Figure 5 Segment of a RADIUS packet containing an extended attribute

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.

HWTACACS typically provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up Network (VPDN) users, and terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations. Working as the HWTACACS client, the NAS sends the usernames and passwords of the users to the HWTACACS server for authentication. After passing authentication and being authorized, the users log in to the switch and perform operations, and the HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They have many features in common, such as using a client/server model, using shared keys for user information security, and providing flexibility and extensibility. Table 3 lists the differences.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS: Uses TCP, providing more reliable network transmission.
RADIUS: Uses UDP, providing higher transport efficiency.

HWTACACS: Encrypts the entire packet except for the HWTACACS header.
RADIUS: Encrypts only the user password field in an authentication packet.

HWTACACS: Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers.
RADIUS: Protocol packets are simple and the authorization process is combined with the authentication process.

HWTACACS: Supports authorization of configuration commands. Which commands a user can use depends on both the user level and the AAA authorization. A user can use only commands that are at, or lower than, the user level and authorized by the HWTACACS server.
RADIUS: Does not support authorization of configuration commands. Which commands a user can use solely depends on the level of the user. A user can use all the commands at, or lower than, the user level.

Basic message exchange process

The following example describes how HWTACACS performs AAA for a Telnet user.
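Before that Telnet walkthrough, here is an added Python example (not from this guide) that makes the encryption row of Table 3 concrete: RADIUS hides only the User-Password attribute with the RFC 2865 MD5 chaining, while a TACACS+ style packet obfuscates the entire body after the header with the RFC 8907 pseudo-pad. It assumes HWTACACS uses the TACACS+ body scheme; the shared secret, session ID and credentials are constructed values.

```python
"""Added example (not from the H3C guide): the two protection models of Table 3.
RADIUS hides only the User-Password attribute (RFC 2865, 5.2); TACACS+ obfuscates
the whole body after the 12-byte header (RFC 8907, 4.5), which HWTACACS is assumed
here to share. Secrets, IDs and credentials are constructed for the demo."""
import hashlib
import struct

def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    assert len(authenticator) == 16 and len(password) <= 128
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def radius_reveal_password(hidden, secret, authenticator):
    """Inverse of radius_hide_password; the chain runs over the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drops the zero padding (and any genuine trailing NULs)

def tacacs_obfuscate(body, key, session_id, version, seq_no):
    """RFC 8907 4.5: pad = chained MD5(session_id|key|version|seq_no[|prev]); body XOR pad. Self-inverse."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))

def compare_exposure(user=b"alice", pwd=b"Pa55word!", secret=b"constructed-secret"):
    """Build one RADIUS attribute list and one TACACS+ START body for the same login and report
    which fields an on-path observer can still read (True = visible in cleartext)."""
    auth = bytes(range(16))  # Request Authenticator: random per request in real RADIUS; fixed here
    hidden = radius_hide_password(pwd, secret, auth)
    # RADIUS attributes are type, length, value: User-Name (1) is cleartext, User-Password (2) is hidden.
    radius_attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    # TACACS+ authentication START (PAP): action, priv_lvl, authen_type, service, four lengths, fields.
    start = bytes([1, 0, 2, 1, len(user), 0, 0, len(pwd)]) + user + pwd
    tacacs_body = tacacs_obfuscate(start, secret, 0x1234ABCD, 0xC0, 1)
    return {
        "radius_user_visible": user in radius_attrs,
        "radius_password_visible": pwd in radius_attrs,
        "tacacs_user_visible": user in tacacs_body,
        "tacacs_password_visible": pwd in tacacs_body,
        "radius_roundtrip": radius_reveal_password(hidden, secret, auth) == pwd,
        "tacacs_roundtrip": tacacs_obfuscate(tacacs_body, secret, 0x1234ABCD, 0xC0, 1) == start,
    }
```

Note that both schemes are MD5 keyed-stream constructions, not modern authenticated encryption, which is why the transport between NAS and server should still be protected (for example by an isolated management network) whichever protocol is used.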