HP A 5120 Manual

							31 
 
HWTACACS configuration task list 
Task Remarks 
Creating an HWTACACS scheme Required 
Specifying the HWTACACS authentication servers Required 
Specifying the HWTACACS authorization servers Optional 
Specifying the HWTACACS accounting servers Optional 
Setting the shared keys for HWTACACS packets Required 
Setting the username format and traffic statistics units Optional 
Specifying a source IP address for outgoing HWTACACS packets Optional 
Setting timers for controlling communication with HWTACACS servers Optional 
Displaying and maintaining HWTACACS Optional 
 
Creating an HWTACACS scheme 
The HWTACACS  protocol  is  configured on  a  per scheme basis. Before  performing  other HWTACACS 
configurations, follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view: 
To do… Use the command… Remarks 
Enter system view system-view — 
Create an HWTACACS scheme 
and enter HWTACACS scheme 
view 
hwtacacs scheme hwtacacs-
scheme-name 
Required 
Not defined by default 
 
 NOTE: 
 Up to 16 HWTACACS schemes can be configured.  
 A scheme can be deleted only when it is not referenced.  
Specifying the HWTACACS authentication servers 
Follow these steps to specify the HWTACACS authentication servers: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter HWTACACS scheme 
view 
hwtacacs scheme hwtacacs-scheme-
name — 
Specify the primary 
HWTACACS authentication 
server 
primary authentication ip-address [ port-
number ] Required 
Configure at least one 
command. 
No authentication server is 
specified by default. 
Specify the secondary 
HWTACACS authentication 
server 
secondary authentication ip-address [ 
port-number ] 
  
						

							32 
 NOTE: 
 If both the primary and secondary authentication servers are specified, the secondary one is used when the 
primary one is not reachable. 
 If redundancy is not required, specify only the primary HWTACACS authentication server.  
 The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the 
configuration fails.  
 You can remove an authentication server only when no active TCP connection for sending authentication packets 
is using it.   
Specifying the HWTACACS authorization servers 
Follow these steps to specify the HWTACACS authorization servers: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter HWTACACS scheme 
view 
hwtacacs scheme hwtacacs-scheme-
name — 
Specify the primary 
HWTACACS authorization 
server 
primary authorization ip-address [ port-
number ] Required 
Configure at least one command. 
No authorization server is 
specified by default. 
Specify the secondary 
HWTACACS authorization 
server 
secondary authorization ip-address [ 
port-number ] 
 
 NOTE: 
 If both the primary and secondary authorization servers are specified, the secondary one is used when the 
primary one is not reachable. 
 If redundancy is not required, specify only the primary HWTACACS authorization server.  
 The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the 
configuration fails.  
 You can remove an authorization server only when no active TCP connection for sending authorization packets is 
using it.   
Specifying the HWTACACS accounting servers 
Follow these steps to specify the HWTACACS accounting servers and perform related configurations: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter HWTACACS scheme 
view 
hwtacacs scheme hwtacacs-scheme-
name — 
Specify the primary 
HWTACACS accounting server 
primary accounting ip-address [ 
port-number ] Required 
Configure at least one command. 
No accounting server is specified 
by default. Specify the secondary 
HWTACACS accounting server 
secondary accounting ip-address [ 
port-number ]  
						

							33 
To do… Use the command… Remarks 
Enable the device to buffer 
stop-accounting requests 
getting no responses 
stop-accounting-buffer enable Optional 
Enabled by default 
Set the maximum number of 
stop-accounting request 
transmission attempts 
retry stop-accounting retry-times Optional 
100 by default 
 
 NOTE: 
 If both the primary and secondary accounting servers are specified, the secondary server is used when the 
primary server is not reachable. 
 If redundancy is not required, specify only the primary HWTACACS accounting server.  
 The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the 
configuration will fail.  
 You can remove an accounting server only when no active TCP connection for sending accounting packets is 
using it. 
 HWTACACS does not support keeping accounts on FTP users.  
Setting the shared keys for HWTACACS packets 
The HWTACACS client  and HWTACACS server  use  the  MD5  algorithm  to  encrypt  packets  exchanged 
between  them and use shared  keys to verify  the  packets.  Only  when they  use the  same  key for  an 
exchanged packet can they receive the packets and make responses properly. 
Follow these steps to set the shared keys for HWTACACS packets: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter HWTACACS scheme view hwtacacs scheme hwtacacs-scheme-
name — 
Set the shared keys for 
HWTACACS authentication, 
authorization, and accounting 
packets 
key { accounting | authentication | 
authorization } string 
Required 
No shared key by default 
 
