12
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, some terminal users need to log in to the NAS for operations. Working as the
HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS sever for
authentication. After passing authentication and getting authorized rights, a user logs in to the device
and performs operations. The HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model,
using shared keys for user information security, and providing flexibility and extensibility. Table 3 lists
the prima
ry differences.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS RADIUS
Uses TCP, providing more reliable network
transmission.
Uses UDP, providing higher transport efficiency.
Encrypts the entire packet except for the
HWTACACS header.
Encrypts only the user password field in an
authentication packet.
Protocol packets are complicated and authorization
is independent of authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and the authorization
process is combined with the authentication
process.
Supports authorization of configuration commands.
Commands a user can access depend on both the
user level and AAA authorization. A user can use
only commands that are at, or lower than, the user
level and authorized by the HWTACACS server.
Does not support authorization of configuration
commands. Commands a user can access solely
depend on the level of the user. A user can use all
the commands at, or lower than, the user level.
Basic HWTACACS message exchange process
The following example describes how HWTACACS performs user authentication, authorization, and
accounting for a Telnet user.
To Next Page
Loading...
Need help?
General
