
Configuring an HWTACACS Server

Context

When configuring an HWTACACS server template, you must specify the IP address of each HWTACACS server, the port number if the server does not listen on the default port, and the shared key. Other settings, such as the HWTACACS user name format and the traffic unit, have default values and can be modified based on network requirements.

The HWTACACS server template settings such as the user name format and the shared key must be the same as those on the HWTACACS server. The shared key is the only secret that binds the device to the server and obscures the body of HWTACACS packets, so use a long, unique key for each deployment and restrict who can read the device configuration; the cipher keyword stores the key in ciphertext in the configuration file, but it remains a symmetric secret that both sides must hold.

To use the HWTACACS server to assign IP addresses to PPPoE dial-up users, you must run the hwtacacs-server authorization command to specify the HWTACACS server as the authorization server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run hwtacacs enable

    HWTACACS is enabled.

    By default, HWTACACS is enabled.

  3. Run hwtacacs-server template template-name

    An HWTACACS server template is created and the HWTACACS server template view is displayed.

    By default, no HWTACACS server template is created on the device.

  4. Configure HWTACACS authentication, authorization, and accounting servers.

    IPv4 and IPv6 servers can be configured together in the same HWTACACS server template. The device selects servers in the following order: primary IPv4 server -> primary IPv6 server -> secondary IPv4 server -> secondary IPv6 server -> third IPv4 server -> third IPv6 server -> fourth IPv4 server -> fourth IPv6 server. The secondary, third and fourth keywords of the commands below set a server's position in this order; a server configured without one of them is the primary server.

    Configuration: Configure an HWTACACS authentication server.
    Command: hwtacacs-server authentication { ipv4-address | ipv6-address } [ port ] [ vpn-instance vpn-instance-name ] [ secondary | third | fourth ]
    Description: By default, no HWTACACS authentication server is configured.

    Configuration: Configure an HWTACACS authorization server.
    Command: hwtacacs-server authorization { ipv4-address | ipv6-address } [ port ] [ vpn-instance vpn-instance-name ] [ secondary | third | fourth ]
    Description: By default, no HWTACACS authorization server is configured.

    Configuration: Configure an HWTACACS accounting server.
    Command: hwtacacs-server accounting { ipv4-address | ipv6-address } [ port ] [ vpn-instance vpn-instance-name ] [ secondary | third | fourth ]
    Description: By default, no HWTACACS accounting server is configured.

  5. Set parameters for interconnection between the device and an HWTACACS server.

    Procedure: Set the shared key for the HWTACACS server.
    Command: hwtacacs-server shared-key cipher key-string
    Description: By default, no shared key is set for an HWTACACS server.

    Procedure: (Optional) Configure the device to include the domain name in the user name when sending packets to the HWTACACS server.
    Command: hwtacacs-server user-name
    Description: By default, the device sends the user name exactly as the user entered it, without changing it.

    Procedure: (Optional) Set the HWTACACS traffic unit.
    Command: hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
    Description: The default HWTACACS traffic unit on the device is bytes.

    Procedure: (Optional) Set the source IP address for communication between the device and the HWTACACS server.
    Command: hwtacacs-server source-ip { ip-address | source-loopback interface-number }
    Or: hwtacacs-server source-ipv6 { ipv6-address | source-loopback interface-number }
    Description: By default, the device uses the IP address of the actual outbound interface as the source IP address of HWTACACS packets. Because an HWTACACS server identifies a client and selects its shared key by source address, pinning the source to a loopback interface keeps the client identity stable when the routing path changes.

  6. (Optional) Set the response timeout interval and activation interval for the HWTACACS server.

    Procedure: Set the response timeout interval for the HWTACACS server.
    Command: hwtacacs-server timer response-timeout interval
    Description: The default response timeout interval for an HWTACACS server is 5 seconds. If the device does not receive a response from an HWTACACS server within this interval, it treats that server as unavailable and falls back to the other authentication and authorization methods configured for the user. Choose the interval with the round-trip time to the server in mind: a value that is too short causes needless failover, and whatever method the device falls back to (for example, local authentication) becomes the effective access control while the server is marked unavailable.

    Procedure: Set the interval after which the primary HWTACACS server is restored to the active state.
    Command: hwtacacs-server timer quiet interval
    Description: The default interval is 5 minutes. After the primary server has been marked unavailable, the device waits this long before returning it to the active state and trying it again.

  7. Run quit

    The system view is displayed.

  8. (Optional) Run hwtacacs-server accounting-stop-packet resend { disable | enable number }

    Retransmission of Accounting-Stop packets is enabled or disabled, and the number of retransmissions is set.

    By default, the function of retransmitting Accounting-Stop packets is enabled and the number of retransmissions is 100.

  9. Run return

    The user view is displayed.

  10. (Optional) Run hwtacacs-user change-password hwtacacs-server template-name

    The password of the user saved on the HWTACACS server is changed.

    To ensure device security, you are advised to change the password regularly.

  11. (Optional) Run test-aaa user-name user-password hwtacacs-template template-name [ accounting [ start | realtime | stop ] ]

    Connectivity between the device and the authentication or accounting server is tested. If the test user passes HWTACACS authentication or accounting, the device is properly connected to the corresponding server. The command takes a real user name and password on the command line, so use a dedicated test account rather than an administrator's credentials, because the command is kept in the CLI history.
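The complete procedure above, carried out on one device, as an added example that is not taken from the original page. The template name tac-mgmt, the server addresses 192.0.2.10 and 192.0.2.11 (documentation address range), the VPN instance mgmt (assumed to exist already), the loopback interface number, the shared key and the test credentials are all assumed values; port 49 is the standard TACACS+ port and is written out only for clarity. The prompts are illustrative, and the Accounting-Stop retransmission command is written as accounting-stop-packet resend.

```text
<HUAWEI> system-view
[HUAWEI] hwtacacs enable
[HUAWEI] hwtacacs-server template tac-mgmt
# Primary and secondary servers for all three functions, reached through the management VPN instance.
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server authentication 192.0.2.10 49 vpn-instance mgmt
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server authentication 192.0.2.11 49 vpn-instance mgmt secondary
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server authorization 192.0.2.10 49 vpn-instance mgmt
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server authorization 192.0.2.11 49 vpn-instance mgmt secondary
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server accounting 192.0.2.10 49 vpn-instance mgmt
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server accounting 192.0.2.11 49 vpn-instance mgmt secondary
# Assumed key; it must match the key configured for this client on both servers.
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server shared-key cipher Example-Tacacs-Key-2024!
# Send the domain name with the user name, and source packets from loopback 0 so the
# servers always see the same client address regardless of the outbound interface.
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server user-name
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server source-ip source-loopback 0
# Shorter failover timers than the defaults (5 s / 5 min); tune to the measured round-trip time.
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server timer response-timeout 3
[HUAWEI-hwtacacs-tac-mgmt] hwtacacs-server timer quiet 2
[HUAWEI-hwtacacs-tac-mgmt] quit
[HUAWEI] hwtacacs-server accounting-stop-packet resend enable 50
[HUAWEI] return
# Verify reachability with a dedicated test account (assumed credentials).
<HUAWEI> test-aaa tacacs-test Test-Pass-1 hwtacacs-template tac-mgmt
<HUAWEI> test-aaa tacacs-test Test-Pass-1 hwtacacs-template tac-mgmt accounting start
```

The template does nothing on its own: it takes effect only once an AAA authentication, authorization or accounting scheme and a domain reference it, which is configured separately and is not covered on this page. Run the test-aaa checks before that binding is made, so that a wrong key or an unreachable server is found while local login still works.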

Copyright © Huawei Technologies Co., Ltd.