HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP users, VPDN users, and terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations. Working as the HWTACACS client, the NAS sends the username and password of the user to the HWTACACS server for authentication. After passing authentication and getting authorized rights, the user logs in to the device and performs operations. The HWTACACS server records the operations that the user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for user information security, and providing flexibility and extensibility. Table 3 lists the primary differences.
Table 3: Primary differences between HWTACACS and RADIUS
HWTACACS | RADIUS |
|---|---|
Uses TCP, providing more reliable network transmission. | Uses UDP, providing higher transport efficiency. |
Encrypts the entire packet except for the HWTACACS header. | Encrypts only the user password field in an authentication packet. |
Protocol packets are complicated, and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers. | Protocol packets are simple, and the authorization process is combined with the authentication process. |
Supports authorization of configuration commands. The commands that a user can access depend on both the user level and AAA authorization. A user can use only commands that are at, or lower than, the user level and authorized by the HWTACACS server. | Does not support authorization of configuration commands. The commands that a user can access solely depend on the level of the user. A user can use all commands at, or lower than, the user level. |
Basic HWTACACS message exchange process
The following takes a Telnet user as an example to describe how HWTACACS performs user authentication, authorization, and accounting.
Figure 6: Basic HWTACACS message exchange process for a Telnet user
HWTACACS operates in the following manner:
A Telnet user sends an access request to the HWTACACS client.
Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
The HWTACACS server sends back an authentication response to request the username.
Upon receiving the response, the HWTACACS client asks the user for the username.
The user enters the username.
After receiving the username from the user, the HWTACACS client sends the server a continue-authentication packet that carries the username.
The HWTACACS server sends back an authentication response, requesting the login password.
Upon receipt of the response, the HWTACACS client asks the user for the login password.
The user enters the password.
After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password.
The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
The HWTACACS client sends the user authorization request packet to the HWTACACS server.
The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
Detecting that the user is now authorized, the HWTACACS client pushes its CLI to the user.
The HWTACACS client sends a start-accounting request to the HWTACACS server.
The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.
The user logs off.
The HWTACACS client sends a stop-accounting request to the HWTACACS server.
The HWTACACS server sends back a stop-accounting response, indicating that the stop-accounting request has been received.