Configuring HWTACACS schemes

Configuration task list

Creating an HWTACACS scheme

Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure a maximum of 16 HWTACACS schemes. An HWTACACS scheme can be used by multiple ISP domains.

To create an HWTACACS scheme:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create an HWTACACS scheme and enter HWTACACS scheme view.

hwtacacs scheme hwtacacs-scheme-name

By default, no HWTACACS schemes exist.

Specifying the HWTACACS authentication servers

You can specify one primary authentication server and a maximum of 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.

If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary authentication server in one scheme and as the secondary authentication server in another scheme at the same time.

To specify HWTACACS authentication servers for an HWTACACS scheme:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter HWTACACS scheme view.

hwtacacs scheme hwtacacs-scheme-name

N/A

3. Specify HWTACACS authentication servers.

  • Specify the primary HWTACACS authentication server:
    primary authentication
    { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

  • Specify a secondary HWTACACS authentication server:
    secondary authentication
    { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

By default, no authentication servers are specified.

Two HWTACACS authentication servers in a scheme, primary or secondary, cannot have the same combination of IP address, port number, and VPN instance.

Specifying the HWTACACS authorization servers

You can specify one primary authorization server and a maximum of 16 secondary authorization servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.

If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.

To specify HWTACACS authorization servers for an HWTACACS scheme:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter HWTACACS scheme view.

hwtacacs scheme hwtacacs-scheme-name

N/A

3. Specify HWTACACS authorization servers.

  • Specify the primary HWTACACS authorization server:
    primary authorization
    { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

  • Specify a secondary HWTACACS authorization server:
    secondary authorization
    { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

By default, no authorization servers are specified.

Two HWTACACS authorization servers in a scheme, primary or secondary, cannot have the same combination of IP address, port number, and VPN instance.

Specifying the HWTACACS accounting servers

You can specify one primary accounting server and a maximum of 16 secondary accounting servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.

If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time.

The device sends an HWTACACS stop-accounting request when it receives a connection teardown request from a host or a connection teardown command from an administrator. A single transmission of a stop-accounting request might go unanswered, for example while the accounting server is unreachable. You can enable the device to buffer stop-accounting requests that have not been answered by the accounting server; the device then resends them until it receives responses.

To bound the number of transmissions, set a maximum number of attempts for individual HWTACACS stop-accounting requests. When a buffered request reaches the maximum, the device discards it, and the accounting server never receives a stop record for that session. Size the limit against the longest server outage you expect to ride through.

HWTACACS does not support accounting for FTP, SFTP, and SCP users.

To specify HWTACACS accounting servers for an HWTACACS scheme:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter HWTACACS scheme view.

hwtacacs scheme hwtacacs-scheme-name

N/A

3. Specify HWTACACS accounting servers.

  • Specify the primary HWTACACS accounting server:
    primary accounting
    { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

  • Specify a secondary HWTACACS accounting server:
    secondary accounting
    { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

By default, no accounting servers are specified.

Two HWTACACS accounting servers in a scheme, primary or secondary, cannot have the same combination of IP address, port number, and VPN instance.

4. (Optional.) Enable buffering of HWTACACS stop-accounting requests to which no responses have been received.

stop-accounting-buffer enable

By default, the buffering feature is enabled.

5. (Optional.) Set the maximum number of transmission attempts for individual HWTACACS stop-accounting requests.

retry stop-accounting retries

The default setting is 100.
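The buffering and retry behavior described above, as an added example that is not part of the original guide: a small Python model of the stop-accounting buffer and of the accounting server's view of a session. The server and buffer classes, the session name "s1", and the outage lengths are constructed for illustration; the default of 100 attempts is the value stated in the table. The point the model makes is the failure mode: once a request is discarded, the server keeps the session open with no stop record.

```python
from dataclasses import dataclass
from typing import List, Set


class AccountingServer:
    """Constructed stand-in for the HWTACACS accounting server: tracks sessions
    that have a start record but no stop record yet."""

    def __init__(self) -> None:
        self.open_sessions: Set[str] = set()
        self.up = True

    def start(self, session_id: str) -> None:
        self.open_sessions.add(session_id)

    def stop(self, session_id: str) -> bool:
        """Return True if the stop-accounting request was answered."""
        if not self.up:
            return False
        self.open_sessions.discard(session_id)
        return True


@dataclass
class StopRequest:
    session_id: str
    attempts: int = 0  # transmissions so far, including the first one


class StopAccountingBuffer:
    """Models 'stop-accounting-buffer enable' with 'retry stop-accounting <retries>'."""

    def __init__(self, max_attempts: int = 100) -> None:  # 100 is the documented default
        self.max_attempts = max_attempts
        self.pending: List[StopRequest] = []
        self.discarded: List[str] = []

    def stop(self, session_id: str, server: AccountingServer) -> bool:
        """First transmission; an unanswered request is buffered for resending."""
        req = StopRequest(session_id, attempts=1)
        if server.stop(session_id):
            return True
        self.pending.append(req)
        return False

    def resend(self, server: AccountingServer) -> None:
        """One resend pass over the buffer. Answered requests leave the buffer;
        unanswered ones are retried until max_attempts is reached, then discarded."""
        keep: List[StopRequest] = []
        for req in self.pending:
            if server.stop(req.session_id):
                continue
            req.attempts += 1
            if req.attempts >= self.max_attempts:
                self.discarded.append(req.session_id)
            else:
                keep.append(req)
        self.pending = keep


def simulate(max_attempts: int, outage_passes: int) -> dict:
    """Tear down one session while the server is down for 'outage_passes' resend
    passes, then bring the server back and resend once more."""
    server = AccountingServer()
    buf = StopAccountingBuffer(max_attempts)
    server.start("s1")
    server.up = False
    buf.stop("s1", server)
    for _ in range(outage_passes):
        buf.resend(server)
    server.up = True
    buf.resend(server)
    return {
        "open_on_server": sorted(server.open_sessions),
        "pending": len(buf.pending),
        "discarded": list(buf.discarded),
    }


if __name__ == "__main__":
    print("default limit, short outage:", simulate(100, 3))
    print("limit 3, long outage:      ", simulate(3, 5))
```

With the default limit and a short outage the buffered request is delivered once the server returns; with a limit lower than the outage the request is discarded and the server is left with a dangling open session, which is the case to watch for when tuning retry stop-accounting.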

Specifying the shared keys for secure HWTACACS communication

The HWTACACS client and server use the MD5 algorithm and shared keys to authenticate packets and to encrypt user passwords in transit; the shared key is the only secret protecting this exchange. The client and server must use the same key for each type of communication (authentication, authorization, and accounting), or the peer cannot decode the packets. Use long, random keys, and prefer distinct keys for different server groups so that a key recovered from one device does not expose the others.

Perform this task to configure shared keys for servers in an HWTACACS scheme. A scheme-level key applies to every server for which no key was specified with the key keyword in the primary or secondary command; a key specified for an individual server takes precedence for that server.

To specify a shared key for secure HWTACACS communication:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter HWTACACS scheme view.

hwtacacs scheme hwtacacs-scheme-name

N/A

3. Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication.

key { accounting | authentication | authorization } { cipher | simple } string

By default, no shared key is specified for secure HWTACACS communication.

The shared key configured on the device must be the same as the shared key configured on the HWTACACS server.
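To make concrete why the key must match on both sides, here is an added example (not code from the guide or from the vendor) that encodes and decodes a packet body. It assumes that HWTACACS protects packets the way TACACS+ does in RFC 8907 section 4.5: the 12-byte header travels in the clear, and the body is XORed with an MD5 keystream derived from the session ID, the shared key, the version byte, and the sequence number. The header constants, the sample key, the session ID, and the login fields are constructed values.

```python
import hashlib
import struct

# Assumption: HWTACACS packets are protected like TACACS+ packets (RFC 8907,
# section 4.5). Header layout: version, type, seq_no, flags, session_id, length.
VERSION = 0xC0       # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01   # authentication packet


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id | key | version | seq_no),
    pad_n = MD5(session_id | key | version | seq_no | pad_{n-1});
    the pads are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int, version: int = VERSION) -> bytes:
    """XOR the body with the keystream. XOR is symmetric, so this also decodes."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, password: str) -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=PAP(2),
    service=LOGIN(1), four length bytes, then the variable-length fields.
    With PAP the password is carried in the data field, so it is in the body."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return struct.pack("!8B", 1, 1, 2, 1, len(u), len(p), len(r), len(d)) + u + p + r + d


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 ptype: int = TYPE_AUTHEN, flags: int = 0) -> bytes:
    """Cleartext header followed by the obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Decode with the receiver's key. With a mismatched key the body is garbage,
    which is why the device and server keys must be identical."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, seq_no, version)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def demo() -> dict:
    """Constructed sample exchange: one START packet, decoded with the right and
    the wrong key."""
    key = b"Sup3r-l0ng-random-key!"      # constructed shared key
    session_id = 0x1A2B3C4D              # constructed session ID
    body = authen_start_body("admin", "vty0", "192.0.2.10", "hunter2")
    pkt = build_packet(body, session_id, key, seq_no=1)
    return {
        "packet": pkt,
        "body": body,
        "decoded_ok": parse_packet(pkt, key)["body"] == body,
        "decoded_wrong_key": parse_packet(pkt, b"wrong-key")["body"] == body,
        "password_visible": b"hunter2" in pkt,
        "session_id_visible": pkt[4:8] == bytes.fromhex("1a2b3c4d"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value if not isinstance(value, bytes) else value.hex()}")
```

Two practical points follow from the construction. The header fields (including the session ID and body length) are visible to anyone on the path, and the MD5 keystream provides confidentiality against a passive observer but no integrity check beyond the peer failing to parse a mis-keyed body, so keep HWTACACS traffic inside a management VPN instance and restrict which addresses can reach the servers.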

Specifying an MPLS L3VPN instance for the scheme

The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS server, the VPN instance specified for the HWTACACS scheme does not take effect on that server.

To specify a VPN instance for an HWTACACS scheme:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter HWTACACS scheme view.

hwtacacs scheme hwtacacs-scheme-name

N/A

3. Specify a VPN instance for the HWTACACS scheme.

vpn-instance vpn-instance-name

By default, an HWTACACS scheme belongs to the public network.

Setting the username format and traffic statistics units

A username is typically in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name. By default, the ISP domain name is included in a username. If HWTACACS servers do not recognize usernames that contain ISP domain names, you can configure the device to send usernames without domain names to the servers.

If two or more ISP domains use the same HWTACACS scheme, configure the HWTACACS scheme to keep the ISP domain name in usernames for domain identification.

The device reports online user traffic statistics in accounting packets. The traffic measurement units are configurable, but they must be the same as the traffic measurement units configured on the HWTACACS accounting servers.

To set the username format and traffic statistics units for an HWTACACS scheme:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter HWTACACS scheme view.

hwtacacs scheme hwtacacs-scheme-name

N/A

3. Set the format of usernames sent to the HWTACACS servers.

user-name-format { keep-original | with-domain | without-domain }

By default, the ISP domain name is included in a username.

4. (Optional.) Set the data flow and packet measurement units for traffic statistics.

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*

By default, traffic is counted in bytes and packets.
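The three username formats and the domain-identification problem from the paragraph above, as an added example that is not part of the original guide. It assumes that the rightmost @ separates the user ID from the ISP domain and that a name entered without @ is assigned to a default domain (the "system" default domain and the user names are constructed). The last function shows what with-domain is for: with without-domain, users from two ISP domains that share one scheme collapse to the same identity on the server.

```python
from typing import Dict, Iterable, List, Tuple

MODES = ("keep-original", "with-domain", "without-domain")


def split_username(entered: str, default_domain: str) -> Tuple[str, str]:
    """Return (userid, isp-domain). Assumption: the rightmost '@' is the
    separator; a name without '@' belongs to the default domain."""
    if "@" in entered:
        userid, _, domain = entered.rpartition("@")
        return userid, domain
    return entered, default_domain


def format_for_server(entered: str, default_domain: str, mode: str) -> str:
    """Username sent to the HWTACACS server under each user-name-format mode."""
    if mode not in MODES:
        raise ValueError(f"unknown user-name-format mode: {mode}")
    userid, domain = split_username(entered, default_domain)
    if mode == "keep-original":
        return entered                  # exactly as the user typed it
    if mode == "with-domain":
        return f"{userid}@{domain}"     # domain added even if the user omitted it
    return userid                       # without-domain


def server_identities(logins: Iterable[str], default_domain: str, mode: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each username as seen by the server to the (userid, domain) pairs
    on the device that produce it."""
    seen: Dict[str, List[Tuple[str, str]]] = {}
    for entered in logins:
        key = format_for_server(entered, default_domain, mode)
        seen.setdefault(key, []).append(split_username(entered, default_domain))
    return seen


def ambiguous(logins: Iterable[str], default_domain: str, mode: str) -> List[str]:
    """Server-side usernames that more than one device-side (userid, domain)
    pair maps to; the server cannot tell those domains apart."""
    table = server_identities(logins, default_domain, mode)
    return sorted(name for name, pairs in table.items() if len(set(pairs)) > 1)


if __name__ == "__main__":
    # Constructed logins from two ISP domains that share one HWTACACS scheme.
    logins = ["alice@corp", "alice@partner", "bob@corp", "carol"]
    for mode in MODES:
        print(mode, [format_for_server(x, "system", mode) for x in logins],
              "ambiguous:", ambiguous(logins, "system", mode))
```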

Specifying the source IP address for outgoing HWTACACS packets

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. When the HWTACACS server receives a packet, it checks whether the source IP address of the packet is the IP address of a managed NAS.

To communicate with the HWTACACS server, the source address of outgoing HWTACACS packets is typically the IP address of an egress interface on the NAS. However, in some situations, you must change the source IP address. For example, when VRRP is configured for stateful failover, configure the virtual IP of the uplink VRRP group as the source address.

You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view or in system view.

Before sending an HWTACACS packet, the NAS selects a source IP address in the following order:

  1. The source IP address specified for the HWTACACS scheme.

  2. The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.

  3. The IP address of the outbound interface specified by the route.

To specify a source IP address for all HWTACACS schemes of a VPN or the public network:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Specify a source IP address for outgoing HWTACACS packets.

hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

By default, the primary IP address of the HWTACACS packet outbound interface is used as the source IP address.

To specify a source IP address for an HWTACACS scheme:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter HWTACACS scheme view.

hwtacacs scheme hwtacacs-scheme-name

N/A

3. Specify the source IP address of outgoing HWTACACS packets.

nas-ip { ipv4-address | ipv6 ipv6-address }

By default, the source IP address specified by the hwtacacs nas-ip command in system view is used. If the source IP address is not specified, the primary IP address of the outbound interface is used.

Setting HWTACACS timers

The device uses the following timers to control communication with an HWTACACS server: the server response timeout timer, which bounds how long the device waits for a reply before it treats the server as unreachable; the real-time accounting timer, which sets how often the device reports traffic statistics for online users; and the server quiet timer, which sets how long an unreachable server stays in blocked state before the device tries it again.

The server quiet timer setting affects the status of HWTACACS servers. If the scheme includes one primary HWTACACS server and multiple secondary HWTACACS servers, the device tries the primary server first and, when it does not respond within the response timeout, moves to the secondary servers in the order they are configured. A server that does not respond is placed in blocked state for the length of the quiet timer and is skipped by subsequent requests; when the quiet timer expires, the server returns to active state and is tried again.

To set HWTACACS timers:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter HWTACACS scheme view.

hwtacacs scheme hwtacacs-scheme-name

N/A

3. Set the HWTACACS server response timeout timer.

timer response-timeout seconds

By default, the HWTACACS server response timeout timer is 5 seconds.

4. Set the real-time accounting interval.

timer realtime-accounting minutes

By default, the real-time accounting interval is 12 minutes.

A short interval improves accounting precision but consumes more system resources. When there are 1000 or more users, set a longer interval.

5. Set the server quiet timer.

timer quiet minutes

By default, the server quiet timer is 5 minutes.
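The server selection order described in the authentication, authorization and accounting sections, the uniqueness rule for address/port/VPN instance, and the response timeout and quiet timer above, as one added example that is not part of the original guide. It is a Python model of a scheme with a primary and up to 16 secondaries; the server addresses, the default port 49, and the reachability callback are constructed assumptions, and the time arithmetic is simplified to one response timeout per unreachable server.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MAX_SECONDARIES = 16  # limit stated in the guide


@dataclass
class Server:
    address: str
    port: int = 49            # assumed default HWTACACS port
    vpn_instance: str = ""    # "" means the public network
    blocked_until: float = 0.0  # absolute time at which this server's quiet timer expires

    def state(self, now: float) -> str:
        return "blocked" if now < self.blocked_until else "active"

    def identity(self) -> Tuple[str, int, str]:
        """The triple that must be unique within a scheme."""
        return (self.address, self.port, self.vpn_instance)


class HwtacacsScheme:
    def __init__(self, name: str, primary: Server,
                 response_timeout_s: float = 5, quiet_min: float = 5) -> None:
        self.name = name
        self.primary = primary
        self.secondaries: List[Server] = []
        self.response_timeout_s = response_timeout_s   # 'timer response-timeout'
        self.quiet_s = quiet_min * 60                   # 'timer quiet' (minutes)

    def add_secondary(self, server: Server) -> None:
        """Enforce the two configuration rules: at most 16 secondaries, and no
        two servers with the same address, port and VPN instance."""
        if len(self.secondaries) >= MAX_SECONDARIES:
            raise ValueError("at most 16 secondary servers per scheme")
        existing = {s.identity() for s in [self.primary, *self.secondaries]}
        if server.identity() in existing:
            raise ValueError("duplicate address/port/VPN instance in scheme")
        self.secondaries.append(server)

    def candidates(self, now: float) -> List[Server]:
        """Order in which the device tries servers: primary first, then the
        secondaries in configured order, skipping servers in blocked state."""
        return [s for s in [self.primary, *self.secondaries] if s.state(now) == "active"]

    def send(self, now: float, reachable: Callable[[Server], bool]) -> Tuple[Optional[Server], float]:
        """Try the candidate servers in order. Each unreachable server costs one
        response timeout and is put in blocked state for the quiet timer.
        Returns (server that answered, or None if all failed; finishing time)."""
        t = now
        for s in self.candidates(now):
            if reachable(s):
                return s, t
            t += self.response_timeout_s
            s.blocked_until = t + self.quiet_s
        return None, t


if __name__ == "__main__":
    # Constructed scheme: primary down, two secondaries up.
    scheme = HwtacacsScheme("tac", Server("10.0.0.1"), response_timeout_s=5, quiet_min=5)
    scheme.add_secondary(Server("10.0.0.2"))
    scheme.add_secondary(Server("10.0.0.3", vpn_instance="mgmt"))
    up = lambda s: s.address != "10.0.0.1"
    print("first request:", scheme.send(0, up))      # waits 5 s, then uses 10.0.0.2
    print("second request:", scheme.send(10, up))    # primary blocked, no wait
    print("after quiet timer:", scheme.send(400, lambda s: True))  # primary again
```

The second request shows the purpose of the quiet timer: while the primary is blocked, users do not pay the response timeout on every login. Size the quiet timer against how quickly you want a recovered primary back in service, and the response timeout against the worst-case latency to the servers, since both add directly to login delay.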

Displaying and maintaining HWTACACS

Execute display commands in any view and reset commands in user view.

Task

Command

Display the configuration or server statistics of HWTACACS schemes.

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Display information about buffered HWTACACS stop-accounting requests to which no responses have been received.

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Clear HWTACACS statistics.

reset hwtacacs statistics { accounting | all | authentication | authorization }

Clear the buffered HWTACACS stop-accounting requests to which no responses have been received.

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name