3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

28 CHAPTER 4: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
The RADIUS protocol is extensible. Attribute 26 (Vendor-Specific), defined in RFC 2865, allows a vendor to define its own extended attributes inside a standard RADIUS attribute. The following figure illustrates the structure of a RADIUS packet segment that carries such an extended attribute:
Figure 6 A RADIUS packet segment containing the extended attribute
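As an added example (not code from the 3Com guide), the following Python encodes and decodes Attribute 26 in the layout the figure shows: an outer Type/Length/Vendor-ID header followed by one or more vendor-specified type/length/value sub-attributes, as RFC 2865 section 5.26 lays them out. Vendor ID 43 is the IANA enterprise number assigned to 3Com; the vendor type 1 and the value "level=3" are constructed placeholders, not attributes the Switch 8800 actually defines. The parser checks every length against the bytes actually present, which is what a NAS or server must do before trusting a VSA from the wire.

```python
import struct

VENDOR_SPECIFIC = 26    # RADIUS attribute type "Vendor-Specific" (RFC 2865, section 5.26)
RADIUS_ATTR_MAX = 255   # the outer Length field is a single octet


def build_vsa(vendor_id, subattrs):
    """Encode one Vendor-Specific attribute.

    Outer layout:  Type(1) | Length(1) | Vendor-Id(4, big-endian) | String
    The String field carries one or more vendor sub-attributes, each laid out as
    Vendor-Type(1) | Vendor-Length(1) | value, where Vendor-Length counts its own
    two header octets as well as the value.
    """
    if not 0 <= vendor_id <= 0xFFFFFFFF:
        raise ValueError("vendor id must fit in 32 bits")
    body = b""
    for vendor_type, value in subattrs:
        if not 0 <= vendor_type <= 255:
            raise ValueError("vendor type must fit in one octet")
        if len(value) + 2 > 255:
            raise ValueError("vendor sub-attribute too long for its one-octet length")
        body += struct.pack("!BB", vendor_type, len(value) + 2) + value
    length = 6 + len(body)
    if length < 7 or length > RADIUS_ATTR_MAX:
        raise ValueError("VSA must carry at least one octet and fit in 255 octets")
    return struct.pack("!BBI", VENDOR_SPECIFIC, length, vendor_id) + body


def parse_vsa(attr):
    """Decode one Vendor-Specific attribute into (vendor_id, [(vendor_type, value), ...]).

    Every length is checked against the bytes actually present, so a truncated or
    inconsistent attribute raises ValueError instead of reading past the buffer.
    """
    if len(attr) < 7:
        raise ValueError("attribute shorter than the minimum VSA")
    attr_type, length, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute (type %d)" % attr_type)
    if length != len(attr) or length < 7:
        raise ValueError("outer Length field disagrees with attribute size")
    body = attr[6:length]
    subattrs = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vendor_type, vendor_len = body[pos], body[pos + 1]
        if vendor_len < 2 or pos + vendor_len > len(body):
            raise ValueError("vendor sub-attribute length out of range")
        subattrs.append((vendor_type, body[pos + 2:pos + vendor_len]))
        pos += vendor_len
    return vendor_id, subattrs


def vsa_is_wellformed(attr):
    """True if parse_vsa accepts the attribute; handy for filtering untrusted input."""
    try:
        parse_vsa(attr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: 3Com's enterprise number (43) with a placeholder sub-attribute.
    vsa = build_vsa(43, [(1, b"level=3")])
    print(vsa.hex())
    print(parse_vsa(vsa))
    print(vsa_is_wellformed(vsa), vsa_is_wellformed(vsa[:-1]))
```

The two length fields (the outer RADIUS Length and the inner Vendor-Length) are independent, so a parser must check both; accepting either one on faith is how a malformed VSA turns into an out-of-bounds read on a NAS or server.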
Features of RADIUS
RADIUS uses UDP as its transport protocol, which suits real-time applications well. It also supports a retransmission mechanism and a backup-server mechanism, which give it good reliability. RADIUS is easy to implement and fits a multithreaded server design when the number of users is large. For these reasons, RADIUS is widely used.
Introduction to the HWTACACS Protocol
What is HWTACACS
HWTACACS is an enhanced security protocol based on TACACS (RFC 1492). Like RADIUS, it implements AAA for different types of users (such as PPP, VPDN and login users) by communicating with TACACS servers in a client/server model.
Compared with RADIUS, HWTACACS provides more reliable transport and encrypts more of each packet, and is therefore better suited to security control. Table 12 lists the primary differences between the HWTACACS and RADIUS protocols.
In a typical HWTACACS application, a dial-up or terminal user needs to log onto the security gateway to perform operations. Acting as the HWTACACS client in this case, the security gateway sends the username and password to the TACACS server for authentication. After the user is authenticated and authorized, the user can log onto the security gateway and perform operations, as shown in the following figure.
[Figure 6 layout: Type | Length | Vendor-ID | type (vendor-specified) | length (vendor-specified) | specified attribute value]
Table 12 Comparison between HWTACACS and RADIUS

HWTACACS                                                  RADIUS
--------------------------------------------------------  ------------------------------------------
Adopts TCP, providing more reliable network               Adopts UDP.
transmission.
Encrypts the entire packet except for the standard        Encrypts only the password field in
HWTACACS header.                                          authentication packets.
Separates authentication from authorization. For          Brings together authentication and
example, you can provide authentication and               authorization.
authorization on different TACACS servers.
Suitable for security control.                            Suitable for accounting.
Supports authorizing the use of configuration             Does not support command authorization.
commands.
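To make the "encrypts only the password field" row of Table 12 concrete, here is an added Python example (not from the guide) of the User-Password hiding that RFC 2865 section 5.2 specifies for RADIUS Access-Request packets, alongside a minimal packet builder and attribute walker. The shared secret, username, password and Request Authenticator in the demo are constructed sample values. It shows that the User-Name and every other attribute travel in cleartext, and that the password is only XORed with an MD5 keystream derived from the shared secret, which is the contrast the table draws with HWTACACS encrypting the whole packet body.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1   # RADIUS Code for Access-Request
USER_NAME = 1        # attribute type User-Name, sent in cleartext
USER_PASSWORD = 2    # attribute type User-Password, the only hidden field


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 octets and each 16-octet chunk
    is XORed with MD5(secret + previous_block), where previous_block is the
    Request Authenticator for the first chunk and the previous ciphertext chunk
    after that. This is obfuscation keyed only by the shared secret, not
    authenticated encryption.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        hidden += chunk
        prev = chunk
    return hidden


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password: what the RADIUS server does, and what anyone
    holding the shared secret and a captured packet can do as well."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden password must be 16..128 octets, a multiple of 16")
    plain = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(chunk, pad))
        prev = chunk
    # Strip the NUL padding; a password that itself ends in NUL cannot be distinguished.
    return plain.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_authenticator=None):
    """Build a minimal Access-Request with User-Name and User-Password.

    Header: Code(1) | Identifier(1) | Length(2) | Request Authenticator(16), then attributes.
    Only User-Password is hidden; User-Name travels in cleartext.
    """
    if request_authenticator is None:
        request_authenticator = os.urandom(16)   # must be unpredictable per request
    attrs = struct.pack("!BB", USER_NAME, 2 + len(username)) + username
    hidden = hide_password(password, secret, request_authenticator)
    attrs += struct.pack("!BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator + attrs


def attributes(packet):
    """Walk the attribute list of a RADIUS packet; returns [(type, value), ...]
    and refuses packets whose Length fields disagree with the bytes present."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field disagrees with packet size")
    out = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


if __name__ == "__main__":
    # Constructed sample values; a real NAS would draw the authenticator from os.urandom.
    secret = b"3com-shared-secret"
    ra = bytes(range(16))
    pkt = build_access_request(7, b"alice", b"correct horse battery staple", secret, ra)
    print(pkt.hex())
    for attr_type, value in attributes(pkt):
        print(attr_type, value)              # User-Name is readable as-is
    print(reveal_password(dict(attributes(pkt))[USER_PASSWORD], secret, ra))
```

Two practical consequences follow from the code. First, the keystream is MD5(secret || Request Authenticator) chained over the ciphertext, so an observer who captures one Access-Request learns the username, the NAS addresses and every other attribute outright, and can run an offline guessing attack on the shared secret against the hidden password. Second, the same secret and the same Request Authenticator always produce the same keystream, which is why the authenticator must be fresh and unpredictable for every request. Neither weakness applies to a protocol that encrypts the whole packet body, which is the reason the table recommends HWTACACS for security control and RADIUS for accounting.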