H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – AAA RADIUS HWTACACS
H3C S7500E Series Ethernet Switches
Chapter 1 AAA/RADIUS/HWTACACS
Configuration
1-9
Figure 1-5 Segment of a RADIUS packet containing an extended attribute
1.1.3 Introduction to HWTACACS
Huawei Terminal Access Controller Access Control System (HWTACACS) is an
enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses
the server/client model for information exchange between NAS and HWTACACS
server.
HWTACACS implements AAA mainly for such users as Point-to-Point Protocol (PPP)
users, Virtual Private Dial-up Network (VPDN) users, and terminal users. In a typical
HWTACACS application, a terminal user needs to log onto the device for operations.
Working as the HWTACACS client, the device sends the username and password to
the HWTACACS sever for authentication. After passing authentication and being
authorized, the user can log into the device to perform operations.
I. Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many common features, like implementing AAA, using
a client/server model, using shared keys for user information security and having good
flexibility and extensibility. Meanwhile, they also have differences, as listed in
Table 1-3.
Table 1-3 Primary differences between HWTACACS and RADIUS
HWTACACS RADIUS
Uses TCP, providing more reliable network
transmission
Uses UDP, providing higher
transport efficiency
Encrypts the entire packet except for the
HWTACACS header
Encrypts only the password field in
an authentication packet
Protocol packets are complicated and
authorization is independent of
authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and
authorization is combined with
authentication.
Supports authorized use of configuration
commands. For example, an authenticated
login user can be authorized to configure the
device.
Does not support authorized use of
configuration commands.