Table 32-3 Differences between HWTACACS and RADIUS
HWTACACS
Adopts TCP, providing more reliable network
transmission.
Encrypts the entire message except the HWTACACS
header.
Separates authentication from authorization. For
example, you can use one TACACS server for
authentication and another TACACS server for
authorization.
Is more suitable for security control.
Supports configuration command authorization.
In a typical HWTACACS application (as shown in
switch to perform some operations. As a HWTACACS client, the switch sends the username and
password to the TACACS server for authentication. After passing authentication and being authorized,
the user successfully logs into the switch to perform operations.
Figure 32-5 Network diagram for a typical HWTACACS application
Basic message exchange procedure in HWTACACS
The following text takes telnet user as an example to describe how HWTACACS implements
authentication, authorization, and accounting for a user.
exchange procedure:
Adopts UDP.
Encrypts only the password field in
authentication message.
Combines authentication and
authorization.
Is more suitable for accounting.
Does not support.
Figure
32-5), a terminal user needs to log into the
Figure 32-6
32-7
RADIUS
illustrates the basic message