HP 5120 SI Series Security Configuration Manual page 46

Setting the shared keys for HWTACACS packets
The HWTACACS client and HWTACACS server use the MD5 algorithm to encrypt packets exchanged
between them and use shared keys to verify the packets. Only when they use the same key for an
exchanged packet can they receive the packets and make responses properly.
The shared key configured at the time you specify a primary or secondary server takes precedence over
the one configured by using the key command in this section. If you do not specify a shared key when
you specify the server, the device searches for the shared key configured by using the key command to
communicate with the server.
Follow these steps to set the shared keys for HWTACACS packets:

To do: Enter system view
Use the command: system-view

To do: Enter HWTACACS scheme view
Use the command: hwtacacs scheme hwtacacs-scheme-name

To do: Set the shared keys for HWTACACS authentication, authorization, and accounting packets
Use the command: key { accounting | authentication | authorization } [ cipher | simple ] key
Remarks: Required. No shared key by default.

Setting the username format and traffic statistics units
A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP
domain the user belongs to and is used by the device to determine which users belong to which ISP
domains. However, some HWTACACS servers cannot recognize usernames that contain an ISP domain
name. In this case, the device must remove the domain name of each username before sending the
username. You can set the username format on the device for this purpose.
The device periodically sends accounting updates to HWTACACS accounting servers to report the traffic
statistics of online users. For normal and accurate traffic statistics, make sure that the unit for data flows
and that for packets on the device are consistent with those configured on the HWTACACS servers.
Follow these steps to set the username format and the traffic statistics units for an HWTACACS scheme:

To do: Enter system view
Use the command: system-view

To do: Enter HWTACACS scheme view
Use the command: hwtacacs scheme hwtacacs-scheme-name

To do: Set the format of usernames sent to the HWTACACS servers
Use the command: user-name-format { keep-original | with-domain | without-domain }
Remarks: Optional. By default, the ISP domain name is included in the username.

To do: Specify the unit for data flows or packets sent to the HWTACACS servers
Use the command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*
Remarks: Optional. byte for data flows and one-packet for data packets by default.
