1-7
Table 1-3 Differences between HWTACACS and RADIUS
HWTACACS RADIUS
Adopts TCP, providing more reliable network
transmission.
Adopts UDP.
Encrypts the entire message except the HWTACACS
header.
Encrypts only the password field in
authentication message.
Separates authentication from authorization. For
example, you can use one TACACS server for
authentication and another TACACS server for
authorization.
Combines authentication and
authorization.
Is more suitable for security control. Is more suitable for accounting.
Supports configuration command authorization. Does not support.
In a typical HWTACACS application (as shown in
0), a terminal user needs to log into the switch to
perform some operations. As a HWTACACS client, the switch sends the username and password to the
TACACS server for authentication. After passing authentication and being authorized, the user
successfully logs into the switch to perform operations.
Figure 1-5 Network diagram for a typical HWTACACS application
Host
HWTACACS client
HWTACACS server
HWTACACS server
Basic message exchange procedure in HWTACACS
The following text takes telnet user as an example to describe how HWTACACS implements
authentication, authorization, and accounting for a user.
Figure 1-6 illustrates the basic message
exchange procedure:
To Next Page
Loading...
