[tac_plus] HWTACACS Compatible - Question

Saymon Araújo saymon at online.net.br
Wed Nov 14 00:59:53 UTC 2018


Hello,

No, all the routers and switches from Huawei use HWTacacs. The Huawei
documentation says this:

HWTACACS and the TACACS+ protocols of other vendors support authentication,
authorization, and accounting. HWTACACS and TACACS+ are identical in
authentication process and implementation mechanism. That is, they are
compatible with each other at the protocol layer. For example, a device
running HWTACACS can communicate with a Cisco server (such as ACS).
However, HWTACACS may not be compatible with Cisco extended attributes
because different vendors define different fields and meanings for extended
attributes.
In some other link the protocols do look about the same.
http://support.huawei.com/enterprise/en/doc/EDOC1000177218?section=j005

For example, tacacs+ header:

All TACACS+ packets begin with the following 12 byte header. The header
describes the remainder of the packet:

 1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8  1 2 3 4 5 6 7 8
+----------------+----------------+----------------+----------------+
|major  | minor  |                |                |                |
|version| version|      type      |     seq_no     |   flags        |
+----------------+----------------+----------------+----------------+
|                                                                   |
|                            session_id                             |
+----------------+----------------+----------------+----------------+
|                                                                   |
|                              length                               |
+----------------+----------------+----------------+----------------+

HWTacacs Header:

Fields in HWTACACS packet header

Field          Description
-------------  -----------
major version  Major version of the HWTACACS protocol. The current version is 0xc.
minor version  Minor version of the HWTACACS protocol. The current version is 0x0.
type           HWTACACS protocol packet type, including authentication (0x01), authorization (0x02), and accounting (0x03).
seq_no         Packet sequence number in a session, ranging from 1 to 254.
flags          Encryption flag on the packet body. Only the first bit among the 8 bits is supported. The value 0 indicates to encrypt the packet body, and the value 1 indicates not to encrypt the packet body.
session_id     Session ID, which is the unique identifier of a session.
length         Length of the HWTACACS packet body, excluding the packet header.

Regards,



On Tue, Nov 13, 2018 at 20:31, heasley <heas at shrubbery.net> wrote:

> Tue, Nov 13, 2018 at 04:53:55PM -0300, Saymon Araújo:
> > Hello,
> >
> > On the Huawei documentation they said that it's compatible, but some headers
> > may be different.
> > On my switches I can log in using tacacs+ users, but the permissions of the
> > users are wrong.
> >
> > Regards,
>
> I have no experience with it, but glancing through the RFC, I concluded
> that there seemed to be non-trivial differences that I do not expect to
> work with daemon.  I could be wrong.  Does the device not support
> tacacs+?
>
> >
> >
> > On Tue, Nov 13, 2018 at 16:49, heasley <heas at shrubbery.net> wrote:
> >
> > > Tue, Nov 13, 2018 at 02:42:09PM -0300, Saymon Araújo:
> > > > Hello,
> > > >
> > > > Can we make your implementation of tacacs+ compatible with HWTacacs ?
> > >
> > > no, sorry.  only tacacs+
> > >
>
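
Added example (not part of the original message, and not tac_plus or Huawei code): a Python parser for the 12-byte header shown above that checks each field against the HWTACACS field table quoted in the message. The sample packets are constructed, and reading the "first bit" of flags as the low-order bit 0x01 is an assumption taken from TACACS+.

```python
import struct

HEADER_LEN = 12  # both headers quoted in the message are 12 bytes long
TYPES = {0x01: "authentication", 0x02: "authorization", 0x03: "accounting"}
UNENCRYPTED_FLAG = 0x01  # assumption: "first bit" is the low-order bit, as in TACACS+


def parse_header(packet: bytes) -> dict:
    """Decode the header of a full packet and list deviations from the field table."""
    if len(packet) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} header bytes, got {len(packet)}")
    # Network byte order: four single-byte fields, then two 32-bit fields.
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    body_len = len(packet) - HEADER_LEN
    problems = []
    if major != 0xC:
        problems.append(f"major version {major:#x}, expected 0xc")
    if ptype not in TYPES:
        problems.append(f"unknown packet type {ptype:#04x}")
    if not 1 <= seq_no <= 254:
        problems.append(f"seq_no {seq_no} outside 1..254")
    if flags & 0xFE:
        problems.append(f"unsupported flag bits set in {flags:#04x}")
    if length != body_len:
        problems.append(f"length field says {length}, body has {body_len} bytes")
    return {
        "major": major, "minor": minor,
        "type": TYPES.get(ptype, "unknown"),
        "seq_no": seq_no,
        # Flag value 1 means the body was sent without encryption.
        "body_cleartext": bool(flags & UNENCRYPTED_FLAG),
        "session_id": session_id, "length": length,
        "problems": problems,
    }


# Constructed sample packets (not captured traffic).
SAMPLE_OK = struct.pack("!BBBBII", 0xC0, 0x01, 1, 0x00, 0x12345678, 4) + b"\x00" * 4
SAMPLE_BAD = struct.pack("!BBBBII", 0xC0, 0x02, 255, 0x01, 0x9ABCDEF0, 10) + b"\x00" * 6

if __name__ == "__main__":
    for name, pkt in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, parse_header(pkt))
```

A header that parses cleanly here only confirms the framing matches; it says nothing about the authorization attributes in the body.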