Configuring shared keys for hwtacacs messages – H3C Technologies H3C WX3000 Series Unified Switches User Manual


25-21

- You are not allowed to configure the same IP address for both the primary and secondary accounting servers. If you do, the system prompts that the configuration fails.
- You can remove a server only when it is not used by any active TCP connection for sending accounting messages.

Configuring Shared Keys for HWTACACS Messages

When using a TACACS server as an AAA server, you can set a shared key to improve the security of communication between the device and the TACACS server.

The TACACS client and server use the MD5 algorithm to encrypt HWTACACS messages before exchanging them. Each side verifies the HWTACACS messages it receives from the other by using the shared key configured on it, and accepts and responds to a message only when both sides hold the same shared key.
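How the shared key protects the message body, as an added illustration that is not part of the manual or of H3C's code: the TACACS+ body obfuscation of RFC 8907 section 4.5, where an MD5 pseudo-pad derived from the shared key is XORed over the body, which is the MD5 scheme the text refers to. That HWTACACS uses the same construction is an assumption here, and the session ID, key and body are constructed sample values.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0xC           # major version 12, carried in the high nibble
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in cleartext (no shared key in use)


def md5_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 pseudo-pad from RFC 8907 section 4.5. The shared key is mixed into every MD5
    block, so a peer holding a different key derives a different pad and recovers garbage."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()   # pad_n = MD5(prefix | pad_{n-1})
        pad += prev
    return pad[:length]


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 pkt_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Header followed by the body XORed with the key-derived pad (the manual's 'encryption')."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0          # minor version 0
    pad = md5_pad(session_id, key, version, seq_no, len(body))
    obfuscated = bytes(b ^ p for b, p in zip(body, pad))
    return HEADER.pack(version, pkt_type, seq_no, 0, session_id, len(body)) + obfuscated


def parse_packet(raw: bytes, key: bytes) -> bytes:
    """Validate the header and recover the body with our own copy of the shared key. The
    pad carries no integrity check, so a wrong key is only noticed when the body fails to parse."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("unsupported TACACS+ major version")
    if len(raw) != HEADER.size + length:
        raise ValueError("length field does not match packet size")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("cleartext body: peer is not using a shared key")
    pad = md5_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(raw[HEADER.size:], pad))


def demo(key_client: bytes = b"example-shared-key", key_server: bytes = b"example-shared-key") -> bool:
    """True when the server side recovers the client's body, False when the two keys differ."""
    body = b"constructed sample authentication START body"   # constructed, not a real packet
    packet = build_packet(body, session_id=0x1234ABCD, key=key_client)
    return parse_packet(packet, key_server) == body
```

Mismatched keys do not produce an error from the protocol itself; the receiving side simply decodes an unparseable body, which is the behaviour behind the manual's "accept and respond only when both parties have the same shared key".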

Follow these steps to configure shared keys for HWTACACS messages:

1. Enter system view
   Command: system-view

2. Create a HWTACACS scheme and enter its view
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: Required. By default, no HWTACACS scheme exists.

3. Set a shared key for HWTACACS authentication, authorization or accounting messages
   Command: key { accounting | authorization | authentication } string
   Remarks: Required. By default, no such key is set.

Configuring the Attributes of Data to be Sent to TACACS Servers

Follow these steps to configure the attributes for data to be sent to TACACS servers:

1. Enter system view
   Command: system-view

2. Create a HWTACACS scheme and enter its view
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: Required. By default, no HWTACACS scheme exists.

3. Set the format of the user names to be sent to the TACACS server
   Command: user-name-format { with-domain | without-domain }
   Remarks: Optional. By default, the user names sent from the device to the TACACS server carry ISP domain names.

4. Set the units of data flows to TACACS servers
   Command: data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
   Command: data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
   Remarks: Optional. By default, in a TACACS scheme, the data unit and packet unit for outgoing HWTACACS flows are byte and one-packet respectively.
