Displaying and maintaining hwtacacs, Hwtacacs scheme configuration guidelines, Configuring aaa methods for isp domains – H3C Technologies H3C SecPath F1000-E User Manual

208

Displaying and maintaining HWTACACS

Task Command

Remarks

Display the configuration information
or statistics of HWTACACS schemes.

display hwtacacs
[ hwtacacs-server-name [ statistics ] ] [ |
{ begin | exclude | include }

regular-expression ]

Available in any view

Display information about buffered

stop-accounting requests for which no
responses have been received.

display stop-accounting-buffer
hwtacacs-scheme

hwtacacs-scheme-name [ | { begin |

exclude | include } regular-expression ]

Available in any view

Clear HWTACACS statistics.

reset hwtacacs statistics { accounting |
all | authentication | authorization }

Available in user view

Clear buffered stop-accounting
requests that get no responses.

reset stop-accounting-buffer
hwtacacs-scheme

hwtacacs-scheme-name

Available in user view

HWTACACS scheme configuration guidelines

When you configure the HWTACACS client, follow these guidelines:

•

Except for deleting HWTACACS schemes and changing the IP addresses of the HWTACACS
servers, you can make any changes to HWTACACS parameters, no matter whether there are users
online or not.

•

HWTACACS authentication must work with HWTACACS authorization. If only HWTACACS
authentication is configured but HWTACACS authorization is not, users cannot log in.

•

You can remove an authentication/authorization server or an accounting server only when no
active TCP connection for sending authentication/authorization or accounting packets is using it.

•

HWTACACS does not support accounting for FTP users.

Configuring AAA methods for ISP domains

You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain
view. Each ISP domain has a set of default AAA methods, which are local authentication, local

authorization, and local accounting by default and can be customized. If you do not configure any AAA

methods for an ISP domain, the firewall uses the system default AAA methods for authentication,

authorization, and accounting of the users in the domain.

Configuration prerequisites

To use local authentication for users in an ISP domain, configure local user accounts (see "

Configuring

local user attributes

") on the firewall.

To use remote authentication, authorization, and accounting, create the required RADIUS and

HWTACACS schemes as described in "

Configuring RADIUS schemes in the Web interface

," and

"

Configuring HWTACACS schemes in the Web interface

."