Configuring HWTACACS schemes


NOTE:

You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.


HWTACACS configuration task list

Creating an HWTACACS scheme

The HWTACACS protocol is configured on a per scheme basis. Before performing other HWTACACS configurations, follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Create an HWTACACS scheme and enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: Not defined by default.


NOTE:

  • Up to 16 HWTACACS schemes can be configured.

  • A scheme can be deleted only when it is not referenced.


Specifying the HWTACACS authentication servers

You can specify one primary authentication server and up to 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the switch searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.

If redundancy is not required, specify only the primary server.

Follow these guidelines when you specify HWTACACS authentication servers:

To specify HWTACACS authentication servers for an HWTACACS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: N/A

Step 3: Specify HWTACACS authentication servers.
  Command (primary server): primary authentication ip-address [ port-number | key [ cipher | simple ] key ] *
  Command (secondary server): secondary authentication ip-address [ port-number | key [ cipher | simple ] key ] *
  Remarks: Configure at least one command. No authentication server is specified by default.

Specifying the HWTACACS authorization servers

You can specify one primary authorization server and up to 16 secondary authorization servers for an HWTACACS scheme. When the primary server is not available, the switch searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.

If redundancy is not required, specify only the primary server.

Follow these guidelines when you specify HWTACACS authorization servers:

To specify HWTACACS authorization servers for an HWTACACS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: N/A

Step 3: Specify HWTACACS authorization servers.
  Command (primary server): primary authorization ip-address [ port-number | key [ cipher | simple ] key ] *
  Command (secondary server): secondary authorization ip-address [ port-number | key [ cipher | simple ] key ] *
  Remarks: Configure at least one command. No authorization server is specified by default.

Specifying the HWTACACS accounting servers and the relevant parameters

You can specify one primary accounting server and up to 16 secondary accounting servers for an HWTACACS scheme. When the primary server is not available, the switch searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.

If redundancy is not required, specify only the primary server.

When the switch receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of non-responded stop-accounting requests to allow the switch to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, the switch discards the packet.

Follow these guidelines when you specify HWTACACS accounting servers:

To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: N/A

Step 3: Specify HWTACACS accounting servers.
  Command (primary server): primary accounting ip-address [ port-number | key [ cipher | simple ] key ] *
  Command (secondary server): secondary accounting ip-address [ port-number | key [ cipher | simple ] key ] *
  Remarks: Configure at least one command. No accounting server is specified by default.

Step 4: Enable buffering of stop-accounting requests to which no responses are received.
  Command: stop-accounting-buffer enable
  Remarks: Optional. Enabled by default.

Step 5: Set the maximum number of stop-accounting attempts.
  Command: retry stop-accounting retry-times
  Remarks: Optional. The default setting is 100.

Specifying the shared keys for secure HWTACACS communication

The HWTACACS client and the HWTACACS server use the MD5 algorithm to authenticate the packets exchanged between them, and use shared keys for packet authentication and user password encryption. Both sides must use the same key for the same type of communication (authentication, authorization, or accounting).

To specify a shared key for secure HWTACACS communication:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: N/A

Step 3: Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication.
  Command: key { accounting | authentication | authorization } [ cipher | simple ] key
  Remarks: No shared key is specified by default.


NOTE:

A shared key configured on the switch must be the same as that configured on the HWTACACS server.
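As an added example (not part of the original manual), the following Python script parses a constructed HWTACACS scheme block written in the command syntax of the server and shared-key sections above and flags the conditions those sections state: no server of a given type, more than 16 secondary servers, more than 16 schemes, servers with no shared key, and keys entered with simple (plaintext in the configuration). The scheme name hwtac1, the addresses and the cipher-text placeholder are constructed, and the script assumes that a key given on a server line takes precedence over the scheme-level key command.

```python
import re
from collections import defaultdict
# Constructed sample (not from the page); the cipher text is a placeholder.
SAMPLE_CONFIG = """\
hwtacacs scheme hwtac1
 primary authentication 10.1.1.1 49 key simple abc123
 secondary authentication 10.1.1.2
 primary authorization 10.1.1.1
 key authentication cipher <cipher-text-placeholder>
 key authorization cipher <cipher-text-placeholder>
 nas-ip 10.1.1.100
#
"""
TYPES = ("authentication", "authorization", "accounting")
SERVER_RE = re.compile(r"^(primary|secondary) (authentication|authorization|accounting) "
                       r"(\S+)(?: (\d+))?(?: key (?:(cipher|simple) )?(\S+))?$")

def audit_hwtacacs(config_text):
    """Return (scheme, finding) pairs for the server limits and key rules on the page."""
    schemes, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("hwtacacs scheme "):
            cur = line.split(" ", 2)[2]
            schemes[cur] = {"servers": defaultdict(list), "keys": {}}
        elif line == "#":
            cur = None                      # '#' ends the scheme view block
        elif cur is not None:
            s, m = schemes[cur], SERVER_RE.match(line)
            if m:                           # per-server key; assumed to override the scheme key
                role, typ, ip, _port, kmode, kval = m.groups()
                s["servers"][typ].append((role, ip, kmode or ("unspecified" if kval else None)))
            elif line.startswith("key "):   # key <type> [cipher|simple] key
                p = line.split()
                s["keys"][p[1]] = p[2] if len(p) > 3 else "unspecified"
    findings = [("*", "more than 16 HWTACACS schemes")] if len(schemes) > 16 else []
    for name, s in schemes.items():
        for typ in TYPES:
            servers = s["servers"].get(typ, [])
            if not servers:
                findings.append((name, f"no {typ} server configured"))
            if sum(r == "secondary" for r, _, _ in servers) > 16:
                findings.append((name, f"more than 16 secondary {typ} servers"))
            for _, ip, mode in servers:
                mode = mode or s["keys"].get(typ)   # scheme-level key is the fallback
                if mode is None:
                    findings.append((name, f"{typ} server {ip} has no shared key"))
                elif mode == "simple":
                    findings.append((name, f"{typ} server {ip} key is configured in plaintext"))
    return findings
```

Run against the sample it reports the plaintext authentication key and the missing accounting server; point it at a saved running configuration to review every scheme at once.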


Setting the username format and traffic statistics units

A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP domain the user belongs to and is used by the switch to determine which users belong to which ISP domains. However, some HWTACACS servers cannot recognize usernames that contain an ISP domain name. In this case, the switch must remove the domain name of each username before sending the username. You can set the username format on the switch for this purpose.

The switch periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and that for packets on the switch are consistent with those configured on the HWTACACS servers.

Follow these guidelines when you set the username format and the traffic statistics units for an HWTACACS scheme:

To set the username format and the traffic statistics units for an HWTACACS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: N/A

Step 3: Set the format for usernames sent to the HWTACACS servers.
  Command: user-name-format { keep-original | with-domain | without-domain }
  Remarks: Optional. By default, the ISP domain name is included in a username.

Step 4: Specify the unit for data flows or packets sent to the HWTACACS servers.
  Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
  Remarks: Optional. The default unit is byte for data flows and one-packet for data packets.

Specifying a source IP address for outgoing HWTACACS packets

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.

You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for a specific HWTACACS scheme, or in system view for all HWTACACS schemes.

Before sending an HWTACACS packet, a NAS selects a source IP address in the following order:

To specify a source IP address for all HWTACACS schemes:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Specify a source IP address for outgoing HWTACACS packets.
  Command: hwtacacs nas-ip ip-address
  Remarks: By default, the IP address of the outbound interface is used as the source IP address.

To specify a source IP address for a specific HWTACACS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: N/A

Step 3: Specify a source IP address for outgoing HWTACACS packets.
  Command: nas-ip ip-address
  Remarks: By default, the IP address of the outbound interface is used as the source IP address.

Setting timers for controlling communication with HWTACACS servers

The switch uses the following timers to control the communication with an HWTACACS server:

To set timers for controlling communication with HWTACACS servers:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: N/A

Step 3: Set the HWTACACS server response timeout timer.
  Command: timer response-timeout seconds
  Remarks: Optional. The default HWTACACS server response timeout timer is 5 seconds.

Step 4: Set the quiet timer for the primary server.
  Command: timer quiet minutes
  Remarks: Optional. The default quiet timer for the primary server is 5 minutes.

Step 5: Set the real-time accounting interval.
  Command: timer realtime-accounting minutes
  Remarks: Optional. The default real-time accounting interval is 12 minutes.


NOTE:

Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance.
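The following Python simulation is an added example, not part of the original manual; it ties together the stop-accounting buffering of the accounting section (stop-accounting-buffer enable, retry stop-accounting) with the server selection order and the quiet timer of this section. It assumes a simulated clock in minutes, constructed addresses, and that a secondary server that times out is skipped for the same quiet period as the primary (the page defines the quiet timer only for the primary server).

```python
from dataclasses import dataclass, field

RETRY_STOP_ACCOUNTING = 100   # page default for "retry stop-accounting"
QUIET_MINUTES = 5             # page default for "timer quiet" (primary server)

@dataclass
class Server:
    ip: str
    blocked_until: float = 0.0    # simulated clock in minutes; active when <= now

@dataclass
class StopAccountingBuffer:
    """Buffered stop-accounting requests resent over the primary/secondary server list."""
    primary: Server
    secondaries: list
    retry_limit: int = RETRY_STOP_ACCOUNTING
    quiet_minutes: float = QUIET_MINUTES
    buffered: dict = field(default_factory=dict)    # session -> attempts so far
    discarded: list = field(default_factory=list)

    def select_server(self, now):
        """Primary if active, otherwise the first active secondary in configured order."""
        for srv in [self.primary] + self.secondaries:
            if srv.blocked_until <= now:
                return srv
        return None

    def send_stop(self, session, now, reachable):
        """One attempt; `reachable(ip)` stands in for the network (constructed)."""
        attempts = self.buffered.get(session, 0) + 1
        srv = self.select_server(now)
        if srv is not None and reachable(srv.ip):
            self.buffered.pop(session, None)
            return ("acked", srv.ip, attempts)
        if srv is not None:
            # Response timeout expired: the primary is quiet for the quiet timer.
            # A failed secondary is skipped for the same period (assumption).
            srv.blocked_until = now + self.quiet_minutes
        if attempts >= self.retry_limit:
            self.buffered.pop(session, None)      # limit reached: discard the packet
            self.discarded.append(session)
            return ("discarded", None, attempts)
        self.buffered[session] = attempts         # keep it buffered and resend later
        return ("buffered", srv.ip if srv else None, attempts)

def demo():
    """Primary 10.1.1.1 is down, secondary 10.1.1.2 answers (constructed addresses)."""
    buf = StopAccountingBuffer(Server("10.1.1.1"), [Server("10.1.1.2")])
    up = lambda ip: ip == "10.1.1.2"
    return [buf.send_stop("s1", 0, up), buf.send_stop("s1", 0, up)]
```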


Displaying and maintaining HWTACACS

Task: Display the configuration information or statistics of HWTACACS schemes.
  Command: display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display information about buffered stop-accounting requests for which no responses have been received.
  Command: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Clear HWTACACS statistics.
  Command: reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ]
  Remarks: Available in user view.

Task: Clear buffered stop-accounting requests that get no responses.
  Command: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]
  Remarks: Available in user view.