Configuring HWTACACS schemes

You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.

HWTACACS configuration task list

Creating an HWTACACS scheme

The HWTACACS protocol is configured on a per-scheme basis. Before performing other HWTACACS configurations, you must create an HWTACACS scheme and enter HWTACACS scheme view.

You can configure up to 16 HWTACACS schemes, and cannot delete the schemes that are referenced.

To create an HWTACACS scheme and enter HWTACACS scheme view:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an HWTACACS scheme and enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: Not defined by default.

Specifying the HWTACACS authentication servers

You can specify one primary authentication server and one secondary authentication server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. If redundancy is not required, specify only the primary server.

Follow these guidelines when you specify HWTACACS authentication servers:

To specify HWTACACS authentication servers for an HWTACACS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A

3. Specify HWTACACS authentication servers.
   Commands:
   • Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   • Specify the secondary HWTACACS authentication server: secondary authentication ip-address [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command. No authentication server is specified by default.

Specifying the HWTACACS authorization servers

You can specify one primary authorization server and one secondary authorization server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. In a scenario where redundancy is not required, specify only the primary server.

Follow these guidelines when you specify HWTACACS authorization servers:

To specify HWTACACS authorization servers for an HWTACACS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A

3. Specify HWTACACS authorization servers.
   Commands:
   • Specify the primary HWTACACS authorization server: primary authorization ip-address [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   • Specify the secondary HWTACACS authorization server: secondary authorization ip-address [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command. No authorization server is specified by default.

Specifying the HWTACACS accounting servers and the relevant parameters

You can specify one primary accounting server and one secondary accounting server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. In a scenario where redundancy is not required, specify only the primary server.

When the device receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of non-responded stop-accounting requests to allow the device to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, the device discards the packet.

Follow these guidelines when you specify HWTACACS accounting servers:

To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A

3. Specify HWTACACS accounting servers.
   Commands:
   • Specify the primary HWTACACS accounting server: primary accounting ip-address [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   • Specify the secondary HWTACACS accounting server: secondary accounting ip-address [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command. No accounting server is specified by default.

4. Enable buffering of stop-accounting requests to which no responses are received.
   Command: stop-accounting-buffer enable
   Remarks: Optional. Enabled by default.

5. Set the maximum number of stop-accounting attempts.
   Command: retry stop-accounting retry-times
   Remarks: Optional. The default setting is 100.

Specifying the shared keys for secure HWTACACS communication

The HWTACACS client and HWTACACS server use the MD5 algorithm to authenticate packets and use shared keys for packet authentication and user password encryption. They must use the same key for the same type of communication.

A shared key configured on the device must be the same as that configured on the HWTACACS server.

Perform this task to configure shared keys for servers in an HWTACACS scheme. The keys take effect on all servers for which a shared key is not individually configured.

To specify a shared key for secure HWTACACS communication:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A

3. Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication.
   Command: key { accounting | authentication | authorization } [ cipher | simple ] key
   Remarks: No key by default.

Specifying the VPN to which the servers belong

After you specify a VPN for an HWTACACS scheme, all AAA servers specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server for the scheme, the server belongs to the specific VPN.

To specify a VPN for an HWTACACS scheme:

1. Enter system view.
   Command: system-view

2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name

3. Specify a VPN for the HWTACACS scheme.
   Command: vpn-instance vpn-instance-name

Setting the username format and traffic statistics units

A username is usually in the format userid@isp-name, where isp-name represents the ISP domain name of the user and is used by the device to determine which users belong to which ISP domains. However, some HWTACACS servers do not recognize usernames that contain the user ISP domain name. You can configure the device to remove the domain name of each username before sending the username.

The device periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure that the unit for data flows and that for packets on the device are consistent with those configured on the HWTACACS servers.

Follow these guidelines when you set the username format and the traffic statistics units for an HWTACACS scheme:

To set the username format and traffic statistics units for an HWTACACS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A

3. Set the format of usernames sent to the HWTACACS servers.
   Command: user-name-format { keep-original | with-domain | without-domain }
   Remarks: Optional. By default, the ISP domain name is included in a username.

4. Specify the unit for data flows or packets sent to the HWTACACS servers.
   Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
   Remarks: Optional. The default unit is byte for data flows and one-packet for data packets.

Specifying the source IP address for outgoing HWTACACS packets

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.

Usually, the source address of outgoing HWTACACS packets can be the IP address of any NAS interface that can communicate with the HWTACACS server. In some special cases, however, you must change the source IP address. For example, if the NAS is configured with VRRP for stateful failover, the source IP address of HWTACACS packets can be the virtual IP address of the uplink VRRP group.

You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for a specific HWTACACS scheme, or in system view for all HWTACACS schemes whose servers are in the same VPN. Before sending an HWTACACS packet, the NAS selects a source IP address in the following order:

To specify a source IP address for all HWTACACS schemes:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Specify a source IP address for outgoing HWTACACS packets.
   Command: hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
   Remarks: By default, the IP address of the outbound interface is used as the source IP address.

To specify a source IP address for a specific HWTACACS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A

3. Specify a source IP address for outgoing HWTACACS packets.
   Command: nas-ip ip-address
   Remarks: By default, the IP address of the outbound interface is used as the source IP address.

Setting timers for controlling communication with HWTACACS servers

The device uses the following timers to control the communication with an HWTACACS server:

Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance.

To set timers for controlling communication with HWTACACS servers:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A

3. Set the HWTACACS server response timeout timer.
   Command: timer response-timeout seconds
   Remarks: Optional. The default HWTACACS server response timeout timer is 5 seconds.

4. Set the quiet timer for the primary server.
   Command: timer quiet minutes
   Remarks: Optional. The default quiet timer for the primary server is 5 minutes.

5. Set the real-time accounting interval.
   Command: timer realtime-accounting minutes
   Remarks: Optional. The default real-time accounting interval is 12 minutes.
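The procedures above assembled into one complete scheme, as an added example that is not part of the original manual. The scheme name, server addresses, source address and key values are constructed placeholders; whether the cipher form accepts a plaintext or a ciphertext string depends on the software version, so check the key command reference for your release.

```text
# Added example (constructed values, not from the manual): one HWTACACS scheme
# named hwtac-corp with redundant servers, per-type shared keys, a fixed NAS
# source address and explicit timers.
system-view
hwtacacs scheme hwtac-corp
 # Authentication and authorization servers; the secondary is used only when
 # the primary is unavailable. Port 49 is the well-known TACACS+ port.
 primary authentication 10.0.0.11 49
 secondary authentication 10.0.0.12 49
 primary authorization 10.0.0.11 49
 secondary authorization 10.0.0.12 49
 # A key given on a server line applies to that server only and overrides the
 # scheme-level key of the same type.
 primary accounting 10.0.0.11 49 key cipher <acct-key-server-11>
 secondary accounting 10.0.0.12 49
 # Scheme-level keys cover every server that has no key of its own; each one
 # must match the key configured on the HWTACACS server.
 key authentication cipher <auth-key>
 key authorization cipher <authz-key>
 key accounting cipher <acct-key>
 # Strip userid@isp-name down to userid for servers that do not recognize the
 # domain part.
 user-name-format without-domain
 # Units reported in accounting updates must match the servers' configuration.
 data-flow-format data byte packet one-packet
 # Source address of outgoing packets; it must be the NAS address registered
 # on the servers, not whichever outbound interface the route happens to pick.
 nas-ip 10.0.0.1
 # Timers: wait 5 s per request, keep a failed primary quiet for 5 min, and
 # send accounting updates every 15 min (default 12; shorter costs more
 # server performance).
 timer response-timeout 5
 timer quiet 5
 timer realtime-accounting 15
 # Keep resending unanswered stop-accounting requests, up to 100 attempts.
 stop-accounting-buffer enable
 retry stop-accounting 100
 quit
```

After applying, verify with `display hwtacacs hwtac-corp` that every server, key type and the nas-ip value appear as intended before referencing the scheme from an ISP domain.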

Displaying and maintaining HWTACACS

Display the configuration information or statistics of HWTACACS schemes.
   Command: display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

Display information about buffered stop-accounting requests for which no responses have been received.
   Command: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

Clear HWTACACS statistics.
   Command: reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ]
   Remarks: Available in user view.

Clear buffered stop-accounting requests that get no responses.
   Command: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]
   Remarks: Available in user view.