H3C S7500 Series Ethernet Switches Operation Manual

Operation Manual – AAA & RADIUS & HWTACACS & EAD
H3C S7500 Series Ethernet Switches
Chapter 1 AAA & RADIUS & HWTACACS Configuration
In the packet structure shown in Figure 1-4 (the Vendor-Specific attribute, type 26), the Vendor-ID field, which carries the vendor's code, occupies four bytes: the most significant byte is 0 and the other three bytes hold the vendor number defined in RFC 1700. After the Vendor-ID the vendor can encapsulate multiple customized sub-attributes, each with its own Type, Length and Value, to extend the RADIUS implementation.
Figure 1-4 Part of the RADIUS packet containing extended attribute
(Layout shown in the figure: the attribute header Type | Length | Vendor-ID, followed by one or more vendor sub-attributes, each laid out as Type (specified) | Length (specified) | Specified attribute value ...)
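The layout of Figure 1-4 as a builder and a length-checking parser, added here as an example that is not part of the manual. The outer fields and the sub-attribute TLVs follow RFC 2865 attribute 26; the vendor number 2011 is Huawei's enterprise number as it appears in common RADIUS dictionaries, and the sub-attribute numbers and values are made up for illustration.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type for Vendor-Specific (RFC 2865, section 5.26)


def build_vsa(vendor_id, sub_attrs):
    """Build one Vendor-Specific attribute carrying vendor sub-attributes.

    sub_attrs is a list of (sub_type, value_bytes) pairs. The outer layout is
    Type (1 byte) | Length (1 byte) | Vendor-ID (4 bytes); each sub-attribute
    that follows is Type | Length | Value with Length counting its own two
    header bytes, matching Figure 1-4.
    """
    if not 0 <= vendor_id <= 0x00FFFFFF:
        # The most significant byte of the 4-byte Vendor-ID must be 0.
        raise ValueError("Vendor-ID must fit in the low-order three bytes")
    if not sub_attrs:
        raise ValueError("a Vendor-Specific attribute needs at least one sub-attribute")
    body = b""
    for sub_type, value in sub_attrs:
        sub_len = 2 + len(value)
        if not 0 <= sub_type <= 255 or sub_len > 255:
            raise ValueError("sub-attribute type or length out of range")
        body += struct.pack("!BB", sub_type, sub_len) + value
    total = 6 + len(body)
    if total > 255:
        raise ValueError("attribute exceeds 255 bytes; use several attribute 26 instances")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, vendor_id) + body


def parse_vsa(attr):
    """Parse one attribute 26 into (vendor_id, [(sub_type, value), ...]).

    Every Length field is checked against the bytes actually present, so a
    malformed or truncated attribute raises instead of being read past its end.
    """
    if len(attr) < 7:
        raise ValueError("attribute shorter than Type/Length/Vendor-ID plus one byte")
    attr_type, attr_len, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute: type %d" % attr_type)
    if attr_len != len(attr):
        raise ValueError("attribute Length %d does not match %d bytes present" % (attr_len, len(attr)))
    if vendor_id >> 24:
        raise ValueError("Vendor-ID high-order byte is not 0")
    subs = []
    pos = 6
    while pos < attr_len:
        if attr_len - pos < 2:
            raise ValueError("truncated sub-attribute header")
        sub_type, sub_len = attr[pos], attr[pos + 1]
        if sub_len < 2 or pos + sub_len > attr_len:
            raise ValueError("sub-attribute Length %d runs past the attribute" % sub_len)
        subs.append((sub_type, attr[pos + 2:pos + sub_len]))
        pos += sub_len
    return vendor_id, subs


# Constructed sample: vendor 2011 (Huawei's enterprise number in common RADIUS
# dictionaries) with two made-up sub-attribute numbers and values.
SAMPLE_VENDOR_ID = 2011
SAMPLE_SUB_ATTRS = [(1, b"\x00\x00\x00\x03"), (29, b"user-profile-A")]

if __name__ == "__main__":
    wire = build_vsa(SAMPLE_VENDOR_ID, SAMPLE_SUB_ATTRS)
    print(wire.hex())
    print(parse_vsa(wire))
```

The parser rejects a sub-attribute whose Length runs past the outer Length and an outer Length that disagrees with the bytes received; a RADIUS client or server that skips those checks reads the next attribute's bytes as part of this one.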
1.1.4 Introduction to HWTACACS
I. What is HWTACACS
HUAWEI Terminal Access Controller Access Control System (HWTACACS) is an
enhanced security protocol based on TACACS (RFC1492). Similar to the RADIUS
protocol, it implements AAA for different types of users (such as PPP/VPDN login users
and terminal users) through communications with TACACS servers based on a
client/server model.
Compared with RADIUS, HWTACACS provides more reliable transmission and encrypts more of each packet, and is therefore better suited to security control. Table 1-3 lists the primary differences between the HWTACACS and RADIUS protocols.
Table 1-3 Comparison between HWTACACS and RADIUS

HWTACACS: Adopts TCP, providing more reliable network transmission.
RADIUS: Adopts UDP.

HWTACACS: Encrypts the entire packet except the HWTACACS header.
RADIUS: Encrypts only the password field in authentication packets.

HWTACACS: Separates authentication from authorization. For example, you can provide authentication and authorization through different TACACS servers.
RADIUS: Combines authentication and authorization.

HWTACACS: Suitable for security control.
RADIUS: Suitable for accounting.

HWTACACS: Supports authorizing the use of configuration commands.
RADIUS: Provides no such support.
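The two "encrypts" rows of Table 1-3 in working code, added here as an example that is not part of the manual: the User-Password hiding of RFC 2865 on the RADIUS side and the body obfuscation of RFC 8907 on the TACACS+ side. It assumes HWTACACS uses the standard TACACS+ pad construction (HWTACACS interoperates with TACACS+ servers); the user name, password, shared secret and session ID are constructed values. Both mechanisms are an MD5 keystream XORed over the data, which the RFCs themselves describe as obfuscation rather than encryption: "encrypts the entire packet" means every byte after the 12-byte header is covered, not that the exchange is confidential against someone who knows or guesses the shared key.

```python
import hashlib
import os
import struct

# ---------- RADIUS: only User-Password is hidden (RFC 2865, section 5.2) ----------

def radius_hide_password(password, secret, request_authenticator):
    """Hide a User-Password value. The password is zero-padded to a multiple of
    16 bytes; each chunk is XORed with MD5(secret + previous hidden chunk), the
    first chunk using the 16-byte Request Authenticator. Nothing else in the
    packet (User-Name, NAS-IP-Address, attribute headers) is covered."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def radius_unhide_password(hidden, secret, request_authenticator):
    """Inverse of radius_hide_password, as run on the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return clear.rstrip(b"\x00")  # strip the zero padding


def radius_access_request(identifier, username, password, secret, request_authenticator):
    """Minimal Access-Request: Code 1, Identifier, Length, Authenticator, then
    User-Name (type 1) in clear text and User-Password (type 2) hidden."""
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    hidden = radius_hide_password(password, secret, request_authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_authenticator + attrs

# ---------- TACACS+: whole body obfuscated, 12-byte header in clear (RFC 8907, 4.5) ----------

TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def tacacs_pad(session_id, key, version, seq_no, length):
    """Pseudo-pad: MD5(session_id, key, version, seq_no) chained with the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_packet(version, ptype, seq_no, flags, session_id, body, key):
    """The header (version, type, seq_no, flags, session_id, length) goes in clear;
    the body is XORed with the pad unless the UNENCRYPTED flag is set."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def tacacs_body(packet, key):
    """Recover the body: XOR is its own inverse, so the same pad decodes it."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return bytes(b ^ p for b, p in zip(body, tacacs_pad(session_id, key, version, seq_no, length)))


def tacacs_authen_start(username, password, port=b"vty0", rem_addr=b"10.0.0.5"):
    """Authentication START body: action LOGIN (1), priv_lvl 1, authen_type PAP (2),
    service LOGIN (1), four length bytes, then user, port, rem_addr and the PAP password."""
    body = struct.pack("!BBBBBBBB", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    return body + username + port + rem_addr + password


def credentials_visible_on_wire(username, password, secret):
    """Which credentials appear in clear in each protocol's packet (constructed sample)."""
    radius = radius_access_request(7, username, password, secret, os.urandom(16))
    tacacs = tacacs_packet(0xC0, 1, 1, 0, 0x12345678, tacacs_authen_start(username, password), secret)
    return {
        "radius_username_visible": username in radius,
        "radius_password_visible": password in radius,
        "tacacs_username_visible": username in tacacs,
        "tacacs_password_visible": password in tacacs,
    }

if __name__ == "__main__":
    print(credentials_visible_on_wire(b"operator", b"Passw0rd", b"s3cret"))
```

On a capture, the RADIUS Access-Request still shows the user name and every other attribute in clear, while the TACACS+ packet shows only the 12-byte header; in both protocols, anyone holding the shared key can reverse the XOR, so the key and the management network, not the obfuscation, are what protect the credentials.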