Figure 1-5 depicts the format of attribute 26. The Vendor-ID field, used to identify a vendor, occupies four bytes, where the first byte is 0 and the other three bytes are defined in RFC 1700. Here, the vendor can encapsulate multiple customized sub-attributes (containing vendor-specific Type, Length and Value) to implement a RADIUS extension.

Figure 1-5 Vendor-specific attribute format
[Figure: bit positions 0, 7, 15, 31; fields Type, Length, Vendor-ID, Type (specified), Length (specified), Specified attribute value]

Introduction to HWTACACS

What is HWTACACS

Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to the RADIUS protocol, it implements AAA for different types of users (such as PPP, VPDN, and terminal users) by communicating with a TACACS server in client-server mode.

Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and therefore is more suitable for security control. Table 1-3 lists the primary differences between HWTACACS and RADIUS.

Table 1-3 Differences between HWTACACS and RADIUS

| HWTACACS | RADIUS |
|---|---|
| Adopts TCP, providing more reliable network transmission. | Adopts UDP. |
| Encrypts the entire message except the HWTACACS header. | Encrypts only the password field in authentication message. |
| Separates authentication from authorization. For example, you can use one TACACS server for authentication and another TACACS server for authorization. | Combines authentication and authorization. |
| Is more suitable for security control. | Is more suitable for accounting. |
| Supports configuration command authorization. | Does not support. |

In a typical HWTACACS application (as shown in Figure 1-6), a terminal user needs to log in to the switch to perform some operations. As an HWTACACS client, the switch sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user successfully logs in to the switch to perform operations.
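The attribute 26 layout described at the start of this section (Type, Length, a four-byte Vendor-ID whose first byte is 0, then vendor sub-attributes) can be parsed with explicit length checks, shown here as an added Python example that is not part of the original manual. The vendor number and sub-attribute types in the sample are constructed, and the sub-attribute Length is assumed to count its own Type and Length bytes, as RFC 2865 recommends.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type for vendor-specific data


def parse_vsa(attr: bytes):
    """Parse one attribute 26 into (vendor_id, [(sub_type, value), ...]).

    Raises ValueError on any malformed length so a bad packet is rejected
    instead of being read past its end or looping forever.
    """
    if len(attr) < 6:
        raise ValueError("too short for Type, Length and Vendor-ID")
    attr_type, attr_len = attr[0], attr[1]
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError(f"not attribute 26 (got {attr_type})")
    if attr_len != len(attr):
        raise ValueError("Length field does not match attribute size")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    if vendor_id >> 24 != 0:
        raise ValueError("first Vendor-ID byte must be 0")
    subs, pos = [], 6
    while pos < attr_len:
        if attr_len - pos < 2:
            raise ValueError("truncated sub-attribute header")
        sub_type, sub_len = attr[pos], attr[pos + 1]
        # Assumption: sub-attribute Length includes its Type and Length bytes.
        if sub_len < 2 or pos + sub_len > attr_len:
            raise ValueError("sub-attribute Length out of bounds")
        subs.append((sub_type, attr[pos + 2:pos + sub_len]))
        pos += sub_len
    return vendor_id, subs


def build_vsa(vendor_id: int, subs):
    """Encode sub-attributes into one attribute 26 (helper for the sample)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in subs)
    header = bytes([VENDOR_SPECIFIC, 6 + len(body)])
    return header + struct.pack("!I", vendor_id) + body


# Constructed sample: made-up vendor number and sub-attribute types.
SAMPLE = build_vsa(99999, [(1, b"\x00\x00\x00\x0f"), (29, b"level-3")])

if __name__ == "__main__":
    print(parse_vsa(SAMPLE))
```
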