<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hello, <div><br></div><div>Not, all the routers and switches from Huawei use HWTacacs. The Huawei documentation says this:</div><div><br></div><div><div class="gmail-idp-ltr-html-body" style="margin:40px 30px;padding:0px;box-sizing:content-box;font-size:14px;color:rgb(73,73,73);font-family:LT_regular,Arial"><div class="gmail-idp-ltr-html-nested2" id="gmail-adc_faq_aaa_0008" style="margin:0px;padding:0px;box-sizing:content-box"><div class="gmail-idp-ltr-html-topicbody" style="margin:0px;padding:0px;box-sizing:content-box"><p style="margin:0.1em 0px 0.5em;padding:0px;box-sizing:border-box;word-wrap:break-word">HWTACACS and the TACACS+ protocols of other vendors support authentication, authorization, and accounting. HWTACACS and TACACS+ are identical in authentication process and implementation mechanism. That is, they are compatible with each other at the protocol layer. For example, a device running HWTACACS can communicate with a Cisco server (such as ACS). However, HWTACACS may not be compatible with Cisco extended attributes because different vendors define different fields and meanings for extended attributes.</p></div><div style="margin:0px;padding:0px;box-sizing:content-box"></div></div></div>In some other link the protocols do look about the same.</div><div><a href="http://support.huawei.com/enterprise/en/doc/EDOC1000177218?section=j005">http://support.huawei.com/enterprise/en/doc/EDOC1000177218?section=j005</a></div><div><br></div><div>For example, tacacs+ header:</div><div><br></div><div><p id="gmail-rfc.section.3.4.p.1" style="color:rgb(0,0,0);margin-left:2em;margin-right:2em;font-family:verdana,helvetica,arial,sans-serif;font-size:13.333333015441895px">All TACACS+ packets begin with the following 12 byte header. 
The header describes the remainder of the packet: </p><pre style="color:rgb(0,0,0);margin-left:3em;background-color:lightyellow;padding:0.25em;font-size:13.333333015441895px"> 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+
|major  | minor  |                |                |                |
|version| version|      type      |     seq_no     |   flags        |
+----------------+----------------+----------------+----------------+
|                                                                   |
|                            session_id                             |
+----------------+----------------+----------------+----------------+
|                                                                   |
|                              length                               |
+----------------+----------------+----------------+----------------+</pre><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="font-size:12.8px">HWTacacs Header:</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><span class="gmail-tablecap" style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:11pt">Fields in HWTACACS packet header</span><table cellpadding="4" cellspacing="0" summary="" id="gmail-dc_fd_aaa_0020__tabled0e4217" frame="border" border="1" rules="all" style="color:rgb(0,0,0);font-family:-webkit-standard;font-size:16px;margin-top:8pt;margin-bottom:10pt"><thead align="left" style="font-size:10pt;font-family:"Book Antiqua";font-weight:bold"><tr><th class="gmail-cellrowborder" valign="top" width="50%" id="gmail-mcps1.6.6.7.4.2.4.2.3.1.1" style="background-color:rgb(207,207,207)">Field</th><th class="gmail-cellrowborder" valign="top" width="50%" id="gmail-mcps1.6.6.7.4.2.4.2.3.1.2" style="background-color:rgb(207,207,207)">Description</th></tr></thead><tbody style="font-size:11pt"><tr><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.1">major version</td><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.2">Major version of the HWTACACS protocol. The current version is 0xc.</td></tr><tr><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.1">minor version</td><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.2">Minor version of the HWTACACS protocol. 
The current version is 0x0.</td></tr><tr><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.1">type</td><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.2">HWTACACS protocol packet type, including authentication (0x01), authorization (0x02), and accounting (0x03).</td></tr><tr><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.1">seq_no</td><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.2">Packet sequence number in a session, ranging from 1 to 254.</td></tr><tr><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.1">flags</td><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.2">Encryption flag on the packet body. Only the first bit among the 8 bits is supported. The value 0 indicates to encrypt the packet body, and the value 1 indicates not to encrypt the packet body.</td></tr><tr><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.1">session_id</td><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.2">Session ID, which is the unique identifier of a session.</td></tr><tr><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.1">length</td><td class="gmail-cellrowborder" valign="top" width="50%" headers="mcps1.6.6.7.4.2.4.2.3.1.2">Length of the HWTACACS packet body, excluding the packet header.<br></td></tr></tbody></table></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Regards,</div><div style="font-size:12.8px"><br></div><div dir="ltr" 
style="font-size:12.8px"></div></div></div></div></div></div><br></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 13, 2018 at 20:31, heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Tue, Nov 13, 2018 at 04:53:55PM -0300, Saymon Araújo:<br>
> Hello,<br>
> <br>
> In the Huawei documentation they said that it's compatible, but some headers<br>
> may be different.<br>
> On my switches I can log in using tacacs+ users, but the permissions of the<br>
> users are wrong.<br>
> <br>
> Regards,<br>
<br>
I have no experience with it, but glancing through the RFC, I concluded<br>
that there seemed to be non-trivial differences that I do not expect to<br>
work with daemon. I could be wrong. Does the device not support<br>
tacacs+?<br>
<br>
> <br>
> <br>
> On Tue, Nov 13, 2018 at 16:49, heasley <<a href="mailto:heas@shrubbery.net" target="_blank">heas@shrubbery.net</a>> wrote:<br>
> <br>
> > Tue, Nov 13, 2018 at 02:42:09PM -0300, Saymon Araújo:<br>
> > > Hello,<br>
> > ><br>
> > > Can we make your implementation of tacacs+ compatible with HWTacacs ?<br>
> ><br>
> > no, sorry. only tacacs+<br>
> ><br>
</blockquote></div>
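<div>Added example, not part of the thread and not code from tac_plus or Huawei: a parser for the 12-byte header quoted above that reports where a packet's header falls outside the values in the HWTACACS field table, which is one way to compare the two protocols on captured traffic. The sample packets are constructed, and reading the table's "first bit" as the low-order bit 0x01 is an assumption.</div>

```python
import struct

HEADER_LEN = 12
TYPES = {0x01: "authentication", 0x02: "authorization", 0x03: "accounting"}
UNENCRYPTED = 0x01  # assumption: the table's "first bit" is the low-order bit


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header; multi-byte fields are in network byte order."""
    if len(packet) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} header bytes, got {len(packet)}")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    return {"major": version >> 4, "minor": version & 0x0F, "type": ptype,
            "seq_no": seq_no, "flags": flags, "session_id": session_id,
            "length": length}


def deviations(packet: bytes) -> list:
    """Return the header fields that fall outside the HWTACACS field table."""
    h = parse_header(packet)
    body_len = len(packet) - HEADER_LEN
    notes = []
    if h["major"] != 0xC:
        notes.append(f"major version 0x{h['major']:x} (table: 0xc)")
    if h["minor"] != 0x0:
        notes.append(f"minor version 0x{h['minor']:x} (table: 0x0)")
    if h["type"] not in TYPES:
        notes.append(f"type 0x{h['type']:02x} is not 0x01, 0x02 or 0x03")
    if not 1 <= h["seq_no"] <= 254:
        notes.append(f"seq_no {h['seq_no']} is outside 1 to 254")
    if h["flags"] & ~UNENCRYPTED & 0xFF:
        notes.append(f"flags 0x{h['flags']:02x} sets bits other than 0x01")
    if h["length"] != body_len:
        notes.append(f"length {h['length']} but {body_len} body bytes present")
    return notes


# Constructed sample packets (not captured traffic); bodies are zero padding.
SAMPLE_OK = bytes.fromhex("c0010100" "12345678" "00000010") + bytes(16)
# Minor version 1 and flag 0x04 (single-connect) are valid TACACS+ values.
SAMPLE_ODD = bytes.fromhex("c102ff04" "0000beef" "00000008") + bytes(4)

if __name__ == "__main__":
    for name, pkt in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_ODD", SAMPLE_ODD)):
        print(name, parse_header(pkt), deviations(pkt) or "matches the table")
```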