H3C S5600 Series Operation Manual page 547

Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and
therefore is more suitable for security control.
HWTACACS and RADIUS.
Table 1-3 Differences between HWTACACS and RADIUS
Adopts TCP, providing more reliable network transmission.
Encrypts the entire message except the HWTACACS header.
Separates authentication from authorization. For example, you
can use one TACACS server for authentication and another
TACACS server for authorization.
Is more suitable for security control.
Supports configuration command authorization.
In a typical HWTACACS application (as shown in
switch to perform some operations. As a HWTACACS client, the switch sends the username and
password to the TACACS server for authentication. After passing authentication and being authorized,
the user successfully logs into the switch to perform operations.
Figure 1-6 Network diagram for a typical HWTACACS application
HWTACACS client
Host
Basic message exchange procedure in HWTACACS
The following text takes telnet user as an example to describe how HWTACACS implements
authentication, authorization, and accounting for a user.
exchange procedure:
HWTACACS
HWTACACS server
HWTACACS server
1-8
Table 1-3 lists the primary differences between
Adopts UDP.
Encrypts only the password field in
authentication message.
Combines authentication and
authorization.
Is more suitable for accounting.
Does not support.
Figure 1-6), a terminal user needs to log into the
Figure 1-7 illustrates the basic message
RADIUS