(Optional) Configuring the HWTACACS Server Template

In an HWTACACS server template, you specify the IP address, port number, and shared key of the HWTACACS server. Other settings, such as whether the user name sent to the HWTACACS server includes the domain name and how long a primary server marked faulty waits before returning to the active state, have default values that you can change as required.

Context

Configuring the HWTACACS server template involves the configurations described in the following procedure.

HWTACACS traffic between the device and the server carries user credentials and authorization decisions. To limit who can observe or interfere with it, deploy the communication network between the device and the HWTACACS server in a security zone.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run hwtacacs enable

    The HWTACACS protocol is enabled.

  3. Run hwtacacs-server service-name service-name

    An HWTACACS service name is configured.

    On an HWTACACS server, the same user name can be granted different rights depending on the service name. After the hwtacacs-server service-name command is run, a user who logs in to the device is granted rights according to the configured HWTACACS service name.

  4. (Optional) Run hwtacacs-server default remote-address

    A default remote address is configured for the communication between the HWTACACS client and server.

    When the HWTACACS client interworks with a third-party HWTACACS server, that server may require the rem_addr field to be populated. Run the hwtacacs-server default remote-address command to configure a default remote address for the communication between the HWTACACS client and server. If a default remote address is configured and an authentication, authorization, or accounting request to be sent by the HWTACACS client carries no remote address in its rem_addr field, the default remote address is inserted into rem_addr before the request is sent.

  5. Run hwtacacs-server template template-name

    The HWTACACS server template is created, and the HWTACACS server template view is displayed.

  6. Run hwtacacs-server shared-key { cipher cipher-string | key-string }

    The shared key for the communication with the HWTACACS server is configured.

    The shared key protects the communication between the NetEngine 8000 F and the HWTACACS server.

    The key configured on the NetEngine 8000 F must be identical to the key configured on the HWTACACS server; each side uses it to verify that the other is the peer it expects. Because this key is the only secret the two sides share, use a long, random value and do not reuse it across unrelated devices or servers.

  7. You can use either of the following methods to configure the IP address and shared key of the primary and secondary HWTACACS servers.

    An HWTACACS common server takes precedence over the HWTACACS authentication, authorization, and accounting servers. If you configure a common server as the primary server, the configurations of the separate authentication, authorization, and accounting servers do not take effect.

    • Run the following command to configure the address and shared key of the primary/secondary HWTACACS common server.

      For IPv4 server: hwtacacs-server ip-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

      For IPv6 server: hwtacacs-server ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

    • Configure the addresses and shared keys for the primary/secondary HWTACACS authentication server, HWTACACS authorization server, and HWTACACS accounting server.

      1. For IPv4 server, run hwtacacs-server authentication ip-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

        For IPv6 server, run hwtacacs-server authentication ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

        The address and shared key of the primary (secondary) HWTACACS authentication server are configured.

      2. For IPv4 server, run hwtacacs-server authorization ip-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

        For IPv6 server, run hwtacacs-server authorization ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

        The address and shared key of the primary (secondary) HWTACACS authorization server are configured.

      3. For IPv4 server, run hwtacacs-server accounting ip-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

        For IPv6 server, run hwtacacs-server accounting ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

        The address and shared key of the primary (secondary) HWTACACS accounting server are configured.

  8. (Optional) Run hwtacacs-server source-ip ip-address

    The source IP address for the communication between the device and the HWTACACS server is configured.

  9. (Optional) Run hwtacacs-server timer response-timeout value

    The response timeout period of the HWTACACS server is configured.

    If the device receives no response from the HWTACACS server within the timeout period, it regards the server as faulty and falls back to the next configured authentication and authorization methods.

  10. (Optional) Run hwtacacs-server timer quiet value

    The time after which a primary server that was marked faulty returns to the active state is specified.

  11. (Optional) Run hwtacacs-server user-name domain-included

    The user name sent to the HWTACACS server is configured to include the domain name.

    If the HWTACACS server does not accept user names that contain a domain name, configure the device not to include it, so that only the user name part is sent to the HWTACACS server.

    The user name is usually in the format of "user name@domain name".

  12. (Optional) Run hwtacacs-user change-password hwtacacs-server template-name

    The HWTACACS user password is changed.

  13. Run commit

    The configuration is committed.
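The procedure above written out as a configuration script, followed by a small pre-apply lint that encodes the points the procedure makes: a primary common server shadows the separate authentication, authorization and accounting servers (step 7), every server needs a shared key from the template or its own clause (step 6), a key-string typed in plaintext into a script is stored wherever that script is kept, and a single server leaves no fallback. This is an added example, not Huawei code or documentation output; the script is constructed from the command syntax on this page, and the template name, addresses, VPN instance name and ciphertext placeholder are assumptions.

```python
# Pre-apply lint for an HWTACACS server-template script. Added example, not
# Huawei code; it assumes the command syntax shown in the procedure above.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ROLES = ("authentication", "authorization", "accounting")

# Constructed script following steps 1-13; names, addresses and the
# ciphertext placeholder are assumptions, not values from the page.
SAMPLE_SCRIPT = """\
system-view
hwtacacs enable
hwtacacs-server service-name NE8000F
hwtacacs-server template tpl-noc
 hwtacacs-server shared-key cipher CIPHERTEXT-PLACEHOLDER
 hwtacacs-server 192.0.2.10 49 vpn-instance mgmt
 hwtacacs-server 192.0.2.11 49 vpn-instance mgmt secondary
 hwtacacs-server authentication 192.0.2.20 49 shared-key Plain123
 hwtacacs-server source-ip 192.0.2.1
 hwtacacs-server timer response-timeout 5
 hwtacacs-server user-name domain-included
commit
"""

@dataclass
class Server:
    role: str                 # "common" or one of ROLES
    address: str
    secondary: bool
    key_form: Optional[str]   # "cipher", "plain" or None (no per-server key)

@dataclass
class Template:
    name: str
    key_form: Optional[str] = None          # template-level shared key
    servers: List[Server] = field(default_factory=list)

def _is_address(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def _key_form(tokens: List[str]) -> Optional[str]:
    """'cipher' if the shared-key clause uses the cipher keyword, 'plain' if not, None if absent."""
    if "shared-key" not in tokens:
        return None
    rest = tokens[tokens.index("shared-key") + 1:]
    return "cipher" if rest and rest[0] == "cipher" else "plain"

def parse_script(script: str):
    """Return (hwtacacs_enabled, [Template, ...]) parsed from a configuration script."""
    enabled, templates, current = False, [], None
    for raw in script.splitlines():
        tokens = raw.split()
        if tokens == ["hwtacacs", "enable"]:
            enabled = True
        elif len(tokens) >= 3 and tokens[:2] == ["hwtacacs-server", "template"]:
            current = Template(name=tokens[2])
            templates.append(current)
        elif current is None or len(tokens) < 2 or tokens[0] != "hwtacacs-server":
            continue  # system-view commands (service-name, default remote-address) or other lines
        elif tokens[1] == "shared-key":
            current.key_form = _key_form(tokens)
        elif tokens[1] in ROLES and len(tokens) > 2 and _is_address(tokens[2]):
            current.servers.append(
                Server(tokens[1], tokens[2], "secondary" in tokens, _key_form(tokens[3:])))
        elif _is_address(tokens[1]):
            current.servers.append(
                Server("common", tokens[1], "secondary" in tokens, _key_form(tokens[2:])))
        # source-ip, timer and user-name settings produce no finding here
    return enabled, templates

def lint(script: str) -> List[str]:
    """Report the misconfigurations the procedure warns about, one string per finding."""
    enabled, templates = parse_script(script)
    findings = [] if enabled else ["NOT-ENABLED: 'hwtacacs enable' is missing, so no template is used"]
    for t in templates:
        common = [s for s in t.servers if s.role == "common"]
        others = [s for s in t.servers if s.role != "common"]
        if others and any(not s.secondary for s in common):   # step 7 precedence rule
            findings.append(f"{t.name} SHADOWED: a primary common server is configured, so the "
                            f"{len(others)} authentication/authorization/accounting entries take no effect")
        if t.key_form == "plain":
            findings.append(f"{t.name} PLAINTEXT-KEY: template shared key is a plaintext key-string")
        for s in t.servers:
            if s.key_form is None and t.key_form is None:
                findings.append(f"{t.name} NO-KEY: {s.role} server {s.address} has no shared key "
                                "at server or template level")
            if s.key_form == "plain":
                findings.append(f"{t.name} PLAINTEXT-KEY: {s.role} server {s.address} key is a "
                                "plaintext key-string; use the cipher form in scripts")
        for role in sorted({s.role for s in t.servers}):
            if not any(s.secondary for s in t.servers if s.role == role):
                findings.append(f"{t.name} NO-SECONDARY: only a primary {role} server is configured")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_SCRIPT):
        print(finding)
```

Run against SAMPLE_SCRIPT, the lint reports three findings: the authentication server entry is shadowed by the primary common server, its key is given as a plaintext key-string, and it has no secondary. The two common servers pass because they inherit the template-level cipher key and one of them is marked secondary.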

Copyright © Huawei Technologies Co., Ltd.