HP 5500 Ei 5500 Si Switch Series Configuration Guide
When the RADIUS server runs on IMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies. For the switch to function as a RADIUS server to authenticate login users, you must set the RADIUS server type to standard.

To set the RADIUS server type:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3: Set the RADIUS server type.
  Command: server-type { extended | standard }
  Remarks: Optional. The default RADIUS server type is standard.

NOTE: Changing the RADIUS server type restores the unit for data flows and the unit for packets sent to the RADIUS server to their defaults.

Setting the maximum number of RADIUS request transmission attempts

Because RADIUS uses UDP packets to transfer data, the communication process is not reliable. RADIUS uses a retransmission mechanism to improve reliability. If a NAS sends a RADIUS request to a RADIUS server but receives no response after the response timeout timer (defined by the timer response-timeout command) expires, it retransmits the request. If the number of transmission attempts exceeds the specified limit and the NAS still receives no response, it tries to communicate with other RADIUS servers in active state. If no other servers are in active state at the time, it considers the authentication or accounting attempt a failure. For more information about RADIUS server states, see "Setting the status of RADIUS servers."

To set the maximum number of RADIUS request transmission attempts for a scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3: Set the maximum number of RADIUS request transmission attempts.
  Command: retry retry-times
  Remarks: Optional. The default setting is 3.
NOTE:
• The maximum number of transmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75 seconds.
• For more information about the RADIUS server response timeout period, see "Setting timers for controlling communication with RADIUS servers."

Setting the status of RADIUS servers

By setting the status of RADIUS servers to blocked or active, you can control which servers the switch communicates with for authentication, authorization, and accounting, or which servers it turns to when the current servers are no longer available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the switch chooses servers based on these rules:

• When the primary server is in active state, the switch communicates with the primary server. If the primary server fails, the switch changes the server's status to blocked, starts a quiet timer for the server, and then turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the switch changes its status to blocked, starts a quiet timer for it, and continues to check the next secondary server in active state. This search continues until the switch finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the switch does not check the server again during the current authentication or accounting process. If no server is found reachable during one search, the switch considers the authentication or accounting attempt a failure.
• Once the accounting process of a user starts, the switch keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user can no longer be delivered to the server.
• If you remove an authentication or accounting server in use, the communication of the switch with the server soon times out, and the switch looks for a server in active state from scratch by checking any primary server first and then the secondary servers in the order they are configured.
• When the primary server and secondary servers are all in blocked state, the switch communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.
• If one server is in active state and all the others are in blocked state, the switch only tries to communicate with the server in active state, even if that server is unavailable.
• After receiving an authentication/accounting response from a server, the switch changes the status of the server identified by the source IP address of the response to active if the server is currently blocked.

By default, the switch sets the status of all RADIUS servers to active. In cases such as a server failure, you can change the status of the server to blocked to avoid communication with the server.

To set the status of RADIUS servers in a RADIUS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3: Set the RADIUS server status.
  Commands:
  • Set the status of the primary RADIUS authentication/authorization server: state primary authentication { active | block }
  • Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
  • Set the status of a secondary RADIUS authentication/authorization server: state secondary authentication [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
  • Set the status of a secondary RADIUS accounting server: state secondary accounting [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
  Remarks: Optional. By default, all servers in the RADIUS scheme are in active state.

NOTE:
• The server status set by the state command cannot be saved to the configuration file. After the switch restarts, the status of each server is restored to active.
• To display the states of the servers, use the display radius scheme command.

Specifying the source IP address for outgoing RADIUS packets

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of any managed NAS. If it is, the server processes the packet. If not, the server drops the packet.

Usually, the source address of outgoing RADIUS packets can be the IP address of any NAS interface that can communicate with the RADIUS server. In some special scenarios, however, you must change the source IP address. For example, if a Network Address Translation (NAT) device is present between the NAS and the RADIUS server, the source IP address of outgoing RADIUS packets must be a public IP address of the NAS.
If the NAS is configured with the Virtual Router Redundancy Protocol (VRRP) for stateful failover, the source IP address of outgoing RADIUS packets can be the virtual IP address of the VRRP group to which the uplink belongs.

You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes whose servers are in a VPN or the public network.

Before sending a RADIUS packet, a NAS selects a source IP address in this order:
1. The source IP address specified for the RADIUS scheme.
2. The source IP address specified in system view for the VPN or public network, depending on where the RADIUS server resides.
3. The IP address of the outbound interface specified by the route.

To specify a source IP address for all RADIUS schemes in a VPN or the public network:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Specify a source IP address for outgoing RADIUS packets.
  Command: radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
  Remarks: By default, the IP address of the outbound interface is used as the source IP address.

To specify a source IP address for a specific RADIUS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3: Specify a source IP address for outgoing RADIUS packets.
  Command: nas-ip { ip-address | ipv6 ipv6-address }
  Remarks: By default, the IP address of the outbound interface is used as the source IP address.

Specifying a backup source IP address for outgoing RADIUS packets (available only on the HP 5500 EI)

In a stateful failover scenario, the active switch authenticates portal users by interacting with the RADIUS server, and synchronizes its online portal user information to the standby switch through the backup link established between them. The standby switch only receives and processes synchronization messages from the active switch. However, when the active switch fails, the RADIUS server does not send RADIUS packets to the standby switch because it does not know the IP address of the standby switch. To solve this problem, configure the source IP address for outgoing RADIUS packets on each switch as the backup source IP address for outgoing RADIUS packets on the other switch. With such a configuration, the active switch sends the source IP address for outgoing RADIUS packets that is configured on the standby switch to the RADIUS server, so that the RADIUS server can send unsolicited RADIUS packets to the standby switch.

You can specify a backup IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes whose servers are in a VPN or the public network.

Before sending a RADIUS packet, a NAS selects a backup source IP address in this order:
1. The backup source IP address specified for the RADIUS scheme.
2. The backup source IP address specified in system view for the VPN or public network, depending on where the RADIUS server resides.

If no backup source IP address is specified in either view, the NAS sends no backup source IP address to the server.

To specify a backup source IP address for all RADIUS schemes of a VPN or the public network:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Specify a backup source IP address for outgoing RADIUS packets.
  Command: radius nas-backup-ip ip-address [ vpn-instance vpn-instance-name ]
  Remarks: Not specified by default.

To specify a backup source IP address for a RADIUS scheme:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3: Specify a backup source IP address for outgoing RADIUS packets.
  Command: nas-backup-ip ip-address
  Remarks: Not specified by default.

NOTE: The backup source IP address specified for outgoing RADIUS packets takes effect only when stateful failover is configured, and it must be the source IP address for outgoing RADIUS packets that is configured on the standby switch.

Setting timers for controlling communication with RADIUS servers

The switch uses the following types of timers to control communication with a RADIUS server:
• Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission interval. After sending a RADIUS request (authentication/authorization or accounting request), the switch starts this timer. If the switch receives no response from the RADIUS server before this timer expires, it resends the request.
• Server quiet timer (quiet)—Defines how long an unreachable server is kept in blocked state. If a server is not reachable, the switch changes the server's status to blocked, starts this timer for the server, and tries to communicate with another server in active state. After this timer expires, the switch changes the status of the server back to active.
• Real-time accounting timer (realtime-accounting)—Defines the interval at which the switch sends real-time accounting packets to the RADIUS accounting server for online users. To implement real-time accounting, the switch must periodically send real-time accounting packets to the accounting server for online users.

To set timers for controlling communication with RADIUS servers:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3: Set the RADIUS server response timeout timer.
  Command: timer response-timeout seconds
  Remarks: Optional. The default RADIUS server response timeout timer is 3 seconds.
Step 4: Set the quiet timer for the servers.
  Command: timer quiet minutes
  Remarks: Optional. The default quiet timer is 5 minutes.
Step 5: Set the real-time accounting timer.
  Command: timer realtime-accounting minutes
  Remarks: Optional. The default real-time accounting timer is 12 minutes.

• For a type of users, the maximum number of transmission attempts multiplied by the RADIUS server response timeout period must be less than the client connection timeout time and must not exceed 75 seconds. Otherwise, stop-accounting messages cannot be buffered, and the primary/secondary server switchover cannot take place. For example, the product of the two parameters must be less than 10 seconds for voice users and less than 30 seconds for Telnet users, because the client connection timeout period for voice users is 10 seconds and that for Telnet users is 30 seconds.
• When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout period, be sure to take the number of secondary servers into account. If the retransmission process takes too much time, the client connection in the access module may time out while the switch is still trying to find an available server.
• When a number of secondary servers are configured, the client connections of access modules that have a short client connection timeout period may still time out during initial authentication or accounting, even if the packet transmission attempt limit and server response timeout period are configured with small values. In this case, the next authentication or accounting attempt may succeed because the switch has set the state of the unreachable servers to blocked, which shortens the time needed to find a reachable server.
• Be sure to set the server quiet timer properly. Too short a quiet timer may result in frequent authentication or accounting failures, because the switch has to repeatedly attempt to communicate with an unreachable server that is in active state.
• For more information about the maximum number of RADIUS packet transmission attempts, see "Setting the maximum number of RADIUS request transmission attempts."

Configuring RADIUS accounting-on

The accounting-on feature enables a switch to send accounting-on packets to the RADIUS server after it reboots, making the server log out users who logged in through the switch before the reboot.
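Before moving on to accounting-on, the following added example (not part of the HP manual and not HP code) models the server-selection rules from "Setting the status of RADIUS servers" together with the retry, response-timeout and quiet timers from the section above. It walks a primary and secondary server list the way the rules describe (active servers in configuration order, blocked on failure with a quiet timer, fallback to the primary when everything is blocked), records each state change (the event the RADIUS trap function reports), and checks retry × response-timeout against the 75-second limit and the voice and Telnet client timeouts quoted in the notes. The server names and reachability values are constructed test input; `RadiusScheme`, `RadiusServer`, `simulate` and `demo` are names chosen for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Client connection timeouts the manual quotes for two access types (seconds).
CLIENT_TIMEOUT = {"voice": 10, "telnet": 30}
# Upper bound the manual places on retry-times * response-timeout (seconds).
MAX_RETRY_WINDOW = 75


@dataclass
class RadiusServer:
    name: str
    reachable: bool            # constructed test input: does this server answer?
    state: str = "active"      # "active" or "block", as shown by display radius scheme
    quiet_until: float = 0.0   # absolute time (s) at which the quiet timer expires


@dataclass
class RadiusScheme:
    servers: List[RadiusServer]   # primary first, then secondaries in configuration order
    retry: int = 3                # retry retry-times (default 3)
    response_timeout: int = 3     # timer response-timeout (default 3 s)
    quiet: int = 5                # timer quiet (default 5 min)
    # Server state changes; each one is an event the RADIUS trap function reports.
    events: List[str] = field(default_factory=list)

    def retry_window(self) -> int:
        """Seconds spent on one server before it is declared unreachable."""
        return self.retry * self.response_timeout

    def check_timers(self, access_type: str) -> List[str]:
        """Return the manual's timer constraints this scheme violates (empty if none)."""
        problems = []
        window = self.retry_window()
        if window > MAX_RETRY_WINDOW:
            problems.append(f"retry*response-timeout = {window}s exceeds {MAX_RETRY_WINDOW}s")
        limit = CLIENT_TIMEOUT[access_type]
        if window >= limit:
            problems.append(f"retry*response-timeout = {window}s is not below the "
                            f"{access_type} client timeout of {limit}s")
        return problems

    def _set_state(self, srv: RadiusServer, state: str, when: float) -> None:
        if srv.state != state:
            srv.state = state
            self.events.append(f"t={when:g}s {srv.name} -> {state}")

    def authenticate(self, now: float) -> Tuple[Optional[str], float]:
        """One authentication attempt started at time 'now'.
        Returns (name of the server that answered, or None; seconds spent searching)."""
        # Servers whose quiet timer has expired return to active state.
        for srv in self.servers:
            if srv.state == "block" and now >= srv.quiet_until:
                self._set_state(srv, "active", now)
        candidates = [s for s in self.servers if s.state == "active"]
        # All servers blocked: the switch falls back to the primary server only.
        if not candidates:
            candidates = self.servers[:1]
        elapsed = 0.0
        for srv in candidates:
            if srv.reachable:
                # A response from a blocked server makes it active again.
                self._set_state(srv, "active", now + elapsed)
                return srv.name, elapsed
            # retry-times transmissions, each waiting response-timeout, then give up on it.
            elapsed += self.retry_window()
            if srv.state == "active":
                self._set_state(srv, "block", now + elapsed)
                srv.quiet_until = now + elapsed + self.quiet * 60
        return None, elapsed


def simulate(scheme: RadiusScheme, access_type: str, attempts: int
             ) -> List[Tuple[Optional[str], float, bool]]:
    """Run successive login attempts of one access type.
    Each entry is (server that answered, search seconds, client still connected?)."""
    results = []
    now = 0.0
    for _ in range(attempts):
        server, elapsed = scheme.authenticate(now)
        connected = server is not None and elapsed < CLIENT_TIMEOUT[access_type]
        results.append((server, elapsed, connected))
        now += elapsed
    return results


def demo() -> Tuple[List[Tuple[Optional[str], float, bool]], List[str]]:
    # Constructed topology: primary and first secondary are down, second secondary answers.
    scheme = RadiusScheme(servers=[
        RadiusServer("primary", reachable=False),
        RadiusServer("secondary-1", reachable=False),
        RadiusServer("secondary-2", reachable=True),
    ])
    # Default retry (3) and response-timeout (3 s) satisfy the 75 s and voice limits...
    assert scheme.check_timers("voice") == []
    # ...yet a voice client still times out on the first attempt because the search
    # spends 9 s on each unreachable server; the second attempt succeeds immediately.
    return simulate(scheme, "voice", 2), scheme.events


if __name__ == "__main__":
    results, events = demo()
    for i, (server, elapsed, connected) in enumerate(results, 1):
        print(f"attempt {i}: answered by {server} after {elapsed:g}s, client connected: {connected}")
    print("\n".join(events))
```

The model reproduces the note about initial authentication: with three servers and default timers, the first voice login spends 18 seconds before reaching the working secondary and is dropped by the 10-second client timeout, while the second login succeeds at once because the two dead servers are already blocked. Raising `retry` or `response_timeout` shows up immediately in `check_timers`, which is a quick way to sanity-check a scheme before deploying it.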
Without this feature, users who were online before the reboot cannot log in again after the reboot, because the RADIUS server considers them still online.

If a switch sends an accounting-on packet to the RADIUS server but receives no response, it resends the packet to the server at a particular interval for a specified number of times.

To configure the accounting-on feature for a RADIUS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3: Enable accounting-on and configure parameters.
  Command: accounting-on enable [ interval seconds | send send-times ] *
  Remarks: Disabled by default. The default interval is 3 seconds and the default number of send-times is 50.

NOTE: The accounting-on feature requires the cooperation of the HP IMC network management system.

Configuring the IP address of the security policy server

The core of the HP EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
The NAS checks the validity of received control packets and accepts only control packets from known servers. To use a security policy server that is independent of the AAA servers, you must configure the IP address of the security policy server on the NAS. To implement all EAD functions, configure both the IP address of the IMC security policy server and that of the IMC Platform on the NAS.

To configure the IP address of the security policy server for a scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3: Specify a security policy server.
  Command: security-policy-server ip-address
  Remarks: No security policy server is specified by default.

Configuring interpretation of the RADIUS class attribute as CAR parameters

According to RFC 2865, a RADIUS server assigns the RADIUS class attribute (attribute 25) to a RADIUS client. However, the RFC only requires the RADIUS client to send the attribute to the accounting server as is. It does not require the RADIUS client to interpret the attribute. Some RADIUS servers use the class attribute to deliver the assigned committed access rate (CAR) parameters. In this case, the switch must interpret the attribute as the CAR parameters to implement user-based traffic monitoring and control.

To configure the switch to interpret the RADIUS class attribute as CAR parameters:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3: Interpret the class attribute as CAR parameters.
  Command: attribute 25 car
  Remarks: By default, RADIUS attribute 25 is not interpreted as CAR parameters.

NOTE: Whether interpretation of the RADIUS class attribute as CAR parameters is supported depends on two factors:
• Whether the switch supports CAR parameter assignment.
• Whether the RADIUS server supports assigning CAR parameters through the class attribute.
Enabling the trap function for RADIUS

With the trap function, a NAS sends a trap message when either of the following events occurs:
• The status of a RADIUS server changes. If a NAS receives no response to an accounting or authentication request before the specified maximum number of RADIUS request transmission attempts is exceeded, it considers the server unreachable, sets the status of the server to block, and sends a trap message. If the NAS receives a response from a RADIUS server that it considers unreachable, the NAS considers that the RADIUS server is reachable again, sets the status of the server to active, and sends a trap message.
• The ratio of the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold. This threshold ranges from 1% to 100% and defaults to 30%. The threshold can only be configured through the MIB.
The failure ratio is generally small. If a trap message is triggered because the failure ratio is higher than the threshold, troubleshoot the configuration on the NAS and the RADIUS server and the communication between them.

To enable the trap function for RADIUS:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable the trap function for RADIUS.
  Command: radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
  Remarks: Disabled by default.

Enabling the RADIUS listening port of the RADIUS client

Only after you enable the RADIUS listening port of a RADIUS client can the client receive and send RADIUS packets. If RADIUS is not required, disable the RADIUS listening port to avoid attacks that exploit RADIUS packets.

To enable the RADIUS listening port of a RADIUS client:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable the RADIUS listening port of a RADIUS client.
  Command: radius client enable
  Remarks: Optional. Enabled by default.

Setting the DSCP value for RADIUS protocol packets

A field in an IPv4 or IPv6 header contains eight bits and is used to identify the service type of an IP packet. In an IPv4 packet, this field is called Type of Service (ToS). In an IPv6 packet, this field is called Traffic Class. According to RFC 2474, the ToS field is redefined as the differentiated services (DS) field, where a DSCP value is represented by the first six bits (0 to 5) and is in the range 0 to 63. The remaining two bits (6 and 7) are reserved. When a packet is being transmitted, network devices can identify its DSCP value and determine the transmission priority of the packet according to the DSCP value. When you configure the DSCP value for some types of protocol packets, you must specify the ToS field value rather than the DSCP value.
Because the DSCP field is the first six bits of the ToS field, each four consecutive ToS field values, starting from 0, correspond to one DSCP value. An easier way to convert the DSCP value to the ToS value is to multiply the expected DSCP value by four to get the ToS field value.

To set the DSCP value for RADIUS protocol packets:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Set the DSCP value for IPv4 RADIUS protocol packets.
  Command: radius dscp dscp-value
  Remarks: Optional. By default, the DSCP value in IPv4 RADIUS protocol packets is 0.
Step 3: Set the DSCP value for IPv6 RADIUS protocol packets.
  Command: radius ipv6 dscp dscp-value
  Remarks: Optional. By default, the DSCP value in IPv6 RADIUS protocol packets is 0.
Displaying and maintaining RADIUS

Task: Display the configuration information of RADIUS schemes.
  Command: display radius scheme [ radius-scheme-name ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Display the statistics for RADIUS packets.
  Command: display radius statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Display information about buffered stop-accounting requests for which no responses have been received.
  Command: display stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Clear RADIUS statistics.
  Command: reset radius statistics [ slot slot-number ]
  Remarks: Available in user view
Task: Clear the buffered stop-accounting requests for which no responses have been received.
  Command: reset stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]
  Remarks: Available in user view

Configuring HWTACACS schemes

NOTE: You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.

HWTACACS configuration task list

Task: Creating an HWTACACS scheme. Remarks: Required
Task: Specifying the HWTACACS authentication servers. Remarks: Required
Task: Specifying the HWTACACS authorization servers. Remarks: Optional
Task: Specifying the HWTACACS accounting servers and the relevant parameters. Remarks: Optional
Task: Specifying the shared keys for secure HWTACACS communication. Remarks: Required
Task: Specifying the VPN to which the servers belong. Remarks: Optional
Task: Setting the username format and traffic statistics units. Remarks: Optional
Task: Specifying a source IP address for outgoing HWTACACS packets. Remarks: Optional
Task: Setting timers for controlling communication with HWTACACS servers. Remarks: Optional
Task: Displaying and maintaining HWTACACS. Remarks: Optional
Creating an HWTACACS scheme

The HWTACACS protocol is configured on a per-scheme basis. Before performing other HWTACACS configurations, follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Create an HWTACACS scheme and enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: Not defined by default.

NOTE:
• Up to 16 HWTACACS schemes can be configured.
• A scheme can be deleted only when it is not referenced.

Specifying the HWTACACS authentication servers

You can specify one primary authentication server and up to one secondary authentication server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. In a scenario where redundancy is not required, specify only the primary server.

Follow these guidelines when you specify HWTACACS authentication servers:
• An HWTACACS server can function as the primary authentication server of one scheme and as the secondary authentication server of another scheme at the same time.
• The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.
• You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

To specify HWTACACS authentication servers for an HWTACACS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: N/A
Step 3: Specify HWTACACS authentication servers.
  Commands:
  • Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
  • Specify the secondary HWTACACS authentication server: secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
  Remarks: Configure at least one command. No authentication server is specified by default.