Configuring HWTACACS schemes
Configuration task list
Tasks at a glance |
---|
(Required.) Creating an HWTACACS scheme |
(Required.) Specifying the HWTACACS authentication servers |
(Optional.) Specifying the HWTACACS authorization servers |
(Optional.) Specifying the HWTACACS accounting servers |
(Required.) Specifying the shared keys for secure HWTACACS communication |
(Optional.) Specifying an MPLS L3VPN instance for the scheme |
(Optional.) Setting the username format and traffic statistics units |
(Optional.) Specifying the source IP address for outgoing HWTACACS packets |
(Optional.) Setting HWTACACS timers |
Creating an HWTACACS scheme
Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure a maximum of 16 HWTACACS schemes. An HWTACACS scheme can be used by multiple ISP domains.
To create an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an HWTACACS scheme and enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | By default, no HWTACACS schemes exist. |
Specifying the HWTACACS authentication servers
You can specify one primary authentication server and a maximum of 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary authentication server in one scheme and as the secondary authentication server in another scheme at the same time.
To specify HWTACACS authentication servers for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify the primary HWTACACS authentication server. | primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * | By default, no authentication servers are specified. |
4. (Optional.) Specify a secondary HWTACACS authentication server. | secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * | By default, no secondary authentication servers are specified. Repeat this step to specify up to 16 secondary servers. Two HWTACACS authentication servers in a scheme, primary or secondary, cannot have the same combination of IP address, port number, and VPN instance. |
Specifying the HWTACACS authorization servers
You can specify one primary authorization server and a maximum of 16 secondary authorization servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.
To specify HWTACACS authorization servers for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify the primary HWTACACS authorization server. | primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * | By default, no authorization servers are specified. |
4. (Optional.) Specify a secondary HWTACACS authorization server. | secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * | By default, no secondary authorization servers are specified. Repeat this step to specify up to 16 secondary servers. Two HWTACACS authorization servers in a scheme, primary or secondary, cannot have the same combination of IP address, port number, and VPN instance. |
Specifying the HWTACACS accounting servers
You can specify one primary accounting server and a maximum of 16 secondary accounting servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time.
The device sends HWTACACS stop-accounting requests when it receives connection teardown requests from hosts or connection teardown commands from an administrator. However, the device might fail to receive a response for a stop-accounting request in a single transmission. Enable the device to buffer HWTACACS stop-accounting requests that have not received responses from the accounting server. The device will resend the requests until responses are received.
To limit the transmission times, set a maximum number of attempts that can be made for transmitting individual HWTACACS stop-accounting requests. When the maximum attempts are made for a request, the device discards the buffered request.
HWTACACS does not support accounting for FTP, SFTP, and SCP users.
To specify HWTACACS accounting servers for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify the primary HWTACACS accounting server. | primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * | By default, no accounting servers are specified. |
4. (Optional.) Specify a secondary HWTACACS accounting server. | secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * | By default, no secondary accounting servers are specified. Repeat this step to specify up to 16 secondary servers. Two HWTACACS accounting servers in a scheme, primary or secondary, cannot have the same combination of IP address, port number, and VPN instance. |
5. (Optional.) Enable buffering of HWTACACS stop-accounting requests to which no responses have been received. | stop-accounting-buffer enable | By default, the buffering feature is enabled. |
6. (Optional.) Set the maximum number of transmission attempts for individual HWTACACS stop-accounting requests. | retry stop-accounting retries | The default setting is 100. |
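The scheme, server and key procedures above share a handful of limits (16 schemes, one primary and up to 16 secondary servers per role, no two servers with the same IP address, port and VPN instance, a shared key for every role in use). The following Python model, added here as an example and not H3C or HPE code, checks those limits before the configuration is pasted into the device and renders the corresponding CLI lines. It assumes the TACACS+ well-known port 49 as the port that is omitted from a rendered line, and it types the key in its plaintext (`simple`) form.

```python
# Added example (not H3C/HPE code): model an HWTACACS scheme, enforce the
# limits stated in the procedures above, and render the matching CLI lines.
# Assumptions: TACACS+ default port 49, and a server identity of
# (IP address, port, VPN instance), as the remarks above define it.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_SCHEMES = 16      # at most 16 HWTACACS schemes per device
MAX_SECONDARY = 16    # at most 16 secondary servers per role per scheme
DEFAULT_PORT = 49     # assumption: TACACS+ well-known port, omitted when rendering
ROLES = ("authentication", "authorization", "accounting")


@dataclass(frozen=True)
class Server:
    ip: str
    port: int = DEFAULT_PORT
    vpn: Optional[str] = None    # None means the public network

    def identity(self) -> Tuple[str, int, Optional[str]]:
        return (self.ip, self.port, self.vpn)

    def render(self, rank: str, role: str) -> str:
        line = f" {rank} {role} {self.ip}"
        if self.port != DEFAULT_PORT:
            line += f" {self.port}"
        if self.vpn is not None:
            line += f" vpn-instance {self.vpn}"
        return line


@dataclass
class Role:
    primary: Optional[Server] = None
    secondary: List[Server] = field(default_factory=list)

    def servers(self) -> List[Server]:
        return ([self.primary] if self.primary else []) + self.secondary

    def validate(self, role: str) -> None:
        if len(self.secondary) > MAX_SECONDARY:
            raise ValueError(f"{role}: more than {MAX_SECONDARY} secondary servers")
        seen = set()
        for s in self.servers():
            if s.identity() in seen:   # same IP, port and VPN instance twice
                raise ValueError(f"{role}: duplicate server {s.identity()}")
            seen.add(s.identity())


@dataclass
class Scheme:
    name: str
    key: str                      # shared key, typed in plaintext ("simple") form
    authentication: Role
    authorization: Role = field(default_factory=Role)
    accounting: Role = field(default_factory=Role)

    def validate(self) -> None:
        if self.authentication.primary is None:
            raise ValueError(f"{self.name}: a primary authentication server is required")
        if not self.key:
            raise ValueError(f"{self.name}: a shared key is required")
        for role in ROLES:
            getattr(self, role).validate(role)

    def render(self) -> List[str]:
        self.validate()
        lines = [f"hwtacacs scheme {self.name}"]
        for role in ROLES:
            r = getattr(self, role)
            if r.primary is None:
                continue
            lines.append(r.primary.render("primary", role))
            lines += [s.render("secondary", role) for s in r.secondary]
            lines.append(f" key {role} simple {self.key}")
        lines.append(" quit")
        return lines


def check(scheme: Scheme) -> Optional[str]:
    """Return the first validation error for a scheme, or None if it is acceptable."""
    try:
        scheme.validate()
    except ValueError as err:
        return str(err)
    return None


def render_config(schemes: List[Scheme]) -> List[str]:
    """Render all schemes as one system-view configuration block."""
    if len(schemes) > MAX_SCHEMES:
        raise ValueError(f"more than {MAX_SCHEMES} HWTACACS schemes")
    names = [s.name for s in schemes]
    if len(set(names)) != len(names):
        raise ValueError("duplicate scheme name")
    lines = ["system-view"]
    for scheme in schemes:
        lines += scheme.render()
    return lines


if __name__ == "__main__":
    # Constructed sample: one scheme, redundant authentication, accounting in a VPN.
    auth = Role(Server("10.1.1.1"), [Server("10.1.1.2"), Server("10.1.1.1", port=4949)])
    acct = Role(Server("10.1.1.3", vpn="mgmt"))
    print("\n".join(render_config([Scheme("hwtac1", "k3y", authentication=auth, accounting=acct)])))
```

A second server with the same address but a different port (10.1.1.1 on 4949 above) is accepted, because the identity the device checks is the address, port and VPN instance together; the same address on the same port and VPN instance is reported by `check()` before anything reaches the device.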
Specifying the shared keys for secure HWTACACS communication
The HWTACACS client and server use the shared key with the MD5 algorithm to obfuscate the packet body, which carries the user password and other user data. Each side derives the same pad from its own copy of the key, so the client and server must use the same key for each type of communication. This is obfuscation rather than authenticated encryption: it carries no integrity check and is no stronger than the key, so use a long random key and keep HWTACACS traffic on a trusted management path, for example a dedicated VPN instance.
Perform this task to configure shared keys for servers in an HWTACACS scheme. The keys take effect on all servers for which a shared key is not individually configured.
To specify a shared key for secure HWTACACS communication:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication. | key { accounting | authentication | authorization } { cipher | simple } string | By default, no shared key is specified for secure HWTACACS communication. The shared key configured on the device must be the same as the shared key configured on the HWTACACS server. |
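What the shared key actually does on the wire is shown by the following Python block, added here as an example and not H3C or HPE code. It implements the TACACS+ body obfuscation of RFC 8907 (an MD5 pad derived from session ID, key, version and sequence number, XORed over the body); the page states that HWTACACS is compatible with TACACS+, and this block assumes it uses the same construction. The user name, password, port and session ID are constructed sample values, the PAP authentication START packet is built as RFC 8907 describes it, and the same function serves as client-side obfuscation and server-side recovery because XOR is its own inverse.

```python
# Added example (not H3C/HPE code): TACACS+ body obfuscation with the shared
# key, per RFC 8907 section 4.5. Assumption: HWTACACS uses the same scheme.
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in the clear
VERSION = 0xc1                    # major version 0xc, minor version 1 (PAP)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pad_stream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(... |pad_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keyed pad; applying it twice restores the body."""
    pad = pad_stream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, password: bytes, session_id: int, key: bytes,
                       seq_no: int = 1) -> bytes:
    """Client side: PAP authentication START (action LOGIN=1, priv_lvl 1,
    authen_type PAP=2, service LOGIN=1); with PAP the password is the data field."""
    port, rem_addr = b"vty0", b"192.0.2.10"          # constructed sample values
    body = struct.pack("!BBBBBBBB", 1, 1, 2, 1,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    flags = 0
    if key:
        body = obfuscate(body, session_id, key, VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG           # no key: password travels in clear
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + body


def decode_packet(packet: bytes, key: bytes):
    """Server side: parse the header and recover the body with the server's key.
    Returns (body, protected); protected is False when the clear-text flag is set."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body, False
    return obfuscate(body, session_id, key, version, seq_no), True


if __name__ == "__main__":
    sid = 0x12345678                                  # constructed session id
    pkt = build_authen_start(b"admin", b"s3cret", sid, b"k3y")
    print("password visible on the wire:", b"s3cret" in pkt)
    print("recovered with the right key:", decode_packet(pkt, b"k3y")[0].endswith(b"s3cret"))
    print("recovered with a wrong key:  ", decode_packet(pkt, b"other")[0].endswith(b"s3cret"))
```

Two checks fall out of this directly. A server configured with a different key from the device recovers garbage rather than rejecting the packet outright, which is why a key mismatch shows up as authentication failures rather than as a clear error. And a client that has no key sets the clear-text flag and sends the password as-is, which is the state the scheme is in before the key step above is completed.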
Specifying an MPLS L3VPN instance for the scheme
The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS server, the VPN instance specified for the HWTACACS scheme does not take effect on that server.
To specify a VPN instance for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify a VPN instance for the HWTACACS scheme. | vpn-instance vpn-instance-name | By default, an HWTACACS scheme belongs to the public network. |
Setting the username format and traffic statistics units
A username is typically in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name. By default, the ISP domain name is included in a username. If HWTACACS servers do not recognize usernames that contain ISP domain names, you can configure the device to send usernames without domain names to the servers.
If two or more ISP domains use the same HWTACACS scheme, configure the HWTACACS scheme to keep the ISP domain name in usernames for domain identification.
The device reports online user traffic statistics in accounting packets. The traffic measurement units are configurable, but they must be the same as the traffic measurement units configured on the HWTACACS accounting servers.
To set the username format and traffic statistics units for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Set the format of usernames sent to the HWTACACS servers. | user-name-format { keep-original | with-domain | without-domain } | By default, the ISP domain name is included in a username. |
4. (Optional.) Set the data flow and packet measurement units for traffic statistics. | data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }* | By default, traffic is counted in bytes and packets. |
Specifying the source IP address for outgoing HWTACACS packets
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. When the HWTACACS server receives a packet, it checks whether the source IP address of the packet is the IP address of a managed NAS.
If it is the IP address of a managed NAS, the server processes the packet.
If it is not the IP address of a managed NAS, the server drops the packet.
To communicate with the HWTACACS server, the source address of outgoing HWTACACS packets is typically the IP address of an egress interface on the NAS. However, in some situations, you must change the source IP address. For example, when VRRP is configured for stateful failover, configure the virtual IP of the uplink VRRP group as the source address.
You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view or in system view.
The IP address specified in HWTACACS scheme view applies to one HWTACACS scheme.
The IP address specified in system view applies to all HWTACACS schemes whose servers are in the VPN instance named in the command, or, if no VPN instance is named, to all HWTACACS schemes whose servers are in the public network.
Before sending an HWTACACS packet, the NAS selects a source IP address in the following order:
The source IP address specified for the HWTACACS scheme.
The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.
The IP address of the outbound interface specified by the route.
To specify a source IP address for all HWTACACS schemes of a VPN or the public network:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify a source IP address for outgoing HWTACACS packets. | hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] | By default, the primary IP address of the HWTACACS packet outbound interface is used as the source IP address. |
To specify a source IP address for an HWTACACS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Specify the source IP address of outgoing HWTACACS packets. | nas-ip { ipv4-address | ipv6 ipv6-address } | By default, the source IP address specified by the hwtacacs nas-ip command in system view is used. If the source IP address is not specified, the primary IP address of the outbound interface is used. |
Setting HWTACACS timers
The device uses the following timers to control communication with an HWTACACS server:
Server response timeout timer (response-timeout)—Defines the HWTACACS server response timeout timer. The device starts this timer immediately after an HWTACACS authentication, authorization, or accounting request is sent. If the device does not receive a response from the server before the timer expires, it sets the server to blocked. Then, the device sends the request to another HWTACACS server.
Real-time accounting timer (realtime-accounting)—Defines the interval at which the device sends real-time accounting packets to the HWTACACS accounting server for online users.
Server quiet timer (quiet)—Defines the duration to keep an unreachable server in blocked state. If a server is not reachable, the device changes the server status to blocked, starts this timer for the server, and tries to communicate with another server in active state. After the server quiet timer expires, the device changes the status of the server back to active.
The server quiet timer setting affects the status of HWTACACS servers. If the scheme includes one primary HWTACACS server and multiple secondary HWTACACS servers, the device communicates with the HWTACACS servers based on the following rules:
When the primary server is in active state, the device communicates with the primary server.
If the primary server fails, the device performs the following operations:
Changes the server status to blocked.
Starts a quiet timer for the server.
Tries to communicate with a secondary server in active state that has the highest priority.
If the secondary server is unreachable, the device performs the following operations:
Changes the server status to blocked.
Starts a quiet timer for the server.
Tries to communicate with the next secondary server in active state that has the highest priority.
The search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If no server is available, the device considers the authentication, authorization, or accounting attempt a failure.
When the quiet timer of a server expires, the status of the server changes back to active. The device does not check the server again during the authentication, authorization, or accounting process.
When you remove a server in use, communication with the server times out. The device looks for a server in active state by first checking the primary server, and then checking secondary servers in the order they are configured.
When all servers are in blocked state, the device only tries to communicate with the primary server.
When one or more servers are in active state, the device tries to communicate with these servers only, even if they are unavailable.
When an HWTACACS server's status changes automatically, the device changes this server's status accordingly in all HWTACACS schemes in which this server is specified.
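The status rules above are easier to reason about as a small state machine. The following Python block, added here as an example and not device code, simulates one scheme's primary and secondary servers under those rules: active servers are tried primary first and then secondaries in configured order, a server that does not answer is blocked and given a quiet timer, a blocked server returns to active when its timer expires, and when every server is blocked only the primary is tried. Reachability is supplied by the caller as a set of addresses, standing in for the outcome of the response timeout; times are seconds and the quiet timer defaults to the page's 5 minutes.

```python
# Added example (not device code): simulate HWTACACS server status and
# selection under the quiet-timer rules described above.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ServerState:
    ip: str
    blocked_until: Optional[float] = None   # None = active, else blocked until this time

    def is_active(self) -> bool:
        return self.blocked_until is None


@dataclass
class SchemeServers:
    primary: ServerState
    secondary: List[ServerState] = field(default_factory=list)
    quiet: float = 5 * 60                   # page default: 5-minute server quiet timer

    def all_servers(self) -> List[ServerState]:
        return [self.primary] + self.secondary

    def expire_quiet_timers(self, now: float) -> None:
        """A server whose quiet timer has expired goes back to active."""
        for s in self.all_servers():
            if s.blocked_until is not None and now >= s.blocked_until:
                s.blocked_until = None

    def select(self, now: float, reachable: Set[str]) -> Optional[str]:
        """Return the server used for one AAA request, or None if the request fails."""
        self.expire_quiet_timers(now)
        active = [s for s in self.all_servers() if s.is_active()]
        # Only active servers are tried, primary first, then secondaries in
        # configured order. If every server is blocked, only the primary is tried.
        candidates = active if active else [self.primary]
        for s in candidates:
            if s.ip in reachable:
                return s.ip
            s.blocked_until = now + self.quiet   # block it and start its quiet timer
        return None

    def status(self, now: float) -> Dict[str, str]:
        """Per-server state, in the spirit of the display hwtacacs scheme output."""
        self.expire_quiet_timers(now)
        return {s.ip: "active" if s.is_active() else "blocked" for s in self.all_servers()}


if __name__ == "__main__":
    # Constructed sample: primary is down at t=0, recovers by t=10, but stays
    # blocked until its quiet timer expires at t=300.
    scheme = SchemeServers(ServerState("10.1.1.1"),
                           [ServerState("10.1.1.2"), ServerState("10.1.1.3")])
    print(scheme.select(0, {"10.1.1.2", "10.1.1.3"}), scheme.status(0))
    print(scheme.select(10, {"10.1.1.1", "10.1.1.2", "10.1.1.3"}), scheme.status(10))
    print(scheme.select(300, {"10.1.1.1", "10.1.1.2", "10.1.1.3"}), scheme.status(300))
```

The second call shows the operational point that catches people: the primary is back at t=10, but requests keep going to the first secondary until the quiet timer runs out, so a short outage on the primary shifts authentication to a secondary for a full quiet period. The all-blocked case shows the other edge: once every server has been blocked, a secondary coming back is not tried at all until a quiet timer expires, because only the primary is probed in that state.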
To set HWTACACS timers:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
3. Set the HWTACACS server response timeout timer. | timer response-timeout seconds | By default, the HWTACACS server response timeout timer is 5 seconds. |
4. Set the real-time accounting interval. | timer realtime-accounting minutes | By default, the real-time accounting interval is 12 minutes. A short interval helps improve accounting precision but requires many system resources. When there are 1000 or more users, set a longer interval. |
5. Set the server quiet timer. | timer quiet minutes | By default, the server quiet timer is 5 minutes. |
Displaying and maintaining HWTACACS
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display the configuration or server statistics of HWTACACS schemes. | display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ] |
Display information about buffered HWTACACS stop-accounting requests to which no responses have been received. | display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name |
Clear HWTACACS statistics. | reset hwtacacs statistics { accounting | all | authentication | authorization } |
Clear the buffered HWTACACS stop-accounting requests to which no responses have been received. | reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name |