3Com WX3000 User Manual

Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and 
is therefore more suitable for security control. Table 1-3 lists the primary differences 
between HWTACACS and RADIUS. 
Table 1-3 Differences between HWTACACS and RADIUS 

| HWTACACS | RADIUS |
|---|---|
| Adopts TCP, providing more reliable network transmission. | Adopts UDP. |
| Encrypts the entire message except the HWTACACS header. | Encrypts only the password field in authentication message. |
| Separates authentication from authorization. For example, you can use one TACACS server for authentication and another TACACS server for authorization. | Combines authentication and authorization. |
| Is more suitable for security control. | Is more suitable for accounting. |
| Supports configuration command authorization. | Does not support configuration command authorization. |
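
The encryption row of Table 1-3 can be seen on the wire. The following Python sketch is an added example, not code from the manual or the vendor. It builds a RADIUS Access-Request using the User-Password hiding of RFC 2865 and a TACACS+ PAP authentication START packet using the body obfuscation of RFC 8907, then checks which fields a packet capture would show in clear. It assumes HWTACACS protects its message body the same way TACACS+ does, which the manual does not state. All function names, the shared secret, and the credentials are constructed for illustration.

```python
import hashlib
import struct

# Assumption: HWTACACS protects its body the way TACACS+ does (RFC 8907).
# All names and sample values below are constructed for this example.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def radius_access_request(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS Access-Request (RFC 2865): only the User-Password value is hidden."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    attrs = bytes([1, 2 + len(user)]) + user        # User-Name (type 1), sent in clear
    attrs += bytes([2, 2 + len(hidden)]) + hidden   # User-Password (type 2), hidden
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator + attrs

def tacacs_crypt(body: bytes, secret: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """TACACS+ body obfuscation (RFC 8907, section 4.5); the same call reverses it."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return xor_bytes(body, pad)

def tacacs_authen_start(user: bytes, password: bytes, secret: bytes, session_id: int) -> bytes:
    """TACACS+ PAP authentication START: 12-byte clear header, obfuscated body."""
    version, seq_no = 0xC1, 1  # major version 0xC, minor version 1 (PAP)
    body = bytes([1, 1, 2, 1, len(user), 0, 0, len(password)]) + user + password
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_crypt(body, secret, session_id, version, seq_no)

SECRET = b"example-shared-secret"
USER, PASSWORD = b"alice", b"Sample-Passw0rd"
RADIUS_PKT = radius_access_request(USER, PASSWORD, SECRET, bytes(range(16)))
TACACS_PKT = tacacs_authen_start(USER, PASSWORD, SECRET, 0x1234ABCD)

def visible_on_wire(packet: bytes) -> dict:
    """Report which credential fields appear as plaintext in the packet bytes."""
    return {"user": USER in packet, "password": PASSWORD in packet}

if __name__ == "__main__":
    print("RADIUS :", visible_on_wire(RADIUS_PKT))
    print("TACACS+:", visible_on_wire(TACACS_PKT))
```

Both schemes derive their keystream from MD5 and the shared secret, so the protection in either case is only as strong as that secret.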
 
In a typical HWTACACS application (as shown in Figure 1-5), a terminal user needs to log in to the 
device to perform some operations. As an HWTACACS client, the device sends the username and 
password to the TACACS server for authentication. After passing authentication and being authorized, 
the user successfully logs in to the switching engine to perform operations. 
Figure 1-5 Network diagram for a typical HWTACACS application 
[Diagram labels: Host, HWTACACS client, two HWTACACS servers]
 
 
Basic message exchange procedure in HWTACACS 
The following text takes a Telnet user as an example to describe how HWTACACS implements 
authentication, authorization, and accounting for a user.
 illustrates the basic message 
exchange procedure: