HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up Network (VPDN) users, and terminal users. In a typical HWTACACS scenario, some terminal users log in to the NAS for operations. Working as the HWTACACS client, the NAS sends the usernames and passwords of the users to the HWTACACS sever for authentication. After passing authentication and being authorized, the users log in to the switch and performs operations, and the HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They have many features in common, such as using a client/server model, using shared keys for user information security, and providing flexibility and extensibility.
Table 3: Primary differences between HWTACACS and RADIUS
HWTACACS | RADIUS |
|---|---|
Uses TCP, providing more reliable network transmission. | Uses UDP, providing higher transport efficiency. |
Encrypts the entire packet except for the HWTACACS header. | Encrypts only the user password field in an authentication packet. |
Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers. | Protocol packets are simple and the authorization process is combined with the authentication process. |
Supports authorization of configuration commands. Which commands a user can use depends on both the user level and the AAA authorization. A user can use only commands that are at, or lower than, the user level and authorized by the HWTACACS server. | Does not support authorization of configuration commands. Which commands a user can use solely depends on the level of the user. A user can use all the commands at, or lower than, the user level. |
Basic HWTACACS message exchange process
The following example describes how HWTACACS performs user authentication, authorization, and accounting for a Telnet user.
Figure 6: Basic HWTACACS message exchange process for a Telnet user
HWTACACS operates in the following manner:
A Telnet user sends an access request to the HWTACACS client.
Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
The HWTACACS server sends back an authentication response to request the username.
Upon receiving the response, the HWTACACS client asks the user for the username.
The user enters the username.
After receiving the username from the user, the HWTACACS client sends the server a continue-authentication packet that carries the username.
The HWTACACS server sends back an authentication response, requesting the login password.
Upon receipt of the response, the HWTACACS client asks the user for the login password.
The user enters the password.
After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password.
The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
The HWTACACS client sends the user an authorization request packet to the HWTACACS server.
The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
Knowing that the user is now authorized, the HWTACACS client pushes its configuration interface to the user.
The HWTACACS client sends a start-accounting request to the HWTACACS server.
The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.
The user logs off.
The HWTACACS client sends a stop-accounting request to the HWTACACS server.
The HWTACACS server sends back a stop-accounting response, indicating that the stop-accounting request has been received.