
Friday, September 10, 2021

RADIUS, LDAP, HWTACACS, TACACS+ which one do I choose?

As one of the most important parts of an authentication network, the authentication server is responsible for verifying users' login information, usually a username and password combination. It can be said that the authentication server is the most important barrier keeping unauthorized users out. In this article, the most widely used authentication server protocols, RADIUS, LDAP, HWTACACS, and TACACS+, will be discussed.


Figure 1: Authentication protocol selection

RADIUS

RADIUS is a standard protocol that uses UDP 1812 for authentication and authorization, and UDP 1813 for accounting. As the most widely used authentication protocol, RADIUS's greatest advantage is its standardization. RADIUS is standardized in RFC 2865, just as OSPF is standardized in its own RFC; the RFC binds vendors to a unified communication mechanism when implementing the protocol, so RADIUS can be used between devices from different vendors. In other words, users can choose among vendors rather than being locked in to a specific one.

RADIUS uses a TLV (type-length-value) packet structure to carry information. For example, RADIUS uses the User-Name attribute, whose value is 1 to 253 bytes long, to deliver the login user's account. Because of this TLV structure, RADIUS provides a flexible packet encapsulation that allows vendors to extend the protocol themselves. For example, Huawei extends the standard RADIUS Vendor-Specific attribute to deliver additional proprietary information, such as HW-Policy-Route, which specifies the next-hop address for policy-based routing.


Figure 2: The RADIUS attributes

As introduced above, RADIUS uses UDP 1812 for both authentication and authorization. In other words, RADIUS cannot implement authentication and authorization on different servers, which is completely different from HWTACACS and TACACS+.

Despite these advantages, RADIUS's greatest disadvantage is that only the password field in its packets is encrypted, which can lead to leakage of the user's other information.
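To make the TLV structure and the password-only protection concrete, here is an added Python example (not code from the original post or from Huawei) that builds the attribute section of an Access-Request with a User-Name, a User-Password hidden as RFC 2865 specifies, and a Vendor-Specific attribute, then parses the TLVs back. The shared secret, request authenticator, user values and vendor type 99 are constructed; 2011 is Huawei's IANA enterprise number.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26  # RFC 2865 attribute types
SHARED_SECRET, REQUEST_AUTHENTICATOR = b"example-secret", bytes(range(16))  # constructed; real authenticators are random

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS TLV: 1-byte type, 1-byte length (header included), value of 1..253 bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte vendor ID followed by a nested vendor TLV."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of hide_password: anyone holding the shared secret recovers the password.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_attributes(blob: bytes) -> list:
    """Walk the TLV list; Vendor-Specific values decode to (vendor_id, vendor_type, value)."""
    attrs, pos = [], 0
    while pos < len(blob):
        atype, alen = struct.unpack_from("!BB", blob, pos)
        if alen < 3 or pos + alen > len(blob):
            raise ValueError(f"malformed attribute at offset {pos}")
        value = blob[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            vendor_id, vtype, vlen = struct.unpack_from("!IBB", value)
            value = (vendor_id, vtype, value[6:4 + vlen])
        attrs.append((atype, value))
        pos += alen
    return attrs

def build_access_request_attrs() -> bytes:
    """Attribute section of an Access-Request: plaintext User-Name, hidden User-Password, one VSA."""
    return (attr(USER_NAME, b"alice")
            + attr(USER_PASSWORD, hide_password(b"s3cret!", SHARED_SECRET, REQUEST_AUTHENTICATOR))
            + vsa(2011, 99, b"10.0.0.1"))  # 2011 is Huawei's IANA enterprise number; type 99 is a placeholder
```

Parsing the result shows User-Name and the VSA payload readable by anyone who captures the packet, while User-Password can be recovered only with the shared secret; that is the leakage the text above warns about.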

LDAP

Before discussing LDAP authentication, we will first introduce LDAP itself.

LDAP, short for Lightweight Directory Access Protocol, is an open, standard, cross-platform application protocol used to maintain distributed directory information services. It is transmitted over HTTPS. The LDAP server that stores the data is quite different from a traditional database: instead of tables, the LDAP server stores data in a tree structure, similar to a MIB and its OIDs. Put simply, the DN (distinguished name) marks the entry point of a query. Once the DN is specified, the LDAP server searches the LDAP database by OU (organizational unit) to retrieve the requested data.


Figure 3: LDAP directory tree structure

With this kind of store, data queries can be much faster than with other databases. On the other hand, data insertion is not a strength of the LDAP server; in practice, though, insertion performance is not a key requirement of an authentication service.

Like RADIUS, LDAP is also a standard protocol. In addition, since LDAP is based on HTTPS, the transferred data can be encrypted, which makes LDAP much safer than RADIUS.

When an LDAP server is used for authentication, the network device delivers the username and password to the LDAP server, and the server searches the LDAP directory tree to verify them.

HWTACACS

HWTACACS is a proprietary authentication protocol released by Huawei. Unlike RADIUS, HWTACACS separates authentication from authorization, which means that authentication, authorization, and accounting can be implemented on different servers. However, being proprietary prevents other vendors and manufacturers from using the protocol. On the other hand, HWTACACS supports command recording, which records the commands executed on the device to the HWTACACS server for accounting.

TACACS+

As one of the most important vendors, Cisco optimized its TACACS and published TACACS+. TACACS+ is a proprietary authentication protocol that uses TCP 49 for transmission. Its most important disadvantage is that it is proprietary, which means it cannot be used by other vendors and manufacturers. Like HWTACACS, TACACS+ also provides independent authentication, authorization, and accounting.


If you have other questions about Huawei or Cisco switches, you can contact us at supports@thunder-link.com.




Thursday, April 15, 2021

What are the BGP VPNv4 and Labeled BGP routes?

While studying MPLS VPN, we often encounter the VPNv4 and Labeled BGP routes of Huawei switches and routers. Many people cannot distinguish between them, yet they are actually quite different from each other.


Before talking about VPNv4 and Labeled BGP routes, let's look at a normal BGP route:


Figure: Normal BGP route

The VPNv4 route


A VPNv4 route is made up of two parts: the IPv4 route and the route distinguisher. The route distinguisher is used to tell different VPN instances apart, so the router can forward the VPNv4 route to the appropriate VPN instance. When BGP updates a VPNv4 route, the RD (route distinguisher) is carried in the MP_REACH_NLRI field, as the picture below shows.


Figure: VPNv4 route

We notice that a route-target value is attached in the EXTENDED_COMMUNITIES field. The route target is used by the VPN instance to decide whether the VPNv4 route will be accepted.



Labeled BGP route


Unlike the VPNv4 route, the Labeled BGP route looks more like a normal BGP route. But the Labeled BGP route and the normal BGP route are also quite different.


In the Labeled BGP route, an MP_REACH_NLRI is attached just as in a VPNv4 BGP route, but unlike the VPNv4 route it carries no RD or RT (route target). It carries only a label stack, which the normal BGP route does not, as the picture below shows:

Figure: Labeled BGP route

The Labeled BGP route is used in MPLS VPN Option C. Between the two ASBRs, labeled BGP routes are exchanged so that the labels distributed by the different VPN instances can pass across the different ASs.
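As an added example (not from the original post), the following Python encodes and decodes the two NLRI forms described above: a VPNv4 NLRI carrying one label plus an 8-byte RD ahead of the prefix, and a labeled-unicast NLRI carrying only a label stack, plus the Route Target extended community the VPN instance matches on. The ASN 65000, labels and prefixes are constructed sample values; SAFI 4/128 and the RFC 4364/4360 layouts are the standard ones.

```python
import struct
from ipaddress import IPv4Network

SAFI_LABELED_UNICAST, SAFI_VPNV4 = 4, 128  # both under AFI 1; sample ASN/labels/prefixes below are constructed

def encode_label(label: int, bottom_of_stack: bool = True) -> bytes:
    """3-byte MPLS label as carried in BGP NLRI: 20-bit label, 3 EXP bits, 1 bottom-of-stack bit."""
    return ((label << 4) | int(bottom_of_stack)).to_bytes(3, "big")

def encode_rd(asn: int, assigned: int) -> bytes:
    """Type 0 route distinguisher (RFC 4364): 2-byte type, 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)

def encode_route_target(asn: int, assigned: int) -> bytes:
    """Route Target extended community (RFC 4360): type 0x00, subtype 0x02, then AS:number."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, assigned)

def _prefix_parts(prefix: str) -> tuple:
    """(prefix length, significant address bytes) for a CIDR string such as '10.1.0.0/16'."""
    net = IPv4Network(prefix)
    return net.prefixlen, net.network_address.packed[:(net.prefixlen + 7) // 8]

def encode_vpnv4_nlri(label: int, rd: bytes, prefix: str) -> bytes:
    """SAFI 128 NLRI: bit length covers label (24) + RD (64) + prefix; exactly one label, RD in front."""
    plen, addr = _prefix_parts(prefix)
    return bytes([24 + 64 + plen]) + encode_label(label) + rd + addr

def encode_labeled_unicast_nlri(labels: list, prefix: str) -> bytes:
    """SAFI 4 NLRI: a label stack directly followed by the prefix, with no RD at all."""
    plen, addr = _prefix_parts(prefix)
    stack = b"".join(encode_label(l, i == len(labels) - 1) for i, l in enumerate(labels))
    return bytes([8 * len(stack) + plen]) + stack + addr

def decode_nlri(safi: int, data: bytes) -> dict:
    """Parse one NLRI of either SAFI; 'rd' is None for labeled unicast, which carries none."""
    bit_len = data[0]
    body = data[1:1 + (bit_len + 7) // 8]
    labels, pos = [], 0
    while pos + 3 <= len(body):  # bounded walk over the label stack
        raw = int.from_bytes(body[pos:pos + 3], "big")
        labels.append(raw >> 4)
        pos += 3
        if raw & 1 or safi == SAFI_VPNV4:  # stop at bottom-of-stack; VPNv4 carries one label
            break
    rd = None
    if safi == SAFI_VPNV4:
        _rd_type, asn, assigned = struct.unpack_from("!HHI", body, pos)
        rd, pos = f"{asn}:{assigned}", pos + 8
    addr = body[pos:].ljust(4, b"\x00")
    return {"labels": labels, "rd": rd, "prefix": str(IPv4Network((addr, bit_len - 8 * pos)))}
```

Decoding both forms side by side shows the difference the text describes: the same prefix comes back with an RD string for SAFI 128 and with `rd` set to None for SAFI 4, where only the label stack precedes the prefix.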