Configuring Shared Keys for HWTACACS Messages - H3C S5100-SI Series Operation Manual

Operation Manual – AAA
H3C S5100-SI/EI Series Ethernet Switches
Chapter 2 AAA Configuration

| To do... | Use the command... | Remarks |
|---|---|---|
| Enable the stop-accounting message retransmission function and set the maximum number of transmission attempts of a buffered stop-accounting message | retry stop-accounting retry-times | Optional. By default, the stop-accounting message retransmission function is enabled and the system can transmit a buffered stop-accounting request up to 100 times. |

Caution:
- You are not allowed to configure the same IP address for both primary and secondary accounting servers. If you do this, the system will prompt that the configuration fails.
- You can remove a server only when it is not used by any active TCP connection for sending accounting messages.

2.3.5 Configuring Shared Keys for HWTACACS Messages

When using a TACACS server as an AAA server, you can set a key to improve the communication security between the switch and the TACACS server.

The TACACS client and server use the MD5 algorithm to encrypt HWTACACS messages before exchanging them. Each party verifies the validity of the HWTACACS messages it receives by using the shared key set on it, and the two parties can accept and respond to each other's messages only when both have the same shared key.

Follow these steps to configure shared keys for HWTACACS messages:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists. |
| Set a shared key for HWTACACS authentication, authorization or accounting messages | key { accounting \| authorization \| authentication } string | Required. By default, no such key is set. |
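An added example, not taken from the H3C manual: how an MD5-derived pad keyed by the shared key protects a message body, and why a key mismatch between switch and server makes the message unusable. It assumes HWTACACS follows the TACACS+ body obfuscation and authentication START layout of RFC 8907; the key, session ID, user name, port and address are constructed sample values.

```python
import hashlib
import struct

def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain of RFC 8907 section 4.5, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # MD5_n hashes seed + MD5_(n-1)
        pad += block
    return pad[:length]

def xor_body(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body (XOR with the pad is its own inverse)."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_is_consistent(body: bytes) -> bool:
    """Receiver-side check: the four length fields must add up to the body size."""
    if len(body) < 8:
        return False
    user_len, port_len, rem_addr_len, data_len = body[4:8]
    return 8 + user_len + port_len + rem_addr_len + data_len == len(body)

def build_authen_start(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Constructed sample: login action, privilege level 1, ASCII type, no data."""
    fixed = bytes([0x01, 0x01, 0x01, 0x01, len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr

# Constructed sample values, not taken from the manual.
SESSION_ID, VERSION, SEQ_NO = 0x1A2B3C4D, 0xC0, 1
SWITCH_KEY = b"example-shared-key"
clear = build_authen_start(b"admin", b"vty0", b"192.0.2.10")
wire = xor_body(clear, SWITCH_KEY, SESSION_ID, VERSION, SEQ_NO)

def server_receives(server_key: bytes) -> bool:
    """True when the server's key recovers a well-formed body from `wire`."""
    return authen_start_is_consistent(
        xor_body(wire, server_key, SESSION_ID, VERSION, SEQ_NO))

if __name__ == "__main__":
    print("matching key accepted:  ", server_receives(SWITCH_KEY))
    print("mismatched key accepted:", server_receives(b"another-key"))
```

RFC 8907 describes this mechanism as obfuscation rather than encryption and it provides no integrity protection, so choose a long random key and keep switch-to-server traffic on a protected management network.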