The hwtacacs-server authentication command configures the primary and secondary HWTACACS authentication server for the template.
The undo hwtacacs-server authentication command deletes the primary HWTACACS authentication server from the template.
By default, no HWTACACS authentication server is configured.
hwtacacs-server authentication ipv6-address
hwtacacs-server authentication ipv6-address secondary
hwtacacs-server authentication ipv6-address port
hwtacacs-server authentication ipv6-address { shared-key { key-string | cipher key-string } | mux-mode | vpn-instance vpn-instance-name } *
hwtacacs-server authentication ipv6-address port { shared-key { key-string | cipher key-string } | mux-mode | vpn-instance vpn-instance-name } *
hwtacacs-server authentication ipv6-address port secondary
hwtacacs-server authentication ipv6-address { shared-key { key-string | cipher key-string } | mux-mode | vpn-instance vpn-instance-name } * secondary
hwtacacs-server authentication ipv6-address port { shared-key { key-string | cipher key-string } | mux-mode | vpn-instance vpn-instance-name } * secondary
undo hwtacacs-server authentication ipv6-address
undo hwtacacs-server authentication ipv6-address secondary
undo hwtacacs-server authentication ipv6-address port
undo hwtacacs-server authentication ipv6-address [ port ] { mux-mode | vpn-instance vpn-instance-name } *
undo hwtacacs-server authentication ipv6-address port secondary
undo hwtacacs-server authentication ipv6-address [ port ] { mux-mode | vpn-instance vpn-instance-name } * secondary
| Parameter | Description | Value |
|---|---|---|
| ipv6-address |
Specifies the IPv6 address of the server. |
The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
| secondary |
Sets the secondary HWTACACS server for the template. |
- |
| port |
Specifies the port number of a server. |
It is an integer data type. The value range is from 1 to 65535. By default, the value is 49. |
| shared-key |
Specifies the shared-key. |
- |
| key-string |
Specifies the shared key in encrypted or plain text. |
The value is a string of case-sensitive characters that can be letters or digits. Spaces are not supported. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters. |
| cipher key-string |
Specifies the shared-key in encrypted or plain text, and the configured text will be displayed as encrypted text. |
The value is a string of case-sensitive characters that can be letters or digits. Spaces are not supported. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters, except the question mark (?) and space. |
| mux-mode |
Sets the multiplexing mode for HWTACACS server. |
- |
| vpn-instance vpn-instance-name |
Specifies the VPN instance name. If the parameter vpn-instance is specified, the server is mapped to a VPN instance. If vpn-instance-name does not exist, the configuration is invalid. |
The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string. |
| simple simple-key-string |
Specifies the shared key in plain text. |
The value is a string of case-sensitive characters that can be letters or digits. Spaces are not supported. The password can be a string of 1 to 255 characters in plain text. |
The IP addresses of the primary and the secondary authentication servers must be different; otherwise, the server configuration fails.
If the command is used repeatedly, the new configuration supersedes the previous one.
This server can be deleted only when it is not used in any active TCP connection for sending the authentication packets.
The IP address and port number of the authentication servers must be unique within the template for successful configuration.
When HWTACACS authentication is used for management users, you are advised to configure the user locking mechanism on the HWTACACS server. If the user locking mechanism is not configured, brute force cracking may occur.