3Com Switch 8800 Advanced Software V5 Configuration Guide
906 CHAPTER 70: AAA, RADIUS AND HWTACACS CONFIGURATION
■ The IP addresses of the primary and secondary accounting servers must be different; otherwise, the configuration fails.
■ You can remove an accounting server only when no active TCP connection that sends accounting packets is using it.
■ Currently, neither RADIUS nor HWTACACS supports accounting for FTP users.
Setting the Shared Key for HWTACACS Packets

When using an HWTACACS server as an AAA server, you can set a shared key to secure the communications between the device and the HWTACACS server.

The HWTACACS client and server protect the body of each packet with an MD5-derived keystream that is seeded from the shared key, and use the same key to verify the packets they receive. Only when both sides hold the same key can they correctly decode each other's packets and respond; with mismatched keys the decoded body is unreadable and the AAA exchange fails. Note that this MD5 scheme obfuscates the packet body but does not provide message integrity, so the path between the device and the server should still be confined to a trusted management network.

Follow these steps to set the shared key for HWTACACS packets:

1. Enter system view
   Command: system-view
   Remarks: -

2. Create an HWTACACS scheme and enter HWTACACS scheme view
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: Required. No HWTACACS scheme exists by default.

3. Set the shared keys for HWTACACS authentication, authorization, and accounting packets
   Command: key { accounting | authorization | authentication } string
   Remarks: Required. No shared key exists by default. The key configured for each packet type must match the key configured on the server for that type.

Configuring Attributes Related to the Data Sent to the HWTACACS Server

Follow these steps to configure the attributes related to the data sent to the HWTACACS server:

1. Enter system view
   Command: system-view
   Remarks: -

2. Create an HWTACACS scheme and enter HWTACACS scheme view
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: Required. No HWTACACS scheme exists by default.

3. Specify the format of the username to be sent to the HWTACACS server
   Command: user-name-format { with-domain | without-domain }
   Remarks: Optional. By default, the ISP domain name is included in the username.

4. Specify the unit for data flows or packets to be sent to the HWTACACS server
   Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*
   Remarks: Optional. The defaults are byte for data flows and one-packet for data packets.

5. Set the source IP address the device uses to send HWTACACS packets
   Command (in HWTACACS scheme view): nas-ip ip-address
   Command (in system view): quit, then hwtacacs nas-ip ip-address
   Remarks: Use either command. By default, the IP address of the outbound interface serves as the source IP address of HWTACACS packets. The address configured in HWTACACS scheme view applies only to that scheme; the one configured in system view applies to all schemes.
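The two procedures above, carried through on one scheme as an added example (not a configuration taken from the guide itself). The scheme name hwtac1, the key string expert, the source address 10.1.1.1 and the Sysname prompts are assumed values chosen for illustration; the keys must be identical to those configured on the HWTACACS server:

```text
<Sysname> system-view
[Sysname] hwtacacs scheme hwtac1
[Sysname-hwtacacs-hwtac1] key authentication expert
[Sysname-hwtacacs-hwtac1] key authorization expert
[Sysname-hwtacacs-hwtac1] key accounting expert
[Sysname-hwtacacs-hwtac1] user-name-format without-domain
[Sysname-hwtacacs-hwtac1] data-flow-format data kilo-byte packet one-packet
[Sysname-hwtacacs-hwtac1] nas-ip 10.1.1.1
[Sysname-hwtacacs-hwtac1] quit
```

Setting user-name-format without-domain is appropriate when the server's user database does not carry the ISP domain suffix; nas-ip is configured in scheme view here so that it applies only to hwtac1, which matters when different schemes must be sourced from different addresses.

To make concrete what the shared key actually does on the wire, the following Python program (added here, not code from the guide or from 3Com) implements the MD5 keystream obfuscation of the TACACS+ protocol body as specified in RFC 8907 section 4.5; it assumes HWTACACS uses this same scheme, which is what the page's description of MD5 and the shared key corresponds to. It builds a constructed authentication START packet for a constructed user, decodes it with the correct key and with a wrong key, and shows how a receiver can only notice a key mismatch indirectly, because the scheme carries no integrity check:

```python
"""TACACS+ packet body obfuscation (RFC 8907 sec. 4.5), as an added example.
Assumption: HWTACACS uses the same MD5 keystream scheme as standard TACACS+.
All users, keys, addresses and session IDs below are constructed test values."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, default minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in clear when no key is configured
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def keystream(session_id, key, version, seq_no, length):
    """pad = MD5_1 MD5_2 ... where MD5_1 = MD5(session_id, key, version, seq_no)
    and MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), truncated."""
    stream = b""
    prev = b""
    while len(stream) < length:
        h = hashlib.md5()
        h.update(struct.pack("!I", session_id))
        h.update(key)
        h.update(bytes([version, seq_no]))
        h.update(prev)
        prev = h.digest()
        stream += prev
    return stream[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the keystream."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b""):
    """Authentication START body: action=LOGIN(1), priv_lvl=1,
    authen_type=ASCII(1), service=LOGIN(1), then four field lengths and fields."""
    fixed = struct.pack("!BBBBBBBB", 1, 1, 1, 1,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body, key, session_id, seq_no, ptype=TAC_PLUS_AUTHEN):
    """Client side: 12-byte header plus the (obfuscated) body."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire_body = xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no,
                         flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet, key):
    """Server side: recover the body using the key the server holds."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return xor_body(body, session_id, key, version, seq_no)


def start_body_is_consistent(body):
    """There is no MAC, so a key mismatch is only visible because the decoded
    field lengths no longer add up to the body length (or the fields are junk)."""
    if len(body) < 8:
        return False
    user_len, port_len, rem_len, data_len = body[4:8]
    return 8 + user_len + port_len + rem_len + data_len == len(body)


def demo(key_device=b"expert", key_server=b"expert"):
    """Device encodes a START for user 'admin' on vty0; server decodes it.
    Returns (original body, body as decoded by the server, consistency flag)."""
    body = authen_start_body(b"admin", b"vty0", b"10.0.0.5")
    pkt = build_packet(body, key_device, session_id=0x1A2B3C4D, seq_no=1)
    recovered = parse_packet(pkt, key_server)
    return body, recovered, start_body_is_consistent(recovered)


if __name__ == "__main__":
    same = demo()
    print("matching keys   -> body recovered:", same[0] == same[1], "consistent:", same[2])
    diff = demo(b"expert", b"wrong-key")
    print("mismatched keys -> body recovered:", diff[0] == diff[1], "consistent:", diff[2])
```

With identical keys the server recovers the exact START body; with different keys the XOR yields bytes that pass no sanity check, which is the "cannot properly receive the packets and make responses" behaviour the guide describes. Because the pad depends on session_id, version and seq_no as well as the key, the same body never produces the same bytes twice, but nothing in the header or body lets a receiver prove the packet came from a peer holding the key, which is why the transport path still needs protecting.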