HWTACACS is an enhancement of TACACS+, an access control protocol. Similar to RADIUS, HWTACACS communicates with a TACACS server using the server/client model to implement AAA functions for various users, such as PPP users and login users.
HWTACACS transmits traffic over TCP connections. A shared key, which is not transmitted over a network, is used for authentication between clients and the HWTACACS server. In addition, the packet body is encrypted based on the shared key so that packets can be securely transmitted.
A shared key configured on a device is stored using an enhanced encryption algorithm by default.
There are a few known attacks on TACACS+:
Run the hwtacacs-server shared-key cipher key-string command to configure a shared key for each HWTACACS group. The shared key is used to encrypt passwords transmitted over HWTACACS using MD5, increasing transmission security. The cipher keyword is used when the shared key is configured. When the shared key is queried, the encrypted key is displayed, increasing key security.
The MD5-based encryption algorithm used for HWTACACS authentication poses security risks.
Run the hwtacacs-server shared-key cipher key-string command to configure a shared key used to encrypt passwords in HWTACACS packets.
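The MD5-based body encryption described above is worth seeing in code, because it shows exactly what the shared key protects. The following is an added illustration, not Huawei code: it assumes HWTACACS obfuscates the packet body the same way TACACS+ does (RFC 8907 section 4.5), XORing the body with a keystream built from chained MD5 digests over the session ID, the shared key, the version byte and the sequence number. The session ID, key and body bytes are constructed sample values. It also parses the 12-byte header and reports whether the peer set the "unencrypted" flag, which is the condition a defender wants to alert on, since it means no shared key is in use and the body travels in cleartext.

```python
"""TACACS+/HWTACACS body obfuscation, RFC 8907 style (added example, not Huawei code)."""
import hashlib
import struct

# Constructed sample values; not taken from any real device or capture.
SAMPLE_KEY = b"constructed-shared-key"
SAMPLE_SESSION_ID = 0x1A2B3C4D
TACACS_VERSION = 0xC0             # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag bit: body is sent in cleartext


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream for the body: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); digests are concatenated
    and truncated to the body length. Only the shared key is secret; everything else
    is visible in the packet header, which is why key strength matters."""
    seed = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad = bytearray()
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad.extend(prev)
    return bytes(pad[:length])


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body; XOR with the same pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def encode(body: bytes, key: bytes, seq_no: int = 1) -> bytes:
    """Body as it would appear on the wire for the sample session."""
    return xor_body(body, SAMPLE_SESSION_ID, key, TACACS_VERSION, seq_no)


def decode(wire: bytes, key: bytes, seq_no: int = 1) -> bytes:
    """Recover a body from the wire; a wrong key yields an unrelated byte string."""
    return xor_body(wire, SAMPLE_SESSION_ID, key, TACACS_VERSION, seq_no)


def build_header(packet_type: int, seq_no: int, flags: int, session_id: int, body_len: int) -> bytes:
    """12-byte header: version, type, seq_no, flags, session_id, length (network order)."""
    return struct.pack("!BBBBII", TACACS_VERSION, packet_type, seq_no, flags, session_id, body_len)


def parse_header(hdr: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", hdr[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def body_is_cleartext(hdr: bytes) -> bool:
    """True when TAC_PLUS_UNENCRYPTED_FLAG is set, i.e. the peer is not using a shared
    key at all. A monitoring rule on port 49 traffic can alert on this condition."""
    return bool(parse_header(hdr)["flags"] & TAC_PLUS_UNENCRYPTED_FLAG)


if __name__ == "__main__":
    body = b"constructed authentication body"
    wire = encode(body, SAMPLE_KEY)
    hdr = build_header(TAC_PLUS_AUTHEN, 1, 0, SAMPLE_SESSION_ID, len(body))
    print("cleartext flag set:", body_is_cleartext(hdr))
    print("recovered with right key:", decode(wire, SAMPLE_KEY))
    print("recovered with wrong key:", decode(wire, b"wrong-key"))
```

The keystream depends only on header fields plus the shared key and is produced by MD5, so the confidentiality of every body on the link rests entirely on the secrecy and unpredictability of that key; this is the concrete reason behind the statement that the MD5-based scheme carries risk, and why the cipher keyword and a strong, non-default key on every HWTACACS group matter.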