HP MSR2000/3000/4000 Router Series Fundamentals Configuration Guide

# For the system-predefined domain system, configure the authentication method for login users and the
command authorization method to use the HWTACACS scheme and, if the HWTACACS server is
unavailable, use local authentication and local authorization as the backup.
[Device] domain system
[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
[Device-isp-system] accounting login none
[Device-isp-system] quit
# Create local user monitor, set the password to 123, assign the Telnet service, and set the default
privilege level to 1.
[Device] local-user monitor class manage
[Device-luser-manage-monitor] password simple 123
[Device-luser-manage-monitor] service-type telnet
[Device-luser-manage-monitor] authorization-attribute user-role level-1
Configuring command accounting
Command accounting allows the HWTACACS server to record all executed commands that are
supported by the device, regardless of the command execution result. This function helps control and
monitor user behavior on the device.
When command accounting is disabled, the accounting server does not record the commands executed
by users. If command accounting is enabled but command authorization is not, every executed
command is recorded on the HWTACACS server. If both command accounting and command
authorization are enabled, only authorized commands that are executed are recorded on the
HWTACACS server.
This section provides only the procedure for configuring command accounting. To make the command
accounting function take effect, you must configure a command accounting method in ISP domain view.
For more information, see Security Configuration Guide.
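The following Python code is an added example, not part of the HP guide: it parses the ISP-domain lines from the example above into ordered method chains (primary first, backup after) and applies the three recording cases just described. The `accounting command hwtacacs-scheme ...` line form and the two boolean parameters standing for the user-line settings are assumptions, because this section does not show those commands.

```python
import re

# Constructed sample: the ISP-domain lines from the configuration example above.
SAMPLE = """\
[Device] domain system
[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
[Device-isp-system] accounting login none
[Device-isp-system] quit
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips the "[Device-isp-system] " prompt
AAA = re.compile(r"^(authentication|authorization|accounting)\s+(login|command)\s+(.+)$")

def parse_domain(text):
    """Return {(function, target): [methods in fallback order]} for one ISP domain."""
    chains = {}
    for raw in text.splitlines():
        m = AAA.match(PROMPT.sub("", raw.strip()))
        if not m:
            continue
        tokens, methods, i = m.group(3).split(), [], 0
        while i < len(tokens):
            if tokens[i].endswith("-scheme") and i + 1 < len(tokens):
                methods.append(f"{tokens[i]} {tokens[i + 1]}")  # scheme type + name
                i += 2
            else:
                methods.append(tokens[i])  # "local" or "none"
                i += 1
        chains[(m.group(1), m.group(2))] = methods
    return chains

def recorded_commands(chains, line_accounting, line_authorization):
    """Which executed commands reach the HWTACACS server, per the three cases above."""
    # Assumption: line_accounting / line_authorization say whether the function
    # is enabled for the user line; the caller supplies them.
    method = chains.get(("accounting", "command"), [])
    if not line_accounting or not any(x.startswith("hwtacacs-scheme") for x in method):
        return "none"  # disabled, or no command accounting method in the domain
    if line_authorization and ("authorization", "command") in chains:
        return "authorized commands only"
    return "every executed command"

if __name__ == "__main__":
    chains = parse_domain(SAMPLE)
    print(chains)
    print(recorded_commands(chains, line_accounting=True, line_authorization=True))
```

Run against the sample, the result is "none": the domain authorizes commands through HWTACACS but defines no command accounting method, so no commands are recorded until one is added in ISP domain view.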
Configuration procedure
To configure command accounting:
Step                      Command        Remarks
1. Enter system view.     system-view    N/A