HWTACACS is an information exchange protocol that uses the client/server model to provide centralized validation of users who attempt to access the switch. It uses the Transmission Control Protocol (TCP) on port 49 to transmit data. HWTACACS provides independent authentication, authorization, and accounting for users who access the Internet through Point-to-Point Protocol (PPP) or a Virtual Private Dial-up Network (VPDN), and for administrators. As an enhancement to TACACS (RFC 1492), it allows the authentication, authorization, and accounting functions to be implemented on different servers. HWTACACS is compatible with Cisco's TACACS+: Huawei switches can function as HWTACACS clients and interwork with TACACS+ servers to implement AAA, so a switch running HWTACACS can communicate with a Cisco server such as ACS. However, HWTACACS may not be compatible with Cisco proprietary attributes, because different vendors define different fields and meanings for their proprietary attributes.
Compared with RADIUS, HWTACACS offers more reliable transmission, stronger encryption of the packet, and better suitability for security control. Table 1 lists the differences between HWTACACS and RADIUS.
| Item | HWTACACS | RADIUS |
|---|---|---|
| Data transmission | Uses TCP, which is more reliable. | Uses UDP, which is more efficient. |
| Encryption | Encrypts the entire body of the packet except the standard HWTACACS header. | Encrypts only the password in the packet. |
| Authentication and authorization | Separates authentication from authorization so that they can be implemented on different security servers. | Combines authentication and authorization. |
| Command line authorization | Supported. The commands that a user can use are restricted by both the command level and AAA. When a user enters a command, it is executed only after being authorized by the HWTACACS server. | Not supported. The commands that a user can use depend on their user level: a user can only use commands at or below that level. |
| Application | Security control. | Accounting. |
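The "Encryption" row is easiest to see on the wire. The following added example (not from the Huawei documentation) implements the TACACS+ body obfuscation of RFC 8907, which HWTACACS is stated above to be compatible with, next to the RADIUS User-Password hiding of RFC 2865: the whole TACACS+ body after the 12-byte cleartext header is XORed with an MD5 keystream derived from the shared key, whereas in RADIUS only the User-Password attribute is hidden and every other attribute travels in cleartext. All keys, session IDs and bodies below are constructed sample values.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907): version, type, seq_no, flags, session_id, length; never obfuscated
TACACS_HEADER = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain seeded by session_id, shared key, version and seq_no; pad is as long as the body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()   # each block hashes the previous digest in
        pad += prev
    return pad[:length]


def tacacs_packet(session_id: int, seq_no: int, key: bytes, body: bytes, ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Build one TACACS+ packet: cleartext header followed by the entire body XORed with the pad."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    header = TACACS_HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body; XOR is symmetric, so the same pad de-obfuscates."""
    version, _ptype, seq_no, _flags, session_id, length = TACACS_HEADER.unpack_from(packet)
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(packet[TACACS_HEADER.size:], pad))


def radius_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: only this one attribute is hidden; c(i) = p(i) XOR MD5(secret + c(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator                    # first block chains from the Request Authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def radius_user_password_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_user_password; assumes the password itself has no trailing NUL bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        chunk = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk                                   # next block chains from the ciphertext block
    return out.rstrip(b"\x00")
```

Both schemes are MD5 keystreams keyed by the shared secret rather than authenticated encryption, which is why RFC 8907 calls the TACACS+ mechanism "obfuscation" and recommends running the protocol only over trusted management networks.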