HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1701
Specifying the HWTACACS authorization servers
You can specify one primary authorization server and at most one secondary authorization server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. In a scenario where redundancy is not required, specify only the primary server. Follow these guidelines when you specify HWTACACS authorization servers:
• An HWTACACS server can function as the primary authorization server of one scheme and as the secondary...
Page 1702
To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter HWTACACS scheme view.
    Command: hwtacacs scheme hwtacacs-scheme-name
    Remarks: N/A
Step 3. Specify HWTACACS accounting servers.
    Command:
    • Specify the primary HWTACACS accounting server: primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
    • Specify the secondary HWTACACS accounting server: secondary accounting...
Page 1703
Step 1. Enter system view.
    Command: system-view
Step 2. Enter HWTACACS scheme view.
    Command: hwtacacs scheme hwtacacs-scheme-name
Step 3. Specify a VPN for the HWTACACS scheme.
    Command: vpn-instance vpn-instance-name

Setting the username format and traffic statistics units
A username is usually in the format userid@isp-name, where isp-name is the name of the ISP domain the user belongs to; the switch uses it to determine which users belong to which ISP domains. However, some HWTACACS ser...
Page 1704
must change the source IP address. For example, if a Network Address Translation (NAT) device is present between the NAS and the HWTACACS server, the source IP address of outgoing HWTACACS packets must be a public IP address of the NAS. If the NAS is configured with the Virtual Router Redundancy Protocol (VRRP) for stateful failover, the source IP address of HWTACACS packets can be the virtual IP address of the VRRP group to which the uplink belongs. You can specify the source IP address for...
Page 1705
To set timers for controlling communication with HWTACACS servers:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter HWTACACS scheme view.
    Command: hwtacacs scheme hwtacacs-scheme-name
    Remarks: N/A
Step 3. Set the HWTACACS server response timeout timer.
    Command: timer response-timeout seconds
    Remarks: Optional. The default HWTACACS server response timeout timer is 5 seconds.
Step 4. Set the quiet timer for the primary server.
    Command: timer quiet minutes
    Remarks: Optional. The default quiet timer for the primary...
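The server-selection behaviour the preceding sections describe (one primary and at most one secondary server per scheme, the secondary used while the primary is unavailable, a server that does not answer within the response timeout being placed in quiet state) can be modelled and exercised offline. The following Python is an added example written for this page, not HP code and not the switch's implementation. It assumes TACACS+ port 49 as the server default, a quiet timer of 5 minutes for the simulation (the guide's default value is truncated above), and a rule that the same server cannot be both primary and secondary of one scheme; the server outage scenario is constructed. The `render_cli` method prints the scheme in the command syntax shown in the guide's step tables.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Server:
    """One HWTACACS server entry of a scheme (constructed model)."""
    ip: str
    port: int = 49                     # TACACS+ port; the default value is assumed here
    vpn_instance: Optional[str] = None
    quiet_until: float = 0.0           # simulated time until which the switch skips this server

    def key(self) -> Tuple[str, int, Optional[str]]:
        return (self.ip, self.port, self.vpn_instance)


@dataclass
class HwtacacsScheme:
    name: str
    primary: Server
    secondary: Optional[Server] = None  # at most one secondary per scheme, as the guide states
    response_timeout: int = 5           # seconds; the guide's default
    quiet_minutes: int = 5              # value assumed for the simulation

    def __post_init__(self) -> None:
        # Assumed sanity rule: one server cannot be both primary and secondary of the same scheme.
        if self.secondary is not None and self.secondary.key() == self.primary.key():
            raise ValueError("primary and secondary must be different servers")

    def usable(self, now: float) -> List[Server]:
        """Servers in the order the switch tries them, skipping any still in quiet state."""
        return [s for s in (self.primary, self.secondary)
                if s is not None and s.quiet_until <= now]

    def send(self, now: float, transport: Callable[[Server, int], bool]) -> Tuple[Optional[Server], str]:
        """Try the usable servers in order. transport(server, timeout) returns True on a
        reply within the response timeout and False on timeout. A server that times out
        is placed in quiet state for quiet_minutes and the next server is tried."""
        for server in self.usable(now):
            if transport(server, self.response_timeout):
                return server, "answered"
            server.quiet_until = now + self.quiet_minutes * 60
        return None, "no server available"

    def render_cli(self, role: str = "accounting") -> str:
        """Render the scheme as the commands from the guide for one server role."""
        lines = [f"hwtacacs scheme {self.name}"]
        for keyword, server in (("primary", self.primary), ("secondary", self.secondary)):
            if server is None:
                continue
            line = f" {keyword} {role} {server.ip} {server.port}"
            if server.vpn_instance:
                line += f" vpn-instance {server.vpn_instance}"
            lines.append(line)
        lines.append(f" timer response-timeout {self.response_timeout}")
        lines.append(f" timer quiet {self.quiet_minutes}")
        return "\n".join(lines)


def simulate_failover() -> List[Tuple[float, Optional[str], str]]:
    """Constructed scenario: the primary is silent until t=350 s, then answers again."""
    scheme = HwtacacsScheme("hwtac1", Server("10.1.1.1"), Server("10.1.1.2"))
    primary_down_until = 350.0
    clock = {"now": 0.0}

    def transport(server: Server, timeout: int) -> bool:
        return not (server is scheme.primary and clock["now"] < primary_down_until)

    log = []
    for t in (0.0, 100.0, 400.0):
        clock["now"] = t
        server, status = scheme.send(t, transport)
        log.append((t, server.ip if server else None, status))
    return log


if __name__ == "__main__":
    for entry in simulate_failover():
        print(entry)
    print(HwtacacsScheme("hwtac1", Server("10.1.1.1"),
                         Server("10.1.1.2", vpn_instance="mgmt")).render_cli())
```

In the scenario, the request at t=0 times out on the primary, which is then quiet until t=300, and is answered by the secondary; at t=100 the primary is skipped without waiting for another response timeout; at t=400 the quiet timer has expired and the primary is tried first again. The practical point for operators is that while the primary is quiet, every AAA exchange depends on the single secondary, so a second outage leaves the scheme with no server at all.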
Page 1706
methods for an ISP domain, the switch uses the system default AAA methods for authentication, authorization, and accounting of the users in the domain.
Configuration prerequisites
To use local authentication for users in an ISP domain, configure local user accounts (see Configuring local user attributes) on the switch. To use remote authentication, authorization, and accounting, create the required RADIUS and HWTACACS schemes as described in Configuring RADIUS schemes, Configuring HWTACACS...
Page 1707
• Idle cut: This function enables the switch to check the traffic of each online user in the domain at the idle timeout interval, and to log out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic.
• Self-service server location: By using the information defined in this attribute, users can access the self-service server to manage their own accounts and passwords.
• Default authorization user profile: If a user passes...
Page 1708
AAA supports the following authentication methods:
• No authentication (none)—All users are trusted and no authentication is performed. Generally, do not use this method.
• Local authentication (local)—Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.
•...
Page 1709
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter ISP domain view.
    Command: domain isp-name
    Remarks: N/A
Step 3. Specify the default authentication method for all types of users.
    Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
    Remarks: Optional. The default authentication method is local for all types of users.
Step 4. Specify the authentication method for LAN users.
    Command: authentication lan-access {...
Page 1710
2. Determine the access type or service type to be configured. With AAA, you can configure an authorization scheme for each access type and service type, limiting the authorization protocols that can be used for access.
3. Determine whether to configure an authorization method for all access types or service types.
Follow these guidelines when you configure AAA authorization methods for an ISP domain:
• The authorization method specified with the authorization default command is for all...
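The method-selection rules spread over the sections above (the ISP domain taken from the userid@isp-name username, an access-type-specific method overriding the domain's default method, the system default of local when a domain configures nothing, and the optional `local` backup after a remote scheme) are easier to reason about as code. The following Python is an added example for this page, not HP code and not the switch's implementation. It assumes the default ISP domain is named "system", that the username is split at the first "@", and that the `local` backup keyword is consulted only when the remote scheme does not respond and never when the server rejects the user; the domain configuration, user databases and server behaviour are constructed. The same structure applies to the authorization methods discussed above, since they use the same method syntax.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

DEFAULT_DOMAIN = "system"   # name of the default ISP domain; assumed for this example


@dataclass(frozen=True)
class Method:
    kind: str                      # "local", "none", "hwtacacs-scheme" or "radius-scheme"
    scheme: Optional[str] = None   # scheme name for the remote kinds
    local_backup: bool = False     # the trailing "local" keyword


def parse_method(text: str) -> Method:
    """Parse the argument of 'authentication default ...' (or lan-access, login, ...)."""
    parts = text.split()
    if len(parts) == 1 and parts[0] in ("local", "none"):
        return Method(parts[0])
    if parts and parts[0] in ("hwtacacs-scheme", "radius-scheme") and len(parts) in (2, 3):
        if len(parts) == 3 and parts[2] != "local":
            raise ValueError(f"only 'local' may follow the scheme name: {text}")
        return Method(parts[0], parts[1], len(parts) == 3)
    raise ValueError(f"unsupported method: {text}")


@dataclass
class IspDomain:
    name: str
    default: Optional[Method] = None                            # 'authentication default ...'
    by_access: Dict[str, Method] = field(default_factory=dict)  # e.g. {"lan-access": Method(...)}


def split_username(username: str) -> Tuple[str, str]:
    """userid@isp-name -> (userid, isp-name). A name without '@' belongs to the default
    domain; splitting at the first '@' is an assumption of this example."""
    userid, sep, domain = username.partition("@")
    return userid, (domain if sep else DEFAULT_DOMAIN)


def select_method(domain: IspDomain, access_type: str) -> Method:
    """An access-type-specific method wins over the domain default; with neither
    configured the domain falls back to the system default, which the guide gives as local."""
    if access_type in domain.by_access:
        return domain.by_access[access_type]
    if domain.default is not None:
        return domain.default
    return Method("local")


def authenticate(domain: IspDomain, access_type: str, userid: str, password: str,
                 local_users: Dict[str, str],
                 remote: Callable[[str, str, str], Optional[bool]]) -> Tuple[str, bool]:
    """remote(scheme, userid, password) returns True (accept), False (reject) or None
    (no response). The 'local' backup applies only to the no-response case; a rejection
    by the server is final. That is how this model treats the backup keyword (assumed)."""
    method = select_method(domain, access_type)
    if method.kind == "none":
        return "none", True                  # every user trusted; the guide advises against it
    if method.kind == "local":
        return "local", local_users.get(userid) == password
    verdict = remote(method.scheme, userid, password)
    if verdict is None and method.local_backup:
        return "local-backup", local_users.get(userid) == password
    return method.kind, bool(verdict)


# Constructed configuration, user databases and server behaviour for the demonstration.
CORP = IspDomain("corp",
                 default=parse_method("hwtacacs-scheme hwtac1 local"),
                 by_access={"lan-access": parse_method("local")})
LOCAL_USERS = {"alice": "localpw"}
TACACS_DB = {"alice": "tacpw"}


def make_remote(server_up: bool) -> Callable[[str, str, str], Optional[bool]]:
    def remote(scheme: str, userid: str, password: str) -> Optional[bool]:
        if not server_up:
            return None                      # no reply within the response timeout
        return TACACS_DB.get(userid) == password
    return remote


def demo() -> Dict[str, Tuple[str, bool]]:
    userid, domain_name = split_username("alice@corp")
    domain = {"corp": CORP}[domain_name]
    return {
        "login, server up, local password": authenticate(domain, "login", userid, "localpw", LOCAL_USERS, make_remote(True)),
        "login, server up, tacacs password": authenticate(domain, "login", userid, "tacpw", LOCAL_USERS, make_remote(True)),
        "login, server silent, local password": authenticate(domain, "login", userid, "localpw", LOCAL_USERS, make_remote(False)),
        "lan-access, local only": authenticate(domain, "lan-access", userid, "localpw", LOCAL_USERS, make_remote(True)),
    }
```

The first case is the one worth checking on a real deployment: with `hwtacacs-scheme hwtac1 local`, a user rejected by a reachable server is not retried against the local database even though a matching local account exists, so the local account only matters while the server is unreachable. Keep those backup accounts few, strong, and audited, because they are the credentials that work during an outage.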