R3721-F3210-F3171-HP High-End Firewalls Access Control Command Reference-6PW101
158
If you configure the command repeatedly, only the last configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send
authentication packets. Removing an authentication server affects only authentication processes that
occur after the remove operation.
NOTE:
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS
scheme.
Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
Examples
# Specify the IP address and port number of the primary authentication server for HWTACACS scheme
hwt1 a s 10 .16 3 .155 .13 a n d 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49
primary authorization
Syntax
primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
undo primary authorization
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS authorization server, in dotted decimal notation. The
default setting is 0.0.0.0.
port-number: Service port number of the primary HWTACACS authorization server. It ranges from 1 to
65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the VPN to which the primary HWTACACS authorization
server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is
on the public network, do not specify this option.
Description
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
By default, no primary HWTACACS authorization server is specified.
The IP addresses of the primary and secondary authorization servers must be different. Otherwise, the
configuration fails.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name
option.