R3721-F3210-F3171-HP High-End Firewalls Access Control Command Reference-6PW101

By default, the ISP domain name is included in the username.
A username is generally in the format userid@isp-name, of which isp-name is used by the firewall to
determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot
recognize a username including an ISP domain name. Before sending a username including a domain
name to such an HWTACACS server, the firewall must remove the domain name. This command allows
you to specify whether to include a domain name in a username to be sent to an HWTACACS server.
If an HWTACACS scheme sends usernames without the ISP domain name, do not apply the scheme to
more than one ISP domain. Otherwise, the HWTACACS server regards two users who are in different
ISP domains but have the same userid as one user.
If the HWTACACS scheme is used for wireless users, specify the keep-original keyword. Otherwise,
authentication of the wireless users may fail.
Examples
# Configure the firewall to remove the ISP domain name from the username sent to the HWTACACS servers
for the HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
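
The userid collision that the user-name-format description warns about, as an added Python example (not part of the original reference and not HP code). It flags schemes that strip the domain while serving more than one ISP domain and lists the logins the server could not tell apart. The scheme hwt2, the domains isp-a to isp-d and all logins are constructed sample data, and every login is assumed to be entered as userid@isp-name.

```python
from collections import defaultdict

# Constructed sample data (not from a real device).
SCHEME_FORMAT = {"hwt1": "without-domain", "hwt2": "with-domain"}  # with-domain = default behaviour
DOMAIN_SCHEME = {"isp-a": "hwt1", "isp-b": "hwt1", "isp-c": "hwt2", "isp-d": "hwt2"}
LOGINS = ["alice@isp-a", "alice@isp-b", "bob@isp-a", "alice@isp-c", "alice@isp-d"]

def sent_username(login, fmt):
    """Name sent to the server for a login entered as userid@isp-name."""
    userid, _, _domain = login.partition("@")
    if fmt == "without-domain":
        return userid
    if fmt in ("with-domain", "keep-original"):
        return login  # the domain part stays in the name
    raise ValueError(f"unknown user-name-format: {fmt}")

def risky_schemes(scheme_format, domain_scheme):
    """Schemes that strip the domain and serve more than one ISP domain."""
    domains = defaultdict(set)
    for domain, scheme in domain_scheme.items():
        domains[scheme].add(domain)
    return {s: sorted(d) for s, d in domains.items()
            if scheme_format[s] == "without-domain" and len(d) > 1}

def collisions(logins, scheme_format, domain_scheme):
    """Map (scheme, sent name) -> logins the server cannot tell apart."""
    seen = defaultdict(set)
    for login in logins:
        domain = login.partition("@")[2]
        scheme = domain_scheme[domain]
        seen[(scheme, sent_username(login, scheme_format[scheme]))].add(login)
    return {key: sorted(users) for key, users in seen.items() if len(users) > 1}

if __name__ == "__main__":
    print(risky_schemes(SCHEME_FORMAT, DOMAIN_SCHEME))
    print(collisions(LOGINS, SCHEME_FORMAT, DOMAIN_SCHEME))
```
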
vpn-instance (HWTACACS scheme view)
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
View
HWTACACS scheme view
Default level
2: System level
Parameters
vpn-instance-name: Name of the VPN instance, a case-sensitive string of 1 to 31 characters.
Description
Use vpn-instance to specify a VPN for the HWTACACS scheme.
Use undo vpn-instance to remove the configuration.
The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN
instance is specified.
Related commands: display hwtacacs.
Examples
# Specify VPN instance test for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] vpn-instance test