Setting the username format and traffic statistics units 
A username  is usually in  the  format  of userid@isp-name,  where isp-name represents  the  name  of the ISP 
domain  the  user  belongs  to  and  is  used  by  the  device  to  determine  which  users  belong  to  which  ISP 
domains.  However,  some HWTACACS servers cannot recognize  usernames that  contain an  ISP  domain 
name.  In  this  case, the device must  remove  the  domain  name of  each  username before  sending the 
username. You can set the username format on the device for this purpose. 
The  device  periodically  sends  accounting  updates  to  HWTACACS accounting  servers  to  report  the  traffic 
statistics  of  online  users.  For  normal  and  accurate  traffic  statistics,  make  sure  that  the  unit for data flows 
and that for packets on the device are consistent with those configured on the HWTACACS servers. 
Follow these steps to set the username format and the traffic statistics units for an HWTACACS scheme: 
To do… Use the command… Remarks 
Enter system view system-view —  
						

							34 
To do… Use the command… Remarks 
Enter HWTACACS scheme view hwtacacs scheme hwtacacs-scheme-
name — 
Set the format of usernames sent 
to the HWTACACS servers 
user-name-format { keep-original | 
with-domain | without-domain } 
Optional 
By default, the ISP domain name 
is included in the username. 
Specify the unit for data flows or 
packets sent to the HWTACACS 
servers 
data-flow-format { data { byte | 
giga-byte | kilo-byte | mega-byte } 
| packet { giga-packet | kilo-
packet | mega-packet | one-packet 
} }* 
Optional 
byte for data flows and one-
packet for data packets by 
default. 
 
 NOTE: 
 If an HWTACACS server does not support a username with the domain name, configure the device to remove 
the domain name before sending the username to the server. 
 For level switching authentication, the user-name-format keep-original and user-name-format without-domain 
commands produce the same results: they ensure that usernames sent to the HWTACACS server carry no ISP 
domain name.   
Specifying a source IP address for outgoing HWTACACS packets 
The  source  IP  address  of HWTACACS packets  that  a  NAS  sends  must  match  the  IP  address of  the  NAS 
configured  on  the HWTACACS server.  An HWTACACS server  identifies  a  NAS  by  IP  address.  Upon 
receiving  an HWTACACS packet,  an HWTACACS server  checks  whether  the  source  IP  address  of  the 
packet  is  the  IP  address of any  managed  NAS.  If  yes,  the  server  processes  the  packet.  If  not,  the  server 
drops the packet. 
Usually, the  source  address  of outgoing HWTACACS  packets can be the IP  address of the  NAS’s  any 
interface that can communicate with the HWTACACS server. 
You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for 
a specific HWTACACS scheme, or in system view for all HWTACACS schemes.  
Before sending an HWTACACS packet, a NAS selects a source IP address in this order: 
1. The source IP address specified for the HWTACACS scheme. 
2. The source IP address specified in system view. 
3. The IP address of the outbound interface specified by the route.  
Follow these steps to specify a source IP address for all HWTACACS schemes: 
To do… Use the command… Remarks 
Enter system view system-view — 
Specify a source IP address 
for outgoing HWTACACS 
packets 
hwtacacs nas-ip ip-address 
Required 
By default, the IP address of the outbound 
interface is used as the source IP address. 
 
Follow these steps to specify a source IP address for a specific HWTACACS scheme: 
To do… Use the command… Remarks 
Enter system view system-view —  
						

							35 
To do… Use the command… Remarks 
Enter HWTACACS scheme 
view 
hwtacacs scheme hwtacacs-
scheme-name — 
Specify a source IP address 
for outgoing HWTACACS 
packets 
nas-ip ip-address 
Required 
By default, the IP address of the outbound 
interface is used as the source IP address. 
 
