754 CHAPTER 53: AAA/RADIUS/HWTACACS CONFIGURATION
■ Vendor-Type: Indicates the type of the sub-attribute.
■ Vendor-Length: Indicates the length of the sub-attribute.
■ Vendor-Data: Indicates the contents of the sub-attribute.
Figure 231 Segment of a RADIUS packet containing an extended attribute
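The sub-attribute fields listed above sit inside a RADIUS Vendor-Specific attribute (attribute type 26 in RFC 2865), laid out as Figure 231 shows: Type, Length, a 4-byte Vendor-ID, then one or more Vendor-Type/Vendor-Length/Vendor-Data triples. The following Python is an added example, not code from the 3Com manual; it builds such an attribute, parses it back with every length field checked, and pulls the sub-attributes of one vendor out of a whole attribute region. The vendor ID (43, assumed here to be 3Com's IANA enterprise number) and the sub-attribute numbers are demo assumptions, not values the manual defines.

```python
"""
Added example (not from the 3Com manual): build and parse a RADIUS
Vendor-Specific attribute (attribute type 26, RFC 2865 section 5.26) in the
layout Figure 231 shows: Type, Length, a 4-byte Vendor-ID, then one or more
sub-attributes of Vendor-Type, Vendor-Length, Vendor-Data.  The vendor ID and
sub-attribute numbers are assumptions for the demo, not values from the manual.
"""
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries vendor extensions
VENDOR_ID_DEMO = 43    # assumed: 3Com's IANA enterprise number; any vendor ID works here


def build_vsa(vendor_id, sub_attrs):
    """Encode [(vendor_type, vendor_data), ...] as one attribute-26 TLV."""
    body = b""
    for vendor_type, data in sub_attrs:
        if not 0 <= vendor_type <= 255:
            raise ValueError("Vendor-Type must fit in one byte")
        vendor_length = 2 + len(data)   # Vendor-Length includes its own 2-byte header
        if vendor_length > 255:
            raise ValueError("sub-attribute too long")
        body += struct.pack("!BB", vendor_type, vendor_length) + data
    length = 6 + len(body)              # Type + Length + Vendor-ID + sub-attributes
    if length > 255:
        raise ValueError("VSA too long for one RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, length, vendor_id) + body


def parse_vsa(attr):
    """Decode one attribute-26 TLV into (vendor_id, [(vendor_type, vendor_data), ...]).

    Every length field is checked against the bytes actually present: a
    Vendor-Length that overruns the enclosing attribute is exactly what a
    hostile or buggy server can put on the wire, and a parser that trusts it
    reads past the attribute."""
    if len(attr) < 6:
        raise ValueError("attribute shorter than the fixed VSA header")
    attr_type, length, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if length != len(attr):
        raise ValueError("Length field does not match the attribute size")
    subs, pos = [], 6
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vendor_type, vendor_length = attr[pos], attr[pos + 1]
        if vendor_length < 2 or pos + vendor_length > length:
            raise ValueError("Vendor-Length overruns the attribute")
        subs.append((vendor_type, attr[pos + 2:pos + vendor_length]))
        pos += vendor_length
    return vendor_id, subs


def is_well_formed(attr):
    """True if parse_vsa accepts the attribute, False on any length violation."""
    try:
        parse_vsa(attr)
        return True
    except ValueError:
        return False


def radius_attributes(data):
    """Walk a RADIUS attribute region, yielding (type, raw_tlv) with the same
    length discipline; raises on a Length that does not fit the region."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute Length overruns the packet")
        yield attr_type, data[pos:pos + length]
        pos += length


def vendor_sub_attributes(data, vendor_id):
    """Collect the sub-attributes of every VSA belonging to vendor_id in a region."""
    found = []
    for attr_type, raw in radius_attributes(data):
        if attr_type == VENDOR_SPECIFIC:
            vid, subs = parse_vsa(raw)
            if vid == vendor_id:
                found.extend(subs)
    return found


# Constructed sample: User-Name (type 1), one VSA with two demo sub-attributes
# (sub-type 1 = a 32-bit level, sub-type 2 = a text string), then Service-Type (6).
SAMPLE_VSA = build_vsa(VENDOR_ID_DEMO, [(1, b"\x00\x00\x00\x03"), (2, b"admin-vlan")])
SAMPLE_ATTRS = (struct.pack("!BB", 1, 7) + b"alice"
                + SAMPLE_VSA
                + struct.pack("!BBI", 6, 6, 6))

if __name__ == "__main__":
    print(parse_vsa(SAMPLE_VSA))
    print(vendor_sub_attributes(SAMPLE_ATTRS, VENDOR_ID_DEMO))
```

The check that matters in practice is the one in parse_vsa and radius_attributes: both Length and Vendor-Length are bounded by what is actually in the buffer before any slice is taken, so a corrupted or malicious attribute is rejected instead of read past.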
Introduction to HWTACACS
3Com Terminal Access Controller Access Control System (HWTACACS) is an
enhanced security protocol based on TACACS (RFC 1492). Like RADIUS, it uses a
client/server model: the NAS acts as the HWTACACS client and exchanges
information with the HWTACACS server.
HWTACACS implements AAA mainly for Point-to-Point Protocol (PPP) users,
Virtual Private Dial-up Network (VPDN) users, and terminal users. In a typical
HWTACACS application, a terminal user needs to log onto the device to perform
operations. Acting as the HWTACACS client, the device sends the username and
password to the HWTACACS server for authentication. Once the user has been
authenticated and authorized, the user can log into the device and perform
operations.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have much in common: both implement AAA, use a
client/server model, protect user information with a shared key, and are
flexible and extensible. They also differ in several ways, as listed in
Table 60.
(Figure 231 layout: Type | Length | Vendor-ID, 4 bytes spanning the first and second 32-bit words | Vendor-Type | Vendor-Length | Vendor-Data, carrying the specified attribute value ...; bit positions 0, 7, 15, 23 and 31 mark the byte boundaries.)
Table 60 Primary differences between HWTACACS and RADIUS
■ Transport
  HWTACACS: Uses TCP, providing more reliable network transmission.
  RADIUS: Uses UDP, providing higher transport efficiency.
■ Confidentiality
  HWTACACS: Encrypts the entire packet except for the HWTACACS header.
  RADIUS: Encrypts only the password field in an authentication packet.
■ Authentication and authorization
  HWTACACS: Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers.
  RADIUS: Protocol packets are simple and authorization is combined with authentication.
■ Command authorization
  HWTACACS: Supports authorized use of configuration commands. For example, an authenticated login user can be authorized to configure the device.
  RADIUS: Does not support authorized use of configuration commands.
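The confidentiality row of Table 60 is the one a practitioner most often has to reason about, so here it is in code. This is an added example, not code from the 3Com manual. RADIUS (RFC 2865) hides only the User-Password attribute, XORing it with an MD5 stream keyed by the shared secret and the Request Authenticator, while User-Name and every other attribute travel in clear. TACACS+ (RFC 8907) XORs the whole body after the 12-byte header with an MD5 stream keyed by the shared key, session ID, version and sequence number; the example assumes HWTACACS uses the same body obfuscation as TACACS+, which the manual does not state. The credentials, shared secret, Request Authenticator, session ID and the simplified START body are all constructed for the demo. Both mechanisms are MD5 keystream obfuscation rather than authenticated encryption, which is why the strength of the shared secret and the protection of the transport still matter with either protocol.

```python
"""
Added example (not from the 3Com manual): RADIUS User-Password hiding
(RFC 2865 section 5.2) beside TACACS+ body obfuscation (RFC 8907 section 4.5),
showing what stays readable on the wire in each case.  HWTACACS is assumed
here to obfuscate the body the way TACACS+ does; all inputs are constructed.
"""
import hashlib
import struct

# ---- RADIUS: only User-Password is hidden (RFC 2865 section 5.2) ----------

def radius_hide_password(secret, authenticator, password):
    """Return the User-Password value as sent on the wire (16..128 bytes)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()        # b_n = MD5(S + c_{n-1})
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return out


def radius_reveal_password(secret, authenticator, hidden):
    """Inverse of radius_hide_password (what the server does); strips NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return out.rstrip(b"\x00")


def radius_attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request_attrs(secret, authenticator, username, password):
    """Attribute list of an Access-Request: User-Name (1) in clear, User-Password (2) hidden."""
    return (radius_attr(1, username)
            + radius_attr(2, radius_hide_password(secret, authenticator, password)))


# ---- TACACS+: everything after the header is obfuscated (RFC 8907 section 4.5) ----

TACACS_HEADER_LEN = 12


def tacacs_pseudo_pad(key, session_id, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}; cut to length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(key, session_id, version, seq_no, body):
    """XOR the body with the pseudo-pad; applying it again restores the body."""
    pad = tacacs_pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_packet(key, session_id, seq_no, body):
    """12-byte clear header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    version, pkt_type, flags = 0xC0, 0x01, 0x00   # major 0xC, minor 0; AUTHEN; UNENCRYPTED flag clear
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(key, session_id, version, seq_no, body)


def compare(username=b"alice", password=b"s3cret!", secret=b"sharedkey"):
    """Constructed exchange: the same credentials through both protocols, and what
    a passive observer on the wire can read from each."""
    authenticator = bytes(range(16))          # stand-in for the random 16-byte Request Authenticator
    session_id = 0x12345678                   # stand-in for the random TACACS+ session ID
    radius = radius_access_request_attrs(secret, authenticator, username, password)
    # Constructed authentication START body (PAP): action, priv_lvl, authen_type,
    # service, then user/port/rem_addr/data lengths, then user and data (the password).
    body = (bytes([0x01, 0x00, 0x02, 0x01, len(username), 0, 0, len(password)])
            + username + password)
    tacacs = tacacs_packet(secret, session_id, 1, body)
    hidden = radius[len(username) + 4:]       # skip the User-Name TLV and the User-Password header
    return {
        "radius_username_visible": username in radius,
        "radius_password_visible": password in radius,
        "tacacs_username_visible": username in tacacs[TACACS_HEADER_LEN:],
        "tacacs_password_visible": password in tacacs[TACACS_HEADER_LEN:],
        "radius_server_recovers": radius_reveal_password(secret, authenticator, hidden) == password,
        "tacacs_server_recovers": tacacs_obfuscate(secret, session_id, 0xC0, 1,
                                                   tacacs[TACACS_HEADER_LEN:]) == body,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Running compare() shows the username readable in the RADIUS attributes but not in the TACACS+ body, while both servers recover the password with the shared secret; the TACACS+ header (session ID, sequence number, length) stays in clear by design, which is the "except for the HWTACACS header" qualification in Table 60.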