R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101
2. Configure HWTACACS parameters as described in Table 54.
3. Click Apply.
Table 54 Configuration items
Item Description
NAS-IP
Source IP address for the firewall to use in HWTACACS packets to be sent to the
HWTACACS server. Use a loopback interface address instead of a physical
interface address as the source IP address to make sure the response packets
from the server can reach the firewall when the physical interface is down.
Realtime-Accounting Interval
Real-time accounting interval, whose value must be a multiple of 3.
To implement real-time accounting on users, it is necessary to set the real-time
accounting interval. With this parameter specified, the firewall sends the
accounting information of online users to the HWTACACS server at the
specified interval. According to the protocol, the firewall does not disconnect
online users even if the server does not respond properly.
If you leave this field blank, the real-time accounting interval is restored to the
default value.
IMPORTANT:
Consider the performance of the NAS and the HWTACACS server when you set
the real-time accounting interval. A shorter interval requires higher performance.
Use a longer interval when there are more than 1000 users. Table 55 shows the
recommended ratios of the interval to the number of users.
Stop-Accounting Buffer
Enable or disable buffering, in the firewall, of stop-accounting requests that
receive no response.
Since stop-accounting requests affect the charge to users, a NAS must make its
best effort to send every stop-accounting request to the HWTACACS accounting
servers. For each stop-accounting request getting no response in the specified
period of time, the NAS buffers and resends the packet until it receives a
response or the number of transmission retries reaches the configured limit. In
the latter case, the NAS discards the packet.
Stop-Accounting Packet Retransmission Times
The maximum number of stop-accounting packet transmission attempts if no
response is received for the stop-accounting packet.
If stop-accounting buffer is disabled, this value is ineffective.
If you leave this field blank, the number of retransmission times is restored to the
default value.
Response Timeout Interval
Set the HWTACACS server response timeout time.
If no response is received from the server within the timeout interval, it may lead
to disconnection from the HWTACACS server.
If you leave this field blank, the response timeout period is restored to the default
value.
IMPORTANT:
As HWTACACS is based on TCP, the timeout of the server response timeout timer
and/or the TCP timeout timer will cause the NAS to be disconnected from the
HWTACACS server.
Quiet Interval
Specify the interval the primary server has to wait before being active.
If you leave this field blank, the quiet interval is restored to the default value.
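
The Stop-Accounting Buffer and Stop-Accounting Packet Retransmission Times items above decide how long an accounting-server outage can last before a stop-accounting record is discarded. The following Python model is an added example, not firewall code or HP configuration syntax; the class and function names, the sample values, and the assumptions that each attempt waits one full response timeout and that the limit counts the first transmission are all illustrative.

```python
"""Toy model of the Stop-Accounting Buffer behaviour in Table 54 (added example)."""
from dataclasses import dataclass


@dataclass
class NasConfig:                 # hypothetical container, not a device API
    buffer_enabled: bool         # "Stop-Accounting Buffer"
    max_attempts: int            # "Stop-Accounting Packet Retransmission Times"
    response_timeout: int        # "Response Timeout Interval" (seconds assumed)


def allowed_attempts(cfg):
    # With the buffer disabled the retransmission value is ineffective,
    # so the request is sent once and never retried.
    return cfg.max_attempts if cfg.buffer_enabled else 1


def send_stop_accounting(cfg, server_up_at, sent_at=0):
    """Return (delivered, attempts, finished_at) for one stop-accounting request.

    server_up_at is the time at which the accounting server starts answering.
    Assumption: every unanswered attempt waits one full response timeout.
    """
    now = sent_at
    for attempt in range(1, allowed_attempts(cfg) + 1):
        if now >= server_up_at:
            return True, attempt, now      # response received, record accounted
        now += cfg.response_timeout        # no response: wait out the timer
    return False, allowed_attempts(cfg), now   # limit reached: packet discarded


def longest_survivable_outage(cfg):
    """Longest outage after which the stop-accounting record is still delivered."""
    return (allowed_attempts(cfg) - 1) * cfg.response_timeout


if __name__ == "__main__":
    # Constructed sample values; the page does not state defaults or ranges.
    buffered = NasConfig(buffer_enabled=True, max_attempts=5, response_timeout=10)
    unbuffered = NasConfig(buffer_enabled=False, max_attempts=5, response_timeout=10)
    for name, cfg in (("buffered", buffered), ("unbuffered", unbuffered)):
        for outage in (0, 25, 40, 41):
            delivered, attempts, t = send_stop_accounting(cfg, server_up_at=outage)
            state = "delivered" if delivered else "DISCARDED"
            print(f"{name:10} outage={outage:3}s attempts={attempts} t={t:3}s {state}")
        print(f"{name:10} survives outages up to {longest_survivable_outage(cfg)}s")
```

Under this model, any outage longer than (attempts - 1) × timeout leaves a session with no stop record on the HWTACACS server, which is the gap to look for when reconciling accounting logs after a server or link failure.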