primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to restore the default.


primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authentication


The primary HWTACACS authentication server is not specified.


HWTACACS scheme view

Predefined user roles




host-name: Specifies the host name of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN instance, host name, IP address, and port number settings.

As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.


# In HWTACACS scheme hwt1, specify the primary authentication server with IP address, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 49 key simple 123456TESTauth&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)