Configuring Shared Keys for HWTACACS Messages; Configuring the Attributes of Data to be Sent to TACACS Servers - H3C S5600 Series Operation Manual


You cannot configure the same IP address for both the primary and secondary accounting
servers. If you try, the system reports that the configuration failed.
You can remove a server only when it is not used by any active TCP connection for sending
accounting messages.

Configuring Shared Keys for HWTACACS Messages

When using a TACACS server as an AAA server, you can set a key to improve the security of
communication between the switch and the TACACS server.
The TACACS client and server use the MD5 algorithm to encrypt HWTACACS messages before
exchanging them. Each party uses the shared key configured on it to verify the validity of the
HWTACACS messages it receives from the other, and the two can accept and respond to messages
only when both have the same shared key.
Follow these steps to configure shared keys for HWTACACS messages:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists. |
| Set a shared key for HWTACACS authentication, authorization or accounting messages | key { accounting \| authorization \| authentication } string | Required. By default, no such key is set. |

Configuring the Attributes of Data to be Sent to TACACS Servers

Follow these steps to configure the attributes for data to be sent to TACACS servers:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists. |
| Set the format of the usernames to be sent to TACACS server | user-name-format { with-domain \| without-domain } | Optional. By default, the usernames sent from the switch to TACACS server carry ISP domain names. |
| Set the units of data flows to TACACS servers | data-flow-format data { byte \| giga-byte \| kilo-byte \| mega-byte }<br>data-flow-format packet { giga-packet \| kilo-packet \| mega-packet \| one-packet } | Optional. By default, in a TACACS scheme, the data unit and packet unit for outgoing HWTACACS flows are byte and one-packet respectively. |

This manual is also suitable for: S5600-26c, S5600-26c-pwr, S5600-26f, S5600-50c, S5600-50c-pwr
