Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
HWTACACS Configuration Commands

display hwtacacs current-status

Function

The display hwtacacs current-status command displays the HWTACACS current status.

Format

display hwtacacs current-status [ template template-name ]

Parameters

Parameter: template template-name
Description: Specifies the name of an HWTACACS server template.
Value: The HWTACACS server template must exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

The display hwtacacs current-status [ template template-name ] command displays the current status about the HWTACACS server.

Example

# Display the current status of the huawei template.

<HUAWEI> display hwtacacs current-status template huawei
Info: * means current server.
--------------------------------------------------------------------------------------
 Server type       IP address/Server Host Name     Port  Pending request    VPN       
-----------------------------------------------------------
*Authentication   authen_host                       23    0                 vpn1     
*Authorization    author_host                      123    0                 vpn1     
*Accounting       acct_host                         10    0                 vpn1     
 Authentication   10.2.2.2                          32    0                 vpn1     
 Authentication   10.3.3.3                          33    0                 vpn1     
 Authorization    10.1.1.1                          12    0                 vpn1     
 Authorization    author_host_sec                  233    0                 vpn1     
 Accounting       acct_host_sec                     11    0                 vpn1     
-------------------------------------------------------------------------------------
Table 16-31  Description of the display hwtacacs current-status template template-name command output.

Item

Description

Server type

Server type of HWTACACS server.

IP address/Server Host Name

HWTACACS server IP address or host name.

Port

HWTACACS server port number.

Pending request

Total number of pending requests.

VPN

Bound VPN.

# Display the current status of HWTACACS client.

<HUAWEI> display hwtacacs current-status
----------------------------------------
 HWTACACS service status      : Enabled 
 Total templates configured   : 1       
 Total servers configured     : 3       
----------------------------------------
Table 16-32  Description of the display hwtacacs current-status command output.

Item

Description

HWTACACS service status

HWTACACS service status, including
  • Enabled
  • Disabled

Total templates configured

Total number of templates configured.

Total servers configured

Total number of servers configured.
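The per-server table above is what an operator would poll to confirm that each AAA function still has a reachable server and that requests are not queuing up. The following Python is an added example, not code from the Huawei document: it parses the table format shown on this page (the "*" marker, address or host name, port, pending count and VPN) and reports server types with no current server or with pending requests above a threshold. Both output samples are constructed; the first mirrors the page's example, the second is invented to show a degraded state.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of "display hwtacacs current-status template huawei"
SAMPLE_OUTPUT = """\
Info: * means current server.
--------------------------------------------------------------------------------------
 Server type       IP address/Server Host Name     Port  Pending request    VPN
-----------------------------------------------------------
*Authentication   authen_host                       23    0                 vpn1
*Authorization    author_host                      123    0                 vpn1
*Accounting       acct_host                         10    0                 vpn1
 Authentication   10.2.2.2                          32    0                 vpn1
 Authentication   10.3.3.3                          33    0                 vpn1
 Authorization    10.1.1.1                          12    0                 vpn1
 Authorization    author_host_sec                  233    0                 vpn1
 Accounting       acct_host_sec                     11    0                 vpn1
-------------------------------------------------------------------------------------
"""

# Constructed degraded sample: no accounting server is current and requests are piling up
DEGRADED_OUTPUT = """\
Info: * means current server.
--------------------------------------------------------------------------------------
 Server type       IP address/Server Host Name     Port  Pending request    VPN
-----------------------------------------------------------
*Authentication   10.2.2.2                          49    0                 vpn1
*Authorization    10.2.2.2                          49    0                 vpn1
 Accounting       acct_host                         49    7                 vpn1
 Accounting       acct_host_sec                     49    3                 vpn1
-------------------------------------------------------------------------------------
"""

SERVER_TYPES = ("Authentication", "Authorization", "Accounting")

# One table row: optional "*" (current server), type, address/host, port, pending, VPN
ROW_RE = re.compile(
    r"^(?P<cur>\*?)(?P<type>Authentication|Authorization|Accounting)\s+"
    r"(?P<addr>\S+)\s+(?P<port>\d+)\s+(?P<pending>\d+)\s+(?P<vpn>\S+)$"
)


@dataclass
class HwtacacsServer:
    server_type: str
    address: str
    port: int
    pending: int
    vpn: str
    current: bool


def parse_current_status(text: str) -> List[HwtacacsServer]:
    """Parse the per-server table; the Info line, header and separators are skipped."""
    servers = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        servers.append(HwtacacsServer(
            server_type=m["type"], address=m["addr"], port=int(m["port"]),
            pending=int(m["pending"]), vpn=m["vpn"], current=m["cur"] == "*"))
    return servers


def audit_current_status(servers: List[HwtacacsServer], pending_threshold: int = 0) -> List[str]:
    """Return human-readable findings; an empty list means every AAA function looks healthy."""
    findings = []
    for stype in SERVER_TYPES:
        rows = [s for s in servers if s.server_type == stype]
        if not rows:
            findings.append(f"{stype}: no server configured")
            continue
        if not any(s.current for s in rows):
            findings.append(f"{stype}: no current server (all servers unreachable?)")
        for s in rows:
            if s.pending > pending_threshold:
                findings.append(f"{stype} {s.address}:{s.port} has {s.pending} pending requests")
    return findings


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        print(name, audit_current_status(parse_current_status(text)) or "OK")
```

Feed it the captured output of the command rather than the constructed strings; the regex only depends on the column order shown on this page, not on the column widths.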

display hwtacacs server template

Function

The display hwtacacs server template command displays the configuration of HWTACACS server templates.

Format

display hwtacacs server template [ template-name [ verbose ] | template-name [ { authentication | authorization | accounting | common } [ { ip-address | ipv6-address | host host-name } [ vpn-instance vpn-instance-name ] ] [ statistics ] ] ]

Parameters

Parameter: template-name
Description: Specifies the name of an HWTACACS server template.
Value: The HWTACACS server template must exist.

Parameter: verbose
Description: Displays detailed information about HWTACACS server templates. If the verbose parameter is not specified, the configuration of all the HWTACACS server templates is displayed.
Value: -

Parameter: authentication
Description: Specifies the authentication server type.
Value: -

Parameter: authorization
Description: Specifies the authorization server type.
Value: -

Parameter: accounting
Description: Specifies the accounting server type.
Value: -

Parameter: common
Description: Specifies the common server type.
Value: -

Parameter: ip-address
Description: Specifies the IP address of a server. The address type must be unicast.
Value: The value is in dotted decimal notation.

Parameter: vpn-instance vpn-instance-name
Description: Specifies the vpn-instance name.
Value: The VPN instance must exist.

Parameter: ipv6-address
Description: Specifies the IPv6 address of a server.
Value: The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.

Parameter: host host-name
Description: Specifies the host name of the server.
Value: The value is a string of 1 to 255 case-sensitive characters, without spaces. It can be any combination of letters, digits, periods (.), hyphens (-), and underlines (_), and contains at least one letter or digit.

Parameter: statistics
Description: Displays HWTACACS server statistics information.
Value: -

Views

All views

Default Level

3: Management level

Usage Guidelines

The display hwtacacs server template command output helps you check the configuration of HWTACACS server templates and isolate faults.

Example

# Display the configuration of all HWTACACS server templates.

<HUAWEI> display hwtacacs server template
--------------------------------------------------------------------------------
Template name                          : ht
Template ID                            : 0
Primary authentication server          : 10.1.1.1-49:-
Primary authorization server           : 10.1.1.1-49:-
Primary accounting server              : 10.1.1.1-49:-
Primary common server                  : 0.0.0.0-0:-
Current authentication server          : 10.1.1.2-49:-
Current authorization server           : 10.1.1.2-49:-
Current accounting server              : 10.1.1.2-49:-
Source IP address                      : 0.0.0.0
Shared key                             : ****************
Quiet interval (min)                   : 5
Response timeout interval (sec)        : 5
Domain included                        : Yes
Secondary authentication server count  : 1
Secondary authorization server count   : 1
Secondary accounting server count      : 1
Secondary common server count          : 0
--------------------------------------------------------------------------------
Table 16-33  Description of the display hwtacacs server template command output

Item

Description

Template name

HWTACACS server template name.

Template ID

HWTACACS server template ID.

Primary authentication server

Primary authentication server.

Primary authorization server

Primary authorization server.

Primary accounting server

Primary accounting server.

Primary common server

Primary common server.

Current authentication server

Current authentication server.

Current authorization server

Current authorization server.

Current accounting server

Current accounting server.

Source IP address

Source IP address.

Shared key

Shared secret key.

Quiet interval (min)

Quiet-interval time, in minutes.

Response timeout interval (sec)

Response timeout interval, in seconds.

Domain included

Domain included information. The value can be:
  • Yes
  • No

Secondary authentication server count

Secondary authentication server count.

Secondary authorization server count

Secondary authorization server count.

Secondary accounting server count

Secondary accounting server count.

Secondary common server count

Secondary common server count.

# Display detailed configuration of authentication servers of the template ht.

<HUAWEI> display hwtacacs server template ht authentication
--------------------------------------------------------------------------------
Template Name      : ht                                                         
Template ID        : 1                                                          
Server Type        : Authentication                                             
Server IP Address  : 10.1.1.1                                                
Server Id          : 0                                                          
Server Port        : 49                                                         
Shared Key         : -                                                          
Mux Mode           : Disable                                                    
VPN-Instance       : -                                                          
Server Status      : Active                                                     
Is Primary Server  : YES                                                        
Is Current Server  : YES                                                        
--------------------------------------------------------------------------------
# Display the configuration of common servers of the template t1.

<HUAWEI> display hwtacacs server template t1 common
--------------------------------------------------------------------------------
 Template Name      :  t1
 Template ID        :  0
 Server Type        :  Common
 Server IP Address  :  10.1.1.1
 Server Id          :  255
 Server Port        :  49
 Shared Key         :
 Mux Mode           :  Disable
 VPN-Instance       :
 Server Status      :  Active
 Is Primary Server  :  NO
 Is Current Server  :  NO
--------------------------------------------------------------------------------
Table 16-34  Description of the display hwtacacs server template template-name { authentication | common } command output

Item

Description

Template Name

HWTACACS server template name.

Template ID

HWTACACS server template ID.

Server Type

Server type. The value can be:
  • Authentication
  • Authorization
  • Accounting
  • Common

Server IP Address

Server IP address.

Server Id

Server ID.

Server Port

Server port.

Shared Key

Shared secret key.

Mux Mode

Multiplexing mode. The value can be:
  • Enable
  • Disable

VPN-Instance

Name of VPN-Instance.

Server Status

Server status. The value can be:
  • Active
  • Down

Is Primary Server

Whether the server is primary or not. The value can be:
  • Yes
  • No

Is Current Server

Whether the server is current server or not. The value can be:
  • Yes
  • No

# Display detailed statistics of authentication servers of the template ht.

<HUAWEI> display hwtacacs server template ht authentication statistics
------------------------------------------------------------------              
 TemplateID                     : 1                                             
 Server IP Address              : 10.1.1.1                                   
 VPN-Instance                   : -                                             
 Server Type                    : Authentication                                
 Authen Server Open Request No  : 0                                             
 Authen Server Close Request No : 0                                             
 Authentication Request No      : 0                                             
 Authentication Response No     : 0                                             
------------------------------------------------------------------              
Table 16-35  Description of the display hwtacacs server template template-name authentication statistics command output

Item

Description

TemplateID

HWTACACS server template ID.

Server IP Address

Server IP address.

VPN-Instance

Name of VPN-Instance.

Server Type

Server type. The value can be:
  • Authentication
  • Authorization
  • Accounting
  • Common

Authen Server Open Request No

Authentication server open request number.

Authen Server Close Request No

Authentication server close request number.

Authentication Request No

Authentication request number.

Authentication Response No

Authentication response number.

# Display detailed statistics of the template ht.

<HUAWEI> display hwtacacs server template ht verbose
---------------------------------------------------------------------
 Authentication Server Open Count         : 1
 Authentication Server Close Count        : 1
 Authentication Request Packet Count      : 1
 Authentication Response Packet Count     : 1
 Authentication Passed Count              : 1
 Authentication Failed Count              : 0
 Authentication Response Error Count      : 0
 Authentication Response Follow Count     : 0
 Authentication Response Getdata Count    : 0
 Authentication Response Getpassword Count: 0
 Authentication Response Getuser Count    : 0 
 Authentication Send Continue Count       : 0 
 Authentication Send Abort Count          : 0 
 Authentication Response Restart Count    : 0
 Authentication Malformed Response Count  : 0
 Authorization Server Open Count          : 0
 Authorization Server Close Count         : 0
 Authorization Request Packet Count       : 0
 Authorization Response Packet Count      : 0
 Authorization Malformed Response Count   : 0
 Accounting Server Open Count             : 0
 Accounting Server Close Count            : 0
 Accounting Request Packet Count          : 0
 Accounting Response Packet Count         : 0
 Accounting Response Pass Count           : 0
 Accounting Response Follow Count         : 0
 Accounting Response Error Count          : 0
 Accounting Start Packet Count            : 0
 Accounting Stop Packet Count             : 0
 Accounting Malformed Response Count      : 0  
 ---------------------------------------------------------------------
Table 16-36  Description of the display hwtacacs server template template-name verbose command output

Item

Description

Authentication Server Open Count

Authentication server open count.

Authentication Server Close Count

Authentication server close count.

Authentication Request Packet Count

Authentication request packet count.

Authentication Response Packet Count

Authentication response packet count.

Authentication Passed Count

Authentication passed count.

Authentication Failed Count

Authentication failed count.

Authentication Response Error Count

Authentication response error count.

Authentication Response Follow Count

Authentication response follow count.

Authentication Response Getdata Count

Authentication response get data count.

Authentication Response Getpassword Count

Authentication response get password count.

Authentication Response Getuser Count

Authentication response get user count.

Authentication Send Continue Count

Number of authentication continue packets sent.

Authentication Send Abort Count

Number of authentication abort packets sent.

Authentication Response Restart Count

Authentication response restart count.

Authentication Malformed Response Count

Authentication malformed response count.

Authorization Server Open Count

Authorization server open count.

Authorization Server Close Count

Authorization server close count.

Authorization Request Packet Count

Authorization request packet count.

Authorization Response Packet Count

Authorization response packet count.

Authorization Malformed Response Count

Authorization malformed response count.

Accounting Server Open Count

Accounting server open count.

Accounting Server Close Count

Accounting server close count.

Accounting Request Packet Count

Accounting request packet count.

Accounting Response Packet Count

Accounting response packet count.

Accounting Response Pass Count

Accounting passed count.

Accounting Response Follow Count

Accounting response follow count.

Accounting Response Error Count

Accounting response error count.

Accounting Start Packet Count

Accounting start packet count.

Accounting Stop Packet Count

Accounting stop packet count.

Accounting Malformed Response Count

Accounting malformed response count.
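The verbose counters are cumulative per template, so the useful signals are ratios and deltas rather than the raw numbers: a high failed-to-passed authentication ratio is what a credential-guessing run against the device looks like from the NAS side, malformed responses usually point at a shared-key mismatch or an unhealthy server, and requests without responses point at reachability or timeout problems. The following Python is an added example, not code from the Huawei document; it parses the "Name : value" lines of the verbose output and evaluates those three checks. The counter values in the sample are constructed to show a suspicious pattern and are not taken from the page; the thresholds are assumptions to be tuned per site.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of "display hwtacacs server template ht verbose";
# the values are invented to show a suspicious pattern.
VERBOSE_SAMPLE = """\
---------------------------------------------------------------------
 Authentication Server Open Count         : 240
 Authentication Server Close Count        : 240
 Authentication Request Packet Count      : 240
 Authentication Response Packet Count     : 238
 Authentication Passed Count              : 3
 Authentication Failed Count              : 235
 Authentication Response Error Count      : 0
 Authentication Malformed Response Count  : 2
 Authorization Server Open Count          : 3
 Authorization Request Packet Count       : 3
 Authorization Response Packet Count      : 3
 Authorization Malformed Response Count   : 0
 Accounting Request Packet Count          : 6
 Accounting Response Packet Count         : 6
 Accounting Malformed Response Count      : 0
 ---------------------------------------------------------------------
"""

# "Counter name : integer"; the colon may follow the name without a space
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?)\s*:\s*(?P<value>\d+)\s*$")


def parse_verbose_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value}; separator lines do not match and are skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m["name"]] = int(m["value"])
    return counters


def counter_delta(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Difference between two snapshots, so that checks can run on a polling interval."""
    return {name: value - previous.get(name, 0) for name, value in current.items()}


def audit_counters(counters: Dict[str, int], max_fail_ratio: float = 0.5,
                   min_attempts: int = 20) -> List[str]:
    """Return findings for the three checks described in the lead-in (empty list = nothing notable)."""
    findings = []
    passed = counters.get("Authentication Passed Count", 0)
    failed = counters.get("Authentication Failed Count", 0)
    attempts = passed + failed
    # Ratio check only once there are enough attempts to be meaningful (assumed threshold)
    if attempts >= min_attempts and failed / attempts > max_fail_ratio:
        findings.append(f"authentication failure ratio {failed}/{attempts} exceeds {max_fail_ratio:.0%}")
    for stype in ("Authentication", "Authorization", "Accounting"):
        malformed = counters.get(f"{stype} Malformed Response Count", 0)
        if malformed:
            findings.append(f"{malformed} malformed {stype.lower()} response(s): check shared key and server health")
        sent = counters.get(f"{stype} Request Packet Count", 0)
        received = counters.get(f"{stype} Response Packet Count", 0)
        if sent > received:
            findings.append(f"{stype}: {sent - received} request(s) without response")
    return findings


if __name__ == "__main__":
    for finding in audit_counters(parse_verbose_counters(VERBOSE_SAMPLE)):
        print(finding)
```

In practice run `audit_counters` on `counter_delta(previous, current)` from two polls rather than on the lifetime totals, otherwise an old incident keeps the ratio above threshold forever.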

hwtacacs enable

Function

The hwtacacs enable command enables Huawei Terminal Access Controller Access Control System (HWTACACS).

The undo hwtacacs enable command disables HWTACACS.

By default, HWTACACS is disabled.

Format

hwtacacs enable

undo hwtacacs enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If you need to configure HWTACACS, run the hwtacacs enable command to enable the HWTACACS protocol.

Precautions

If the undo hwtacacs enable command is run when a user is performing HWTACACS authentication, authorization, or accounting, the command does not take effect.

Example

# Disable HWTACACS.

<HUAWEI> system-view
[~HUAWEI] undo hwtacacs enable

hwtacacs server

Function

The hwtacacs server command applies an HWTACACS server template to a domain.

The undo hwtacacs server command deletes an HWTACACS server template from a domain.

By default, no HWTACACS server template is configured in a domain.

Format

hwtacacs server template-name

undo hwtacacs server

Parameters

Parameter: template-name
Description: Specifies the name of an HWTACACS server template.
Value: The HWTACACS server template must exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform HWTACACS authentication, authorization, and accounting for users in a domain, configure an HWTACACS server template in the domain. After the HWTACACS server template is configured in the domain, the configuration in the HWTACACS server template takes effect.

Prerequisites

An HWTACACS server template has been created by using the hwtacacs server template command.

Example

# Apply the HWTACACS server template template1 to the domain tacacs1.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template template1
[*HUAWEI-hwtacacs-template1] quit
[*HUAWEI] aaa
[*HUAWEI-aaa] domain tacacs1
[*HUAWEI-aaa-domain-tacacs1] hwtacacs server template1

hwtacacs server accounting

Function

The hwtacacs server accounting command configures the HWTACACS accounting server.

The undo hwtacacs server accounting command cancels the configuration of the HWTACACS accounting server.

By default, no HWTACACS accounting server is configured.

Format

hwtacacs server accounting ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * [ secondary ]

hwtacacs server accounting ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

hwtacacs server accounting host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

undo hwtacacs server accounting [ ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | mux-mode ] * [ secondary ] ]

undo hwtacacs server accounting [ ipv6-address [ port ] [ mux-mode | vpn-instance vpn-instance-name ] * [ secondary ] ]

undo hwtacacs server accounting host host-name [ port ] [ mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

Parameters

Parameter: ip-address
Description: Specifies the IP address of the HWTACACS server.
Value: The value is in dotted decimal notation. It must be a valid unicast address.

Parameter: ipv6-address
Description: Specifies the IPv6 address of the HWTACACS server.
Value: The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.

Parameter: port
Description: Specifies the port number of the HWTACACS server.
Value: It is an integer data type. The value range is from 1 to 65535. The default value is 49.

Parameter: vpn-instance vpn-instance-name
Description: Specifies the vpn-instance name. If the parameter vpn-instance is specified, the server is mapped to a VPN instance.
Value: The VPN instance must exist.

Parameter: public-net
Description: Indicates that the HWTACACS accounting server on the public network is connected.
Value: -

Parameter: shared-key key-string
Description: Specifies the shared key in plain text.
Value: The value is a string of case-sensitive characters without spaces. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. When double quotation marks are used around the string, spaces are allowed in the string.

Parameter: shared-key cipher cipher-string
Description: Specifies the shared key in encrypted text.
Value: The value is a string of case-sensitive characters without spaces. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. When double quotation marks are used around the string, spaces are allowed in the string.

Parameter: mux-mode
Description: Indicates that the HWTACACS server works in multiplex mode.
Value: -

Parameter: host host-name
Description: Specifies the host name of the server.
Value: The value is a string of 1 to 255 case-sensitive characters, without spaces. It can be any combination of letters, digits, periods (.), hyphens (-), and underlines (_), and contains at least one letter or digit.

Parameter: secondary
Description: Indicates the secondary HWTACACS server.
  • If the parameter secondary is not specified, the IP address is assigned to the primary HWTACACS accounting server.
  • If the parameter secondary is specified, the IP address is assigned to the secondary HWTACACS accounting server.
Value: -

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device does not support local accounting; therefore, you need to configure an HWTACACS accounting server to perform accounting. The device sends accounting packets to an HWTACACS accounting server only after the IP address of the HWTACACS accounting server is specified in an HWTACACS server template.

Precautions

You must specify different IP addresses for the primary and secondary HWTACACS accounting servers; otherwise, the configuration fails.

Example

# Configure the HWTACACS accounting server.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template test1
[*HUAWEI-hwtacacs-test1] hwtacacs server accounting 10.163.155.12 49

hwtacacs server authentication

Function

The hwtacacs server authentication command configures the HWTACACS authentication server.

The undo hwtacacs server authentication command cancels the configuration of the HWTACACS authentication server.

By default, no HWTACACS authentication server is configured.

Format

hwtacacs server authentication ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * [ secondary ]

hwtacacs server authentication ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

hwtacacs server authentication host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

undo hwtacacs server authentication [ ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | mux-mode ] * [ secondary ] ]

undo hwtacacs server authentication [ ipv6-address [ port ] [ mux-mode | vpn-instance vpn-instance-name ] * [ secondary ] ]

undo hwtacacs server authentication host host-name [ port ] [ mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

Parameters

Parameter: ip-address
Description: Specifies the IP address of a server.
Value: The value is in dotted decimal notation and must be a valid unicast address.

Parameter: ipv6-address
Description: Specifies the IPv6 address of the server.
Value: The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.

Parameter: port
Description: Specifies the port number of a server.
Value: It is an integer data type. The value range is from 1 to 65535. The default value is 49.

Parameter: vpn-instance vpn-instance-name
Description: Specifies the vpn-instance name.
Value: The VPN instance must exist.

Parameter: public-net
Description: Indicates that the HWTACACS authentication server on the public network is connected.
Value: -

Parameter: shared-key
Description: Specifies the shared key.
Value: -

Parameter: key-string
Description: Specifies the shared key in plain text.
Value: The value is a string of case-sensitive characters without spaces. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. When double quotation marks are used around the string, spaces are allowed in the string.

Parameter: cipher cipher-string
Description: Specifies the shared key in encrypted text.
Value: The value is a string of case-sensitive characters without spaces. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. When double quotation marks are used around the string, spaces are allowed in the string.

Parameter: mux-mode
Description: Sets the multiplexing mode for the HWTACACS server.
Value: -

Parameter: host host-name
Description: Specifies the host name of the server.
Value: The value is a string of 1 to 255 case-sensitive characters, without spaces. It can be any combination of letters, digits, periods (.), hyphens (-), and underlines (_), and contains at least one letter or digit.

Parameter: secondary
Description: Sets the secondary HWTACACS server for the template. If this parameter is not specified, the primary HWTACACS server for the template is set.
Value: -

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform HWTACACS authentication, configure an HWTACACS authentication server in an HWTACACS server template. The device sends authentication packets to an HWTACACS authentication server only after the IP address of the HWTACACS authentication server is specified in an HWTACACS server template.

When both the primary and secondary authentication servers are configured, the device sends an authentication request packet to the secondary authentication server in any of the following situations:
  • The device fails to send a request packet to the primary authentication server.
  • The primary authentication server does not return an authentication response packet.
  • The primary authentication server requires re-authentication.
  • The primary authentication server considers that the received authentication request packet is incorrect.

When HWTACACS authentication is used for management users, you are advised to configure the user locking mechanism on the HWTACACS server. If the user locking mechanism is not configured, brute force cracking may occur.

Precautions

This configuration can be modified only when the device has no TCP connection set up with the specified authentication server.

You must specify different IP addresses for the primary and secondary HWTACACS authentication servers; otherwise, the configuration fails.

Example

# Specify the IP address 10.163.155.13 for the HWTACACS authentication server.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template test1
[*HUAWEI-hwtacacs-test1] hwtacacs server authentication 10.163.155.13

hwtacacs server authorization

Function

The hwtacacs server authorization command configures the HWTACACS authorization server.

The undo hwtacacs server authorization command cancels the configuration of the HWTACACS authorization server.

By default, no HWTACACS authorization server is configured.

Format

hwtacacs server authorization ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * [ secondary ]

hwtacacs server authorization ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

hwtacacs server authorization host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

undo hwtacacs server authorization [ ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | mux-mode ] * [ secondary ] ]

undo hwtacacs server authorization [ ipv6-address [ port ] [ mux-mode | vpn-instance vpn-instance-name ] * [ secondary ] ]

undo hwtacacs server authorization host host-name [ port ] [ mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

Parameters

Parameter: ip-address
Description: Specifies the IP address of a server.
Value: The value is in dotted decimal notation and must be a valid unicast address.

Parameter: ipv6-address
Description: Specifies the IPv6 address of the server.
Value: The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.

Parameter: port
Description: Specifies the port number of a server.
Value: It is an integer data type. The value range is from 1 to 65535. The default value is 49.

Parameter: vpn-instance vpn-instance-name
Description: Specifies the vpn-instance name.
Value: The VPN instance must exist.

Parameter: public-net
Description: Indicates that the HWTACACS authorization server on the public network is connected.
Value: -

Parameter: shared-key
Description: Specifies the shared key.
Value: -

Parameter: key-string
Description: Specifies the shared key in plain text.
Value: The value is a string of case-sensitive characters without spaces. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. When double quotation marks are used around the string, spaces are allowed in the string.

Parameter: cipher cipher-string
Description: Specifies the shared key in encrypted text.
Value: The value is a string of case-sensitive characters without spaces. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. When double quotation marks are used around the string, spaces are allowed in the string.

Parameter: mux-mode
Description: Sets the multiplexing mode for the HWTACACS server.
Value: -

Parameter: host host-name
Description: Specifies the host name of the server.
Value: The value is a string of 1 to 255 case-sensitive characters, without spaces. It can be any combination of letters, digits, periods (.), hyphens (-), and underlines (_), and contains at least one letter or digit.

Parameter: secondary
Description: Sets the secondary HWTACACS server for the template. If this parameter is not specified, the primary HWTACACS server for the template is set.
Value: -

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform HWTACACS authorization, specify an HWTACACS authorization server in an HWTACACS server template. The device sends authorization packets to an HWTACACS authorization server only after the IP address of the HWTACACS authorization server is specified in an HWTACACS server template.

Precautions

The setting can be modified only when no TCP connection is set up with the specified authorization server.

You must specify different IP addresses for the primary and secondary HWTACACS authorization servers; otherwise, the configuration fails.

Example

# Specify the IP address 10.163.155.13 for the HWTACACS authorization server.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template test1
[*HUAWEI-hwtacacs-test1] hwtacacs server authorization 10.163.155.13
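The hwtacacs enable, hwtacacs server (domain view), hwtacacs server accounting, hwtacacs server authentication and hwtacacs server authorization sections above share one set of constraints: port 1 to 65535 with 49 as default, a plain-text shared key of 1 to 255 characters without spaces, host names of 1 to 255 characters from the stated character set, unicast addresses only, and different addresses for the primary and secondary server of each type. The following Python is an added example, not code from the Huawei document: it models a template as data, enforces those constraints before anything reaches the device, and renders the CLI lines in the order the page's examples use (enable, template, servers, quit, aaa, domain, binding). Class and function names are the author's own; 10.163.155.12 and 10.163.155.13 are the page's example addresses, while the secondary address 10.163.155.14, the key ExampleKey1 and the domain name tacacs1 are constructed. The cipher and public-net forms are not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Host name rule from the page: 1-255 chars of letters, digits, '.', '-', '_', at least one letter or digit
HOSTNAME_RE = re.compile(r"^(?=.*[A-Za-z0-9])[A-Za-z0-9._-]{1,255}$")


@dataclass
class HwtacacsServerEntry:
    address: str                       # IPv4 address, IPv6 address or host name
    port: int = 49                     # page default
    shared_key: Optional[str] = None   # plain-text key; the device stores it encrypted
    vpn_instance: Optional[str] = None
    mux_mode: bool = False
    secondary: bool = False

    def kind(self) -> str:
        """Classify the address as ipv4, ipv6 or host; reject non-unicast addresses."""
        try:
            ip = ipaddress.ip_address(self.address)
        except ValueError:
            return "host"
        if ip.is_multicast or ip.is_unspecified:
            raise ValueError(f"{self.address} is not a valid unicast address")
        return "ipv6" if ip.version == 6 else "ipv4"

    def validate(self) -> None:
        if not 1 <= self.port <= 65535:
            raise ValueError(f"port {self.port} is outside 1-65535")
        if self.shared_key is not None:
            if not 1 <= len(self.shared_key) <= 255:
                raise ValueError("plain-text shared key must be 1 to 255 characters")
            if " " in self.shared_key:
                raise ValueError("shared key must not contain spaces")
        if self.kind() == "host" and not HOSTNAME_RE.match(self.address):
            raise ValueError(f"invalid host name {self.address!r}")

    def render(self, role: str) -> str:
        """Render one 'hwtacacs server <role> ...' line; role 'common' renders the bare form."""
        self.validate()
        parts = ["hwtacacs server"] if role == "common" else [f"hwtacacs server {role}"]
        parts.append(f"host {self.address}" if self.kind() == "host" else self.address)
        parts.append(str(self.port))
        if self.shared_key is not None:
            parts.append(f"shared-key {self.shared_key}")
        if self.mux_mode:
            parts.append("mux-mode")
        if self.vpn_instance:
            parts.append(f"vpn-instance {self.vpn_instance}")
        if self.secondary:
            parts.append("secondary")
        return " ".join(parts)


@dataclass
class HwtacacsTemplate:
    name: str
    authentication: List[HwtacacsServerEntry] = field(default_factory=list)
    authorization: List[HwtacacsServerEntry] = field(default_factory=list)
    accounting: List[HwtacacsServerEntry] = field(default_factory=list)

    def render(self, domain: Optional[str] = None) -> List[str]:
        """Render the system-view command sequence; raises ValueError on any constraint violation."""
        lines = ["hwtacacs enable", f"hwtacacs server template {self.name}"]
        for role in ("authentication", "authorization", "accounting"):
            entries = getattr(self, role)
            primaries = {e.address for e in entries if not e.secondary}
            secondaries = {e.address for e in entries if e.secondary}
            # Precaution from the page: primary and secondary servers need different addresses
            if primaries & secondaries:
                raise ValueError(f"{role}: primary and secondary servers must use different addresses")
            lines.extend(e.render(role) for e in entries)
        lines.append("quit")
        if domain:
            lines += ["aaa", f"domain {domain}", f"hwtacacs server {self.name}"]
        return lines


def validation_error(render_callable: Callable[[], object]) -> Optional[str]:
    """Return the message a render would raise, or None if the configuration is accepted."""
    try:
        render_callable()
    except ValueError as exc:
        return str(exc)
    return None


def example_config() -> List[str]:
    # Constructed values: the secondary address, key and domain are invented for this example
    tpl = HwtacacsTemplate(
        name="test1",
        authentication=[
            HwtacacsServerEntry("10.163.155.13", shared_key="ExampleKey1"),
            HwtacacsServerEntry("10.163.155.14", shared_key="ExampleKey1", secondary=True),
        ],
        authorization=[HwtacacsServerEntry("10.163.155.13", shared_key="ExampleKey1")],
        accounting=[HwtacacsServerEntry("10.163.155.12", port=49, shared_key="ExampleKey1")],
    )
    return tpl.render(domain="tacacs1")


if __name__ == "__main__":
    print("\n".join(example_config()))
```

Keeping the check for distinct primary and secondary addresses in the generator rather than discovering it as a rejected command on the device is the point of the example: the page states the constraint, and a configuration pipeline should enforce it before pushing.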

hwtacacs server (HWTACACS server template view)

Function

The hwtacacs server command configures the HWTACACS common server for the template in the HWTACACS server template view.

The undo hwtacacs server command deletes the HWTACACS common server from the template in the HWTACACS server template view.

By default, no HWTACACS common server is configured.

Format

hwtacacs server ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * [ secondary ]

hwtacacs server ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

hwtacacs server host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

undo hwtacacs server [ ip-address [ port ] [ [ vpn-instance vpn-instance-name | public-net ] | mux-mode ] * [ secondary ] ]

undo hwtacacs server [ ipv6-address [ port ] [ { mux-mode | vpn-instance vpn-instance-name } * ] [ secondary ] ]

undo hwtacacs server host host-name [ port ] [ mux-mode | [ vpn-instance vpn-instance-name | public-net ] ] * [ secondary ]

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address of a server.

The value is in dotted decimal notation and must be a valid unicast address.

ipv6-address

Specifies the IPv6 address of a server.

The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.

port

Specifies the port number of a server.

The value is an integer ranging from 1 to 65535. The default value is 49.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance.

The VPN instance must exist.

public-net

Indicates that the HWTACACS authentication server on the public network is connected.

-

shared-key

Specifies the shared key.

-

key-string

Specifies the shared key in plain text.

The value is a string of case-sensitive characters. Spaces are not supported. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. When double quotation marks are used around the string, spaces are allowed in the string.

cipher cipher-string

Specifies the shared key in encrypted text.

The value is a string of case-sensitive characters. Spaces are not supported. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text. When double quotation marks are used around the string, spaces are allowed in the string.

mux-mode

Sets the multiplexing mode for the HWTACACS server.

When mux-mode is not specified, the channel between the device (the local AAA client) and the HWTACACS server is closed after each session completes and does not go Up again until another session request is received. When mux-mode is specified and the interval between two sessions is shorter than the configured value, the channel remains Up between sessions. If sessions are established frequently, specifying mux-mode therefore improves transmission efficiency.

-

host host-name

Specifies the host name of the server.

The value is a string of 1 to 255 case-sensitive characters, without spaces. It can be any combination of letters, digits, periods (.), hyphens (-), and underscores (_), and contains at least one letter or digit.

secondary

Sets the secondary HWTACACS server for the template. If this parameter is not specified, the server is the primary server.

-

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure the AAA servers in an HWTACACS server template, you must separately configure the IP addresses and VPN instances for the servers. Even if the AAA servers share the same IP address and VPN instance, the configuration has to be repeated three times. To simplify operations, configure a common server.

Precautions

The priority of the common server is higher than that of the AAA servers. When the common server is configured as the primary server, the configurations on the AAA servers do not take effect.

The IP addresses of the primary and the secondary servers must be different; otherwise, the server configuration fails.

Example

# Configure a common server with the IP address 10.0.0.1 in the HWTACACS server template named temp1.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template temp1
[*HUAWEI-hwtacacs-temp1] hwtacacs server 10.0.0.1

hwtacacs server shared-key

Function

The hwtacacs server shared-key command configures the shared key of an HWTACACS server.

The undo hwtacacs server shared-key command deletes the shared key of an HWTACACS server.

By default, no shared key of an HWTACACS server is configured.

Format

hwtacacs server shared-key { cipher cipher-string | key-string }

undo hwtacacs server shared-key

Parameters

Parameter

Description

Value

cipher cipher-string

Specifies the shared key in ciphertext.

The value is a string of case-sensitive characters without spaces. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text.

NOTE:
The password cannot contain the question mark (?) or space. However, when quotation marks ("") are used around the password, spaces are allowed in the password.

key-string

Specifies the shared key in plain text or ciphertext.

A shared key configured in plain text is displayed in ciphertext.

The value is a string of case-sensitive characters without spaces. The password can be a string of 1 to 255 characters in plain text or a string of 20 to 432 characters in encrypted text.

NOTE:
The password cannot contain the question mark (?) or space. However, when quotation marks ("") are used around the password, spaces are allowed in the password.

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The shared key is used to encrypt the password and generate the response authenticator.

When exchanging authentication packets with an HWTACACS server, the device uses MD5 to encrypt important data such as the password to ensure security of data transmission over the network. The device and HWTACACS server must use the same key to ensure their validity in the authentication.
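The MD5-based protection described above, as an added example that is not Huawei's code: it implements the standard TACACS+ body obfuscation from RFC 8907 section 4.5 (the assumption here is that HWTACACS follows that algorithm), showing why both ends must hold the same shared key and why this is a keyed XOR pad rather than authenticated encryption. Session ID, sequence number and sample body are constructed values.

```python
# Added example, not Huawei code: the shared-key keyed MD5 obfuscation that
# TACACS+ applies to the packet body, as specified in RFC 8907 section 4.5.
import hashlib
import struct
from typing import Tuple

# Version byte: major version 0xC in the high nibble, minor version 0 in the low nibble.
TAC_PLUS_VERSION_DEFAULT = 0xC0
# Header flag meaning "body sent in cleartext"; a hardened deployment never sets it.
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream per RFC 8907:
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes, seq_no: int,
                   version: int = TAC_PLUS_VERSION_DEFAULT) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the
    receiver calls the same function with the same key to recover the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def body_is_protected(flags: int) -> bool:
    """True unless the header flag says the body is sent unobfuscated."""
    return not (flags & TAC_PLUS_UNENCRYPTED_FLAG)


def round_trip(body: bytes, device_key: bytes, server_key: bytes,
               session_id: int = 0x5A17C0DE, seq_no: int = 1) -> Tuple[bytes, bool]:
    """Device obfuscates with its key, server de-obfuscates with its own key.
    Returns what the server sees and whether it matches the original body."""
    on_the_wire = obfuscate_body(body, session_id, device_key, seq_no)
    at_server = obfuscate_body(on_the_wire, session_id, server_key, seq_no)
    return at_server, at_server == body


if __name__ == "__main__":
    # Constructed sample: the page's example key, then a mismatched key.
    body = b"constructed authentication body"
    print("same key      ->", round_trip(body, b"Huawei@1234", b"Huawei@1234")[1])
    print("different key ->", round_trip(body, b"Huawei@1234", b"Huawei@4321")[1])
```

With a mismatched key the server recovers only garbage, which is what the shared-key requirement in the guideline above protects against; the pad provides no integrity check, so the key alone does not detect tampering.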

Precautions

For security purposes, it is recommended that the shared key contain at least two of the following character types: lowercase letters, uppercase letters, digits, and special characters, and that it be at least 6 characters long.

You can modify this configuration only when the HWTACACS server template is not in use.

Example

# Set the shared key of an HWTACACS server to Huawei@1234 in cipher text.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template template1
[*HUAWEI-hwtacacs-template1] hwtacacs server shared-key cipher Huawei@1234

hwtacacs server source-ip

Function

The hwtacacs server source-ip command configures the source IP address that the device encapsulates in HWTACACS packets to be sent to an HWTACACS server.

The undo hwtacacs server source-ip command restores the default source IP address encapsulated in HWTACACS packets.

By default, no source IP address encapsulated in HWTACACS packets is configured, and the device uses the IP address of the outbound interface as the source IP address encapsulated in HWTACACS packets.

Format

hwtacacs server source-ip ip-address

undo hwtacacs server source-ip

Parameters

Parameter

Description

Value

ip-address

Specifies an IP address.

The value is a valid unicast address in dotted decimal notation.

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

After you specify the source IP address in HWTACACS packets, the device uses this IP address to communicate with the HWTACACS server.

Example

# Specify the source IP address 10.1.1.1 in HWTACACS packets.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template template1
[*HUAWEI-hwtacacs-template1] hwtacacs server source-ip 10.1.1.1

hwtacacs server template

Function

The hwtacacs server template command creates an HWTACACS server template and enters the HWTACACS server template view.

The undo hwtacacs server template command deletes an HWTACACS server template.

By default, no HWTACACS server template is configured on the device.

Format

hwtacacs server template template-name

undo hwtacacs server template template-name

Parameters

Parameter

Description

Value

template-name

Specifies the name of an HWTACACS server template.

The value is a string of 1 to 32 characters without spaces, including case-sensitive letters, digits (0 to 9), periods (.), hyphens (-), and underscores (_).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You must create an HWTACACS server template before configuring HWTACACS authentication, authorization, and accounting. You can perform HWTACACS configurations, such as the configuration of authentication servers, authorization servers, accounting servers, and shared key, only after an HWTACACS server template is created.

Follow-up Procedure

Configure an authentication server, accounting server, and shared key in the HWTACACS server template view, and run the hwtacacs server command in the domain view to apply the HWTACACS server template.

Precautions

A maximum of 128 HWTACACS server templates can be created on the device.

You can modify an HWTACACS server template only when it is not in use.

When you run the undo hwtacacs server template command to delete an HWTACACS server template in use, a message about a deletion failure is displayed on the device.

Example

# Create an HWTACACS server template template1 and enter the HWTACACS server template view.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template template1
[*HUAWEI-hwtacacs-template1] 

hwtacacs server timer quiet

Function

The hwtacacs server timer quiet command sets the interval for the primary server to return to the active state.

The undo hwtacacs server timer quiet command restores the default interval for the primary server to return to the active state.

By default, the interval for the primary HWTACACS server to return to the active state is 5 minutes.

Format

hwtacacs server timer quiet interval

undo hwtacacs server timer quiet

Parameters

Parameter

Description

Value

interval

Specifies the interval for the primary server to return to the active state.

The value is an integer ranging from 1 to 255, in minutes.

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the primary server is unavailable, the device automatically switches services to the secondary server and sends packets to the secondary server. After the interval for the primary server to return to the active state is reached, the device attempts to establish a connection with the primary server.

  • If the primary server is still unavailable, the device continues to send packets to the secondary server until the next interval is reached. Such a process repeats.
  • If the primary server is available, the device switches services to the primary server and sends packets to the primary server.

The interval for the primary server to return to the active state ensures that services are switched back to the primary server promptly and reduces the number of detection attempts during the switchover.

The default value is recommended.

Precautions

When you run the hwtacacs server timer quiet command to change the interval for the primary server to return to the active state, the device does not check whether the HWTACACS server template is in use.

Example

# Set the interval for the primary server to return to the active state to 3 minutes.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template template1
[*HUAWEI-hwtacacs-template1] hwtacacs server timer quiet 3

hwtacacs server timer response-timeout

Function

The hwtacacs server timer response-timeout command sets the response timeout interval of an HWTACACS server.

The undo hwtacacs server timer response-timeout command restores the default response timeout interval of an HWTACACS server.

By default, the response timeout interval for an HWTACACS server is 5 seconds.

Format

hwtacacs server timer response-timeout interval

undo hwtacacs server timer response-timeout

Parameters

Parameter

Description

Value

interval

Specifies the response timeout interval of an HWTACACS server.

The value is an integer ranging from 1 to 300, in seconds.

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the device sends a request packet to an HWTACACS server, if the device does not receive a response packet in the specified timeout interval:
  • If only one HWTACACS server is configured, the device retransmits the request to this server.
  • If primary and secondary HWTACACS servers are configured, the device retransmits the request to the secondary server.
This improves reliability of HWTACACS authentication, authorization, and accounting.

The default value is recommended.
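A simulated model of how the quiet timer (hwtacacs server timer quiet) and the response timeout (hwtacacs server timer response-timeout) described above drive primary/secondary selection, as an added example that is not Huawei's code: the clock is simulated, no packets are sent, and the probe of the primary after the quiet interval is modelled as happening on the next request (a simplification; the class and scenario are constructed).

```python
# Added example, not Huawei code: a model of primary/secondary server selection
# under the quiet timer and the response timeout. Time is a simulated clock in seconds.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HwtacacsTemplateModel:
    quiet_minutes: int = 5        # hwtacacs server timer quiet (1-255 min, default 5)
    response_timeout_s: int = 5   # hwtacacs server timer response-timeout (1-300 s, default 5)
    has_secondary: bool = True    # whether a secondary server is configured
    primary_down_since: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def primary_in_quiet(self, now: float) -> bool:
        """True while the primary is being avoided after a timeout."""
        return (self.primary_down_since is not None
                and now - self.primary_down_since < self.quiet_minutes * 60)

    def handle_request(self, now: float, primary_up: bool, secondary_up: bool) -> Tuple[str, float]:
        """Return (server that answered or "none", simulated seconds spent waiting).
        On a primary timeout the request is retransmitted to the secondary if one
        exists, otherwise to the same server; a timed-out primary is retried only
        once the quiet interval has elapsed."""
        spent = 0.0
        if not self.primary_in_quiet(now):
            if primary_up:
                if self.primary_down_since is not None:
                    self.events.append(f"t={now:.0f}s primary answered, switching back")
                    self.primary_down_since = None
                return "primary", spent
            spent += self.response_timeout_s          # waited a full timeout for nothing
            if not self.has_secondary:
                spent += self.response_timeout_s      # retransmit to the only server
                return "none", spent
            self.primary_down_since = now
            self.events.append(f"t={now:.0f}s primary timed out, quiet for {self.quiet_minutes} min")
        if secondary_up:
            return "secondary", spent
        return "none", spent + self.response_timeout_s


def run_scenario() -> List[Tuple[str, float]]:
    """Constructed timeline using the page's example values: quiet 3 min, timeout 30 s."""
    t = HwtacacsTemplateModel(quiet_minutes=3, response_timeout_s=30)
    timeline = [  # (now, primary_up, secondary_up)
        (0, True, True),      # normal operation
        (10, False, True),    # primary stops answering: 30 s lost, then secondary
        (100, True, True),    # primary back, but still inside the 180 s quiet interval
        (200, True, True),    # quiet interval over: primary probed and used again
        (300, False, True),   # primary fails again
        (490, False, True),   # quiet over, primary still down: another timeout, then secondary
    ]
    return [t.handle_request(now, p, s) for now, p, s in timeline]
```

The scenario shows the cost of a short quiet interval: every expiry with the primary still down costs one full response timeout before traffic reaches the secondary again.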

Precautions

You can modify this configuration only when the HWTACACS server template is not in use.

Example

# Set the response timeout interval of an HWTACACS server to 30s.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template test1
[*HUAWEI-hwtacacs-test1] hwtacacs server timer response-timeout 30

hwtacacs server user-name domain-excluded

Function

The hwtacacs server user-name domain-excluded command configures the device not to encapsulate the domain name in the user name in HWTACACS packets to be sent to an HWTACACS server.

The undo hwtacacs server user-name domain-excluded command configures the device to encapsulate the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

By default, the device encapsulates the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

Format

hwtacacs server user-name domain-excluded

undo hwtacacs server user-name domain-excluded

Parameters

None

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The format of a user name is user name@domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %.

If the HWTACACS server does not accept the user name with the domain name, run the hwtacacs server user-name domain-excluded command to delete the domain name from the user name.

Precautions

You can modify this configuration only when the HWTACACS server template is not in use.

Example

# Configure the device to encapsulate the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

<HUAWEI> system-view
[~HUAWEI] hwtacacs server template template1
[*HUAWEI-hwtacacs-template1] undo hwtacacs server user-name domain-excluded

hwtacacs-user change-password hwtacacs server

Function

The hwtacacs-user change-password hwtacacs server command enables the device to change the passwords saved on the HWTACACS server.

Format

hwtacacs-user change-password hwtacacs server template-name

Parameters

Parameter

Description

Value

template-name

Specifies the name of an HWTACACS server template.

The HWTACACS server template must exist.

Views

User view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

To change the password saved on the HWTACACS server, users can run the hwtacacs-user change-password hwtacacs server command on the device. You do not need to change the configuration on the HWTACACS server.

Precautions

  • This command applies only to users who are HWTACACS authenticated, and the HWTACACS server template must be configured.

  • Users can run this command to change their passwords only when the user names and passwords saved on the HWTACACS server have not expired. When a user whose password has expired logs in to the device, the HWTACACS server does not allow the user to change the password and displays a message indicating that the authentication fails.

  • The system wait period is 30 seconds. If the HWTACACS server does not receive the user name, new password, or confirmed password from the user within this period, it terminates the password change process.

  • Users can also press Ctrl+C to cancel the password change.

  • HWTACACS users who pass AAA authentication can use the hwtacacs-user change-password hwtacacs server command to change their passwords before the passwords expire. A user who needs to run this command to change the passwords of other users must have the system rights.

Example

# Enable the user that passes HWTACACS authentication to change the password.

<HUAWEI> hwtacacs-user change-password hwtacacs server huawei
Info: EXEC is in an interactive process, please wait...
Username:cj@huawei
Old Password:
New Password:
Re-enter New password:
Info: The password has been changed successfully.

reset hwtacacs server statistics

Function

The reset hwtacacs server statistics command clears the statistics on HWTACACS authentication, accounting, and authorization.

Format

reset hwtacacs server statistics { accounting | all | authentication | authorization | common }

Parameters

Parameter

Description

Value

accounting

Clears the statistics on HWTACACS accounting.

-

all

Clears all the statistics.

-

authentication

Clears the statistics on HWTACACS authentication.

-

authorization

Clears the statistics on HWTACACS authorization.

-

common

Clears the statistics on the HWTACACS common server.

-

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Before collecting the statistics on HWTACACS authentication, accounting, and authorization in a specified period of time, run the reset hwtacacs server statistics command to clear the existing statistics. Run the display hwtacacs server template template-name verbose command to view the statistics on HWTACACS authentication, accounting, and authorization.

Precautions

The cleared statistics cannot be restored. Exercise caution when you run the command.

Example

# Clear all the statistics.

<HUAWEI> reset hwtacacs server statistics all
Updated: 2019-03-21

Document ID: EDOC1000166501
