Huawei Quidway S5600 Series Operation Manual page 538

Operation Manual – AAA & RADIUS & HWTACACS & EAD
Quidway S5600 Series Ethernet Switches-Release 1510
1.1.4 Introduction to HWTACACS
I. What is HWTACACS
HUAWEI Terminal Access Controller Access Control System (HWTACACS) is an
enhanced security protocol based on TACACS (RFC 1492). Similar to the RADIUS
protocol, it implements AAA for different types of users (such as PPP/VPDN login users
and terminal users) by communicating with TACACS servers in client-server
mode.
Compared with RADIUS, HWTACACS provides more reliable transmission and
encryption, and therefore is more suitable for security control. Table 1-3 lists the
primary differences between HWTACACS and RADIUS protocols.
Table 1-3 Comparison between HWTACACS and RADIUS

| HWTACACS | RADIUS |
|---|---|
| Adopts TCP, providing more reliable network transmission. | Adopts UDP. |
| Encrypts the entire packet except the HWTACACS header. | Encrypts only the password field in authentication packets. |
| Separates authentication from authorization. For example, you can provide authentication and authorization on different TACACS servers. | Brings together authentication and authorization. |
| Suitable for security control. | Suitable for accounting. |
| Supports authorization of the use of configuration commands. | Not supported. |

In a typical HWTACACS application, a dial-up or terminal user needs to log in to the
device for operations. As the client of HWTACACS in this case, the switch sends the
username and password to the TACACS server for authentication. After passing
authentication and being authorized, the user can log in to the switch to perform
operations, as shown in Figure 1-5.

Chapter 1 AAA & RADIUS & HWTACACS Configuration
Huawei Technologies Proprietary
1-8
