
Technology Introduction

Security

AAA/RADIUS/HWTACACS
AAA Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for
configuring these three security functions to implement network access control.
The network security mentioned here refers to access control and answers these
questions:
- Which users can access the network servers?
- Which services can authorized users use?
- How are accounts kept of the users' use of network resources?

Accordingly, AAA provides the following services:

I. Authentication
AAA supports the following authentication methods:
- None authentication: All users are trusted and no authentication is performed.
  Generally, this method is not recommended.
- Local authentication: User information (including username, password, and
  attributes) is configured on the device. Local authentication is fast and cheap,
  but the amount of user information that can be stored is limited by the device
  hardware.
- Remote authentication: Both the RADIUS and HWTACACS protocols are supported. In
  this approach, the device acts as the client and communicates with the RADIUS or
  HWTACACS server. With RADIUS, you can use the standard RADIUS protocol or the
  extended RADIUS protocol to complete authentication in collaboration with systems
  such as iTELLIN/CAMS.

II. Authorization
AAA supports the following authorization methods:
- Direct authorization: All users are trusted and authorized. A user gets the default
  rights of the system.
- Local authorization: Users are authorized according to the attributes configured for
  them on the device.
- HWTACACS authorization: Users are authorized by a HWTACACS server.
- RADIUS authorization: RADIUS authorization is special in that users are authorized
  only after they pass authentication; that is, authorization is bound to
  authentication. When applying a RADIUS scheme, you must specify the same scheme as
  the authentication scheme and the authorization scheme, because only then does
  RADIUS authorization work: the authorization information (the user's rights) is
  carried in the RADIUS authentication response (Access-Accept), not in a separate
  authorization exchange.

III. Accounting
AAA supports the following accounting methods:
- None accounting: The system does not keep accounts on the users.
- Local accounting: Local accounting is used to limit the number of local user
  connections and to collect statistics on the number of users; it does not provide
  statistics on user charges. Note that limiting the local user connections does not
  affect local authentication and authorization.
- Remote accounting: Accounting is performed remotely by a RADIUS server or a
  HWTACACS server.

AAA usually uses a client/server model, where the client runs on the device that
controls user access and the server stores the user information. The AAA framework
thus allows for excellent scalability and centralized user information management.
Being a management framework, AAA can be implemented through multiple protocols.
Currently, AAA is implemented based on RADIUS or HWTACACS.

Concept of ISP Domain


An Internet service provider (ISP) domain is a group of users that belong to the same
ISP. For a username in the userid@isp-name format, the isp-name following the @ sign
is the ISP domain name. The access device treats the userid part as the username for
authentication and the isp-name part as the domain name.
In a network with multiple ISPs, an access device may serve users of different ISPs.
Since users of different ISPs may have different user attributes (such as username and
password structure, service type, and rights), you must configure an ISP domain for
each of them and give each domain its own attribute set, including the AAA policies
(such as the RADIUS scheme to use).

RADIUS Overview
As described previously, AAA is a management framework and can be implemented
through multiple protocols. In practice, however, RADIUS is the one most commonly used.

I. What is RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server
protocol for exchanging user information. It protects the network against unauthorized
access and is often used in network environments that require both strong access
control and remote user access, for example to manage a large number of geographically
dispersed dial-in users that use modems.

The RADIUS service involves three components:
- Protocol: RFC 2865 and RFC 2866 define the RADIUS packet format and message transfer
  mechanism over UDP, using port 1812 for authentication and port 1813 for accounting.
- Server: The RADIUS server runs on a computer or workstation at the center of the
  network and maintains the information needed for user authentication and network
  service access.
- Client: The RADIUS client runs on the network access servers (NASs) located
  throughout the network.

In the client/server model of RADIUS, the client (a router or switch) passes user
information to the designated RADIUS server and acts on the server's response (for
example, by connecting or disconnecting users). The RADIUS server receives user
connection requests, authenticates users, and returns the required information to the
client.
In general, the RADIUS server maintains three databases, namely Users, Clients, and
Dictionary, as shown in Figure 1:
- Users: Stores user information such as username, password, applied protocols, and
  IP address.
- Clients: Stores information about RADIUS clients, such as the shared key configured
  for each client.
- Dictionary: Stores the information for interpreting RADIUS protocol attributes and
  their values.

Figure 1 Components of the RADIUS server (the Users, Clients, and Dictionary databases)

In addition, a RADIUS server can act as the client of another AAA server to provide
proxy authentication or accounting. A RADIUS server supports multiple user
authentication methods, such as PPP-based PAP and CHAP, and UNIX-based login.

II. Basic message exchange process of RADIUS

In most cases, the user authentication process of a RADIUS server involves a device
that provides the proxy function, such as the NAS. Messages exchanged between the
RADIUS client and the RADIUS server are authenticated with a shared key that is
configured on both sides and is never transmitted on the wire. The RADIUS protocol
combines the authentication and authorization processes by sending the authorization
information in the authentication response message. See Figure 2.

Figure 2 Basic message exchange process of RADIUS (host, RADIUS client, RADIUS server):
1) username and password (host to client); 2) Access-Request; 3) Access-Accept;
4) Accounting-Request (start); 5) Accounting-Response; 6) the subscriber accesses the
resources; 7) Accounting-Request (stop); 8) Accounting-Response; 9) notification of
access termination


The following is how RADIUS operates:
1) The user enters the username and password.
2) Having received the username and password, the RADIUS client sends an
   authentication request (Access-Request) to the RADIUS server.
3) The RADIUS server compares the received user information with that in the Users
   database. If the authentication succeeds, it sends back an Access-Accept message
   containing the user's rights. If the authentication fails, it returns an
   Access-Reject message.
4) The RADIUS client accepts or denies the user according to the returned
   authentication result. If it accepts the user, it sends an accounting start request
   (Accounting-Request) to the RADIUS server, with the value of Acct-Status-Type set
   to Start.
5) The RADIUS server returns a start-accounting response (Accounting-Response).
6) The subscriber accesses the network resources.
7) The RADIUS client sends a stop-accounting request (Accounting-Request) to the
   RADIUS server, with the value of Acct-Status-Type set to Stop.
8) The RADIUS server returns a stop-accounting response (Accounting-Response).
9) The subscriber stops accessing the network resources.

III. RADIUS packet structure

RADIUS resides at the application layer of the TCP/IP protocol suite. It defines how
user information is exchanged between the device and the ISP's RADIUS server.
RADIUS is carried over UDP, so it provides its own mechanisms to keep the message
exchange between the RADIUS server and the client reliable: timer management,
retransmission, and a backup (slave) server mechanism that switches to a secondary
server when the primary one does not respond. Figure 3 shows the RADIUS packet
structure.
 0               7 8             15 16                           31
+----------------+----------------+--------------------------------+
|      Code      |   Identifier   |             Length             |
+----------------+----------------+--------------------------------+
|                                                                  |
|                     Authenticator (16 bytes)                     |
|                                                                  |
+------------------------------------------------------------------+
|   Attribute ...                                                  |
+------------------------------------------------------------------+

Figure 3 RADIUS packet structure


Descriptions of fields are as follows:
1)

The Code field (1-byte long) is for indicating the type of the RADIUS packet. Table
1 gives the possible values and their meanings.

Table 1 Main values of the Code field

Code  Packet type          Description
1     Access-Request       From the client to the server. A packet of this type
                           carries user information for the server to authenticate
                           the user. It must contain the User-Name attribute and can
                           optionally contain the NAS-IP-Address, User-Password, and
                           NAS-Port attributes.
2     Access-Accept        From the server to the client. If all the attribute values
                           carried in the Access-Request are acceptable, that is, the
                           authentication succeeds, the server sends an Access-Accept
                           response.
3     Access-Reject        From the server to the client. If any attribute value
                           carried in the Access-Request is unacceptable, the server
                           rejects the user and sends an Access-Reject response.
4     Accounting-Request   From the client to the server. A packet of this type
                           carries user information for the server to start
                           accounting on the user. It contains the Acct-Status-Type
                           attribute, which indicates whether the server is requested
                           to start or to stop the accounting.
5     Accounting-Response  From the server to the client. The server sends the client
                           a packet of this type to notify it that it has received the
                           Accounting-Request and has correctly recorded the
                           accounting information.

2)

The Identifier field (1-byte long) matches request packets with response packets.
The client must change it whenever the content of the Attribute field changes or a
valid response to the previous request has been received, and must keep it unchanged
when retransmitting a request.

3)

The Length field (2-byte long) indicates the length of the entire packet, including
the Code, Identifier, Length, Authenticator, and Attribute fields. Bytes beyond the
length are considered the padding and are neglected at receipt. If the length of a
packet is less than that indicated by the Length field, the packet is dropped.

4)

The Authenticator field (16-byte long) is used to authenticate the reply from the
RADIUS server, and is also used in the password hiding algorithm. There are two
kinds of authenticators: Request and Response.

5)

The Attribute field carries the configuration details of a request or response. It is
a sequence of attributes, each represented as a triplet of Type, Length, and Value:
Type: One byte, in the range 1 to 255, indicating the type of the attribute. Commonly
used attributes for RADIUS authentication and authorization are listed in Table 2.
Length: One byte indicating the length of the attribute in bytes, including the Type,
Length, and Value fields.
Value: The value of the attribute, up to 253 bytes. Its format and content depend on
the Type and Length fields.


Table 2 RADIUS attributes

Type  Attribute type        Type   Attribute type
1     User-Name             23     Framed-IPX-Network
2     User-Password         24     State
3     CHAP-Password         25     Class
4     NAS-IP-Address        26     Vendor-Specific
5     NAS-Port              27     Session-Timeout
6     Service-Type          28     Idle-Timeout
7     Framed-Protocol       29     Termination-Action
8     Framed-IP-Address     30     Called-Station-Id
9     Framed-IP-Netmask     31     Calling-Station-Id
10    Framed-Routing        32     NAS-Identifier
11    Filter-ID             33     Proxy-State
12    Framed-MTU            34     Login-LAT-Service
13    Framed-Compression    35     Login-LAT-Node
14    Login-IP-Host         36     Login-LAT-Group
15    Login-Service         37     Framed-AppleTalk-Link
16    Login-TCP-Port        38     Framed-AppleTalk-Network
17    (unassigned)          39     Framed-AppleTalk-Zone
18    Reply-Message         40-59  (reserved for accounting)
19    Callback-Number       60     CHAP-Challenge
20    Callback-ID           61     NAS-Port-Type
21    (unassigned)          62     Port-Limit
22    Framed-Route          63     Login-LAT-Port

The RADIUS protocol is highly extensible. Attribute 26 (Vendor-Specific) allows a
vendor to define extended attributes that implement functions the standard RADIUS
protocol does not provide. Its value begins with a 4-byte Vendor-ID (the vendor's IANA
enterprise number), followed by the vendor's own attribute encoded as a type, a length,
and a value. Figure 4 illustrates a segment of a RADIUS packet containing an extended
attribute.

 0               7 8             15 16                           31
+----------------+----------------+--------------------------------+
|   Type (26)    |     Length     |           Vendor-ID            |
+----------------+----------------+------------------+-------------+
|      Vendor-ID (continued)      | Type (specified) | Length (sp.)|
+---------------------------------+------------------+-------------+
|              Specified attribute value ...                       |
+------------------------------------------------------------------+

Figure 4 Segment of a RADIUS packet containing an extended attribute
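The following is an added example, not code from the original page or from any vendor implementation: it builds and checks the RADIUS exchange of steps 1 to 3 above using the packet format of Figure 3, with the RFC 2865 User-Password hiding, the Response Authenticator that the client uses to verify the reply, and a Vendor-Specific attribute laid out as in Figure 4. The shared secret, username, NAS address, port and vendor ID are constructed sample values. It also applies the Length rules from the field descriptions (trailing bytes are padding, a packet shorter than its Length field is dropped).

```python
# Added example (not code from the original page): RADIUS Access-Request /
# Access-Accept with RFC 2865 password hiding, Response Authenticator check
# and a Vendor-Specific attribute. All secrets and addresses are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, VENDOR_SPECIFIC = 18, 26
SAMPLE_VENDOR_ID = 2011  # sample vendor ID, constructed for the example


def encode_attrs(attrs):
    """(type, value) pairs -> TLVs; Length counts the Type and Length bytes too."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return out


def decode_attrs(data):
    """Parse TLVs, rejecting lengths that would loop forever or run past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 3 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16n bytes, XOR block i with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password; the chain value is the received cipher block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_vsa(vendor_id, vendor_type, value):
    """Body of attribute 26: 4-byte Vendor-ID, then the vendor's own TLV."""
    return struct.pack("!I", vendor_id) + bytes([vendor_type, len(value) + 2]) + value


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Length rules: bytes past Length are padding, a packet shorter than Length is dropped."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field exceeds packet; dropped")
    return code, ident, data[4:20], decode_attrs(data[20:length])


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + req_auth + body + secret).digest()


def exchange(secret, username, password, user_db):
    """Steps 1-3 of Figure 2 with client and server in one process."""
    req_auth, ident = os.urandom(16), 0x2A  # Request Authenticator: fresh per request
    request = build_packet(ACCESS_REQUEST, ident, req_auth, [
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(secret, req_auth, password)),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),  # sample NAS address
        (NAS_PORT, struct.pack("!I", 3)),
        (VENDOR_SPECIFIC, encode_vsa(SAMPLE_VENDOR_ID, 1, b"sample-extension")),
    ])
    # Server side: only User-Password is hidden; User-Name arrives in cleartext.
    _, rid, rauth, attrs = parse_packet(request)
    got = dict(attrs)
    ok = reveal_password(secret, rauth, got[USER_PASSWORD]) == user_db.get(got[USER_NAME])
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    rattrs = [(REPLY_MESSAGE, b"welcome" if ok else b"denied")]
    reply = build_packet(rcode, rid, response_authenticator(rcode, rid, rattrs, rauth, secret), rattrs)
    # Client side: trust the reply only if the ID matches and the authenticator
    # proves the sender knows the shared secret (a forged Accept fails here).
    rcode2, rid2, rauth2, rattrs2 = parse_packet(reply)
    genuine = rid2 == ident and rauth2 == response_authenticator(rcode2, rid2, rattrs2, req_auth, secret)
    return {"accepted": genuine and rcode2 == ACCESS_ACCEPT, "genuine": genuine,
            "cleartext_username": got[USER_NAME], "reply": dict(rattrs2)[REPLY_MESSAGE]}


if __name__ == "__main__":
    print(exchange(b"s3cret", b"alice", b"correct horse", {b"alice": b"correct horse"}))
```

Two points the code makes concrete: the hiding is an MD5-derived XOR keyed by the shared secret and the per-request Request Authenticator, so the secret's strength and the randomness of that authenticator are all that protect the password; and every other attribute, including User-Name, is sent in the clear.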

HWTACACS Overview
I. What is HWTACACS
Huawei terminal access controller access control system (HWTACACS) is an
enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses
the client/server model to implement AAA for different types of access users,
such as Point-to-Point Protocol (PPP), Virtual Private Dial-up Network (VPDN), and
login users.
Compared with RADIUS, HWTACACS provides more reliable transmission and
encryption, and is therefore more suitable for security control. Table 3 lists the
primary differences between HWTACACS and RADIUS.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS                                        | RADIUS
Uses TCP, providing more reliable network       | Uses UDP
transmission                                    |
Encrypts the entire packet except for the       | Encrypts only the password field in an
HWTACACS header                                 | authentication packet
Separates authentication from authorization;    | Performs authentication and
authentication and authorization can be         | authorization in combination
deployed on different TACACS servers            |
Suitable for security control                   | Suitable for accounting
Supports authorization of configuration         | Does not support authorization of
commands                                        | configuration commands

Note that in both protocols the protection of the client/server exchange rests on a
static shared key configured on both sides, and RADIUS sends every attribute other
than the password (for example, User-Name) in cleartext. Run either protocol over a
dedicated management network or an encrypted tunnel rather than across untrusted
segments.

In a typical HWTACACS application, a terminal user needs to log onto the device to
perform operations. Working as the HWTACACS client, the device sends the username and
password to the HWTACACS server for authentication. After passing authentication
and being authorized, the user can log onto the device and perform operations, as
shown in Figure 5.

Figure 5 Network diagram for a typical HWTACACS application (host, HWTACACS client,
and HWTACACS servers)

II. Basic message exchange process of HWTACACS


The following takes Telnet user as an example to describe how HWTACACS performs
user authentication, authorization, and accounting. Figure 6 illustrates the basic
message exchange process of HWTACACS.

Figure 6 Basic message exchange process of HWTACACS for a Telnet user (user, HWTACACS
client, HWTACACS server): the user logs in; start-authentication packet; authentication
response requesting the username; request for username / username; authentication
continuance packet with the username; authentication response requesting the login
password; request for password / password; authentication continuance packet with the
login password; authentication response indicating successful authentication; user
authorization packet; authorization response indicating successful authorization; the
user logs in successfully; start-accounting request; accounting response indicating the
start of accounting; the user exits; stop-accounting request; stop-accounting response


1) A user requests access to the NAS. Upon receiving the request, the HWTACACS
   client sends a start-authentication packet to the HWTACACS server.
2) The HWTACACS server sends back an authentication response requesting the
   username. Upon receiving the response, the HWTACACS client asks the user for the
   username.
3) After receiving the username from the user, the HWTACACS client sends the server
   an authentication continuance packet carrying the username.
4) The HWTACACS server sends back an authentication response requesting the login
   password. Upon receiving the response, the HWTACACS client asks the user for the
   login password.
5) After receiving the login password, the HWTACACS client sends the HWTACACS
   server an authentication continuance packet carrying the login password.
6) The HWTACACS server sends back an authentication response indicating that the
   user has passed authentication.
7) The HWTACACS client sends a user authorization packet to the HWTACACS server.
8) The HWTACACS server sends back an authorization response indicating that the
   user is now authorized.
9) Knowing that the user is authorized, the HWTACACS client presents the
   configuration interface of the router or switch to the user.
10) The HWTACACS client sends a start-accounting request to the HWTACACS server.
11) The HWTACACS server sends back an accounting response indicating that it has
    received the start-accounting request.
12) When the user logs off, the HWTACACS client sends a stop-accounting request to
    the HWTACACS server.
13) The HWTACACS server sends back a stop-accounting response indicating that the
    stop-accounting request has been received.
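The following is an added example, not code from the original page or from any vendor implementation. It shows what "encrypts the entire packet except for the header" in Table 3 means on the wire for the first packet of the exchange above (the client's start-authentication packet): the 12-byte header stays readable by anyone on the path, while the body is XORed with an MD5-derived pad keyed by the shared key, the session ID, the version and the sequence number. The framing and pad construction follow TACACS+ (RFC 8907); that HWTACACS uses byte-identical framing is an assumption of this example, not something the page states. The key, session ID, user, port and remote address are constructed sample values. The last function demonstrates the practical caveat: the pad is a keystream with no integrity check, so an on-path attacker who knows one plaintext byte can change it without knowing the key.

```python
# Added example (not code from the original page): TACACS+ (RFC 8907) header,
# authentication START body and body obfuscation. HWTACACS is assumed to use
# the same scheme. All keys and identities are constructed sample values.
import hashlib
import struct

VERSION = 0xC0                  # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01          # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5(session_id + key + version + seq_no [+ previous digest]), chained."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad. Applying it twice restores the body, so the same call decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def header(seq_no, session_id, body_len, flags=0):
    """12-byte cleartext header: version, type, seq_no, flags, session_id, body length."""
    return struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, body_len)


def start_body(user, port, rem_addr, data=b""):
    """Authentication START body: 8 fixed bytes, then user, port, rem_addr, data."""
    fixed = bytes([AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def start_fields(body):
    """Decode a START body back into its fields (privilege level 1 = user level)."""
    ul, pl, rl, dl = body[4:8]
    u, p, r, d = 8, 8 + ul, 8 + ul + pl, 8 + ul + pl + rl
    return {"action": body[0], "priv_lvl": body[1], "user": body[u:p],
            "port": body[p:r], "rem_addr": body[r:d], "data": body[d:d + dl]}


def build_start(key, session_id, user, port, rem_addr):
    """The client's first packet of Figure 6: seq_no 1, body obfuscated under the key."""
    body = start_body(user, port, rem_addr)
    return header(1, session_id, len(body)) + obfuscate(body, session_id, key, VERSION, 1)


def parse(packet, key):
    """Server side. The header needs no key; the body is recovered with the shared key."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("length field does not match packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    hdr = {"version": version, "type": ptype, "seq_no": seq_no,
           "flags": flags, "session_id": session_id}
    return hdr, body


def tamper_priv_lvl(packet, known_priv_lvl, new_priv_lvl):
    """On-path change without the key: the XOR pad carries no integrity check, so
    flipping ciphertext byte 13 (priv_lvl) flips the same bits in the plaintext."""
    idx = 12 + 1
    return packet[:idx] + bytes([packet[idx] ^ known_priv_lvl ^ new_priv_lvl]) + packet[idx + 1:]


if __name__ == "__main__":
    pkt = build_start(b"k3y", 0x11223344, b"alice", b"vty0", b"10.0.0.5")
    hdr, body = parse(pkt, b"k3y")
    print(hdr, start_fields(body))
```

The header leaks the session ID and sequence number to a passive observer, the body is unreadable without the key, and the wrong key yields garbage rather than an error, which is why a server must validate the decoded body. The tampering function shows that confidentiality without integrity is not enough to protect the privilege level on an untrusted path.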
