HP VPN Firewall Appliances Access Control Configuration Guide
| Step | Command | Remarks |
|---|---|---|
| 2. Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name | N/A |
| 3. Set the HWTACACS server response timeout timer. | timer response-timeout seconds | Optional. The default HWTACACS server response timeout timer is 5 seconds. |
| 4. Set the quiet timer for the primary server. | timer quiet minutes | Optional. The default quiet timer for the primary server is 5 minutes. |
| 5. Set the real-time accounting interval. | timer realtime-accounting minutes | Optional. The default real-time accounting interval is 12 minutes. |
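The following added example (not part of HP's guide) computes the effective value of the three timers for each HWTACACS scheme in a saved configuration, filling in the defaults from the table above where a timer is not set. The configuration layout, scheme names and server addresses in the sample are constructed assumptions.

```python
import re

# Defaults stated in the table above (units as given in the guide).
DEFAULTS = {
    "response-timeout": 5,      # seconds
    "quiet": 5,                 # minutes
    "realtime-accounting": 12,  # minutes
}

# Constructed sample. Assumed layout: a scheme header line followed by
# indented sub-commands, with sections separated by "#".
SAMPLE_CONFIG = """\
#
hwtacacs scheme hwtac-admin
 primary authentication 192.0.2.10
 timer response-timeout 10
 timer quiet 2
#
hwtacacs scheme hwtac-default
 primary authentication 192.0.2.11
#
domain system
"""

SCHEME_RE = re.compile(r"^hwtacacs scheme (\S+)\s*$")
TIMER_RE = re.compile(r"^\s+timer (response-timeout|quiet|realtime-accounting) (\d+)\s*$")

def effective_timers(config_text):
    """Return {scheme: {timer: value}} with unset timers filled from DEFAULTS."""
    schemes, current = {}, None
    for line in config_text.splitlines():
        header = SCHEME_RE.match(line)
        if header:
            current = schemes.setdefault(header.group(1), dict(DEFAULTS))
            continue
        if not line.startswith(" "):
            current = None  # left the scheme block
            continue
        timer = TIMER_RE.match(line)
        if timer and current is not None:
            current[timer.group(1)] = int(timer.group(2))
    return schemes

def changed_from_default(schemes):
    """List (scheme, timer, value) for every timer that differs from its default."""
    return [(name, t, v) for name, timers in sorted(schemes.items())
            for t, v in timers.items() if v != DEFAULTS[t]]
```
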
Displaying and maintaining HWTACACS
| Task | Command | Remarks |
|---|---|---|
| Display the configuration or statistics of HWTACACS schemes. | display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
| Display information about buffered stop-accounting requests for which no responses have been received. | display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
| Clear HWTACACS statistics. | reset hwtacacs statistics { accounting \| all \| authentication \| authorization } | Available in user view. |
| Clear buffered stop-accounting requests that get no responses. | reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name | Available in user view. |
Configuring AAA methods for ISP domains
By default, the device uses local (default) AAA methods for users in an ISP domain. To use other AAA
methods for them, configure the device to reference existing AAA schemes for the ISP domain. For
information about configuring AAA schemes, see "Configuring RADIUS schemes" and "Configuring
HWTACACS schemes."
To use local authentication for users in an ISP domain, first configure local user accounts on the device
(see "Configuring local user attributes").
Creating an ISP domain
In a networking scenario with multiple ISPs, the device can connect users of different ISPs. Different ISP
users can have different user attributes (such as username and password structures), different service
types, and different rights. To manage these ISP users, you need to create ISP domains and then
configure AAA methods and domain attributes for each ISP domain.
The device can accommodate up to 16 ISP domains, including the system-predefined ISP domain system.
You can specify one ISP domain as the default domain.
On the device, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the
device considers that the user belongs to the default ISP domain.