HP FlexNetwork MSR Series Command Reference Manual page 142
Comware 7 security
Hide thumbs
Also See for FlexNetwork MSR Series:
- Configuration manual (392 pages) ,
- Configuration manuals (159 pages)
Advertisement
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.
port-number: Specifies the service port number of the primary HWTACACS authentication server.
The value range for the TCP port number is 1 to 65535. The default setting is 49.
key: Specifies the shared key for secure communication with the primary HWTACACS
authentication server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form
will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive.
•
In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext
form of the key is a string of 1 to 255 characters.
•
In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext
form of the key is a string of 15 to 255 characters. The plaintext string must contain digits,
uppercase letters, lowercase letters, and special characters.
single-connection: The device and the primary HWTACACS authentication server use the same
TCP connection to exchange all authentication packets for all users. If you do not specify this
keyword, the device establishes a new TCP connection each time it exchanges authentication
packets with the primary authentication server for a user. As a best practice, specify this keyword to
reduce TCP connections for improving system performance if the HWTACACS server supports the
single-connection method.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary
HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive
string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure that the port number and shared key settings of the primary HWTACACS authentication
server are the same as those configured on the server.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP
address, port number, and VPN instance settings.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the
vpn-instance vpn-instance-name option. The VPN instance specified by this command takes
precedence over the VPN instance specified for the HWTACACS scheme.
You can remove an authentication server only when it is not used for user authentication. Removing
an authentication server affects only authentication processes that occur after the remove operation.
Examples
# In HWTACACS scheme hwt1, specify the primary authentication server with IP address
10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple
123456TESTauth&!
124
Advertisement
