hwtacacs-server (AAA domain view)

Function

The hwtacacs-server command configures an HWTACACS server template for the current domain.

The undo hwtacacs-server command deletes the HWTACACS server template configured for the current domain.

By default, no HWTACACS server template is bound to a domain.

Format

hwtacacs-server template-name

undo hwtacacs-server

Parameters

Parameter: template-name

Description: Specifies the name of an HWTACACS server template.

Value: It is a case-insensitive string of 1 to 32 characters. The characters can be letters a to z (case insensitive), numbers 0 to 9, ., -, and _.

Views

AAA domain view

Default Level

3: Management level

Task Name and Operations

Task Name: aaa

Operations: write

Usage Guidelines

Usage Scenario

Before using this command, make sure that the HWTACACS server template already exists.

Precautions

Configuring undo hwtacacs-server user-name domain-included in an HWTACACS server template brings system security risks, because user names are then sent to the server without their domain names. Running the hwtacacs-server user-name original command is recommended.

An HWTACACS template having the undo hwtacacs-server user-name domain-included configuration cannot be bound to the default admin domain or a domain having the adminuser-priority <level> configuration (configuration restoration is not affected).

The default admin domain is a domain configured using the default-domain admin <domain-name> command. An admin domain is the default admin domain or a domain having the adminuser-priority <level> configuration. By default, the default admin domain name is default_admin.
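To check a saved configuration against the rule above before binding a template, here is an added example (not Huawei's code and not from this page) in Python: it parses a constructed configuration excerpt, treats the default-domain admin domain and any domain with adminuser-priority as admin domains, and reports admin domains bound to a template that still has undo hwtacacs-server user-name domain-included, as well as bindings to a template that does not exist. The line formats and names in the sample are assumptions modelled on the display this output shown on this page.

```python
# Constructed config excerpt (sample data, not from a real device); names follow the page's scenarios.
SAMPLE = """\
hwtacacs-server template tac
 undo hwtacacs-server user-name domain-included
#
 default-domain admin default_admin
 domain default_admin
  hwtacacs-server tac
 domain dom1
  adminuser-priority 3
  hwtacacs-server tac
 domain dom2
  hwtacacs-server tac
#
"""
STRIPS_DOMAIN = "undo hwtacacs-server user-name domain-included"

def parse(text):
    """Return ({template: set(lines)}, {domain: {"admin": bool, "tpl": name}})."""
    templates, domains, default_admin, cur = {}, {}, "default_admin", None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("", "#", "aaa"):  # block delimiter: leave the current block
            cur = None
        elif line.startswith("hwtacacs-server template "):
            cur = ("tpl", line.split()[2]); templates[cur[1]] = set()
        elif line.startswith("default-domain admin "):
            default_admin = line.split()[2]
        elif line.startswith("domain "):
            cur = ("dom", line.split()[1]); domains[cur[1]] = {"admin": False, "tpl": None}
        elif cur and cur[0] == "tpl":
            templates[cur[1]].add(line)
        elif cur and cur[0] == "dom" and line.startswith("adminuser-priority "):
            domains[cur[1]]["admin"] = True  # non-default admin domain
        elif cur and cur[0] == "dom" and line.startswith("hwtacacs-server "):
            domains[cur[1]]["tpl"] = line.split()[1]
    if default_admin in domains:
        domains[default_admin]["admin"] = True  # the default admin domain
    return templates, domains

def audit(text):
    """List (domain, template, problem) for bindings the page says the device rejects."""
    templates, domains = parse(text)
    findings = []
    for dom, info in domains.items():
        tpl = info["tpl"]
        if tpl is not None and tpl not in templates:
            findings.append((dom, tpl, "template does not exist"))
        elif tpl is not None and info["admin"] and STRIPS_DOMAIN in templates[tpl]:
            findings.append((dom, tpl, "admin domain bound to a template that strips domain names"))
    return findings
```

Running audit(SAMPLE) reports default_admin and dom1 (both admin domains bound to tac) and nothing for dom2, matching the behaviour the scenarios below describe.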

The following scenarios describe when this error is reported, the solution for each, and the impact of the solution.

No. 1

Scenario Description:

Only the default admin domain is configured with HWTACACS authorization, authentication, or accounting. An error message is displayed when an HWTACACS template is bound to the default admin domain.

[~HUAWEI-aaa-domain-default_admin] hwtacacs-server tac
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.

Solution:

Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.

[~HUAWEI-hwtacacs-tac] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tac] commit

Impact:

After the configurations are changed, user names that carry domain names are not supported. A login failure occurs if a user name carrying a domain name, such as tacacs@default_admin, is used for login.

No. 2

Scenario Description:

An error message is displayed when an HWTACACS template is bound to a non-default admin domain, that is, a domain having the adminuser-priority level configuration.

The HWTACACS configurations are as follows:

[~HUAWEI-hwtacacs-tac] display this
#
hwtacacs-server template tac
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
undo hwtacacs-server user-name domain-included
#

The configurations of the non-default admin domain are as follows:

[~HUAWEI-aaa-domain-dom1] display this
#
domain dom1
adminuser-priority 3
#

An error message is displayed when the HWTACACS template is bound to the non-default admin domain:

[~HUAWEI-aaa-domain-dom1] hwtacacs-server tac
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.

Solution:

1. Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.

[~HUAWEI] hwtacacs-server template tac
[~HUAWEI-hwtacacs-tac] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tac] commit

2. Add user names that carry domain names on the HWTACACS server. For example, add the user name user001@dom1 for an existing user name user001.

Impact:

None.

No. 3

Scenario Description:

An error message is displayed when the HWTACACS template bound to a non-admin domain is bound to the default admin domain.

An error message is displayed when the HWTACACS template is bound to the default admin domain:

[~HUAWEI-aaa-domain-default_admin] hwtacacs-server tac
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.

The configurations of the non-admin domain are as follows:

[~HUAWEI-aaa-domain-dom2] display this
#
domain dom2
hwtacacs-server tac
#

Solution:

1. Create another HWTACACS template that has the same configurations as the HWTACACS template bound to the non-admin domain.

[~HUAWEI] hwtacacs-server template tacnew
Info: Create a new HWTACACS-server template.
Warning: To improve the service security, please run the hwtacacs-server shared-key command to configure a shared key.
[~HUAWEI-hwtacacs-tacnew] hwtacacs-server 192.168.0.2
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
[*HUAWEI-hwtacacs-tacnew] commit

2. Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.

[~HUAWEI-hwtacacs-tacnew] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tacnew] commit
[~HUAWEI-hwtacacs-tacnew] display this
#
hwtacacs-server template tacnew
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
hwtacacs-server user-name original
#

3. Bind the new HWTACACS template to the default admin domain.

[~HUAWEI-aaa-domain-default_admin] hwtacacs-server tacnew
[*HUAWEI-aaa-domain-default_admin] commit

Impact:

After the configurations are changed, user names that carry the default admin domain name, such as tacacs@default_admin, are not supported. A login failure occurs if a user name carrying the default admin domain name is used for login. User names that carry common domain names, such as tacacs@dom2, are supported.

No. 4

Scenario Description:

An error message is displayed when an HWTACACS template bound to a non-admin domain is bound to a common admin domain.

An HWTACACS template is bound to the non-admin domain:

[~HUAWEI-aaa-domain-dom2] display this
#
domain dom2
hwtacacs-server tac
#

An error message is displayed when the HWTACACS template is bound to the common admin domain:

[~HUAWEI-aaa-domain-dom1] hwtacacs-server tac
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.

Solution:

1. Create another HWTACACS template that has the same configurations as the HWTACACS template bound to the non-admin domain.

[~HUAWEI] hwtacacs-server template tacnew
Info: Create a new HWTACACS-server template.
Warning: To improve the service security, please run the hwtacacs-server shared-key command to configure a shared key.
[~HUAWEI-hwtacacs-tacnew] hwtacacs-server 192.168.0.2
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#

2. Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.

[*HUAWEI-hwtacacs-tacnew] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tacnew] commit
[~HUAWEI-hwtacacs-tacnew] display this
#
hwtacacs-server template tacnew
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
hwtacacs-server user-name original
#

3. Bind the new HWTACACS template to the common admin domain.

[~HUAWEI-aaa-domain-dom1] hwtacacs-server tacnew
[*HUAWEI-aaa-domain-dom1] commit

4. Add user names that carry domain names on the HWTACACS server. For example, add the user name user001@dom1 for an existing user name user001.

Impact:

None.

Example

# Configure the HWTACACS server template named huawei for the current domain.
<HUAWEI> system-view
[~HUAWEI] hwtacacs-server template huawei
[*HUAWEI-hwtacacs-huawei] quit
[*HUAWEI] aaa
[*HUAWEI-aaa] domain Huawei
[*HUAWEI-aaa-domain-huawei] hwtacacs-server huawei
Copyright © Huawei Technologies Co., Ltd.