R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter HWTACACS scheme view | hwtacacs scheme hwtacacs-scheme-name | — |
| Specify the primary HWTACACS accounting server | primary accounting ip-address [ port-number ] | Required. Configure at least one of the two commands. No accounting server is specified by default. |
| Specify the secondary HWTACACS accounting server | secondary accounting ip-address [ port-number ] | Required. Configure at least one of the two commands. No accounting server is specified by default. |
| Enable buffering of stop-accounting requests to which no responses are received | stop-accounting-buffer enable | Optional. Enabled by default. |
| Set the maximum number of stop-accounting attempts | retry stop-accounting retry-times | Optional. 100 by default. |
NOTE:
• An HWTACACS server can function as the primary accounting server of one scheme and as the
secondary accounting server of another scheme at the same time.
• The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the
configuration fails.
• You can remove an accounting server only when no active TCP connection for sending accounting
packets is using it.
• HWTACACS does not support accounting for FTP users.
Specifying the shared keys for authenticating HWTACACS packets
The HWTACACS client and HWTACACS server use the MD5 algorithm to encrypt packets exchanged
between them and use shared keys to authenticate the packets. They must use the same shared key for the
same type of packets.
Follow these steps to specify the shared keys for authenticating HWTACACS packets:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter HWTACACS scheme view | hwtacacs scheme hwtacacs-scheme-name | — |
| Specify the shared keys for authenticating HWTACACS authentication, authorization, and accounting packets | key { accounting \| authentication \| authorization } key | Required. No shared key by default. |
NOTE:
A shared key configured on the device must be the same as that configured on the HWTACACS server.
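The following CLI session is an added example and is not taken from the guide or from an HP device; it puts the two tables above together into one scheme. The scheme name hwtac, the addresses 10.1.1.1 and 10.1.1.2, the key strings and the [Sysname-...] prompts are constructed placeholders, the port-number argument is omitted so the device default applies, and lines starting with # are annotations rather than commands.

```text
# Constructed example: one HWTACACS scheme with a primary and a secondary
# accounting server (different addresses, as the NOTE requires) and a
# separate shared key for each packet type.
<Sysname> system-view
[Sysname] hwtacacs scheme hwtac
# Accounting servers: at least one of these two commands is required.
[Sysname-hwtacacs-hwtac] primary accounting 10.1.1.1
[Sysname-hwtacacs-hwtac] secondary accounting 10.1.1.2
# Optional; shown with their default values from the table above.
[Sysname-hwtacacs-hwtac] stop-accounting-buffer enable
[Sysname-hwtacacs-hwtac] retry stop-accounting 100
# Shared keys: each must match the key configured for that packet type
# on the HWTACACS server. Values below are placeholders.
[Sysname-hwtacacs-hwtac] key authentication AUTHN-KEY-PLACEHOLDER
[Sysname-hwtacacs-hwtac] key authorization AUTHZ-KEY-PLACEHOLDER
[Sysname-hwtacacs-hwtac] key accounting ACCT-KEY-PLACEHOLDER
```

Because a shared key is the only thing authenticating the packets, a key that differs from the server's for one packet type silently breaks that one function (for example accounting) while the others keep working, so verify all three keys against the server configuration.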
Setting the username format and traffic statistics units
A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP
domain the user belongs to and is used by the device to determine which users belong to which ISP
domains. However, some HWTACACS servers cannot recognize usernames that contain an ISP domain