S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
HWTACACS Configuration Commands


Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

display hwtacacs-server accounting-stop-packet

Function

The display hwtacacs-server accounting-stop-packet command displays information about Accounting-Stop packets sent by an HWTACACS server.

Format

display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }

Parameters

all
  Description: Displays information about all Accounting-Stop packets.
  Value: -

number
  Description: Displays information about Accounting-Stop packets starting from a specified number.
  Value: The value is an integer that ranges from 1 to 65535.

ip ip-address
  Description: Displays information about Accounting-Stop packets sent by the HWTACACS server with a specified IP address.
  Value: The value is in dotted decimal notation.

Views

All views

Default Level

3: Management level

Usage Guidelines

During HWTACACS troubleshooting, you can run this command to check information about Accounting-Stop packets sent by the HWTACACS server.

Example

# Display information about all Accounting-Stop packets.

<HUAWEI> display hwtacacs-server accounting-stop-packet all
-------------------------------------------------------------
NO. SendTime      IP Address                         Template
1   10            192.168.1.110                      tac
-------------------------------------------------------------
Whole accounting stop packet to resend:1
Table 13-36  Description of the display hwtacacs-server accounting-stop-packet command output

Item

Description

NO.

Number of the Accounting-Stop packet.

SendTime

Number of times that Accounting-Stop packets are sent.

IP Address

IP address of the HWTACACS server.

Template

Name of the HWTACACS server template.

Whole accounting stop packet to resend

Total number of Accounting-Stop packets sent by a device.

display hwtacacs-server template

Function

The display hwtacacs-server template command displays the configurations of an HWTACACS server template.

Format

display hwtacacs-server template [ template-name ]

Parameters

template-name
  Description: Specifies the name of an HWTACACS server template.
  Value: The HWTACACS server template must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

The display hwtacacs-server template command output helps you check the configuration of HWTACACS server templates and isolate faults.

Example

# Display the configuration of the HWTACACS server template template0.

<HUAWEI> display hwtacacs-server template template0
  ---------------------------------------------------------------------------
  HWTACACS-server template name   : template0
  Primary-authentication-server   : 10.7.66.66:49 Vrf:- Status:UP
  Primary-authorization-server    : 10.7.66.66:49 Vrf:- Status:UP
  Primary-accounting-server       : 10.7.66.66:49 Vrf:- Status:UP
  Secondary-authentication-server : 10.7.66.67:49 Vrf:- Status:UP
  Secondary-authorization-server  : 10.7.66.67:49 Vrf:- Status:UP
  Secondary-accounting-server     : 10.7.66.67:49 Vrf:- Status:UP
  Third-authentication-server     : -:0 Vrf:- Status:-
  Third-authorization-server      : -:0 Vrf:- Status:-
  Third-accounting-server         : -:0 Vrf:- Status:-
  Current-authentication-server   : 10.7.66.66:49 Vrf:- Status:UP
  Current-authorization-server    : 10.7.66.66:49 Vrf:- Status:UP
  Current-accounting-server       : 10.7.66.66:49 Vrf:- Status:UP
  Source-IP-address               : -
  Source-LoopBack                 : -
  Shared-key                      : ****************
  Quiet-interval(min)             : 5
  Response-timeout-Interval(sec)  : 5
  Domain-included                 : Original
  Traffic-unit                    : B
  ---------------------------------------------------------------------------
Table 13-37  Description of the display hwtacacs-server template command output

Item

Description

HWTACACS-server template name

Name of the HWTACACS server template.

Primary-authentication-server

IP address, port number, VPN instance, and status of the primary authentication server.

Primary-authorization-server

IP address, port number, VPN instance, and status of the primary authorization server.

Primary-accounting-server

IP address, port number, VPN instance, and status of the primary accounting server.

Secondary-authentication-server

IP address, port number, VPN instance, and status of the second authentication server.

Secondary-authorization-server

IP address, port number, VPN instance, and status of the second authorization server.

Secondary-accounting-server

IP address, port number, VPN instance, and status of the second accounting server.

Third-authentication-server

IP address, port number, VPN instance, and status of the third authentication server.

Third-authorization-server

IP address, port number, VPN instance, and status of the third authorization server.

Third-accounting-server

IP address, port number, VPN instance, and status of the third accounting server.

Current-authentication-server

IP address, port number, VPN instance, and status of the authentication server in use.

Current-authorization-server

IP address, port number, VPN instance, and status of the authorization server in use.

Current-accounting-server

IP address, port number, VPN instance, and status of the accounting server in use.

Source-IP-address

Source IP address for communication between the device and the HWTACACS server.

Source-LoopBack

Number of the loopback interface. The IP address of the loopback interface is used as the source IP address for communication between the device and the HWTACACS server.

Shared-key

Shared key of the HWTACACS server.

Quiet-interval(min)

Interval for the primary server to return to the active state, in minutes.

Response-timeout-Interval(sec)

Response timeout interval of the HWTACACS server, in seconds.

Domain-included

Whether the user name contains an authentication domain name.

  • Yes: The user name contains the domain name.
  • No: The user name does not contain the domain name.
  • Original: The device does not modify the user name entered by the user.

Traffic-unit

Traffic unit used by the HWTACACS server, in bytes.
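The fields listed above are what an operator checks when validating a template on a live device. The script below is an added example, not part of the Huawei reference: it parses the text of the display hwtacacs-server template command into a dictionary and reports conditions worth flagging in a configuration audit, namely a missing primary or secondary server for any of the three roles (no failover), a configured server whose Status is anything other than UP, and a template with neither Source-IP-address nor Source-LoopBack set. The sample output is constructed to resemble the page's example; the DOWN status value used in the sample and the function names parse_template, parse_server and audit_template are the example's own assumptions.

```python
import re

# Constructed sample modelled on the page's example output (not captured from a device):
# one secondary server is DOWN and one secondary slot is unconfigured.
SAMPLE_TEMPLATE_OUTPUT = """\
  ---------------------------------------------------------------------------
  HWTACACS-server template name   : template0
  Primary-authentication-server   : 10.7.66.66:49 Vrf:- Status:UP
  Primary-authorization-server    : 10.7.66.66:49 Vrf:- Status:UP
  Primary-accounting-server       : 10.7.66.66:49 Vrf:- Status:UP
  Secondary-authentication-server : 10.7.66.67:49 Vrf:- Status:DOWN
  Secondary-authorization-server  : -:0 Vrf:- Status:-
  Secondary-accounting-server     : 10.7.66.67:49 Vrf:- Status:UP
  Third-authentication-server     : -:0 Vrf:- Status:-
  Third-authorization-server      : -:0 Vrf:- Status:-
  Third-accounting-server         : -:0 Vrf:- Status:-
  Current-authentication-server   : 10.7.66.66:49 Vrf:- Status:UP
  Current-authorization-server    : 10.7.66.66:49 Vrf:- Status:UP
  Current-accounting-server       : 10.7.66.66:49 Vrf:- Status:UP
  Source-IP-address               : -
  Source-LoopBack                 : -
  Shared-key                      : ****************
  Quiet-interval(min)             : 5
  Response-timeout-Interval(sec)  : 5
  Domain-included                 : Original
  Traffic-unit                    : B
  ---------------------------------------------------------------------------
"""

ROLES = ("authentication", "authorization", "accounting")
TIERS = ("Primary", "Secondary", "Third")

# "ip:port Vrf:<vpn> Status:<state>"; an unconfigured slot shows as "-:0 Vrf:- Status:-"
SERVER_RE = re.compile(r"^(?P<ip>\S+):(?P<port>\d+)\s+Vrf:(?P<vrf>\S+)\s+Status:(?P<status>\S+)$")


def parse_template(text):
    """Split each 'Item : value' line on the first colon; skip the dashed borders."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.strip().startswith("-"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_server(value):
    """Return {ip, port, vrf, status} for a server field, or None for an unconfigured slot."""
    m = SERVER_RE.match(value)
    if not m or m.group("ip") == "-":
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port")),
            "vrf": m.group("vrf"), "status": m.group("status")}


def audit_template(text):
    """Return (parsed fields, list of human-readable findings)."""
    fields = parse_template(text)
    findings = []
    for role in ROLES:
        servers = {tier: parse_server(fields.get(f"{tier}-{role}-server", "")) for tier in TIERS}
        if servers["Primary"] is None:
            findings.append(f"no primary {role} server configured")
        if servers["Secondary"] is None:
            findings.append(f"no secondary {role} server configured (no failover)")
        for tier, srv in servers.items():
            if srv is not None and srv["status"] != "UP":
                findings.append(f"{tier.lower()} {role} server {srv['ip']}:{srv['port']} status {srv['status']}")
    if fields.get("Source-IP-address") == "-" and fields.get("Source-LoopBack") == "-":
        findings.append("source address not pinned (Source-IP-address and Source-LoopBack unset)")
    return fields, findings


if __name__ == "__main__":
    parsed, problems = audit_template(SAMPLE_TEMPLATE_OUTPUT)
    print(f"template {parsed['HWTACACS-server template name']}: {len(problems)} finding(s)")
    for p in problems:
        print(" -", p)
```

Feed the function the captured command output (for example from an SSH session) instead of the constructed sample; the Shared-key field is masked in the output, so key strength cannot be audited this way and has to be checked on the server side.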

display hwtacacs-server template verbose

Function

The display hwtacacs-server template verbose command displays statistics on HWTACACS authentication, accounting, and authorization.

Format

display hwtacacs-server template template-name verbose

Parameters

template-name
  Description: Specifies the name of an HWTACACS server template.
  Value: The HWTACACS server template must exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By viewing statistics on HWTACACS authentication, accounting, and authorization, administrators can better understand the interaction between modules, facilitating fault locating and troubleshooting.

You can run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to delete statistics on HWTACACS authentication, accounting, and authorization.

Precautions

In the HWTACACS server template, you can query the relevant statistics only after the IP address of the authentication server, the IP address of the authorization server, or the IP address of the accounting server is configured.

Example

# Display statistics on HWTACACS authentication, accounting, and authorization in the HWTACACS server template test1.

[HUAWEI] display hwtacacs-server template test1 verbose
---[HWTACACS template test1 primary authentication]---
HWTACACS server open number: 1670281960
HWTACACS server close number: 508333868
HWTACACS authen client access request packet number: 0
HWTACACS authen client access response packet number: 0
HWTACACS authen client unknown type number: 0
HWTACACS authen client timeout number: 0
HWTACACS authen client packet dropped number: 0
HWTACACS authen client access request change password number: 0
HWTACACS authen client access request login number: 0
HWTACACS authen client access request send authentication number: 0
HWTACACS authen client access request send password number: 0
HWTACACS authen client access connect abort number: 0
HWTACACS authen client access connect packet number: 0
HWTACACS authen client access response error number: 0
HWTACACS authen client access response failure number: 0
HWTACACS authen client access response follow number: 0
HWTACACS authen client access response getdata number: 0
HWTACACS authen client access response getpassword number: 0
HWTACACS authen client access response getuser number: 0
HWTACACS authen client access response pass number: 0
HWTACACS authen client access response restart number: 0
HWTACACS authen client malformed access response number: 0
HWTACACS authen client round trip time(s): 0
---[HWTACACS template test1 primary authorization]---
HWTACACS server open number: 1670281960
HWTACACS server close number: 508333868
HWTACACS author client request packet number: 0
HWTACACS author client response packet number: 0
HWTACACS author client timeout number: 0
HWTACACS author client packet dropped number: 0
HWTACACS author client unknown type number: 0
HWTACACS author client request EXEC number: 0
HWTACACS author client request PPP number: 0
HWTACACS author client request VPDN number: 0
HWTACACS author client response error number: 0
HWTACACS author client response EXEC number: 0
HWTACACS author client response PPP number: 0
HWTACACS author client response VPDN number: 0
HWTACACS author client round trip time(s): 0
---[HWTACACS template test1 primary accounting]---
HWTACACS server open number: 1670281960
HWTACACS server close number: 508333868
HWTACACS account client request packet number: 0
HWTACACS account client response packet number: 0
HWTACACS account client unknown type number: 0
HWTACACS account client timeout number: 0
HWTACACS account client packet dropped number: 0
HWTACACS account client request command level number: 0
HWTACACS account client request connection number: 0
HWTACACS account client request EXEC number: 0
HWTACACS account client request network number: 0
HWTACACS account client request system event number: 0
HWTACACS account client request update number: 0
HWTACACS account client response error number: 0
HWTACACS account client round trip time(s): 0
Table 13-38  Description of the display hwtacacs-server template verbose command output

Item

Description

HWTACACS template test1 primary authentication

Statistics on the primary authentication server in the HWTACACS server template test1. If the secondary and third authentication servers are configured, the relevant statistics are also displayed, including:

  • HWTACACS server open number: Number of times that the socket connection of the HWTACACS server is set up
  • HWTACACS server close number: Number of times that the socket connection of the HWTACACS server is disconnected
  • HWTACACS authen client access request packet number: Number of HWTACACS client authentication request packets
  • HWTACACS authen client access response packet number: Number of HWTACACS client authentication response packets
  • HWTACACS authen client unknown type number: Number of unknown HWTACACS client authentication messages
  • HWTACACS authen client timeout number: Number of HWTACACS client authentication timeouts
  • HWTACACS authen client packet dropped number: Number of times that HWTACACS client authentication packets are dropped
  • HWTACACS authen client access request change password number: Number of password change requests from an HWTACACS client
  • HWTACACS authen client access request login number: Number of HWTACACS client login requests
  • HWTACACS authen client access request send authentication number: Number of authentication requests sent by an HWTACACS client
  • HWTACACS authen client access request send password number: Number of times that an HWTACACS client sends passwords
  • HWTACACS authen client access connect abort number: Number of connection-stop packets sent by an HWTACACS client
  • HWTACACS authen client access connect packet number: Number of continuous packets sent by an HWTACACS client
  • HWTACACS authen client access response error number: Number of error packets received by an HWTACACS client
  • HWTACACS authen client access response failure number: Number of authentication failure packets received by an HWTACACS client
  • HWTACACS authen client access response follow number: Number of packets that an HWTACACS client receives from the server for re-authentication
  • HWTACACS authen client access response getdata number: Number of packets that an HWTACACS client receives from the server for user information
  • HWTACACS authen client access response getpassword number: Number of packets that an HWTACACS client receives from the server for user password
  • HWTACACS authen client access response getuser number: Number of packets that an HWTACACS client receives from the server for user name
  • HWTACACS authen client access response pass number: Number of authentication success packets received by an HWTACACS client
  • HWTACACS authen client access response restart number: Number of authentication restart packets that an HWTACACS client receives from the server
  • HWTACACS authen client malformed access response number: Number of invalid response packets received by an HWTACACS client
  • HWTACACS authen client round trip time(s): Last authentication response time of the HWTACACS server
HWTACACS template test1 primary authorization

Statistics on the primary authorization server in the HWTACACS server template test1. If the secondary and third authorization servers are configured, the relevant statistics are also displayed, including:

  • HWTACACS server open number: Number of times that the socket connection of the HWTACACS server is set up
  • HWTACACS server close number: Number of times that the socket connection of the HWTACACS server is disconnected
  • HWTACACS author client request packet number: Number of HWTACACS client authorization request packets
  • HWTACACS author client response packet number: Number of HWTACACS client authorization response packets
  • HWTACACS author client timeout number: Number of HWTACACS client authorization timeouts
  • HWTACACS author client packet dropped number: Number of times that HWTACACS client authorization packets are dropped
  • HWTACACS author client unknown type number: Number of unknown authorization packets on an HWTACACS client
  • HWTACACS author client request EXEC number: Number of EXEC user request packets authorized by an HWTACACS client
  • HWTACACS author client request PPP number: Number of PPP user request packets authorized by an HWTACACS client
  • HWTACACS author client request VPDN number: Number of VPDN user request packets authorized by an HWTACACS client
  • HWTACACS author client response error number: Number of error authorization response packets received by an HWTACACS client
  • HWTACACS author client response EXEC number: Number of authorized EXEC user response packets received by an HWTACACS client
  • HWTACACS author client response PPP number: Number of authorized PPP user response packets received by an HWTACACS client
  • HWTACACS author client response VPDN number: Number of authorized VPDN user response packets received by an HWTACACS client
  • HWTACACS author client round trip time(s): Last authorization response time of the HWTACACS server
HWTACACS template test1 primary accounting

Statistics on the primary accounting server in the HWTACACS server template test1. If the secondary and third accounting servers are configured, the relevant statistics are also displayed, including:

  • HWTACACS server open number: Number of times that the socket connection of the HWTACACS server is set up
  • HWTACACS server close number: Number of times that the socket connection of the HWTACACS server is disconnected
  • HWTACACS account client request packet number: Number of HWTACACS client accounting request packets
  • HWTACACS account client response packet number: Number of HWTACACS client accounting response packets
  • HWTACACS account client unknown type number: Number of unknown HWTACACS client accounting packets
  • HWTACACS account client timeout number: Number of HWTACACS client accounting timeouts
  • HWTACACS account client packet dropped number: Number of times that HWTACACS client accounting packets are dropped
  • HWTACACS account client request command level number: Number of HWTACACS client accounting requests for command line packets
  • HWTACACS account client request connection number: Number of HWTACACS client accounting requests for connection
  • HWTACACS account client request EXEC number: Number of HWTACACS client accounting requests for EXEC packets
  • HWTACACS account client request network number: Number of HWTACACS client accounting requests for Network packets
  • HWTACACS account client request system event number: Number of HWTACACS client accounting requests for system event packets
  • HWTACACS account client request update number: Number of HWTACACS client accounting requests for update packets
  • HWTACACS account client response error number: Number of HWTACACS client accounting requests for error packets
  • HWTACACS account client round trip time(s): Response time of the last accounting packet of the HWTACACS server
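The counters above are the raw material for monitoring an HWTACACS deployment: timeouts, dropped or malformed packets and response errors should stay at zero on a healthy server, and a rising authentication failure count relative to requests is worth an alert regardless of whether the cause is a shared-key mismatch or failed logins. The following script is an added example, not Huawei's code: it parses the verbose output into per-section counters and reports the counters that deviate. The sample output is constructed (a trimmed copy of the page's format with nonzero values injected), and the function names parse_verbose and check_counters and the 10 % failure-ratio threshold are the example's own assumptions.

```python
import re

# Constructed sample modelled on the page's verbose output (not captured from a device),
# trimmed to a few counters and with nonzero failure counters injected for the demonstration.
SAMPLE_VERBOSE_OUTPUT = """\
---[HWTACACS template test1 primary authentication]---
HWTACACS server open number: 120
HWTACACS server close number: 118
HWTACACS authen client access request packet number: 200
HWTACACS authen client access response packet number: 190
HWTACACS authen client timeout number: 10
HWTACACS authen client access response failure number: 37
HWTACACS authen client malformed access response number: 2
HWTACACS authen client round trip time(s): 0
---[HWTACACS template test1 primary authorization]---
HWTACACS server open number: 120
HWTACACS server close number: 118
HWTACACS author client request packet number: 150
HWTACACS author client response packet number: 150
HWTACACS author client timeout number: 0
HWTACACS author client response error number: 0
---[HWTACACS template test1 primary accounting]---
HWTACACS account client request packet number: 80
HWTACACS account client response packet number: 80
HWTACACS account client timeout number: 0
"""

# Section header: ---[HWTACACS template <name> <tier> <role>]---
SECTION_RE = re.compile(r"^---\[HWTACACS template (\S+) (\S+) (\S+)\]---$")

# Counter-name suffixes that stay at zero on a healthy server; a nonzero value means
# lost, timed-out, rejected or unparseable packets between device and server.
WATCH_SUFFIXES = (
    "timeout number",
    "packet dropped number",
    "unknown type number",
    "malformed access response number",
    "response error number",
)


def parse_verbose(text):
    """Parse the verbose output into {(template, tier, role): {counter_name: int}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()  # the real output pads every line with trailing spaces
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), m.group(3))
            sections[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        name, _, value = line.rpartition(":")  # counter names contain no colon
        if value.strip().isdigit():
            sections[current][name.strip()] = int(value)
    return sections


def check_counters(sections, failure_ratio_limit=0.10):
    """Return findings for nonzero error counters and a high authentication failure ratio."""
    findings = []
    for (template, tier, role), counters in sections.items():
        label = f"{template} {tier} {role}"
        for name, value in counters.items():
            if value > 0 and name.endswith(WATCH_SUFFIXES):
                findings.append(f"{label}: {name} = {value}")
        if role == "authentication":
            requests = counters.get("HWTACACS authen client access request packet number", 0)
            failures = counters.get("HWTACACS authen client access response failure number", 0)
            if requests and failures / requests > failure_ratio_limit:
                findings.append(f"{label}: {failures}/{requests} authentication requests failed")
    return findings


if __name__ == "__main__":
    for finding in check_counters(parse_verbose(SAMPLE_VERBOSE_OUTPUT)):
        print(finding)
```

Because the counters are cumulative, a monitoring job should store the previous snapshot and alert on the delta between runs (or after a reset hwtacacs-server statistics all) rather than on the absolute values shown here.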

hwtacacs enable

Function

The hwtacacs enable command enables Huawei Terminal Access Controller Access Control System (HWTACACS).

The undo hwtacacs enable command disables HWTACACS.

By default, HWTACACS is enabled.

Format

hwtacacs enable

undo hwtacacs enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To use HWTACACS authentication, authorization, or accounting, run the hwtacacs enable command to enable the HWTACACS function.

Precautions

If the undo hwtacacs enable command is run when a user is performing HWTACACS authentication, authorization, or accounting, the command does not take effect.

Example

# Disable HWTACACS.

<HUAWEI> system-view
[HUAWEI] undo hwtacacs enable

hwtacacs-server

Function

The hwtacacs-server command applies an HWTACACS server template to a domain.

The undo hwtacacs-server command deletes an HWTACACS server template from a domain.

By default, no HWTACACS server template is applied to a domain.

Format

hwtacacs-server template-name

undo hwtacacs-server

Parameters

template-name
  Description: Specifies the name of an HWTACACS server template.
  Value: The HWTACACS server template must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform HWTACACS authentication, authorization, and accounting for users in a domain, configure an HWTACACS server template in the domain. After the HWTACACS server template is configured in the domain, the configuration in the HWTACACS server template takes effect.

Prerequisites

An HWTACACS server template has been created by using the hwtacacs-server template command.

Example

# Apply the HWTACACS server template tacacs1 to the domain tacacs1.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template tacacs1
[HUAWEI-hwtacacs-tacacs1] quit
[HUAWEI] aaa
[HUAWEI-aaa] domain tacacs1
[HUAWEI-aaa-domain-tacacs1] hwtacacs-server tacacs1

hwtacacs-server accounting

Function

The hwtacacs-server accounting command configures an HWTACACS accounting server.

The undo hwtacacs-server accounting command cancels the configuration.

By default, no HWTACACS accounting server is configured.

Format

hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ]

undo hwtacacs-server accounting [ secondary | third ]

Parameters

ip-address
  Description: Specifies the IP address of an HWTACACS accounting server.
  Value: The value is a valid unicast address in dotted decimal notation.

port
  Description: Specifies the port number of an HWTACACS accounting server.
  Value: The value is an integer that ranges from 1 to 65535. The default value is 49.

public-net
  Description: Indicates that the HWTACACS accounting server is connected to the public network.
  Value: -

vpn-instance vpn-instance-name
  Description: Specifies the name of a VPN instance that the HWTACACS accounting server is bound to.
  Value: The value must be an existing VPN instance name.

secondary
  Description: Configures the second HWTACACS accounting server as the standby server. If secondary or third is not specified in the command, the primary HWTACACS accounting server is specified.
  Value: -

third
  Description: Configures the third HWTACACS accounting server as the standby server. If secondary or third is not specified in the command, the primary HWTACACS accounting server is configured.
  Value: -

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device does not support local accounting; therefore, you need to configure an HWTACACS accounting server to perform accounting. The device sends accounting packets to an HWTACACS accounting server only after the accounting server is specified in an HWTACACS server template.

Precautions

  • You can modify this configuration only when the device has not set up a TCP connection with the specified accounting server.

  • The IP addresses of the primary and secondary servers must be different. Otherwise, the server configuration fails.

  • If the command is run multiple times in the same HWTACACS server template to configure servers of the same type (for example, all primary servers), only the latest configuration takes effect.

Example

# Configure the primary HWTACACS accounting server.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server accounting 10.163.155.12 52

hwtacacs-server accounting-stop-packet resend

Function

The hwtacacs-server accounting-stop-packet resend command enables or disables retransmission of accounting-stop packets and sets the number of accounting-stop packets that can be retransmitted each time.

By default, 100 accounting-stop packets can be retransmitted each time.

Format

hwtacacs-server accounting-stop-packet resend { disable | enable number }

Parameters

disable
  Description: Disables the retransmission of accounting-stop packets.
  Value: -

enable number
  Description: Enables the retransmission of accounting-stop packets and specifies the number of packets that can be retransmitted each time.
  Value: The value is an integer that ranges from 1 to 300.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a user goes offline, the device sends an accounting-stop packet to an accounting server. After the accounting server receives the accounting-stop packet, it stops accounting for the user. If the accounting server does not receive the accounting-stop packet because of network faults, it continues to perform accounting for the user. As a result, the user is charged incorrectly. To solve this problem, configure the device to send accounting-stop packets multiple times.

Precautions

  • If disable is configured, an accounting-stop packet is transmitted only once even when packet transmission fails.
  • If enable number is configured, number specifies the number of accounting-stop packets that can be retransmitted each time when the device does not receive any response packet from the HWTACACS server or fails to receive the response packet.

Example

# Enable the retransmission of accounting-stop packets and set the number of accounting-stop packets that can be retransmitted each time to 50.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server accounting-stop-packet resend enable 50

hwtacacs-server authentication

Function

The hwtacacs-server authentication command configures the HWTACACS authentication server.

The undo hwtacacs-server authentication command deletes configurations of the HWTACACS authentication server.

By default, no HWTACACS authentication server is configured.

Format

hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ]

undo hwtacacs-server authentication [ secondary | third ]

Parameters

ip-address
  Description: Specifies the IP address of an HWTACACS authentication server.
  Value: The value is a valid unicast address in dotted decimal notation.

port
  Description: Specifies the port number of an HWTACACS authentication server.
  Value: The value is an integer that ranges from 1 to 65535. The default value is 49.

public-net
  Description: Indicates that the HWTACACS authentication server is connected to the public network.
  Value: -

vpn-instance vpn-instance-name
  Description: Specifies the name of a VPN instance that the HWTACACS accounting server is bound to.
  Value: The value must be an existing VPN instance name.

secondary
  Description: Configures the second HWTACACS authentication server as the standby server. If secondary or third is not specified in the command, the primary HWTACACS authentication server is specified.
  Value: -

third
  Description: Configures the third HWTACACS authentication server as the standby server. If the secondary and third parameters are not specified, the primary HWTACACS authentication server is configured.
  Value: -

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authenticate users in HWTACACS mode, you must configure the HWTACACS authentication server. When both the primary and secondary authentication servers are configured, the device sends an authentication request packet to the secondary authentication server in any of the following situations:

  • The device fails to send a request packet to the primary authentication server.
  • The device does not receive any authentication response packet from the primary server.
  • The primary authentication server requires re-authentication.
  • The primary authentication server considers that the received authentication request packet is incorrect.

Precautions

  • You can modify this configuration only when device does not set up TCP connection with the specified accounting server.

  • The IP addresses of the primary and secondary servers must be different. Otherwise, the server configuration fails.

  • If the command is run multiple times in the same HWTACACS server template to configure servers of the same type (for example, all primary servers), only the latest configuration takes effect.

Example

# Configure the primary HWTACACS authentication server.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server authentication 10.163.155.12 49

hwtacacs-server authorization

Function

The hwtacacs-server authorization command configures the HWTACACS authorization server.

The undo hwtacacs-server authorization command deletes configurations of the HWTACACS authorization server.

By default, no HWTACACS authorization server is configured.

Format

hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ]

undo hwtacacs-server authorization [ secondary | third ]

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address of an HWTACACS authorization server.

The value is a valid unicast address in dotted decimal notation.

port

Specifies the port number of an HWTACACS authorization server.

The value is an integer that ranges from 1 to 65535. The default value is 49.

public-net

Indicates that the HWTACACS authorization server is connected to the public network.

-

vpn-instance vpn-instance-name

Specifies the name of a VPN instance that the HWTACACS authorization server is bound to.

The value must be an existing VPN instance name.

secondary

Configures the second HWTACACS authorization server, which acts as a standby server. If neither secondary nor third is specified, the command configures the primary HWTACACS authorization server.

-

third

Configures the third HWTACACS authorization server, which acts as a standby server. If neither secondary nor third is specified, the command configures the primary HWTACACS authorization server.

-

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authorize users in HWTACACS mode, you must configure the HWTACACS authorization server.

Precautions

  • You can modify this configuration only when the device has not set up a TCP connection with the specified authorization server.

  • The IP addresses of the primary and secondary servers must be different. Otherwise, the server configuration fails.

  • If the command is run multiple times in the same HWTACACS server template to configure servers of the same type (for example, all primary servers), only the latest configuration takes effect.

Example

# Configure the primary HWTACACS authorization server.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server authorization 10.163.155.12 49

hwtacacs-server shared-key

Function

The hwtacacs-server shared-key command sets a shared key for an HWTACACS server.

The undo hwtacacs-server shared-key command cancels the configuration.

By default, the HWTACACS server is not configured with any shared key.

Format

hwtacacs-server shared-key cipher key-string

undo hwtacacs-server shared-key

Parameters

Parameter

Description

Value

cipher

Indicates that the shared key is stored in cipher text.

-

key-string

Specifies the shared key.

The value is a case-sensitive string that contains no question marks (?) or spaces. The key is stored as cipher text regardless of whether the cipher keyword is specified. The key-string can be plain text of 1 to 255 characters or cipher text of 20 to 392 characters.

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The shared key is used to encrypt the password and to generate the response authenticator.

When exchanging authentication packets with an HWTACACS server, the device uses MD5 together with the shared key to encrypt sensitive data such as the password, protecting it in transit over the network. The device and the HWTACACS server must be configured with the same key; otherwise they cannot validate each other's packets and authentication fails.

Precautions

To improve security, it is recommended that the shared key be at least 6 characters long and contain at least two of the following character types: lower-case letters, upper-case letters, digits, and special characters.

You can modify this configuration only when the HWTACACS server template is not in use.

Example

# Set the shared key of the HWTACACS server to Admin@123.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server shared-key cipher Admin@123
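The usage guidelines above describe the shared key only in outline: MD5 plus the key protects the packet body, and both ends must hold the same key. The following added example (written for this page; it is not Huawei code and not part of the command reference) shows the mechanism concretely, assuming that HWTACACS uses the standard TACACS+ body obfuscation of RFC 8907 section 4.5: a pseudo-pad is built by chaining MD5 over session_id, key, version and seq_no, and the body is XORed with it. The header layout, version byte 0xC0 and packet type 0x01 are standard TACACS+ values, not taken from this page. The policy check implements the constraints and the recommendation stated in the Parameters and Precautions sections. The sample body, session id and key are constructed for the demonstration.

```python
import hashlib
import struct

# Assumed constants (standard TACACS+ values, RFC 8907); they are not taken from the page.
TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in clear (never in production)
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def shared_key_meets_policy(key: str) -> bool:
    """Check a candidate key against the rules stated on this page: no '?' or spaces,
    1 to 255 characters as plain text, and (recommended) at least 6 characters drawn
    from at least two of: lower case, upper case, digits, special characters."""
    if not 1 <= len(key) <= 255 or "?" in key or " " in key:
        return False                      # the command itself rejects these
    classes = (
        any(c.islower() for c in key),
        any(c.isupper() for c in key),
        any(c.isdigit() for c in key),
        any(not c.isalnum() for c in key),
    )
    return len(key) >= 6 and sum(classes) >= 2


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call
    recovers the plaintext when, and only when, the same key is supplied."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    """Assemble header + obfuscated body as the device would put it on the wire."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def open_packet(packet: bytes, key: bytes) -> bytes:
    """Recover the body as the server would, using its own copy of the shared key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    # Constructed sample: a body carrying a user name and password, the key from the example.
    key = b"Admin@123"
    session_id = 0x1A2B3C4D
    body = b"\x01\x00\x02\x01" + b"cj" + b"S3cret!"
    packet = build_packet(TAC_PLUS_AUTHEN, 1, session_id, key, body)
    print("on-wire body :", packet[HEADER_LEN:].hex())
    print("same key     :", open_packet(packet, key))
    print("other key    :", open_packet(packet, b"other-key"))
    print("policy ok    :", shared_key_meets_policy(key.decode()))
```

Two points follow directly from the code: the pad depends only on the header fields and the key, so anyone who learns the key can recover every password carried in the session, which is why the key must be kept secret and the management network itself must be protected; and the pad changes with seq_no, so each packet in a session is masked differently even though the key is fixed.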

hwtacacs-server source-ip

Function

The hwtacacs-server source-ip command specifies the source IP address used by a device to communicate with an HWTACACS server.

The undo hwtacacs-server source-ip command cancels the configuration.

By default, the device uses the IP address of the actual outbound interface as the source IP address encapsulated in HWTACACS packets.

Format

hwtacacs-server source-ip ip-address

hwtacacs-server source-ip source-loopback interface-number

undo hwtacacs-server source-ip

Parameters

Parameter

Description

Value

ip-address

Specifies the source IP address for communication between the device and the HWTACACS server.

The value is a valid unicast address in dotted decimal notation.

source-loopback interface-number

Specifies the IP address of the LoopBack interface as the source IP address for communication between the device and the HWTACACS server.

The loopback interface must already exist.

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

You can configure all HWTACACS packets sent by the device to use the same source IP address. In this way, an HWTACACS server uses only one IP address to communicate with the device.

Example

# Specify the source IP address 10.1.1.1 for communication between the device and HWTACACS server.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server source-ip 10.1.1.1

hwtacacs-server template

Function

The hwtacacs-server template command creates an HWTACACS server template and enters the HWTACACS server template view.

The undo hwtacacs-server template command deletes an HWTACACS server template.

By default, no HWTACACS server template is configured.

Format

hwtacacs-server template template-name

undo hwtacacs-server template template-name

Parameters

Parameter

Description

Value

template-name

Specifies the name of an HWTACACS server template.

The value is a string of 1 to 32 case-sensitive characters. The name can contain only letters, digits (0-9), dots (.), underscores (_), and hyphens (-). The value cannot be - or --.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can perform HWTACACS configurations, such as the configuration of authentication servers, authorization servers, accounting servers, and shared key, only after an HWTACACS server template is created.

Follow-up Procedure

Configure an authentication server, accounting server, and shared key in the HWTACACS server template view, and run the hwtacacs-server command in the domain view to apply the HWTACACS server template.

Precautions

You can modify the content of a template or delete a template only when the template is not in use.

Example

# Create an HWTACACS server template template1 and enter the HWTACACS server template view.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template template1
[HUAWEI-hwtacacs-template1] 

hwtacacs-server timer quiet

Function

The hwtacacs-server timer quiet command sets the quiet interval before the primary server reverts to the active state.

The undo hwtacacs-server timer quiet command restores the default quiet interval before the primary server reverts to the active state.

By default, the quiet interval before the primary HWTACACS server reverts to the active state is 5 minutes.

Format

hwtacacs-server timer quiet interval

undo hwtacacs-server timer quiet

Parameters

Parameter

Description

Value

interval

Specifies the quiet interval before the primary server reverts to the active state.

The value is an integer ranging from 0 to 255, in minutes.

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the primary server is unavailable, the device automatically switches services to the standby server and sends packets to the standby server. After the quiet interval before the primary server reverts to the active state expires, the device attempts to establish a connection with the primary server.

  • If the primary server is still unavailable, the device continues to send packets to the standby server until the next interval expires. Such a process repeats.
  • If the primary server is available, the device switches services to the primary server and sends packets to the primary server.

The quiet interval before the primary server reverts to the active state ensures that services are switched back to the primary server promptly once it recovers, while limiting how often the device probes the primary server during the switchover.

The default value is recommended.

Precautions

When the quiet interval is set to 0 and the active server fails, the device sends packets to the standby server. When the active server recovers, the device does not switch back to it; it continues to send packets to the standby server until the standby server fails.

When you run the hwtacacs-server timer quiet command to change the quiet interval before the primary server reverts to the active state, the device does not check whether the HWTACACS server template is in use.

Example

# Set the quiet interval before the primary server reverts to the active state to 3 minutes.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template template1
[HUAWEI-hwtacacs-template1] hwtacacs-server timer quiet 3

hwtacacs-server timer response-timeout

Function

The hwtacacs-server timer response-timeout command sets the response timeout interval of an HWTACACS server.

The undo hwtacacs-server timer response-timeout command restores the default response timeout interval of an HWTACACS server.

By default, the response timeout interval for an HWTACACS server is 5 seconds.

Format

hwtacacs-server timer response-timeout interval

undo hwtacacs-server timer response-timeout

Parameters

Parameter

Description

Value

interval

Specifies the response timeout interval of an HWTACACS server.

The value is an integer ranging from 1 to 300, in seconds.

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the device sends a request packet to the HWTACACS server, if it does not receive a response packet within the specified response timeout interval:

  • If only one HWTACACS server is configured, the device does not retransmit the request to this server.
  • If both the active and standby HWTACACS servers are available and the TCP connection between the device and the active server is normal, the device retransmits the request to the standby server after the timeout expires. If that TCP connection is broken during the timeout interval, the device retransmits the request to the standby server immediately.

This improves the reliability of HWTACACS authentication, authorization, and accounting.

The default value is recommended.

Precautions

You can modify this configuration only when the HWTACACS server template is not in use.

Example

# Set the response timeout interval of an HWTACACS server to 30s.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template test1
[HUAWEI-hwtacacs-test1] hwtacacs-server timer response-timeout 30
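The quiet-interval and response-timeout guidelines above describe how the device moves between the primary and standby servers, including two edge cases: a quiet interval of 0 (no automatic revert) and a TCP connection that is already broken (immediate retransmission). The following added example (written for this page; it is not Huawei code and does not model the real switch implementation) simulates that selection logic so the timing can be stepped through. It simplifies in one respect: retrying the primary after the quiet interval is treated as sending the next request to it, so a still-failed primary costs one response timeout before the standby is used. Server names, addresses and the reachable/tcp_up switches are constructed for the simulation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Server:
    """One HWTACACS server entry. reachable and tcp_up are simulation switches."""
    name: str
    ip: str
    reachable: bool = True   # answers a request within the response timeout
    tcp_up: bool = True      # the device's TCP connection to it is alive


class HwtacacsFailover:
    """Simulated server selection: primary first, then secondary and third in order."""

    def __init__(self, servers: List[Server], quiet_minutes: int = 5, response_timeout: int = 5):
        # Value ranges as stated on this page: quiet 0-255 minutes, timeout 1-300 seconds.
        if not 0 <= quiet_minutes <= 255 or not 1 <= response_timeout <= 300:
            raise ValueError("quiet must be 0-255 minutes, response-timeout 1-300 seconds")
        self.servers = servers
        self.quiet = quiet_minutes * 60              # kept in seconds
        self.timeout = response_timeout
        self.active = 0                              # index of the server currently in use
        self.primary_retry_at: Optional[int] = None  # simulated time when quiet interval ends

    def _select(self, now: int) -> int:
        # Quiet interval expired: try the primary again before anything else.
        if self.active != 0 and self.primary_retry_at is not None and now >= self.primary_retry_at:
            self.active, self.primary_retry_at = 0, None
        return self.active

    def send(self, now: int) -> Tuple[Optional[str], int]:
        """Deliver one request at simulated time `now` (seconds).
        Returns (name of the server that answered or None, seconds spent waiting)."""
        waited = 0
        idx = self._select(now)
        for _ in range(len(self.servers)):
            srv = self.servers[idx]
            if srv.reachable and srv.tcp_up:
                self.active = idx
                return srv.name, waited
            # No answer. A broken TCP connection is noticed at once; otherwise the
            # device waits for the full response timeout before giving up on this server.
            waited += self.timeout if srv.tcp_up else 0
            if idx == 0:
                # Primary failed: arm the quiet interval. With quiet = 0 the device never
                # reverts on its own; it tries the primary again only after the standby fails.
                self.primary_retry_at = now + waited + self.quiet if self.quiet else None
            if len(self.servers) == 1:
                return None, waited                  # single server: no retransmission
            idx = (idx + 1) % len(self.servers)
        return None, waited


if __name__ == "__main__":
    # Constructed timeline: primary fails at t=10, recovers at t=60; quiet = 3 min, timeout = 30 s.
    primary = Server("primary", "10.163.155.12")
    secondary = Server("secondary", "10.163.155.13")
    group = HwtacacsFailover([primary, secondary], quiet_minutes=3, response_timeout=30)
    print(0, group.send(0))
    primary.reachable = False
    print(10, group.send(10))
    primary.reachable = True
    print(60, group.send(60))     # still on standby: quiet interval has not expired
    print(220, group.send(220))   # quiet interval over: back on the primary
```

Running the timeline shows the two behaviours worth planning for: with a non-zero quiet interval a recovered primary is not used until the interval ends (so a short interval re-probes a flapping server often, a long one delays the switch-back), and with quiet set to 0 the group stays on the standby indefinitely, which is easy to miss in monitoring unless the display hwtacacs-server template output is checked.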

hwtacacs-server traffic-unit

Function

The hwtacacs-server traffic-unit command sets the traffic unit used by an HWTACACS server.

The undo hwtacacs-server traffic-unit command restores the default traffic unit used by the HWTACACS server.

By default, the traffic unit is byte on the device.

Format

hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

undo hwtacacs-server traffic-unit

Parameters

Parameter

Description

Value

byte

Indicates that the traffic unit is byte.

-

kbyte

Indicates that the traffic unit is KByte.

-

mbyte

Indicates that the traffic unit is MByte.

-

gbyte

Indicates that the traffic unit is GByte.

-

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Different HWTACACS servers may use different traffic units. Set the traffic unit for each HWTACACS server group on the device to the same unit that the corresponding HWTACACS server uses.

Precautions

You can modify this configuration only when the HWTACACS server template is not in use.

Example

# Set the traffic unit used by an HWTACACS server to KByte.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template template1
[HUAWEI-hwtacacs-template1] hwtacacs-server traffic-unit kbyte

hwtacacs-server user-name domain-included

Function

The hwtacacs-server user-name domain-included command configures the device to encapsulate the domain name in the user name in HWTACACS packets to be sent to an HWTACACS server.

The hwtacacs-server user-name original command configures the device not to modify the user name entered by the user in the packets sent to the HWTACACS server.

The undo hwtacacs-server user-name domain-included command configures the device not to encapsulate the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

By default, the device encapsulates the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

By default, the device does not modify the user name entered by the user in the packets sent to the HWTACACS server.

Format

hwtacacs-server user-name domain-included

hwtacacs-server user-name original

undo hwtacacs-server user-name domain-included

Parameters

None

Views

HWTACACS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The format of a user name is user name@domain name. In the user name, @ is the domain name delimiter.

If the HWTACACS server does not accept the user name with the domain name, run the undo hwtacacs-server user-name domain-included command to delete the domain name from the user name.

Precautions

You can modify this configuration only when the HWTACACS server template is not in use.

If the user names in HWTACACS packets sent from the device to the HWTACACS server contain domain names, ensure that the total length of a user name (user name + domain name delimiter + domain name) does not exceed 64 characters. Otherwise, the user name cannot be carried in HWTACACS packets and authentication fails.

Example

# Configure the device to encapsulate the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

<HUAWEI> system-view
[HUAWEI] hwtacacs-server template template1
[HUAWEI-hwtacacs-template1] hwtacacs-server user-name domain-included
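The three user-name modes above and the 64-character limit in the precautions are easy to get wrong when a long user name meets a long domain name. The following added example (written for this page; it is not Huawei code) builds the user name as each mode would place it in the packet and flags names that exceed the stated limit. It assumes, which the page does not state, that a name entered without "@" is treated as belonging to the device's default domain; the mode labels and the sample names are constructed for the example.

```python
from typing import Tuple

MAX_USER_NAME_LEN = 64   # limit stated in the precautions of this command
DELIMITER = "@"          # domain name delimiter

# Mode labels are this example's own; they map onto the three command forms above:
#   "domain-included"  -> hwtacacs-server user-name domain-included (default)
#   "domain-excluded"  -> undo hwtacacs-server user-name domain-included
#   "original"         -> hwtacacs-server user-name original


def user_name_for_server(entered: str, default_domain: str, mode: str) -> str:
    """Return the user name as the device would encapsulate it in the HWTACACS packet.
    Assumption: a name without '@' belongs to default_domain (not stated on the page)."""
    if mode == "original":
        return entered                       # sent exactly as the user typed it
    if DELIMITER in entered:
        user, domain = entered.split(DELIMITER, 1)
    else:
        user, domain = entered, default_domain
    if mode == "domain-included":
        return f"{user}{DELIMITER}{domain}"
    if mode == "domain-excluded":
        return user
    raise ValueError(f"unknown mode {mode!r}")


def check_user_name(entered: str, default_domain: str, mode: str) -> Tuple[str, bool]:
    """Return (name_on_wire, ok). ok is False when the name exceeds 64 characters,
    the case in which the page states it cannot be carried and authentication fails."""
    name = user_name_for_server(entered, default_domain, mode)
    return name, len(name) <= MAX_USER_NAME_LEN


if __name__ == "__main__":
    # Constructed inputs: the short name from the page's example and an over-long one.
    for entered in ("cj", "cj@huawei", "a" * 60):
        for mode in ("domain-included", "domain-excluded", "original"):
            name, ok = check_user_name(entered, "huawei", mode)
            print(f"{mode:16} {entered[:12]!r:16} -> {len(name):2} chars, ok={ok}")
```

The last row of the demonstration is the one the precaution warns about: a 60-character user name fits on its own, but once the device appends "@huawei" it becomes 67 characters and the server never sees the request.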

hwtacacs-user change-password hwtacacs-server

Function

The hwtacacs-user change-password hwtacacs-server command enables the device to change the passwords saved on the HWTACACS server.

Format

hwtacacs-user change-password hwtacacs-server template-name

Parameters

Parameter

Description

Value

template-name

Specifies the name of an HWTACACS server template.

The HWTACACS server template must already exist.

Views

User view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

To change the password saved on the HWTACACS server, users can run the hwtacacs-user change-password hwtacacs-server command on the device. You do not need to change the configuration on the HWTACACS server.

Precautions

  • This command applies to users who are authenticated in HWTACACS mode, and the HWTACACS server template must already be configured.

  • Users can run this command to change their passwords only when the user names and passwords saved on the HWTACACS server have not expired. When a user whose password has expired logs in to the device, the HWTACACS server does not allow the user to change the password and displays a message indicating that authentication fails.

  • The system wait period is 30 seconds. If the TACACS server does not receive the user name, new password, or confirmed password from the user within this period, it terminates the password change process.

  • Users can also press Ctrl+C to cancel the password change.

  • HWTACACS users who pass AAA authentication can use the hwtacacs-user change-password hwtacacs-server command to change their passwords before the passwords expire. A user who needs to run this command to change the passwords of other users must have system rights.

Example

# Enable the user that passes HWTACACS authentication to change the password.

<HUAWEI> hwtacacs-user change-password hwtacacs-server huawei
Username:cj@huawei
Old Password:
New Password:
Re-enter New password:
Info: The password has been changed successfully.

reset hwtacacs-server accounting-stop-packet

Function

The reset hwtacacs-server accounting-stop-packet command clears statistics on Accounting Stop packets.

Format

reset hwtacacs-server accounting-stop-packet { all | ip ip-address }

Parameters

Parameter

Description

Value

all

Clears the statistics about all accounting-stop packets.

-

ip ip-address

Clears the statistics about the Accounting-Stop packets sent by the HWTACACS server with a specified IP address.

The value is in dotted decimal notation.

Views

User view

Default Level

3: Management level

Usage Guidelines

Cleared statistics cannot be restored.

Example

# Clear statistics on all Accounting Stop packets.

<HUAWEI> reset hwtacacs-server accounting-stop-packet all

reset hwtacacs-server statistics

Function

The reset hwtacacs-server statistics command clears the statistics on HWTACACS authentication, accounting, and authorization.

Format

reset hwtacacs-server statistics { all | accounting | authentication | authorization }

Parameters

Parameter

Description

Value

all

Clears all the statistics.

-

accounting

Clears the statistics on HWTACACS accounting.

-

authentication

Clears the statistics on HWTACACS authentication.

-

authorization

Clears the statistics on HWTACACS authorization.

-

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Before collecting the statistics on HWTACACS authentication, accounting, and authorization in a specified period of time, run the reset hwtacacs-server statistics command to clear the existing statistics. Run the display hwtacacs-server template template-name verbose command to view the statistics on HWTACACS authentication, accounting, and authorization.

Precautions

The cleared statistics cannot be restored. Exercise caution when you run the command.

Example

# Clear all the statistics.

<HUAWEI> reset hwtacacs-server statistics all
Updated: 2019-04-09

Document ID: EDOC1100065659