Table of Contents
Advertisement
Views
HWTACACS scheme view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.
port-number: Specifies the service port number of the secondary HWTACACS authorization server.
The value range for the TCP port number is 1 to 65535. The default setting is 49.
key: Specifies the shared key for secure communication with the secondary HWTACACS
authorization server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form
will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive.
•
In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext
form of the key is a string of 1 to 255 characters.
•
In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext
form of the key is a string of 15 to 255 characters. The plaintext string must contain digits,
uppercase letters, lowercase letters, and special characters.
single-connection: The device and the secondary HWTACACS authorization server use the same
TCP connection to exchange all authorization packets for all users. If you do not specify this keyword,
the device establishes a new TCP connection each time it exchanges authorization packets with the
secondary authorization server for a user.
Usage guidelines
Make sure the port number and shared key settings of the secondary HWTACACS authorization
server are the same as those configured on the server.
An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If
the primary server fails, the device tries to communicate with a secondary server in active state. The
device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authorization command, the
command removes all secondary authorization servers.
Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP
address and port number settings.
As a best practice, specify the single-connection keyword to reduce TCP connections for improving
system performance if the HWTACACS server supports the single-connection method.
You can remove an authorization server only when it is not used for user authorization. Removing an
authorization server affects only authorization processes that occur after the remove operation.
Examples
# In HWTACACS scheme hwt1, specify a secondary authorization server with IP address
10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple
123456TESTautr&!
109
Advertisement
Chapters
Table of Contents
