Huawei SmartAX MA5616 Configuration Manual page 113

SmartAX MA5616 Multi-service Access Module
Configuration Guide
Issue 04 (2011-10-30)

4. Run the quit command to return to the AAA mode.

Step 4 Configure the HWTACACS protocol.

The HWTACACS protocol on the MA5616 is configured on the basis of the HWTACACS server group.
In actual networking scenarios, an HWTACACS server group can be an independent HWTACACS
server or a combination of two HWTACACS servers, that is, a primary server and a secondary
server with the same configuration but different IP addresses. Each HWTACACS server template
contains the primary/secondary server IP address, shared key, and HWTACACS server type.

Primary and secondary authentication, accounting, and authorization servers can be configured.
The IP address of the primary server, however, must be different from that of the secondary
server. Otherwise, the configuration of primary and secondary servers will fail. By default, the
IP addresses of the primary and secondary servers are both 0.0.0.0.

1. Run the hwtacacs-server template command to create an HWTACACS server template
   and enter the HWTACACS server template mode.
2. Run the hwtacacs-server authentication command to configure a primary authentication
   server. You can select secondary to configure a secondary authentication server.
   NOTE
   - To ensure normal communication between the MA5616 and the HWTACACS server, before
     configuring the IP address and the UDP port of the HWTACACS server, make sure that the
     route between the HWTACACS server and the MA5616 is in the normal state.
   - Make sure that the HWTACACS server port of the MA5616 is the same as the port of the
     HWTACACS server.
3. Run the hwtacacs-server accounting command to configure a primary accounting server.
   You can select secondary to configure a secondary accounting server.
4. Run the hwtacacs-server authorization command to configure a primary authorization
   server. You can select secondary to configure a secondary authorization server.
5. (Optional) Run the hwtacacs-server shared-key command to configure the shared key of
   the HWTACACS server.
   NOTE
   - The HWTACACS client (MA5616) and the HWTACACS server use the MD5 algorithm to
     encrypt the HWTACACS packets. Packet validity is checked against the configured
     encryption key: the two ends can receive and respond to each other's packets only
     when their keys are the same.
   - By default, the HWTACACS server does not have a key.
6. (Optional) Run the hwtacacs-server timer response-timeout command to set the response
   timeout time of the HWTACACS server.
   NOTE
   - If the HWTACACS server does not respond to the HWTACACS request packets within the
     timeout time, the communication between the MA5616 and the current HWTACACS server is
     considered interrupted.
   - By default, the response timeout time of the HWTACACS server is 5s.
7. (Optional) In the global config mode, run the hwtacacs-server accounting-stop-packet
   command to configure the re-transmission mechanism of the accounting-stop packets of
   the HWTACACS server.
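
Why the shared key in step 5 must match on both ends, and what the default of no key means for the packet body, as an added example that is not from the Huawei manual. It assumes HWTACACS hides the packet body the same way TACACS+ does in RFC 8907 section 4.5; the session ID, keys and body bytes are constructed sample values.

```python
import hashlib
import struct

VERSION = 0xC0          # TACACS+ major version 0xC, minor 0 (RFC 8907)
SESSION_ID = 0x1A2B3C4D  # constructed sample value
BODY = b"constructed-sample-body: user and password fields"  # placeholder bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain MD5_1, MD5_2, ... from RFC 8907 section 4.5, cut to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        # Each block hashes the seed plus the previous block (empty for MD5_1).
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. Calling it again with the same inputs reverses it."""
    if not key:
        # Assumption: with no shared key configured, the body is sent as-is.
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def decode_with(server_key: bytes, client_key: bytes) -> bytes:
    """Body as the server sees it when client and server hold the given keys."""
    wire = obfuscate(BODY, SESSION_ID, client_key, VERSION, 1)
    return obfuscate(wire, SESSION_ID, server_key, VERSION, 1)


if __name__ == "__main__":
    print("same key     :", decode_with(b"k3y-A", b"k3y-A"))
    print("different key:", decode_with(b"k3y-B", b"k3y-A"))
    print("no key, wire :", obfuscate(BODY, SESSION_ID, b"", VERSION, 1))
```

The pad depends only on the session ID, key, version and sequence number, so it hides the body from a passive observer but does not authenticate it; a strong, unique shared key per template and a protected management network are both still needed.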
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 Basic Configuration
102
