The HWTACACS client component provides the following services:
HWTACACS authentication has the following types:
HWTACACS Authentication for Administrators
When an AAA message is received for administrator authentication, the HWTACACS client interacts with the HWTACACS server and exchanges a set of messages: a single START message followed by a REPLY, and then a pair of CONTINUE and REPLY messages. Authentication of an administrator is based on the status field of the REPLY message received from the server.
HWTACACS Authentication for PPP Users
When an AAA message is received for PPP user authentication, the HWTACACS client interacts with the HWTACACS server and exchanges a single START message and a single REPLY message. Authentication of a PPP user is based on the status field of the REPLY message received from the server.
HWTACACS authorization has the following types:
HWTACACS Authorization for Administrator and PPP Users
When an AAA message is received for authorization, the HWTACACS client interacts with the HWTACACS server and exchanges a single REQUEST message and a single RESPONSE message. The user action is authorized based on the status field of the RESPONSE message received from the server.
Command Authorization for Administrators
A set of commands to accept or reject for the administrator user is configured on the server. When an administrator enters one of these commands, the HWTACACS server checks the command against the configured list and accepts or rejects it accordingly.
If authentication and authorization are successful, the AAA module forwards the accounting start request to the HWTACACS client module, which sends the accounting start request to the server. The HWTACACS client module processes the server response and forwards the accounting success/failure response to the AAA module. Similarly, when a user logs out, the AAA module sends the accounting stop packet to the HWTACACS client module.
The HWTACACS client and server record all commands that are executed by users, and the command records are saved on the HWTACACS server.
HWTACACS clients work with a group of HWTACACS servers. In this mode, one primary and several secondary servers are configured. Upon receiving a user request, the client sends it to the primary server. If the primary server does not respond, one of the secondary servers in the up state handles the request; the secondary servers are selected in the configured order. After the specified time elapses, the client tries the primary server again.
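The server-group selection just described, written out as an added Python model for illustration (this is not Huawei's code). The retry interval value, the server names, and applying the same retry timer to secondary servers are assumptions:

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Server:
    """One HWTACACS server; down_since is set when it stops responding."""
    name: str
    up: bool = True
    down_since: Optional[float] = None

@dataclass
class ServerGroup:
    """Primary plus secondaries in the configured preference order.
    retry_interval: seconds after which a non-responding server is tried
    again (the page states this for the primary; applying it to
    secondaries as well is an assumption)."""
    primary: Server
    secondaries: List[Server] = field(default_factory=list)
    retry_interval: float = 300.0

    def _eligible(self, srv: Server, now: float) -> bool:
        if srv.up:
            return True
        return now - srv.down_since >= self.retry_interval

    def select(self, now: float) -> Optional[Server]:
        """Primary if up (or its retry timer has elapsed), otherwise the
        first secondary in the configured order that is in the up state."""
        if self._eligible(self.primary, now):
            return self.primary
        for srv in self.secondaries:
            if self._eligible(srv, now):
                return srv
        return None  # no server available; the AAA request cannot be served

    def mark_down(self, srv: Server, now: float) -> None:
        """Called when a request to srv times out without a response."""
        srv.up = False
        srv.down_since = now

    def mark_up(self, srv: Server) -> None:
        """Called when srv answers again."""
        srv.up = True
        srv.down_since = None

def _name(srv: Optional[Server]) -> Optional[str]:
    return srv.name if srv else None

def failover_trace(group: ServerGroup) -> List[Optional[str]]:
    """Constructed scenario: primary times out at t=0 and the first
    secondary at t=10; returns the server chosen at t=5, t=15 and t=300."""
    group.mark_down(group.primary, now=0.0)
    first = _name(group.select(5.0))
    group.mark_down(group.secondaries[0], now=10.0)
    return [first, _name(group.select(15.0)), _name(group.select(300.0))]

if __name__ == "__main__":
    g = ServerGroup(Server("primary"), [Server("sec1"), Server("sec2")])
    print(failover_trace(g))  # ['sec1', 'sec2', 'primary']
```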
Multiplexing of HWTACACS sessions allows multiple sessions with a server to run over a single TCP connection. If a user selects the option "multiplexing of HWTACACS sessions", one TCP connection is reused for new sessions. Multiplexing mode is used only if the server accepts the request for a single connection; otherwise, separate connections are opened for new requests. By default, the TCP connection established with the HWTACACS server is closed after the server responds to each AAA request.
When the mode is switched between multiplexing and non-multiplexing, ongoing sessions are not affected and continue running in the mode in which they were started; the new mode applies to new sessions. When all ongoing sessions in multiplexing mode are completed, the configured mode is checked to determine whether the multiplexed TCP connection is to be kept or terminated.
When configuring the HWTACACS accounting server, authorization server, and authentication server, you need to configure the server IP addresses and VPN instances separately. Even if the servers share the same IP address and VPN instance, the configuration has to be repeated three times.
HWTACACS supports a common HWTACACS server for all AAA operations. Users can configure the authentication, authorization, and accounting servers with the same IP address and VPN instance by using the HWTACACS common server command.