3Com 8807 Configuration Manual page 236

CHAPTER 26: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION

HWTACACS Protocol Overview
request to the RADIUS server. The RADIUS server has a user database recording all the information on user authentication and network service access. When it receives a user's request from the NAS, the RADIUS server performs AAA by querying and updating the user database and returns the configuration information and accounting data to the NAS. Here, the NAS controls the supplicant and the corresponding connections, while the RADIUS protocol regulates how configuration and accounting information is transmitted between the NAS and the RADIUS server.
The NAS and the RADIUS server exchange information in UDP packets. During the interaction, both sides use a shared key to encrypt sensitive user configuration information (such as the password) before it is sent, so that it cannot be intercepted or stolen.
The authentication and authorization of a RADIUS scheme cannot be performed separately.
RADIUS operation
The RADIUS server generally uses the proxy function of devices such as an access server to perform user authentication. The process is as follows: first, the user sends a request message (containing the client username and the encrypted password) to the RADIUS server. Second, the user receives one of several kinds of response message from the RADIUS server: an ACCEPT message indicates that the user has passed authentication, and a REJECT message indicates that the user has not passed authentication and must enter the username and password again; otherwise access is rejected.
HWTACACS speciality
HWTACACS is an enhanced security protocol based on TACACS (RFC 1492). Similar to the RADIUS protocol, it implements AAA for different types of users through communication with TACACS servers in the server/client model. HWTACACS can be used for the authentication, authorization and accounting of PPP and VPDN access users and login users.
Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and is therefore more suitable for security control. The following table lists the primary differences between the HWTACACS and RADIUS protocols:
Table 197 HWTACACS vs. RADIUS

HWTACACS | RADIUS
Adopts TCP, providing more reliable network transmission. | Adopts UDP.
Encrypts the entire packet except for the standard HWTACACS header. | Encrypts only the password field in authentication packets.
Separates authentication from authorization. For example, you can use RADIUS to authenticate but HWTACACS to authorize. | Binds authentication with authorization.
Suitable for security control. | Suitable for accounting.
Supports the authorization of different users to use the configuration commands of the routing module of the switch. | Not supported.

Working as a client of HWTACACS, the switch sends the username and password to the TACACS server for authentication, as shown in the following figure:
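The encryption row of Table 197, worked through as an added example that is not from the manual or from 3Com: the RADIUS User-Password hiding of RFC 2865, which protects only that one attribute, beside the TACACS+ body obfuscation of RFC 8907, which covers everything after the packet header. It assumes that HWTACACS uses the same body pad as TACACS+ (the page does not say so) and uses constructed sample values for the shared key and password.

```python
import hashlib
import struct

# Constructed sample values (not from the manual).
SECRET = b"example-shared-secret"   # key shared between the switch (NAS) and the server
PASSWORD = b"Passw0rd!"


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding. Only this attribute is protected:
    pad to 16-byte chunks, XOR each chunk with MD5(secret + previous
    ciphertext chunk), seeded with the 16-byte Request Authenticator."""
    assert len(authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return bytes(out)


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; the trailing NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def tacacs_body_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """TACACS+ (RFC 8907) pseudo-pad: MD5(session_id || key || version || seq_no
    [|| previous digest]) chained until it covers the whole body. The 12-byte
    header stays in the clear; everything after it is XORed with this pad.
    Assumption: HWTACACS uses this same pad; the manual does not state it."""
    hdr = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(hdr + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the whole packet body with the pad; the same call reverses it."""
    pad = tacacs_body_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))
```

Note that both schemes are keyed XOR streams derived from MD5 and a shared secret, so the key's strength and its transport over a trusted path matter more than the difference in coverage.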

This manual is also suitable for: 8810, 8814