When the router receives a connection teardown request from a host or a connection teardown
command from an administrator, it sends a stop-accounting request to the accounting server. If you
enable buffering of stop-accounting requests that receive no response, the router buffers and resends
each such request until it receives a response or until the number of stop-accounting attempts reaches
the configured limit. In the latter case, the router discards the packet.
To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme:

1. Enter system view.
   Command: system-view
   Remarks: —
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: —
3. Specify the primary HWTACACS accounting server.
   Command: primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
   Remarks: Required. Configure at least one command. No accounting server is specified by default.
4. Specify the secondary HWTACACS accounting server.
   Command: secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
   Remarks: Required. Configure at least one command. No accounting server is specified by default.
5. Enable buffering of stop-accounting requests to which no responses are received.
   Command: stop-accounting-buffer enable
   Remarks: Optional. Enabled by default.
6. Set the maximum number of stop-accounting attempts.
   Command: retry stop-accounting retry-times
   Remarks: Optional. 100 by default.

NOTE:
• An HWTACACS server can function as the primary accounting server of one scheme and as the
  secondary accounting server of another scheme at the same time.
• The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise,
  the configuration fails.
• Remove an accounting server only when no active TCP connection for sending accounting packets is
  using it.
• HWTACACS does not support accounting for FTP users.

Specifying the shared keys for authenticating HWTACACS packets
The HWTACACS client and HWTACACS server use the MD5 algorithm to encrypt packets exchanged
between them and use shared keys to authenticate the packets. They must use the same shared key for
the same type of packets.
To specify the shared keys for authenticating HWTACACS packets:

1. Enter system view.
   Command: system-view
   Remarks: —
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: —
3. Specify the shared keys for authenticating HWTACACS authentication, authorization, and accounting packets.
   Command: key { accounting | authentication | authorization } string
   Remarks: Required. No shared key by default.
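
The rules in the two procedures above can be checked in a configuration template before it is pushed to a router. The following Python linter is an added example, not part of this manual. It assumes that scheme body lines are indented under the hwtacacs scheme line and that an undo form of stop-accounting-buffer enable turns buffering off. The sample template is constructed.

```python
import re

KEY_TYPES = ("authentication", "authorization", "accounting")

def parse_schemes(text):
    """Collect settings per 'hwtacacs scheme' block; body lines are indented (assumed layout).
    Defaults follow the tables above: no servers, no keys, buffering enabled."""
    schemes, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"hwtacacs scheme (\S+)", line):
            cur = schemes.setdefault(m.group(1), {"primary": None, "secondary": None,
                                                  "buffer": True, "keys": set()})
        elif cur is None or not raw[:1].isspace():
            cur = None  # unindented line: left scheme view
        elif m := re.match(r"(primary|secondary) accounting (\S+)", line):
            cur[m.group(1)] = m.group(2)  # optional port / vpn-instance are ignored
        elif m := re.match(r"(undo )?stop-accounting-buffer enable$", line):
            cur["buffer"] = m.group(1) is None  # the 'undo' form is an assumption
        elif m := re.match(r"key (accounting|authentication|authorization) \S", line):
            cur["keys"].add(m.group(1))
    return schemes

def audit(schemes):
    """Return (scheme, finding) pairs for the conditions the section calls out."""
    findings = []
    for name, s in sorted(schemes.items()):
        if not (s["primary"] or s["secondary"]):
            findings.append((name, "no accounting server specified"))
        elif s["primary"] == s["secondary"]:
            findings.append((name, "primary and secondary accounting servers share an IP"))
        findings += [(name, f"no shared key for {k} packets")
                     for k in KEY_TYPES if k not in s["keys"]]
        if not s["buffer"]:
            findings.append((name, "stop-accounting buffering disabled"))
    return findings

# Constructed sample template (addresses and key strings are placeholders).
SAMPLE = """\
hwtacacs scheme ops
 primary accounting 192.0.2.10 49
 key authentication EXAMPLE-KEY-A
 key authorization EXAMPLE-KEY-B
 key accounting EXAMPLE-KEY-C
hwtacacs scheme branch
 primary accounting 198.51.100.5
 secondary accounting 198.51.100.5
 undo stop-accounting-buffer enable
"""

if __name__ == "__main__":
    print(*audit(parse_schemes(SAMPLE)), sep="\n")
```

Scheme ops passes cleanly. Scheme branch is reported for the duplicate server address, the three missing shared keys, and disabled buffering.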