AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

HWTACACS Configuration Commands

display hwtacacs-server accounting-stop-packet

Function

The display hwtacacs-server accounting-stop-packet command displays information about accounting-stop packets on the HWTACACS server.

Format

display hwtacacs-server accounting-stop-packet { all | number | ip { ip-address | ipv6-address } }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| all | Displays all the accounting-stop packets. | - |
| number | Displays the accounting-stop packets starting from the specified number. | The value is an integer that ranges from 1 to 65535. |
| ip ip-address | Displays the accounting-stop packets with the specified IP address. | The value of ip-address is in dotted decimal notation. |
| ip ipv6-address | Displays the accounting-stop packets with the specified IPv6 address. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display hwtacacs-server accounting-stop-packet command output helps you check configurations or isolate faults.

Example

# Display all the accounting-stop packets.

<Huawei> display hwtacacs-server accounting-stop-packet all
-------------------------------------------------------------
NO. SendTime      IP Address                         Template
1   10            192.168.1.110                        tac
-------------------------------------------------------------
Whole accounting stop packet to resend:1
Table 14-26  Description of the display hwtacacs-server accounting-stop-packet command output

| Item | Description |
| --- | --- |
| NO. | Number of the accounting-stop packet specified by the system. |
| SendTime | Number of times that accounting-stop packets are sent. |
| IP Address | IP address of the HWTACACS server. |
| Template | HWTACACS server template. |

display hwtacacs-server template

Function

The display hwtacacs-server template command displays the configuration of HWTACACS server templates.

Format

display hwtacacs-server template [ template-name [ verbose ] ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| template-name | Displays the configuration of the specified HWTACACS server template. | The HWTACACS server template must already exist. |
| verbose | Displays detailed statistics about HWTACACS server templates. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display hwtacacs-server template command output helps you check the configuration of HWTACACS server templates and isolate faults.

Example

# Display the configuration of the HWTACACS server template template0.

<Huawei> display hwtacacs-server template template0
  ---------------------------------------------------------------------------   
  HWTACACS-server template name   : template0                                   
  Authentication Server 1         : 10.10.10.1:49 Weight:80 Vrf:- Status:UP     
  Authentication Server 2         : 10.10.10.2:49 Weight:40 Vrf:- Status:UP     
  Authorization  Server 1         : 10.10.20.1:49 Weight:80 Vrf:- Status:UP     
  Authorization  Server 2         : 10.10.20.2:49 Weight:40 Vrf:- Status:UP     
  Accounting     Server 1         : 10.10.30.1:49 Weight:80 Vrf:- Status:UP     
  Accounting     Server 2         : 10.10.30.2:49 Weight:40 Vrf:- Status:UP     
  Current-authentication-server   : 10.10.10.1:49 Weight:80 Vrf:- Status:UP     
  Current-authorization-server    : 10.10.20.1:49 Weight:80 Vrf:- Status:UP     
  Current-accounting-server       : 10.10.30.1:49 Weight:80 Vrf:- Status:UP     
  Source-IP-address               : 0.0.0.0                                     
  Source-IPv6-address             : ::                                          
  Shared-key                      : ****************                            
  Quiet-interval(min)             : 5                                           
  Response-timeout-Interval(sec)  : 5                                           
  Domain-included                 : Orignal                                     
  Traffic-unit                    : B 
  ---------------------------------------------------------------------------   
Table 14-27  Description of the display hwtacacs-server template command output

| Item | Description |
| --- | --- |
| HWTACACS-server template name | Name of the HWTACACS server template. |
| Authentication Server 1 | IP address, port number, and weight of authentication server 1. |
| Authentication Server 2 | IP address, port number, and weight of authentication server 2. |
| Authorization Server 1 | IP address, port number, and weight of authorization server 1. |
| Authorization Server 2 | IP address, port number, and weight of authorization server 2. |
| Accounting Server 1 | IP address, port number, and weight of accounting server 1. |
| Accounting Server 2 | IP address, port number, and weight of accounting server 2. |
| Current-authentication-server | IP address, port number, and weight of the current authentication server. |
| Current-authorization-server | IP address, port number, and weight of the current authorization server. |
| Current-accounting-server | IP address, port number, and weight of the current accounting server. |
| Source-IP-address | Source IP address in HWTACACS packets. |
| Source-IPv6-address | Source IPv6 address in HWTACACS packets. |
| Shared-key | Shared key in HWTACACS packets. |
| Quiet-interval(min) | Interval for the server to return to the active state, in minutes. |
| Response-timeout-Interval(sec) | Specifies the response timeout interval of an HWTACACS server, in seconds. |
| Domain-included | Whether the user name sent to the HWTACACS server contains the domain name. Yes: The user name contains the domain name. No: The user name does not contain the domain name. Original: The device does not modify the user name entered by the user. |
| Traffic-unit | Traffic unit used by the HWTACACS server, in bytes. |
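An audit of this command's output, as an added example (not Huawei code): it parses the fields described in Table 14-27 and flags templates with no standby server, servers that are not UP, a current server that is not the highest-weight one, and a quiet interval of 0. The sample text is constructed; the DOWN status value and the finding names are assumptions.

```python
import re
from collections import defaultdict

ROLES = ("authentication", "authorization", "accounting")
SERVER_KEY = re.compile(r"^(Authentication|Authorization|Accounting)\s+Server\s+(\d+)$")
CURRENT_KEY = re.compile(r"^Current-(authentication|authorization|accounting)-server$")
SERVER_VAL = re.compile(r"^(\S+):(\d+)\s+Weight:(\d+)\s+Vrf:(\S+)\s+Status:(\S+)$")

# Constructed sample in the page's output format (not captured from a device).
# The DOWN status value is an assumption; the page only shows UP.
SAMPLE = """\
  HWTACACS-server template name   : template0
  Authentication Server 1         : 10.10.10.1:49 Weight:80 Vrf:- Status:DOWN
  Authentication Server 2         : 10.10.10.2:49 Weight:40 Vrf:- Status:UP
  Authorization  Server 1         : 10.10.20.1:49 Weight:80 Vrf:- Status:UP
  Accounting     Server 1         : 10.10.30.1:49 Weight:80 Vrf:- Status:UP
  Accounting     Server 2         : 10.10.30.2:49 Weight:80 Vrf:- Status:UP
  Current-authentication-server   : 10.10.10.2:49 Weight:40 Vrf:- Status:UP
  Current-authorization-server    : 10.10.20.1:49 Weight:80 Vrf:- Status:UP
  Current-accounting-server       : 10.10.30.1:49 Weight:80 Vrf:- Status:UP
  Source-IP-address               : 0.0.0.0
  Shared-key                      : ****************
  Quiet-interval(min)             : 0
  Response-timeout-Interval(sec)  : 5
"""


def parse_template(text):
    """Split the output into configured servers, current servers and scalar fields."""
    servers = defaultdict(list)   # role -> list of server dicts
    current, fields = {}, {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:               # separator rows and blank lines
            continue
        key, value = key.strip(), value.strip()
        val = SERVER_VAL.match(value)
        entry = None
        if val:
            entry = {"addr": val[1], "port": int(val[2]),
                     "weight": int(val[3]), "status": val[5]}
        m = SERVER_KEY.match(key)
        if m and entry:
            entry["index"] = int(m[2])
            servers[m[1].lower()].append(entry)
            continue
        m = CURRENT_KEY.match(key)
        if m and entry:
            current[m[1]] = entry
            continue
        fields[key] = value
    return servers, current, fields


def audit(text):
    """Return a list of (scope, finding) tuples for one template's output."""
    servers, current, fields = parse_template(text)
    findings = []
    for role in ROLES:
        configured = sorted(servers.get(role, []), key=lambda s: s["index"])
        if not configured:
            findings.append((role, "no-server"))
            continue
        if len(configured) == 1:
            findings.append((role, "no-standby"))
        for s in configured:
            if s["status"] != "UP":
                findings.append((role, f"server-{s['index']}-{s['status'].lower()}"))
        # Highest weight wins; on a tie max() keeps the lower-numbered server,
        # which is assumed here to be the one configured first.
        preferred = max(configured, key=lambda s: s["weight"])
        cur = current.get(role)
        if cur and (cur["addr"], cur["port"]) != (preferred["addr"], preferred["port"]):
            findings.append((role, "running-on-lower-weight-server"))
    # A quiet interval of 0 means the device does not return to the recovered
    # server until the standby fails.
    if fields.get("Quiet-interval(min)") == "0":
        findings.append(("template", "quiet-0-no-automatic-switchback"))
    # The page shows the key masked with asterisks; anything else is worth a look.
    if not re.fullmatch(r"\*+", fields.get("Shared-key", "")):
        findings.append(("template", "shared-key-not-masked-or-missing"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```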

hwtacacs enable

Function

The hwtacacs enable command enables Huawei Terminal Access Controller Access Control System (HWTACACS).

The undo hwtacacs enable command disables HWTACACS.

By default, HWTACACS is enabled.

Format

hwtacacs enable

undo hwtacacs enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To configure HWTACACS, run the hwtacacs enable command to enable the HWTACACS protocol.

Precautions

If the undo hwtacacs enable command is run when a user is performing HWTACACS authentication, authorization, or accounting, the command does not take effect.

Example

# Disable HWTACACS.

<Huawei> system-view
[Huawei] undo hwtacacs enable

hwtacacs-server (AAA domain view)

Function

The hwtacacs-server command applies an HWTACACS server template to a domain.

The undo hwtacacs-server command deletes an HWTACACS server template from a domain.

By default, no HWTACACS server template is configured in a domain.

Format

hwtacacs-server template-name

undo hwtacacs-server

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| template-name | Specifies the name of an HWTACACS server template. | The HWTACACS server template must already exist. |

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform HWTACACS authentication, authorization, and accounting for users in a domain, configure an HWTACACS server template in the domain. After the HWTACACS server template is configured in the domain, the configuration in the HWTACACS server template takes effect.

Prerequisites

An HWTACACS server template has been created by using the hwtacacs-server template command.

Example

# Apply the HWTACACS server template template1 to the domain tacacs1.

<Huawei> system-view
[Huawei] hwtacacs-server template template1
[Huawei-hwtacacs-template1] quit
[Huawei] aaa
[Huawei-aaa] domain tacacs1
[Huawei-aaa-domain-tacacs1] hwtacacs-server template1

hwtacacs-server accounting

Function

The hwtacacs-server accounting command configures the HWTACACS accounting server.

The undo hwtacacs-server accounting command cancels the configuration of the HWTACACS accounting server.

By default, no HWTACACS accounting server is configured.

Format

hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ weight weight-value ]

hwtacacs-server accounting ipv6-address [ port ] [ public-net ] [ weight weight-value ]

undo hwtacacs-server accounting [ ip-address [ port ] ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ip-address | Specifies the IP address of an HWTACACS accounting server. | The value is a valid unicast address in dotted decimal notation. |
| ipv6-address | Specifies the IPv6 address of an HWTACACS accounting server. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
| port | Specifies the port number of an HWTACACS accounting server. | The value is an integer that ranges from 1 to 65535. The default value is 49. |
| public-net | Indicates that the HWTACACS accounting server is connected to the public network. | - |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the HWTACACS accounting server is bound to. | The VPN instance must already exist. |
| weight weight-value | Specifies the weight of an HWTACACS accounting server. NOTE: When multiple servers are available, the device uses the server with the highest weight to perform accounting. If the servers have the same weights, the device uses the server configured first to perform accounting. | The value is an integer that ranges from 1 to 100. The default value is 80. |

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device does not support local accounting; therefore, you need to configure an HWTACACS accounting server to perform accounting. The device sends accounting packets to an HWTACACS accounting server only after the IP address of the HWTACACS accounting server is specified in an HWTACACS server template.

Precautions

You must specify different IP addresses for the HWTACACS accounting server 1 and server 2; otherwise, the configuration fails.

Example

# Configure the HWTACACS accounting server.

<Huawei> system-view
[Huawei] hwtacacs-server template test1
[Huawei-hwtacacs-test1] hwtacacs-server accounting 10.163.155.12 49

hwtacacs-server accounting-stop-packet resend

Function

The hwtacacs-server accounting-stop-packet resend command enables or disables retransmission of accounting-stop packets and sets the number of accounting-stop packets that can be retransmitted each time.

By default, 100 accounting-stop packets can be retransmitted each time.

Format

hwtacacs-server accounting-stop-packet resend { disable | enable number }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| disable | Disables the retransmission of accounting-stop packets. | - |
| enable | Enables the retransmission of accounting-stop packets. | - |
| number | Specifies the number of retransmitted accounting-stop packets. | The value is an integer that ranges from 1 to 300. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a user goes offline, the device sends an accounting-stop packet to an accounting server. After the accounting server receives the accounting-stop packet, it stops accounting for the user. If the accounting server does not receive the accounting-stop packet because of network faults, it continues to perform accounting for the user. As a result, the user is charged incorrectly. To solve this problem, configure the device to send accounting-stop packets multiple times.

Precautions

  • If disable is configured, an accounting-stop packet is transmitted only once even when packet transmission fails.
  • If enable number is configured, an accounting-stop packet is retransmitted if no response is returned or transmission fails. number specifies the number of retransmission times.

Example

# Enable the retransmission of accounting-stop packets and set the number of accounting-stop packets that can be retransmitted each time to 50.

<Huawei> system-view
[Huawei] hwtacacs-server accounting-stop-packet resend enable 50

hwtacacs-server authentication

Function

The hwtacacs-server authentication command configures the HWTACACS authentication server.

The undo hwtacacs-server authentication command cancels the configuration of the HWTACACS authentication server.

By default, no HWTACACS authentication server is configured.

Format

hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ weight weight-value ]

hwtacacs-server authentication ipv6-address [ port ] [ public-net ] [ weight weight-value ]

undo hwtacacs-server authentication [ ip-address [ port ] ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ip-address | Specifies the IP address of an HWTACACS authentication server. | The value is a valid unicast address in dotted decimal notation. |
| ipv6-address | Specifies the IPv6 address of an HWTACACS authentication server. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
| port | Specifies the port number of an HWTACACS authentication server. | The value is an integer that ranges from 1 to 65535. The default value is 49. |
| public-net | Indicates that the HWTACACS authentication server is connected to the public network. | - |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the HWTACACS authentication server is bound to. | The VPN instance must already exist. |
| weight weight-value | Specifies the weight of an HWTACACS authentication server. NOTE: When multiple servers are available, the device uses the server with the highest weight to perform authentication. If the servers have the same weights, the device uses the server configured first to perform authentication. | The value is an integer that ranges from 1 to 100. The default value is 80. |

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To perform HWTACACS authentication, configure an HWTACACS authentication server in an HWTACACS server template. The device sends authentication packets to an HWTACACS authentication server only after the IP address of the HWTACACS authentication server is specified in an HWTACACS server template.

When authentication servers 1 and 2 are configured and authentication server 1 is the primary one, the device sends an authentication request packet to the authentication server 2 in any of the following situations:
  • The device fails to send a request packet to the authentication server 1.
  • The authentication server 1 does not return an authentication response packet.
  • The authentication server 1 requires re-authentication.
  • The authentication server 1 considers that the received authentication request packet is incorrect.

Precautions

You can modify this configuration only when the device has not set up a TCP connection with the specified authentication server.

You must specify different IP addresses for the HWTACACS authentication server 1 and server 2; otherwise, the configuration fails.

Example

# Specify the IP address 10.163.155.13 for the HWTACACS authentication server.

<Huawei> system-view
[Huawei] hwtacacs-server template test1
[Huawei-hwtacacs-test1] hwtacacs-server authentication 10.163.155.13

hwtacacs-server authorization

Function

The hwtacacs-server authorization command configures the HWTACACS authorization server.

The undo hwtacacs-server authorization command cancels the configuration of the HWTACACS authorization server.

By default, no HWTACACS authorization server is configured.

Format

hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ weight weight-value ]

hwtacacs-server authorization ipv6-address [ port ] [ public-net ] [ weight weight-value ]

undo hwtacacs-server authorization [ ip-address [ port ] ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ip-address | Specifies the IP address of an HWTACACS authorization server. | The value is a valid unicast address in dotted decimal notation. |
| ipv6-address | Specifies the IPv6 address of an HWTACACS authorization server. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
| port | Specifies the port number of an HWTACACS authorization server. | The value is an integer that ranges from 1 to 65535. The default value is 49. |
| public-net | Indicates that the HWTACACS authorization server is connected to the public network. | - |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the HWTACACS authorization server is bound to. | The VPN instance must already exist. |
| weight weight-value | Specifies the weight of an HWTACACS authorization server. NOTE: When multiple servers are available, the device uses the server with the highest weight to perform authorization. If the servers have the same weights, the device uses the server configured first to perform authorization. | The value is an integer that ranges from 1 to 100. The default value is 80. |

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To perform HWTACACS authorization, specify an HWTACACS authorization server in an HWTACACS server template. The device sends authorization packets to an HWTACACS authorization server only after the IP address of the HWTACACS authorization server is specified in an HWTACACS server template.

Precautions

The setting can be modified only when no TCP connection is set up with the specified authorization server.

You must specify different IP addresses for the HWTACACS authorization server 1 and server 2; otherwise, the configuration fails.

Example

# Specify the IP address 10.163.155.13 for the HWTACACS authorization server.

<Huawei> system-view
[Huawei] hwtacacs-server template test1
[Huawei-hwtacacs-test1] hwtacacs-server authorization 10.163.155.13

hwtacacs-server shared-key

Function

The hwtacacs-server shared-key command configures the shared key of an HWTACACS server.

The undo hwtacacs-server shared-key command deletes the shared key of an HWTACACS server.

By default, no shared key of an HWTACACS server is configured.

Format

hwtacacs-server shared-key cipher key-string

undo hwtacacs-server shared-key

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| cipher | Indicates the shared key in cipher text. | - |
| key-string | Specifies the shared key of an HWTACACS server. | The value is a case-sensitive string without question marks (?) or spaces. The key-string may be a plain-text password consisting of 1 to 96 characters or a cipher-text password consisting of 20 to 152 characters. |

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The shared key is used to encrypt the password and generate the response authenticator.

When exchanging authentication packets with an HWTACACS server, the device uses MD5 to encrypt important data such as the password to ensure security of data transmission over the network. The device and HWTACACS server must use the same key to ensure their validity in the authentication.

Precautions

To improve security, it is recommended that the shared key contain at least 6 characters and at least two of the following character types: lower-case letters, upper-case letters, numerals, and special characters.

You can modify this configuration only when the HWTACACS server template is not in use.

To be compatible with the earlier versions, the device supports the shared key of 20 characters in cipher text. The length of the shared key cannot be configured.

Example

# Set the shared key of an HWTACACS server to Huawei@1234 in cipher text.

<Huawei> system-view
[Huawei] hwtacacs-server template template1
[Huawei-hwtacacs-template1] hwtacacs-server shared-key cipher Huawei@1234
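How an MD5-derived pad protects a packet body, together with the key recommendations from the Precautions above, as an added example (not Huawei code). It assumes HWTACACS uses the TACACS+ body obfuscation defined in RFC 8907; the session ID, the body bytes and the function names are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0  # TACACS+ major version 12, minor version 0 (RFC 8907)


def pseudo_pad(session_id, key, version, seq_no, length):
    """Build the RFC 8907 pad: MD5 blocks chained until `length` bytes exist."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        # First block hashes the seed alone; later blocks append the previous digest.
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body, session_id, key, version=TAC_PLUS_VERSION, seq_no=1):
    """XOR the body with the pad. The same call reverses the operation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def key_policy_problems(key):
    """Check a plain-text key-string against the limits and advice on this page."""
    problems = []
    if not 1 <= len(key) <= 96:
        problems.append("length outside 1-96 characters")
    if "?" in key or " " in key:
        problems.append("contains a question mark or space")
    if len(key) < 6:
        problems.append("shorter than the recommended 6 characters")
    classes = sum([
        any(c.islower() for c in key),
        any(c.isupper() for c in key),
        any(c.isdigit() for c in key),
        any(not c.isalnum() for c in key),
    ])
    if classes < 2:
        problems.append("fewer than two character types")
    return problems


if __name__ == "__main__":
    key = b"Huawei@1234"                    # key from the page's example
    session_id = 0x1234ABCD                 # constructed value
    body = b"constructed authentication body, 40 byte"  # spans three MD5 blocks
    wire = obfuscate(body, session_id, key)
    print("on the wire :", wire.hex())
    print("right key   :", obfuscate(wire, session_id, key))
    print("wrong key   :", obfuscate(wire, session_id, b"WrongKey1"))
    print("policy      :", key_policy_problems(key.decode()) or "ok")
```

The pad depends only on the shared key and on header fields that travel in clear text, so the confidentiality of the body rests entirely on the strength of the key.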

hwtacacs-server source-ip

Function

The hwtacacs-server source-ip command configures the source IP address that the device encapsulates in HWTACACS packets to be sent to an HWTACACS server.

The undo hwtacacs-server source-ip command restores the default source IP address encapsulated in HWTACACS packets.

By default, no source IP address encapsulated in HWTACACS packets is configured; the device uses the IP address of the outbound interface as the source IP address encapsulated in HWTACACS packets.

Format

hwtacacs-server source-ip ip-address

undo hwtacacs-server source-ip

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ip-address | Specifies an IP address. | The value is a valid unicast address in dotted decimal notation. |

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

After you specify the source IP address in HWTACACS packets, the device uses this IP address to communicate with the HWTACACS server.

Example

# Specify the source IP address 10.1.1.1 in HWTACACS packets.

<Huawei> system-view
[Huawei] hwtacacs-server template template1
[Huawei-hwtacacs-template1] hwtacacs-server source-ip 10.1.1.1

hwtacacs-server source-ipv6

Function

The hwtacacs-server source-ipv6 command configures the source IPv6 address in HWTACACS packets.

The undo hwtacacs-server source-ipv6 command deletes the source IPv6 address in HWTACACS packets.

By default, no source IPv6 address is configured in HWTACACS packets.

Format

hwtacacs-server source-ipv6 ipv6-address

undo hwtacacs-server source-ipv6

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ipv6-address | Specifies the source IPv6 address in HWTACACS packets. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

After you specify the source IPv6 address in HWTACACS packets, the device uses this IPv6 address to communicate with the HWTACACS server.

Example

# Specify the source IPv6 address fc00::1 in HWTACACS packets.

<Huawei> system-view
[Huawei] hwtacacs-server template test1
[Huawei-hwtacacs-test1] hwtacacs-server source-ipv6 fc00::1

hwtacacs-server template

Function

The hwtacacs-server template command creates an HWTACACS server template and enters the HWTACACS server template view.

The undo hwtacacs-server template command deletes an HWTACACS server template.

By default, no HWTACACS server template is configured on the device.

Format

hwtacacs-server template template-name

undo hwtacacs-server template template-name

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| template-name | Specifies the name of an HWTACACS server template. | The value is a string of 1 to 32 characters, including characters A to Z and a to z (case-sensitive), numerals (0 to 9), punctuation mark (.), dash (-), and underline (_). The value cannot be - or --. |

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You must create an HWTACACS server template before configuring HWTACACS authentication, authorization, and accounting. You can perform HWTACACS configurations, such as the configuration of authentication servers, authorization servers, accounting servers, and shared key, only after an HWTACACS server template is created.

Follow-up Procedure

Configure an authentication server, accounting server, and shared key in the HWTACACS server template view, and run the hwtacacs-server (AAA domain view) command in the domain view to apply the HWTACACS server template.

Precautions

A maximum of 16 HWTACACS server templates can be created on the device.

You can modify an HWTACACS server template only when it is not in use.

When you run the undo hwtacacs-server template command to delete an HWTACACS server template in use, a message about a deletion failure is displayed on the device.

Example

# Create an HWTACACS server template template1 and enter the HWTACACS server template view.

<Huawei> system-view
[Huawei] hwtacacs-server template template1
[Huawei-hwtacacs-template1] 

hwtacacs-server timer quiet

Function

The hwtacacs-server timer quiet command sets the interval for the primary server to return to the active state.

The undo hwtacacs-server timer quiet command restores the default interval for the primary server to return to the active state.

By default, the interval for the primary HWTACACS server to return to the active state is 5 minutes.

Format

hwtacacs-server timer quiet interval

undo hwtacacs-server timer quiet

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interval | Specifies the interval for the primary server to return to the active state. | The value is an integer ranging from 0 to 255, in minutes. |

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the primary server is unavailable, the device automatically switches services to the standby server and sends packets to the standby server. After the interval for the primary server to return to the active state is reached, the device attempts to establish a connection with the primary server.

  • If the primary server is still unavailable, the device continues to send packets to the standby server until the next interval is reached. Such a process repeats.
  • If the primary server is available, the device switches services to the primary server and sends packets to the primary server.

The interval for the primary server to return to the active state ensures that the primary server can be restored immediately and reduces the number of detection times during the switchover.

The default value is recommended.

Precautions

When the quiet period of the active server is set to 0, if the active server fails, the device sends packets to the standby server. When the active server is recovered, the device does not connect to the active server, but still sends packets to the standby server until the standby server fails.

When you run the hwtacacs-server timer quiet command to change the interval for the primary server to return to the active state, the device does not check whether the HWTACACS server template is in use.

Example

# Set the interval for the primary server to return to the active state to 3 minutes.

<Huawei> system-view
[Huawei] hwtacacs-server template template1
[Huawei-hwtacacs-template1] hwtacacs-server timer quiet 3
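A small model of the switchover behaviour described in the Usage Scenario and Precautions above, as an added example (not Huawei code), showing how a quiet interval of 0 keeps the device on the standby server after the primary recovers. It assumes one request per minute and that the device returns to the primary when the standby fails for any quiet value, which the page states only for 0; the timeline is constructed.

```python
def simulate(timeline, quiet_min):
    """Return which server handles each request.

    timeline[m] is (primary_up, standby_up) for minute m, one request per minute.
    The result holds "primary", "standby", or None when no server answered.
    """
    using, probe_at, used = "primary", None, []
    for minute, (primary_up, standby_up) in enumerate(timeline):
        # Quiet interval reached: try the primary again (never when quiet is 0).
        if using == "standby" and quiet_min > 0 and minute >= probe_at:
            if primary_up:
                using = "primary"
            else:
                probe_at = minute + quiet_min   # wait for the next interval
        # Standby failed: go back to the primary (assumed for quiet > 0).
        if using == "standby" and not standby_up:
            using = "primary"
        # Primary unavailable: switch to the standby and start the quiet interval.
        if using == "primary" and not primary_up and standby_up:
            using, probe_at = "standby", minute + quiet_min
        server_up = primary_up if using == "primary" else standby_up
        used.append(using if server_up else None)
    return used


def minutes_on_standby(used):
    """Count requests that were served by the standby server."""
    return sum(1 for server in used if server == "standby")


# Constructed 12-minute timeline: the primary is down during minutes 2-5,
# the standby is down only during minute 10.
TIMELINE = [(not 2 <= m <= 5, m != 10) for m in range(12)]

if __name__ == "__main__":
    for quiet in (5, 3, 0):
        used = simulate(TIMELINE, quiet)
        print(f"quiet={quiet}: {minutes_on_standby(used)} min on standby ->",
              " ".join(s[0] if s else "-" for s in used))
```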

hwtacacs-server timer response-timeout

Function

The hwtacacs-server timer response-timeout command sets the response timeout interval of an HWTACACS server.

The undo hwtacacs-server timer response-timeout command restores the default response timeout interval of an HWTACACS server.

By default, the response timeout interval for an HWTACACS server is 5 seconds.

Format

hwtacacs-server timer response-timeout interval

undo hwtacacs-server timer response-timeout

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interval | Specifies the response timeout interval of an HWTACACS server. | The value is an integer ranging from 1 to 300, in seconds. |

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the device sends a request packet to an HWTACACS server, if the device does not receive a response packet in the specified timeout interval:
  • If only one HWTACACS server is configured, the device does not retransmit the request to this server.
  • If both active/standby HWTACACS servers are available and the TCP link between them works normally, the device retransmits the request to the standby server after timeout. If the TCP link is broken during the timeout interval, the device immediately retransmits the request to the standby server.
This improves reliability of HWTACACS authentication, authorization, and accounting.

The default value is recommended.

Precautions

You can modify this configuration only when the HWTACACS server template is not in use.

Example

# Set the response timeout interval of an HWTACACS server to 30s.

<Huawei> system-view
[Huawei] hwtacacs-server template test1
[Huawei-hwtacacs-test1] hwtacacs-server timer response-timeout 30

hwtacacs-server traffic-unit

Function

The hwtacacs-server traffic-unit command sets the traffic unit used by an HWTACACS server.

By default, the traffic unit is byte on the device.

Format

hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| byte | Indicates that the traffic unit is byte. | - |
| kbyte | Indicates that the traffic unit is kilobyte. | - |
| mbyte | Indicates that the traffic unit is megabyte. | - |
| gbyte | Indicates that the traffic unit is gigabyte. | - |

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Different HWTACACS servers may use different traffic units; therefore, you need to set the traffic unit for each HWTACACS server group on the device and the traffic unit must be the same as that on the HWTACACS server.

Precautions

You can change the traffic unit only when the HWTACACS server template is not in use.

Example

# Set the traffic unit used by an HWTACACS server to kilobyte.

<Huawei> system-view
[Huawei] hwtacacs-server template template1
[Huawei-hwtacacs-template1] hwtacacs-server traffic-unit kbyte

hwtacacs-server user-name domain-included

Function

The hwtacacs-server user-name domain-included command configures the device to encapsulate the domain name in the user name in HWTACACS packets to be sent to an HWTACACS server.

The hwtacacs-server user-name original command configures the device not to modify the user name entered by the user in the packets sent to the HWTACACS server.

The undo hwtacacs-server user-name domain-included command configures the device not to encapsulate the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

By default, the device does not modify the user name entered by the user in the packets sent to the HWTACACS server.

Format

hwtacacs-server user-name domain-included

hwtacacs-server user-name original

undo hwtacacs-server user-name domain-included

Parameters

None

Views

HWTACACS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The format of a user name is user name@domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %.

If the HWTACACS server does not accept the user name with the domain name, run the undo hwtacacs-server user-name domain-included command to delete the domain name from the user name.

Precautions

You can modify this configuration only when the HWTACACS server template is not in use.

If the user names in the HWTACACS packets sent from the device to HWTACACS server contain domain names, ensure that the total length of a user name (user name + domain name delimiter + domain name) is not longer than 64 characters; otherwise, the user name cannot be contained in HWTACACS packets. As a result, authentication will fail.

Example

# Configure the device not to encapsulate the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

<Huawei> system-view
[Huawei] hwtacacs-server template template1
[Huawei-hwtacacs-template1] undo hwtacacs-server user-name domain-included

hwtacacs-user change-password hwtacacs-server

Function

The hwtacacs-user change-password hwtacacs-server command enables the device to change the passwords saved on the HWTACACS server.

Format

hwtacacs-user change-password hwtacacs-server template-name

Parameters

| Parameter | Description | Value |
|---|---|---|
| template-name | Specifies the name of an HWTACACS server template. | The HWTACACS server template must already exist. |

Views

User view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

To change the password saved on the HWTACACS server, users can run the hwtacacs-user change-password hwtacacs-server command on the device. You do not need to change the configuration on the HWTACACS server.

Precautions

  • Users must be HWTACACS authenticated, and the HWTACACS server template must be configured.

  • Users can run this command to change their passwords only when the user names and passwords saved on the HWTACACS server have not expired. When a user whose password has expired logs in to the device, the HWTACACS server does not allow the user to change the password and displays a message indicating that the authentication fails.

  • The system wait period is 30 seconds. If the TACACS server does not receive the user name, new password, or confirmed password from the user within this period, it terminates the password change process.

  • Users can also press Ctrl+C to cancel the password change.

  • HWTACACS users who pass AAA authentication can use the hwtacacs-user change-password hwtacacs-server command to change their passwords before the passwords expire. If a user needs to run this command to change the passwords of other users, the user must have system rights.

Example

# Enable the user that passes HWTACACS authentication to change the password.

<Huawei> hwtacacs-user change-password hwtacacs-server huawei
Username:cj@huawei
Old Password:
New Password:
Re-enter New password:
Info: The password has been changed successfully.

reset hwtacacs-server accounting-stop-packet

Function

The reset hwtacacs-server accounting-stop-packet command clears statistics on the remaining buffer information of HWTACACS accounting-stop packets.

Format

reset hwtacacs-server accounting-stop-packet { all | ip { ipv4-address | ipv6-address } }

Parameters

| Parameter | Description | Value |
|---|---|---|
| all | Clears statistics on the remaining buffer information of HWTACACS accounting-stop packets. | - |
| ip ip-address | Clears statistics on the remaining buffer information of HWTACACS accounting-stop packets with the specified IP address. | The value is in dotted decimal notation. |
| ip ipv6-address | Clears statistics on the remaining buffer information of HWTACACS accounting-stop packets with the specified IPv6 address. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |

Views

User view

Default Level

3: Management level

Usage Guidelines

This command can clear statistics on the remaining buffer information of HWTACACS accounting-stop packets. The deleted statistics cannot be restored.

Example

# Clear statistics on the remaining buffer information of all HWTACACS accounting-stop packets.

<Huawei> reset hwtacacs-server accounting-stop-packet all

reset hwtacacs-server statistics

Function

The reset hwtacacs-server statistics command clears the statistics on HWTACACS authentication, accounting, and authorization.

Format

reset hwtacacs-server statistics { accounting | all | authentication | authorization }

Parameters

| Parameter | Description | Value |
|---|---|---|
| accounting | Clears the statistics on HWTACACS accounting. | - |
| all | Clears all the statistics. | - |
| authentication | Clears the statistics on HWTACACS authentication. | - |
| authorization | Clears the statistics on HWTACACS authorization. | - |

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Before collecting the statistics on HWTACACS authentication, accounting, and authorization in a specified period of time, run the reset hwtacacs-server statistics command to clear the existing statistics. Run the display hwtacacs-server template template-name verbose command to view the statistics on HWTACACS authentication, accounting, and authorization.

Precautions

The cleared statistics cannot be restored. Exercise caution when you run the command.

Example

# Clear all the statistics.

<Huawei> reset hwtacacs-server statistics all
Updated: 2019-05-29

Document ID: EDOC1000097293
