUS operation
A RADIUS server generally relies on the proxy function of devices such as an
access server to authenticate users. The process is as follows. First, the user
sends a request message (containing the client username and the encrypted
password) to the RADIUS server. Second, the user receives one of several kinds
of response messages from the RADIUS server: an ACCEPT message indicates that
the user has passed authentication, while a REJECT message indicates that the
user has failed authentication and must enter the username and password again;
otherwise access is denied.
HWTACACS Protocol
Overview
HWTACACS SPECIALITY
HWTACACS is an enhanced security protocol based on TACACS (RFC 1492). Like
RADIUS, it implements AAA for different types of users by communicating with
TACACS servers in a client/server model. HWTACACS can be used for the
authentication, authorization and accounting of PPP and VPDN access users and
login users.
Compared with RADIUS, HWTACACS provides more reliable transmission and stronger
encryption, and is therefore better suited to security control. The following
table lists the primary differences between the HWTACACS and RADIUS protocols.
Working as an HWTACACS client, the switch sends the username and password to
the TACACS server for authentication, as shown in the following figure:

Table 197 HWTACACS vs. RADIUS

HWTACACS                                                                                        | RADIUS
------------------------------------------------------------------------------------------------|--------------------------------------------------------------
Adopts TCP, providing more reliable network transmission.                                       | Adopts UDP.
Encrypts the entire packet except for the standard HWTACACS header.                             | Encrypts only the password field in authentication packets.
Separates authentication from authorization. For example, you can use RADIUS to authenticate    | Binds authentication with authorization.
but HWTACACS to authorize.                                                                      |
Suitable for security control.                                                                  | Suitable for accounting.
Supports the authorization of different users to use the configuration commands of the          | Not supported.
routing module of the switch.                                                                   |
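The encryption difference in the table (RADIUS hides only the password field; the TACACS family obfuscates the whole body after the header) is easiest to see in code. This is an added example, not code from the 3Com guide: it implements the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5, assuming HWTACACS, as a TACACS+ derivative, uses the same MD5 keystream; all secrets, authenticators and packet bodies are constructed sample values.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: only the User-Password attribute value is hidden.
    Pad to a multiple of 16 octets, then XOR each 16-octet chunk with
    MD5(secret + previous hidden chunk), seeded with the Request Authenticator.
    Every other attribute (User-Name, NAS-IP-Address, ...) travels in clear."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1..128 octets, authenticator 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += chunk
        prev = chunk  # chaining uses the hidden chunk, not the cleartext
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server computes).
    Trailing NULs are treated as the RFC padding and removed."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: XOR the entire packet body (everything after the 12-octet
    header) with an MD5 keystream; the same call reverses it.
    pad_1 = MD5(session_id|key|version|seq_no), pad_n = MD5(...|pad_{n-1})."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return _xor(body, pad)


if __name__ == "__main__":
    secret, ra = b"example-shared-secret", os.urandom(16)  # constructed values
    hidden = radius_hide_password(b"longer-than-sixteen-octets", secret, ra)
    assert radius_reveal_password(hidden, secret, ra) == b"longer-than-sixteen-octets"
    body = b"\x01\x00\x01\x00admin\x00example-pass"  # constructed authen START body
    obf = tacacs_plus_obfuscate(body, b"example-key", 0x12345678, 0xC0, 1)
    assert tacacs_plus_obfuscate(obf, b"example-key", 0x12345678, 0xC0, 1) == body
```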