Figure 1-5 Segment of a RADIUS packet containing an extended attribute
Introduction to HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol
based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information
exchange between NAS and HWTACACS server.
HWTACACS is mainly used to provide AAA services for terminal users. In a typical HWTACACS
application, a terminal user needs to log into the device for operations, and HWTACACS authenticates,
authorizes and keeps accounting for the user. Working as the HWTACACS client, the device sends the
username and password to the HWTACACS sever for authentication. After passing authentication and
being authorized, the user can log into the device to perform operations.
Differences Between HWTACACS and RADIUS
HWTACACS and RADIUS have many common features, like implementing AAA, using a client/server
model, using shared keys for user information security and having good flexibility and extensibility.
Meanwhile, they also have differences, as listed in
Table 1-3 Primary differences between HWTACACS and RADIUS
Uses TCP, providing more reliable network
Encrypts the entire packet except for the
Protocol packets are complicated and
authorization is independent of authentication.
Authentication and authorization can be
deployed on different HWTACACS servers.
Supports authorized use of configuration
commands. For example, an authenticated login
user can be authorized to configure the device.
Basic Message Exchange Process of HWTACACS
The following takes a Telnet user as an example to describe how HWTACACS performs user
authentication, authorization, and accounting.
process of HWTACACS.
Uses UDP, providing higher transport efficiency.
Encrypts only the user password field in an
Protocol packets are simple and authorization is
combined with authentication.
Does not support authorized use of configuration
illustrates the basic message exchange