Configuring Hwtacacs Protocol - H3C S9500 Series Operation Manual

Operation Manual – Security
H3C S9500 Series Routing Switches
Table 2-29 Create/Delete a local RADIUS authentication server
Create a local RADIUS authentication
server
Delete a local RADIUS authentication
server
By default, the IP address of local RADIUS authentication server group is 127.0.0.1 and
the password is null.
When using local RADIUS server function, note that,
1) The number of UDP port used for authentication/authorization is 1645 and that for
accounting is 1646.
2) The password configured by local-server command must be the same as that of
the RADIUS authentication/authorization packet configured by the command key
authentication in radius scheme view.
3) S9500 series serving as local RADIUS authentication servers currently only
support the CHAP and PAP authentication modes; they do not support the
MD5-challenge mode.

2.4 Configuring HWTACACS Protocol

The following sections describe HWTACACS configuration tasks.
Creating a HWTACAS Scheme
Configuring HWTACACS Authentication Servers
Configuring HWTACACS Authorization Servers
Configuring HWTACACS Accounting Servers and the Related Attributes
Configuring the Source Address for HWTACACS Packets Sent by NAS
Setting a Key for Securing the Communication with TACACS Server
Setting the Username Format Acceptable to the TACACS Server
Setting the Unit of Data Flows Destined for the TACACS Server
Setting Timers Regarding TACACS Server
Note:
Pay attention to the following when configuring a TACACS server:
HWTACACS server does not check whether a scheme is being used by users
when changing most of HWTACS attributes, unless you delete the scheme.
By default, the TACACS server has no key.
Operation
2-26
Chapter 2 AAA and RADIUS/HWTACACS
Command
local-server nas-ip ip-address key
password
undo local-server nas-ip ip-address
Protocol Configuration