HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server.

HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and obtaining authorized rights, a user logs in to the device and performs operations. The HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the primary differences between HWTACACS and RADIUS.

Table 3: Primary differences between HWTACACS and RADIUS

| HWTACACS | RADIUS |
|---|---|
| Uses TCP, which provides reliable network transmission. | Uses UDP, which provides high transport efficiency. |
| Encrypts the entire packet except for the HWTACACS header. | Encrypts only the user password field in an authentication packet. |
| Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers. | Protocol packets are simple and the authorization process is combined with the authentication process. |
| Supports authorization of configuration commands. Access to commands depends on both the user's roles and authorization. A user can use only commands that are permitted by the user roles and authorized by the HWTACACS server. | Does not support authorization of configuration commands. Access to commands solely depends on the user's roles. For more information about user roles, see Fundamentals Configuration Guide. |

Basic HWTACACS packet exchange process

Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for a Telnet user.

Figure 6: Basic HWTACACS packet exchange process for a Telnet user

HWTACACS operates in the following workflow:

  1. A Telnet user sends an access request to the HWTACACS client.

  2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it receives the request.

  3. The HWTACACS server sends back an authentication response to request the username.

  4. Upon receiving the response, the HWTACACS client asks the user for the username.

  5. The user enters the username.

  6. After receiving the username from the user, the HWTACACS client sends the server a continue-authentication packet that includes the username.

  7. The HWTACACS server sends back an authentication response to request the login password.

  8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.

  9. The user enters the password.

  10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.

  11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.

  12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.

  13. If the authorization succeeds, the HWTACACS server sends back an authorization response, indicating that the user is now authorized.

  14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and permits the user to log in.

  15. The HWTACACS client sends a start-accounting request to the HWTACACS server.

  16. The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.

  17. The user logs off.

  18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.

  19. The HWTACACS server sends back a stop-accounting response, indicating that the stop-accounting request has been received.
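The workflow above, modelled as an added example (not code from the vendor documentation): it reproduces the message sequence only, not the HWTACACS wire format or encryption, and shows that a user who passes authentication but fails authorization never reaches the CLI or generates a start-accounting record. All class names, reply labels, and sample users are assumptions made for illustration.

```python
import hmac

# Constructed sample data: bob can authenticate but has no "login" authorization.
USERS = {"alice": "alice-pass", "bob": "bob-pass"}
AUTHZ = {"alice": {"login"}}

class AuthenticationServer:
    def __init__(self):
        self.pending = {}                      # session id -> username received so far

    def handle(self, sid, packet, data=None):
        if packet == "start-authentication":   # step 2, answered by step 3
            self.pending[sid] = None
            return "request-username"
        if packet == "continue-authentication" and sid in self.pending:
            if self.pending[sid] is None:      # step 6, answered by step 7
                self.pending[sid] = data
                return "request-password"
            user = self.pending.pop(sid)       # step 10, answered by step 11
            known = USERS.get(user, "")
            ok = user in USERS and hmac.compare_digest(known.encode(), data.encode())
            return "authentication-pass" if ok else "authentication-fail"
        return "error"

class AuthorizationServer:                     # separate server, as the page allows
    def handle(self, user, service):           # step 12, answered by step 13
        return "authorization-pass" if service in AUTHZ.get(user, ()) else "authorization-fail"

def telnet_login(sid, username, password, authn, authz, acct):
    """NAS side of steps 2-16. Returns (logged_in, trace of (packet, reply))."""
    trace = []
    steps = (("start-authentication", None, "request-username"),
             ("continue-authentication", username, "request-password"),
             ("continue-authentication", password, "authentication-pass"))
    for packet, data, expected in steps:
        reply = authn.handle(sid, packet, data)
        trace.append((packet, reply))
        if reply != expected:
            return False, trace                # stop: no authorization request is sent
    reply = authz.handle(username, "login")
    trace.append(("authorization-request", reply))
    if reply != "authorization-pass":
        return False, trace                    # authenticated but not authorized: no CLI
    acct.append(("start", username))           # steps 15-16
    trace.append(("start-accounting", "accounting-response"))
    return True, trace

def telnet_logoff(username, acct):             # steps 17-19
    acct.append(("stop", username))
    return ("stop-accounting", "stop-accounting-response")
```
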