Setting timers for controlling communication with HWTACACS servers 
Follow these steps to set timers regarding HWTACACS servers: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter HWTACACS scheme view hwtacacs scheme hwtacacs-
scheme-name — 
Set the HWTACACS server 
response timeout timer timer response-timeout seconds Optional 
5 seconds by default 
Set the quiet timer for the primary 
server timer quiet minutes Optional 
5 minutes by default 
Set the real-time accounting 
interval timer realtime-accounting minutes Optional 
12 minutes by default 
 
 NOTE: 
 For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS 
accounting server periodically. If the device does not receive any response to the information, it does not forcibly 
disconnect the online users.  
 The real-time accounting interval must be a multiple of 3. 
 The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the 
HWTACACS server. A shorter interval requires higher performance.  
Displaying and maintaining HWTACACS 
To do… Use the command… Remarks 
Display configuration information or 
statistics of HWTACACS schemes 
display hwtacacs [ hwtacacs-server-
name [ statistics ] ] [ slot slot-number ] [ 
| { begin | exclude | include } regular-
expression ] 
Available in any view 
Display information about buffered 
stop-accounting requests that get no 
responses 
display stop-accounting-buffer 
hwtacacs-scheme hwtacacs-scheme-
name [ slot slot-number ] [ | { begin | 
exclude | include } regular-expression ] 
Available in any view 
Clear HWTACACS statistics 
reset hwtacacs statistics { accounting | 
all | authentication | authorization } [ 
slot slot-number ] 
Available in user view 
  
						

							36 
Configuring AAA methods for ISP domains 
You  configure  AAA  methods  for  an  ISP  domain  by  referencing  configured  AAA  schemes  in  ISP  domain 
view.  Each  ISP  domain  has  a  set  of default  AAA  methods,  which  are  local  authentication,  local 
authorization,  and  local  accounting  by  default  and  can be  customized.  If  you  do not  configure  any  AAA 
methods  for  an  ISP  domain,  the  device  uses  the  system  default  AAA  methods  for authentication, 
authorization, and accounting of the users in the domain. 
Configuration prerequisites 
To  use  local authentication for users  in  an  ISP  domain,  configure  local  user  accounts (see ―Configuring 
local user attributes―) on the access device. 
To  use remote  authentication,  authorization,  and  accounting,  create  the  required  RADIUS and 
HWTACACS  schemes  as  described  in ―Configuring  RADIUS schemes―  and ―Configuring  HWTACACS 
schemes.―  
Creating an ISP domain 
In a networking scenario with multiple ISPs, an access device may connect users of different ISPs. Because 
users  of  different  ISPs  may  have  different  user  attributes  (for  example,  different username  and  password 
structure, service type, and rights), you must configure ISP domains to distinguish the users and configure 
different AAA methods for the ISP domains. 
On a NAS,  each  user  belongs  to  an  ISP  domain. A  NAS  can accommodate up  to  16  ISP  domains, 
including  the  factory  default  ISP  domain,  which  is  named system.  If  a  user  does  not  provide  the  ISP 
domain name at login, the system considers that the user belongs to the default ISP domain. 
Follow these steps to create an ISP domain: 
To do… Use the command… Remarks 
Enter system view system-view — 
Create an ISP domain and enter 
ISP domain view domain isp-name Required 
Return to system view quit — 
Specify the default ISP domain domain default enable isp-
name 
Optional 
By default, the default ISP domain is the 
factory default ISP domain system. 
 
 NOTE: 
To delete the default ISP domain, you must change it to a non-default ISP domain (with the domain 
default disable command) first.  
Configuring ISP domain attributes 
Follow these steps to configure ISP domain attributes: 
To do… Use the command… Remarks 
Enter system view system-view —  
						

							37 
To do… Use the command… Remarks 
Enter ISP domain view domain isp-name — 
Place the ISP domain to the state of 
active or blocked state { active | block } 
Optional 
By default, an ISP domain is in the 
active state, and users in the domain 
can request network services. 
Specify the maximum number of 
active users in the ISP domain 
access-limit enable max-user-
number 
Optional 
No limit by default 
Configure the idle cut function idle-cut enable minute [ flow ] 
Optional 
Disabled by default 
This command is effective for only 
LAN users and portal users.  
Configure the self-service server 
location function self-service-url enable url-string Optional 
Disabled by default 
Specify the default authorization 
user profile 
authorization-attribute user-
profile profile-name 
Optional 
By default, an ISP domain has no 
default authorization user profile. 
 
