Configuring HWTACACS schemes
You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.
HWTACACS configuration task list
Task | Remarks |
---|---|
Creating an HWTACACS scheme | Required. |
Specifying the HWTACACS authentication servers | Required. |
Specifying the HWTACACS authorization servers | Optional. |
Specifying the HWTACACS accounting servers and the relevant parameters | Optional. |
Specifying the shared keys for secure HWTACACS communication | Required. |
Specifying the VPN to which the servers belong | Optional. |
Setting the username format and traffic statistics units | Optional. |
Specifying the source IP address for outgoing HWTACACS packets | Optional. |
Setting timers for controlling communication with HWTACACS servers | Optional. |
Displaying and maintaining HWTACACS | Optional. |
Creating an HWTACACS scheme
The HWTACACS protocol is configured on a per-scheme basis. Before performing other HWTACACS configurations, you must create an HWTACACS scheme and enter HWTACACS scheme view.
You can configure up to 16 HWTACACS schemes, and cannot delete the schemes that are referenced.
To create an HWTACACS scheme and enter HWTACACS scheme view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an HWTACACS scheme and enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | Not defined by default. |
Specifying the HWTACACS authentication servers
You can specify one primary authentication server and one secondary authentication server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. If redundancy is not required, specify only the primary server.
Follow these guidelines when you specify HWTACACS authentication servers:
An HWTACACS server can function as the primary authentication server of one scheme and as the secondary authentication server of another scheme at the same time.
The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.
You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.
To specify HWTACACS authentication servers for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify HWTACACS authentication servers. | primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] * secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] * | Configure at least one command. No authentication server is specified by default. The default TCP port is 49. |
Specifying the HWTACACS authorization servers
You can specify one primary authorization server and one secondary authorization server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. In a scenario where redundancy is not required, specify only the primary server.
Follow these guidelines when you specify HWTACACS authorization servers:
An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.
The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.
To specify HWTACACS authorization servers for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify HWTACACS authorization servers. | primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] * secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] * | Configure at least one command. No authorization server is specified by default. The default TCP port is 49. |
Specifying the HWTACACS accounting servers and the relevant parameters
You can specify one primary accounting server and one secondary accounting server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. In a scenario where redundancy is not required, specify only the primary server.
When the device receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of stop-accounting requests that receive no response, so that the device keeps the request and resends it until a response arrives or the number of stop-accounting attempts reaches the configured limit. When the limit is reached, the device discards the buffered request.
Follow these guidelines when you specify HWTACACS accounting servers:
An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time.
The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.
HWTACACS does not support accounting for FTP users.
To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify HWTACACS accounting servers. | primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] * secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] * | Configure at least one command. No accounting server is specified by default. The default TCP port is 49. |
4. Enable buffering of stop-accounting requests to which no responses are received. | stop-accounting-buffer enable | Optional. Enabled by default. |
5. Set the maximum number of stop-accounting attempts. | retry stop-accounting retry-times | Optional. The default setting is 100. |
Specifying the shared keys for secure HWTACACS communication
HWTACACS, like the TACACS+ protocol it derives from, uses shared keys together with the MD5 algorithm to obfuscate packet bodies, including user passwords, between the HWTACACS client and the HWTACACS server. Both ends must use the same key for the same type of communication (authentication, authorization, or accounting). This protection is only as strong as the secrecy of the key: anyone who learns it can decode captured packets, and the MD5-based pad does not by itself provide integrity protection. Use a distinct, high-entropy key per scheme and carry HWTACACS traffic over a management network or VPN that untrusted hosts cannot reach.
A shared key configured on the device must be the same as the key configured on the HWTACACS server.
Perform this task to configure shared keys for the servers in an HWTACACS scheme. A scheme-level key applies to every server in the scheme for which a shared key is not individually configured.
To specify a shared key for secure HWTACACS communication:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication. | key { accounting | authentication | authorization } [ cipher | simple ] key | No key by default. |
Specifying the VPN to which the servers belong
After you specify a VPN for an HWTACACS scheme, all AAA servers specified for the scheme belong to that VPN. A VPN specified for an individual server when you specify that server takes precedence over the scheme-level VPN for that server.
To specify a VPN for an HWTACACS scheme:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name |
3. Specify a VPN for the HWTACACS scheme. | vpn-instance vpn-instance-name |
Setting the username format and traffic statistics units
A username is usually in the format userid@isp-name, where isp-name represents the ISP domain name of the user and is used by the device to determine which users belong to which ISP domains. However, some HWTACACS servers do not recognize usernames that contain the user ISP domain name. You can configure the device to remove the domain name of each username before sending the username.
The device periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure that the unit for data flows and that for packets on the device are consistent with those configured on the HWTACACS servers.
Follow these guidelines when you set the username format and the traffic statistics units for an HWTACACS scheme:
If an HWTACACS server does not support a username that carries the domain name, configure the device to remove the domain name before sending the username to the server.
For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same results. They make sure that usernames sent to the HWTACACS server carry no ISP domain name.
To set the username format and traffic statistics units for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Set the format of usernames sent to the HWTACACS servers. | user-name-format { keep-original | with-domain | without-domain } | Optional. By default, the ISP domain name is included in a username. |
4. Specify the unit for data flows or packets sent to the HWTACACS servers. | data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }* | Optional. The default unit is byte for data flows and one-packet for data packets. |
Specifying the source IP address for outgoing HWTACACS packets
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
Usually, the source address of outgoing HWTACACS packets can be the IP address of any NAS interface that can communicate with the HWTACACS server. In some special cases, however, you must change the source IP address. For example, if the NAS is configured with VRRP for stateful failover, the source IP address of HWTACACS packets can be the virtual IP address of the uplink VRRP group.
You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for a specific HWTACACS scheme, or in system view for all HWTACACS schemes whose servers are in the same VPN. Before sending an HWTACACS packet, the NAS selects a source IP address in the following order:
Source IP address specified for the HWTACACS scheme.
Source IP address specified in system view for the VPN.
IP address of the outbound interface specified by the route.
To specify a source IP address for all HWTACACS schemes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify a source IP address for outgoing HWTACACS packets. | hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ] | By default, the IP address of the outbound interface is used as the source IP address. |
To specify a source IP address for a specific HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify a source IP address for outgoing HWTACACS packets. | nas-ip ip-address | By default, the IP address of the outbound interface is used as the source IP address. |
Setting timers for controlling communication with HWTACACS servers
The device uses the following timers to control the communication with an HWTACACS server:
Server response timeout timer (response-timeout)—Defines the HWTACACS request retransmission interval. After sending an HWTACACS request (authentication, authorization, or accounting request), the device starts the server response timeout timer. If the device receives no response from the server before the timer expires, it resends the request.
Primary server quiet timer (quiet)—Defines the duration to keep an unreachable primary server in blocked state. If a primary server is not reachable, the device changes the server's status to blocked, starts the primary server quiet timer for the server, and tries to communicate with the secondary server if the secondary server is configured and in active state. After this timer expires, the device changes the status of the primary server back to active.
Real-time accounting timer (realtime-accounting)—Defines the interval at which the device sends real-time accounting updates to the HWTACACS accounting server for online users. Real-time accounting depends on these periodic updates.
Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance.
To set timers for controlling communication with HWTACACS servers:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Set the HWTACACS server response timeout timer. | timer response-timeout seconds | Optional. The default HWTACACS server response timeout timer is 5 seconds. |
4. Set the quiet timer for the primary server. | timer quiet minutes | Optional. The default quiet timer for the primary server is 5 minutes. |
5. Set the real-time accounting interval. | timer realtime-accounting minutes | Optional. The default real-time accounting interval is 12 minutes. |
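The following session ties the preceding steps together into one complete HWTACACS scheme. It is an added example, not configuration from the original manual or from any vendor reference: the scheme name hwtac, the server addresses 10.1.1.1 and 10.1.1.2, the NAS address 10.1.1.254, the VPN instance mgmt (assumed to already exist) and the three key strings are all placeholders chosen for illustration. The prompts are shown as the device prints them.

```text
<Sysname> system-view
[Sysname] hwtacacs scheme hwtac
[Sysname-hwtacacs-hwtac] vpn-instance mgmt
[Sysname-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[Sysname-hwtacacs-hwtac] secondary authentication 10.1.1.2 49
[Sysname-hwtacacs-hwtac] primary authorization 10.1.1.1 49
[Sysname-hwtacacs-hwtac] secondary authorization 10.1.1.2 49
[Sysname-hwtacacs-hwtac] primary accounting 10.1.1.1 49
[Sysname-hwtacacs-hwtac] secondary accounting 10.1.1.2 49
[Sysname-hwtacacs-hwtac] key authentication simple Replace-With-Auth-Key-01
[Sysname-hwtacacs-hwtac] key authorization simple Replace-With-Authz-Key-01
[Sysname-hwtacacs-hwtac] key accounting simple Replace-With-Acct-Key-01
[Sysname-hwtacacs-hwtac] user-name-format without-domain
[Sysname-hwtacacs-hwtac] data-flow-format data kilo-byte packet kilo-packet
[Sysname-hwtacacs-hwtac] nas-ip 10.1.1.254
[Sysname-hwtacacs-hwtac] timer response-timeout 5
[Sysname-hwtacacs-hwtac] timer quiet 5
[Sysname-hwtacacs-hwtac] timer realtime-accounting 15
[Sysname-hwtacacs-hwtac] stop-accounting-buffer enable
[Sysname-hwtacacs-hwtac] retry stop-accounting 100
[Sysname-hwtacacs-hwtac] quit
[Sysname] display hwtacacs hwtac
```

Points worth checking against the guidelines above before committing this on a real device: the primary and secondary addresses for each server type differ, as the configuration otherwise fails; the three keys must match, type for type, what is configured on 10.1.1.1 and 10.1.1.2; 10.1.1.254 must be the address under which both servers know this NAS, and must be reachable within the mgmt VPN; and user-name-format without-domain is only needed if the servers reject usernames of the form userid@isp-name. The data-flow-format units must also match the accounting server's configuration or traffic statistics will be off by the unit factor. The final display hwtacacs command shows the scheme as the device stored it, which is the quickest way to confirm that every step took effect.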
Displaying and maintaining HWTACACS
Task | Command | Remarks |
---|---|---|
Display the configuration information or statistics of HWTACACS schemes. | display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] | Available in any view. |
Display information about buffered stop-accounting requests for which no responses have been received. | display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] | Available in any view. |
Clear HWTACACS statistics. | reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ] | Available in user view. |
Clear buffered stop-accounting requests that get no responses. | reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] | Available in user view. |