R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

the accounting server, real-time accounting requests and stop-accounting requests for the user
are no longer delivered to the server.
- If you remove an authentication or accounting server in use, the communication of the firewall
with the server soon times out, and the firewall looks for a server in active state from scratch by
checking any primary server first and then the secondary servers in the order they are
configured.
- When the primary server and secondary servers are all in blocked state, the firewall
communicates with the primary server. If the primary server is available, its status changes to
active. Otherwise, its status remains blocked.
- If one server is in active state but all the others are in blocked state, the firewall only tries to
communicate with the server in active state, even if the server is unavailable.
- After receiving an authentication/accounting response from a server, the firewall changes the
status of the server identified by the source IP address of the response to active if the current
status of the server is blocked.
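The server-selection rules listed above, modelled as an added Python example (not HP code and not part of the original guide). The `Server` class, the function names and the 192.0.2.x addresses are constructed for illustration; how a server becomes blocked is not stated in this section, so the model never blocks a server on its own.

```python
from dataclasses import dataclass

ACTIVE, BLOCKED = "active", "blocked"

@dataclass
class Server:
    ip: str
    role: str              # "primary" or "secondary" (hypothetical field names)
    state: str = ACTIVE

def search_order(servers):
    """Primary server first, then secondaries in the order they are configured."""
    return ([s for s in servers if s.role == "primary"] +
            [s for s in servers if s.role == "secondary"])

def servers_to_try(servers):
    """Servers the firewall contacts for a new request, in order."""
    ordered = search_order(servers)
    active = [s for s in ordered if s.state == ACTIVE]
    if active:
        # Blocked servers are skipped, even when the only active server is down.
        return active
    # Every server is blocked: the firewall talks to the primary server only.
    return [s for s in ordered if s.role == "primary"]

def on_response(servers, source_ip):
    """A response moves the server with that source IP from blocked to active."""
    for s in servers:
        if s.ip == source_ip and s.state == BLOCKED:
            s.state = ACTIVE
            return s
    return None

def send_request(servers, reachable):
    """Try the selected servers; 'reachable' is the set of IPs that answer."""
    for s in servers_to_try(servers):
        if s.ip in reachable:
            on_response(servers, s.ip)
            return s.ip
    return None            # no selected server answered; states are unchanged

if __name__ == "__main__":
    # Constructed sample: all three servers start in blocked state.
    pool = [Server("192.0.2.10", "primary", BLOCKED),
            Server("192.0.2.11", "secondary", BLOCKED),
            Server("192.0.2.12", "secondary", BLOCKED)]
    print(send_request(pool, {"192.0.2.11"}))   # primary down: no answer
    print(send_request(pool, {"192.0.2.10"}))   # primary answers, becomes active
```

The first call shows the operational consequence of the all-blocked rule: a healthy secondary is not used while the primary is the only server being tried.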
Table 51 lists the recommended real-time accounting intervals.

Table 51 Recommended real-time accounting interval settings

Number of users    Real-time accounting interval (in minutes)
1 to 99            3
100 to 499         6
500 to 999         12
≥1000              ≥15

Configuring HWTACACS schemes in the web interface
NOTE:
You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS
servers in use.
Table 52 HWTACACS configuration task list

Task                           Description
Creating an HWTACACS scheme    Required
                               Create an HWTACACS scheme named system.
                               By default, no HWTACACS scheme exists.
Configuring HWTACACS server    Authentication server and authorization server are mandatory and
                               accounting server is optional.
                               This section describes how to specify the primary and the secondary
                               HWTACACS authentication/authorization and accounting servers.
                               By default, no server is specified.
                               IMPORTANT:
                               If redundancy is not required, specify only the primary HWTACACS
                               authentication server.