3Com 8800 Configuration Manual page 590

3com 8800: install guide

3Com Switch 8800 Configuration Guide
Chapter 40 AAA and RADIUS/TACACS+ Protocol Configuration

Table 40-1 TACACS+ vs. RADIUS

| TACACS+ | RADIUS |
|---|---|
| Adopts TCP, providing more reliable network transmission. | Adopts UDP. |
| Encrypts the entire packet except for the standard TACACS+ header. | Encrypts only the password field in authentication packets. |
| Separates authentication from authorization. For example, you can use RADIUS to authenticate but TACACS+ to authorize. | Binds authentication with authorization. |
| Suitable for security control. | Suitable for accounting. |
| Supports the authorization of different users to use the configuration commands of the routing module of the switch. | Not supported. |

Working as a client of TACACS+, the switch sends the username and password to the
TACACS server for authentication, as shown in the following figure:

[Figure 40-1 Network diagram for TACACS+. Labels: Terminal User, TACACS Client, TACACS Server 129.7.66.66, TACACS Server 129.7.66.67]

II. Basic message exchange procedures in TACACS+

For example, use TACACS+ to implement authentication, authorization, and
accounting for a telnet user. The basic message exchange procedures are as follows:

1. A user requests access to the switch; the TACACS client sends a
   start-authentication packet to the TACACS server upon receiving the request.
2. The TACACS server sends back an authentication response requesting the
   username; the TACACS client asks the user for the username upon receiving the
   response.
3. The TACACS client sends an authentication continuance packet carrying the
   username after receiving the username from the user.
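The three packets in the exchange above, built with the cleartext header and protected body that Table 40-1 describes. This is an added example, not code from the manual: it assumes the RFC 8907 TACACS+ packet layout and MD5-based body obfuscation, and the function names, shared key, session ID and username are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01          # packet type: authentication
VERSION = 0xC0                  # major version 0xC, minor version 0 (RFC 8907)

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907: each block hashes in the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def build_packet(seq_no, session_id, key, body):
    """12-byte cleartext header followed by the XOR-obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

def parse_packet(packet, key):
    """Return (seq_no, session_id, cleartext body); the header needs no key."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("length field does not match packet size")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return seq_no, session_id, bytes(b ^ p for b, p in zip(packet[12:], pad))

# Constructed sample values (not from the manual).
KEY, SESSION, USER = b"example-shared-key", 0x1A2B3C4D, b"alice"

def telnet_exchange():
    """The three packets from the procedure above, in order."""
    # START: action=login(1), priv_lvl=1, authen_type=ASCII(1), service=login(1),
    # then four zero length bytes (no user, port, rem_addr or data yet).
    start = bytes([1, 1, 1, 1, 0, 0, 0, 0])
    # REPLY: status GETUSER (0x04), flags 0, empty server_msg and data.
    reply = struct.pack("!BBHH", 0x04, 0, 0, 0)
    # CONTINUE: user_msg_len, data_len, flags, then the username.
    cont = struct.pack("!HHB", len(USER), 0, 0) + USER
    return [build_packet(n, SESSION, KEY, b)
            for n, b in ((1, start), (2, reply), (3, cont))]
```

Sequence number, session ID and length are readable on the wire without the key, while the username in the continuance packet is recoverable only with the shared key configured on both the switch and the server.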
