Configuring HWTACACS schemes
NOTE: You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.
HWTACACS configuration task list
Task | Remarks |
---|---|
Creating an HWTACACS scheme | Required |
Specifying the HWTACACS authentication servers | Required |
Specifying the HWTACACS authorization servers | Optional |
Specifying the HWTACACS accounting servers and the relevant parameters | Optional |
Specifying the shared keys for secure HWTACACS communication | Required |
Setting the username format and traffic statistics units | Optional |
Specifying a source IP address for outgoing HWTACACS packets | Optional |
Setting timers for controlling communication with HWTACACS servers | Optional |
Displaying and maintaining HWTACACS | Optional |
Creating an HWTACACS scheme
The HWTACACS protocol is configured on a per scheme basis. Before performing other HWTACACS configurations, follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an HWTACACS scheme and enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | Not defined by default. |
NOTE: Up to 16 HWTACACS schemes can be configured. A scheme can be deleted only when it is not referenced.
Specifying the HWTACACS authentication servers
You can specify one primary authentication server and up to 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the switch searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
If redundancy is not required, specify only the primary server.
Follow these guidelines when you specify HWTACACS authentication servers:
An HWTACACS server can function as the primary authentication server of one scheme and as a secondary authentication server of another scheme at the same time.
The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.
You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.
To specify HWTACACS authentication servers for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify HWTACACS authentication servers. | | Configure at least one command. No authentication server is specified by default. |
Specifying the HWTACACS authorization servers
You can specify one primary authorization server and up to 16 secondary authorization servers for an HWTACACS scheme. When the primary server is not available, the switch searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
If redundancy is not required, specify only the primary server.
Follow these guidelines when you specify HWTACACS authorization servers:
An HWTACACS server can function as the primary authorization server of one scheme and as a secondary authorization server of another scheme at the same time.
The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.
To specify HWTACACS authorization servers for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify HWTACACS authorization servers. | | Configure at least one command. No authorization server is specified by default. |
Specifying the HWTACACS accounting servers and the relevant parameters
You can specify one primary accounting server and up to 16 secondary accounting servers for an HWTACACS scheme. When the primary server is not available, the switch searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
If redundancy is not required, specify only the primary server.
When the switch receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of non-responded stop-accounting requests to allow the switch to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, the switch discards the packet.
Follow these guidelines when you specify HWTACACS accounting servers:
An HWTACACS server can function as the primary accounting server of one scheme and as a secondary accounting server of another scheme at the same time.
The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.
HWTACACS does not support accounting for FTP users.
To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify HWTACACS accounting servers. | | Configure at least one command. No accounting server is specified by default. |
4. Enable buffering of stop-accounting requests to which no responses are received. | stop-accounting-buffer enable | Optional. Enabled by default. |
5. Set the maximum number of stop-accounting attempts. | retry stop-accounting retry-times | Optional. The default setting is 100. |
Specifying the shared keys for secure HWTACACS communication
The HWTACACS client and HWTACACS server use the MD5 algorithm to authenticate the packets exchanged between them, and use shared keys for packet authentication and user password encryption. Both sides must use the same key for the same type of communication.
To specify a shared key for secure HWTACACS communication:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication. | key { accounting \| authentication \| authorization } [ cipher \| simple ] key | No shared key is specified by default. |
NOTE: A shared key configured on the switch must be the same as that configured on the HWTACACS server.
Setting the username format and traffic statistics units
A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP domain the user belongs to and is used by the switch to determine which users belong to which ISP domains. However, some HWTACACS servers cannot recognize usernames that contain an ISP domain name. In this case, the switch must remove the domain name of each username before sending the username. You can set the username format on the switch for this purpose.
The switch periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and that for packets on the switch are consistent with those configured on the HWTACACS servers.
Follow these guidelines when you set the username format and the traffic statistics units for an HWTACACS scheme:
If an HWTACACS server does not support a username that carries the domain name, configure the switch to remove the domain name before sending the username to the server.
For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same results. They make sure usernames sent to the HWTACACS server carry no ISP domain name.
To set the username format and the traffic statistics units for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Set the format for usernames sent to the HWTACACS servers. | user-name-format { keep-original \| with-domain \| without-domain } | Optional. By default, the ISP domain name is included in a username. |
4. Specify the unit for data flows or packets sent to the HWTACACS servers. | data-flow-format { data { byte \| giga-byte \| kilo-byte \| mega-byte } \| packet { giga-packet \| kilo-packet \| mega-packet \| one-packet } }* | Optional. The default unit is byte for data flows and is one-packet for data packets. |
Specifying a source IP address for outgoing HWTACACS packets
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for a specific HWTACACS scheme, or in system view for all HWTACACS schemes.
Before sending an HWTACACS packet, a NAS selects a source IP address in the following order:
1. Source IP address specified for the HWTACACS scheme.
2. Source IP address specified in system view.
3. IP address of the outbound interface specified by the route.
To specify a source IP address for all HWTACACS schemes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify a source IP address for outgoing HWTACACS packets. | hwtacacs nas-ip ip-address | By default, the IP address of the outbound interface is used as the source IP address. |
To specify a source IP address for a specific HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify a source IP address for outgoing HWTACACS packets. | nas-ip ip-address | By default, the IP address of the outbound interface is used as the source IP address. |
Setting timers for controlling communication with HWTACACS servers
The switch uses the following timers to control the communication with an HWTACACS server:
Server response timeout timer (response-timeout)—Defines the HWTACACS request retransmission interval. After sending an HWTACACS request (authentication, authorization, or accounting request), the switch starts this timer. If the switch receives no response from the server before this timer expires, it resends the request.
Server quiet timer (quiet)—Defines the duration to keep an unreachable server in blocked state. If a server is not reachable, the switch changes the server's status to blocked, starts this timer for the server, and tries to communicate with another server in active state. After this timer expires, the switch changes the status of the server back to active.
Real-time accounting timer (realtime-accounting)—Defines the interval at which the switch sends real-time accounting updates to the HWTACACS accounting server for online users. To implement real-time accounting, the switch must send real-time accounting packets to the accounting server for online users periodically.
To set timers for controlling communication with HWTACACS servers:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Set the HWTACACS server response timeout timer. | timer response-timeout seconds | Optional. The default HWTACACS server response timeout timer is 5 seconds. |
4. Set the quiet timer for the primary server. | timer quiet minutes | Optional. The default quiet timer for the primary server is 5 minutes. |
5. Set the real-time accounting interval. | timer realtime-accounting minutes | Optional. The default real-time accounting interval is 12 minutes. |
NOTE: Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance.
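The primary-then-secondary failover and the quiet timer described in this section, modelled as an added Python example (not code from the switch or its vendor). The server IPs, the default port 49 and treating a missed response-timeout as a single step are constructed assumptions for the model:

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Model of scheme-level server selection: the primary is tried first, then the
# secondaries in configured order; a server that gives no response is blocked
# for the quiet period and skipped until that timer expires (constructed model).

@dataclass
class HwtacacsServer:
    ip: str
    port: int = 49                  # assumed default TACACS port for the model
    blocked_until: float = 0.0      # seconds on a monotonic clock; 0 means active

    def is_active(self, now: float) -> bool:
        return now >= self.blocked_until

@dataclass
class HwtacacsScheme:
    name: str
    primary: HwtacacsServer
    secondaries: List[HwtacacsServer] = field(default_factory=list)
    response_timeout: int = 5       # seconds, the documented default
    quiet_minutes: int = 5          # minutes, the documented default

    def candidates(self) -> List[HwtacacsServer]:
        return [self.primary] + self.secondaries

    def select_server(self, now: float) -> Optional[HwtacacsServer]:
        """First server in active state, in configured order; None if all are blocked."""
        for srv in self.candidates():
            if srv.is_active(now):
                return srv
        return None

    def mark_unreachable(self, srv: HwtacacsServer, now: float) -> None:
        """No response before response-timeout: block the server for the quiet period."""
        srv.blocked_until = now + self.quiet_minutes * 60

def send_request(scheme: HwtacacsScheme, now: float, reachable: Set[str]) -> Optional[str]:
    """Walk the candidates in order and return the IP that answered, or None.

    `reachable` is the constructed set of server IPs that would respond; a
    server not in it is treated as having exhausted its response timeout.
    """
    srv = scheme.select_server(now)
    while srv is not None:
        if srv.ip in reachable:
            return srv.ip
        scheme.mark_unreachable(srv, now)
        srv = scheme.select_server(now)
    return None
```

Note that while all servers are blocked the request fails outright, which is why the quiet timer should be sized against how long an outage you are prepared to lock yourself out for.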
Displaying and maintaining HWTACACS
Task | Command | Remarks |
---|---|---|
Display the configuration information or statistics of HWTACACS schemes. | display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display information about buffered stop-accounting requests for which no responses have been received. | display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Clear HWTACACS statistics. | reset hwtacacs statistics { accounting \| all \| authentication \| authorization } [ slot slot-number ] | Available in user view |
Clear buffered stop-accounting requests that get no responses. | reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] | Available in user view |