 NOTE: 
 If a user passes authentication but is authorized with no user profile, the device authorizes the default user profile 
of the ISP domain to the user and restricts the user’s behavior based on the profile. For more information about 
the user profile, see the chapter “User profile configuration.” 
 A self-service RADIUS server, such as Intelligent Management Center (iMC), is required for the self-service server 
location function to work. With the self-service function, a user can manage and control his or her accounting 
information or card number. A server with self-service software is a self-service server.  
Configuring AAA authentication methods for an ISP domain 
In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the 
interactive  authentication  process  of  username/password/user  information  during an access  or  service 
request.  The  authentication  process does  not send  authorization  information  to  a  supplicant  or  trigger 
accounting.  
AAA supports the following authentication methods: 
 No  authentication (none)—All  users  are  trusted  and no  authentication  is  performed.  Generally, do 
not use this method. 
 Local  authentication (local)—Authentication  is  performed  by  the  NAS,  which  is  configured  with  the 
user  information, including the usernames,  passwords,  and  attributes.  Local  authentication  features 
high  speed and low  cost, but the amount  of information that can  be  stored  is  limited by the 
hardware. 
 Remote  authentication (scheme)—The access device cooperates with a RADIUS or HWTACACS 
server to authenticate users. The device can use the standard RADIUS protocol or extended RADIUS 
protocol  in  collaboration  with systems like iMC to  implement  user  authentication. Remote 
authentication  features  centralized  information  management,  high  capacity,  high  reliability,  and 
support for centralized authentication service for multiple access devices. You can configure local or  
						

							38 
no authentication  as  the  backup method  to  be  used  when the  remote  server  is  not  available.  No 
authentication can only be configured for LAN users as the backup method of remote authentication.  
You  can  configure  AAA  authentication to  work  alone  without  authorization  and  accounting. By default, 
an ISP domain uses the local authentication method. 
Before configuring authentication methods, complete the following tasks: 
 For  RADIUS or HWTACACS  authentication,  configure  the  RADIUS or HWTACACS  scheme  to  be 
referenced first. The local and none authentication methods do not require any scheme.  
 Determine  the  access  mode  or  service  type  to  be  configured.  With  AAA,  you  can  configure  an 
authentication method for  each  access  mode  and  service  type,  limiting  the  authentication  protocols 
that can be used for access. 
 Determine whether to configure an authentication method for all access modes or service types. 
Follow these steps to configure AAA authentication methods for an ISP domain: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter ISP domain view domain isp-name — 
Specify the default 
authentication method for all 
types of users 
authentication default { hwtacacs-scheme 
hwtacacs-scheme-name [ local ] | local | 
none | radius-scheme radius-scheme-name [ 
local ] }  
Optional 
local by default 
Specify the authentication 
method for LAN users 
authentication lan-access { local | none | 
radius-scheme radius-scheme-name [ local | 
none ] } 
Optional 
The default authentication 
method is used by default. 
Specify the authentication 
method for login users 
authentication login { hwtacacs-scheme 
hwtacacs-scheme-name [ local ] | local | 
none | radius-scheme radius-scheme-name [ 
local ] } 
Optional 
The default authentication 
method is used by default. 
Specify the authentication 
method for portal users 
authentication portal { local | none | 
radius-scheme radius-scheme-name [ local ] 
} 
Optional 
The default authentication 
method is used by default. 
Specify the authentication 
method for privilege level 
switching  
authentication super { hwtacacs-scheme 
hwtacacs-scheme-name | radius-scheme 
radius-scheme-name } 
Optional 
The default authentication 
method is used by default. 
  
						

							39 
  NOTE: 
 The authentication method specified with the authentication default command is for all types of users and has a 
priority lower than that for a specific access mode. 
 With an authentication method that references a RADIUS scheme, AAA accepts only the authentication result 
from the RADIUS server. The Access-Accept message from the RADIUS server does include the authorization 
information, but the authentication process ignores the information. 
 With the radius-scheme radius-scheme-name local, or hwtacacs-scheme hwtacacs-scheme-name local keyword 
and argument combination configured, local authentication is the backup method and is used only when the 
remote server is not available. 
 If you specify only the local or none keyword in an authentication method configuration command, the device 
has no backup authentication method and performs only local authentication or does not perform any 
authentication. 
 If the method for level switching authentication references an HWTACACS scheme, the device uses the login 
username of a user for level switching authentication of the user by default. If the method for level switching 
authentication references a RADIUS scheme, the system uses the username configured for the corresponding 
privilege level on the RADIUS server for level switching authentication, rather than the original username, the 
login username or the username entered by the user. A username configured on the RADIUS server is in the 
format of $enablevel$, where level specifies the privilege level to which the user wants to switch. For example, if 
user user1 of domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for 
authentication when the domain name is required and uses $enab3$ for authentication when the domain name 
is not required.  
Configuring AAA authorization methods for an ISP domain 
In  AAA,  authorization is  a  separate  process  at  the  same  level  as  authentication  and  accounting.  Its 
responsibility  is  to  send  authorization  requests  to  the  specified  authorization  servers and  to  send 
authorization  information  to  users after  successful  authorization.  Authorization method configuration  is 
optional in AAA configuration. 
AAA supports the following authorization methods: 
 No authorization (none)—The  access  device  performs  no  authorization  exchange. After  passing 
authentication,  non-login  users  can  access  the  network, FTP  users  can  access the root  directory  of 
the device, and other login users have only the rights of Level 0 (visiting). 
 Local authorization (local)—The access device performs authorization according to the user attributes 
configured for users. 
 Remote authorization (scheme)—The access device cooperates with a RADIUS  or an HWTACACS 
server to authorize users. RADIUS authorization is  bound  with  RADIUS  authentication.  RADIUS 
authorization  can  work  only  after  RADIUS  authentication  is  successful,  and  the authorization 
information  is  carried  in  the Access-Accept  message. HWTACACS  authorization is  separate  from 
HWTACACS  authentication,  and  the  authorization  information  is  carried  in  the  authorization 
response after successful authentication. You can configure local authorization or no authorization as 
the backup method to be used when the remote server is not available. 
Before configuring authorization methods, complete the following tasks: 
1. For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For 
RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS 
authentication scheme; otherwise, it does not take effect. 
2. Determine the access mode or service type to be configured. With AAA, you can configure an 
authorization scheme for each access mode and service type, limiting the authorization protocols 
that can be used for access.  
						

							40 
3. Determine whether to configure an authorization method for all access modes or service types. 
Follow these steps to configure AAA authorization methods for an ISP domain: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter ISP domain view domain isp-name — 
Specify the default 
authorization method for all 
types of users 
authorization default { hwtacacs-scheme 
hwtacacs-scheme-name [ local ] | local | 
none | radius-scheme radius-scheme-name 
[ local ] } 
Optional 
local by default 
Specify the command 
authorization method 
authorization command { hwtacacs-scheme 
hwtacacs-scheme-name [ local | none ] | 
local | none } 
Optional 
The default authorization 
method is used by default. 
Specify the authorization 
method for LAN users 
authorization lan-access { local | none | 
radius-scheme radius-scheme-name [ local 
| none ] } 
Optional 
The default authorization 
method is used by default. 
Specify the authorization 
method for login users 
authorization login { hwtacacs-scheme 
hwtacacs-scheme-name [ local ] | local | 
none | radius-scheme radius-scheme-name 
[ local ] } 
Optional 
The default authorization 
method is used by default. 
Specify the authorization 
method for portal users 
authorization portal { local | none | 
radius-scheme radius-scheme-name [ local 
] } 
Optional 
The default authorization 
method is used by default. 
 
 NOTE: 
 The authorization method specified with the authorization default command is for all types of users and has a 
priority lower than that for a specific access mode. 
 RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as 
the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to 
the NAS says that the server is not responding. 
 With the radius-scheme radius-scheme-name local, or hwtacacs-scheme hwtacacs-scheme-name [ local | 
none ] keyword and argument combination configured, local authorization or no authorization is the backup 
method and is used only when the remote server is not available.  
 If you specify only the local or none keyword in an authorization method configuration command, the device 
has no backup authorization method and performs only local authorization or does not perform any 
authorization. 
 The authorization information from the RADIUS server is sent to the RADIUS client along with the authentication 
response message. You cannot specify a separate RADIUS authorization server. If you use RADIUS for 
authorization and authentication, you must use the same scheme setting for authorization and authentication; 
otherwise, the system will display an error message.  
Configuring AAA accounting methods for an ISP domain 
In  AAA,  accounting  is  a  separate  process  at  the  same  level  as  authentication  and  authorization.  Its 
responsibility  is  to  send  accounting  start/update/end  requests  to  the  specified  accounting  server. 
Accounting is not required, and accounting method configuration is optional. 
AAA supports the following accounting methods:  
 No accounting (none)—The system does not perform accounting for the users.