Part 8 - Security

03-HWTACACS Commands


HWTACACS Configuration Commands

data-flow-format (HWTACACS scheme view)

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

View

HWTACACS scheme view

Default Level

2: System level

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a HWTACACS server.

Use the undo data-flow-format command to restore the default.

By default, the unit for data flows is byte and that for data packets is one-packet.

Related commands: display hwtacacs.

Examples

# Configure HWTACACS scheme hwt1 to report data flows in kilobytes and packets in kilo-packets to the HWTACACS server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

display hwtacacs

Syntax

display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] [ slot slot-number ]

View

Any view

Default Level

2: System level

Parameters

hwtacacs-scheme-name: HWTACACS scheme name.

statistics: Displays detailed statistics about the HWTACACS server.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the display hwtacacs command to display the configuration information or statistics of the specified HWTACACS scheme, or of all HWTACACS schemes. The output shows the shared keys configured with the key command in clear text, so treat captured output as sensitive.

Note that:

l   If no HWTACACS scheme is specified, the command will display the configuration information of all HWTACACS schemes.

l   If no IRF member ID is specified, the command will display the configuration information of the HWTACACS schemes on all IRF member devices.

Related commands: hwtacacs scheme.

Examples

# Display configuration information about HWTACACS scheme gy.

<Sysname> display hwtacacs gy

  --------------------------------------------------------------------

HWTACACS-server template name       : gy

  Primary-authentication-server     : 172.31.1.11:49

  VPN instance                      : vpn1

  Primary-authorization-server      : 172.31.1.11:49

  VPN instance                      : vpn1

  Primary-accounting-server         : 172.31.1.11:49

  VPN instance                      : vpn1

  Secondary-authentication-server   : 0.0.0.0:0

  VPN instance                      : -

  Secondary-authorization-server    : 0.0.0.0:0

  VPN instance                      : -

  Secondary-accounting-server       : 0.0.0.0:0

  Current-authentication-server     : 172.31.1.11:49

  VPN instance                      : vpn1

  Current-authorization-server      : 172.31.1.11:49

  VPN instance                      : vpn1

  Current-accounting-server         : 172.31.1.11:49

  VPN instance                      : vpn1

  NAS-IP-address                    : 0.0.0.0

  key authentication                : 790131

  key authorization                 : 790131

  key accounting                    : 790131

  VPN instance                      : -

  Quiet-interval(min)               : 5

  Realtime-accounting-interval(min) : 12

  Response-timeout-interval(sec)    : 5

  Acct-stop-PKT retransmit times    : 100

  Username format                   : with-domain

  Data traffic-unit                 : B

  Packet traffic-unit               : one-packet

  -------------------------------------------------------------------- 

Table 1-1 display hwtacacs command output description

Field | Description
HWTACACS-server template name | Name of the HWTACACS scheme
Primary-authentication-server | IP address and port number of the primary authentication server. If no primary authentication server is specified, the value is 0.0.0.0:0. The same rule applies to the following eight server fields.
Primary-authorization-server | IP address and port number of the primary authorization server
Primary-accounting-server | IP address and port number of the primary accounting server
Secondary-authentication-server | IP address and port number of the secondary authentication server
Secondary-authorization-server | IP address and port number of the secondary authorization server
Secondary-accounting-server | IP address and port number of the secondary accounting server
Current-authentication-server | IP address and port number of the authentication server currently in use
Current-authorization-server | IP address and port number of the authorization server currently in use
Current-accounting-server | IP address and port number of the accounting server currently in use
VPN instance | VPN instance of the server listed on the preceding line; the VPN instance line that follows the key fields shows the VPN instance configured for the scheme itself with the vpn-instance command
NAS-IP-address | Source IP address the device uses for HWTACACS packets (see the hwtacacs nas-ip and nas-ip commands). 0.0.0.0 means no source address is configured and the outbound interface address is used.
key authentication | Shared key for authentication packets, shown in clear text
key authorization | Shared key for authorization packets, shown in clear text
key accounting | Shared key for accounting packets, shown in clear text
Quiet-interval | Quiet interval for the primary server, in minutes
Realtime-accounting-interval | Real-time accounting interval, in minutes
Response-timeout-interval | Server response timeout period, in seconds
Acct-stop-PKT retransmit times | Maximum number of stop-accounting request transmission attempts
Username format | Format of the usernames sent to the HWTACACS server
Data traffic-unit | Unit for data flows
Packet traffic-unit | Unit for data packets
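The following Python script is an added example, not part of this manual or of H3C's software. It parses a captured display hwtacacs output in the format shown above into fields and audits it against the rules stated in this section: unset primary or secondary servers, identical primary and secondary addresses, a primary that has failed over to another server, missing keys, NAS-IP-address left at 0.0.0.0, and usernames sent without-domain. The sample output is constructed from the example above. The MIN_KEY_LEN threshold and the assumption that an unset key is displayed as empty or "-" are the example's own, not device behaviour.

```python
"""Audit a captured 'display hwtacacs <scheme>' output for weak or incomplete
settings. Added example, not part of the H3C manual. Parses the 'Field : Value'
format shown in this section; each 'VPN instance' line belongs to the server
line above it. MIN_KEY_LEN is an assumed local policy, not a device limit."""
import re
from typing import Dict, List, Tuple

MIN_KEY_LEN = 16            # assumption: local policy; the device accepts 1 to 64 chars
UNSET_SERVER = "0.0.0.0:0"  # value the device shows for a server that is not configured

# Constructed sample: the output shown in this section, captured as text.
SAMPLE_OUTPUT = """\
HWTACACS-server template name       : gy
  Primary-authentication-server     : 172.31.1.11:49
  VPN instance                      : vpn1
  Primary-authorization-server      : 172.31.1.11:49
  VPN instance                      : vpn1
  Primary-accounting-server         : 172.31.1.11:49
  VPN instance                      : vpn1
  Secondary-authentication-server   : 0.0.0.0:0
  VPN instance                      : -
  Secondary-authorization-server    : 0.0.0.0:0
  VPN instance                      : -
  Secondary-accounting-server       : 0.0.0.0:0
  Current-authentication-server     : 172.31.1.11:49
  VPN instance                      : vpn1
  Current-authorization-server      : 172.31.1.11:49
  VPN instance                      : vpn1
  Current-accounting-server         : 172.31.1.11:49
  VPN instance                      : vpn1
  NAS-IP-address                    : 0.0.0.0
  key authentication                : 790131
  key authorization                 : 790131
  key accounting                    : 790131
  VPN instance                      : -
  Quiet-interval(min)               : 5
  Username format                   : with-domain
  --------------------------------------------------------------------
"""

LINE_RE = re.compile(r"^\s*(?P<field>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_display_hwtacacs(text: str) -> Dict[str, str]:
    """Return {field: value}. A 'VPN instance' line after a server line is stored
    as '<server field> VPN instance'; the one after the keys is the scheme-wide
    setting and is stored as 'Scheme VPN instance'."""
    fields: Dict[str, str] = {}
    prev = None
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("-"):
            continue  # blank or separator line
        m = LINE_RE.match(line)
        if not m:
            continue
        field, value = m.group("field"), m.group("value")
        if field == "VPN instance":
            if prev is not None and prev.endswith("-server"):
                fields[prev + " VPN instance"] = value
            else:
                fields["Scheme VPN instance"] = value
            continue
        fields[field] = value
        prev = field
    return fields


def audit(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    findings: List[Tuple[str, str]] = []
    for svc in ("authentication", "authorization", "accounting"):
        primary = fields.get(f"Primary-{svc}-server", UNSET_SERVER)
        secondary = fields.get(f"Secondary-{svc}-server", UNSET_SERVER)
        current = fields.get(f"Current-{svc}-server", UNSET_SERVER)
        if primary == UNSET_SERVER:
            findings.append(("HIGH", f"no primary {svc} server"))
        if secondary == UNSET_SERVER:
            findings.append(("MEDIUM", f"no secondary {svc} server: no failover"))
        if primary != UNSET_SERVER and primary == secondary:
            findings.append(("HIGH", f"primary and secondary {svc} servers are identical"))
        if UNSET_SERVER not in (primary, current) and current != primary:
            # The primary is in its quiet period and the device has failed over.
            findings.append(("INFO", f"{svc}: primary {primary} quiet, using {current}"))
        key = fields.get(f"key {svc}", "")
        if key in ("", "-"):  # assumption: an unset key is shown as empty or '-'
            findings.append(("HIGH", f"no shared key for {svc} packets"))
        elif len(key) < MIN_KEY_LEN:
            findings.append(("MEDIUM", f"{svc} key is {len(key)} chars (policy: {MIN_KEY_LEN})"))
    if fields.get("NAS-IP-address", "0.0.0.0") == "0.0.0.0":
        findings.append(("LOW", "NAS-IP unset: source address follows the outbound interface"))
    if fields.get("Username format") == "without-domain":
        findings.append(("INFO", "without-domain: apply this scheme to one ISP domain only"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(parse_display_hwtacacs(SAMPLE_OUTPUT)):
        print(f"{severity:6} {msg}")
```

Run against the sample it reports six MEDIUM findings (no secondary servers, short keys) and one LOW finding for the unset NAS-IP; feeding it the output of several schemes in turn gives a quick fleet-wide check before and after a change.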

 

display stop-accounting-buffer

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]

View

Any view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies a HWTACACS scheme by its name, a string of 1 to 32 characters.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests for HWTACACS scheme hwt1.

<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

 Slot 1:

Total 0 record(s) Matched

hwtacacs nas-ip

Syntax

hwtacacs nas-ip ip-address  [ vpn-instance vpn-instance-name ]

undo hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]

View

System view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

vpn-instance vpn-instance-name: Name of the VPN instance of the source IP address, a string of 1 to 31 case-sensitive characters. With a VPN specified, the command specifies a private-network source IP address. With no VPN specified, the command specifies a public-network source IP address.

Description

Use the hwtacacs nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.

Use the undo hwtacacs nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound interface.

Note that:

l   Specifying a source address for the HWTACACS packets sent to the server avoids the situation where replies from the HWTACACS server cannot reach the device because the physical interface whose address was used has failed. Use an address that stays reachable regardless of which interface the packets leave on, and configure the same address as the client address on the HWTACACS server.

l   You can specify up to 16 source IP addresses, which can include one public-network IP address at most. A newly specified public-network source IP address overwrites the previous one. Each VPN can have only one private-network source IP address specified. A private-network source IP address newly specified for a VPN overwrites the previous one.

l   The nas-ip command in HWTACACS scheme view applies only to the current HWTACACS scheme, while the hwtacacs nas-ip command in system view applies to all HWTACACS schemes. If both are configured, the nas-ip command in HWTACACS scheme view takes precedence for that scheme.

Related commands: nas-ip.

Examples

# Set the IP address for the device to use as the source address of the HWTACACS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

hwtacacs scheme

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

View

System view

Default Level

3: Manage level

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Description

Use the hwtacacs scheme command to create an HWTACACS scheme and enter HWTACACS scheme view.

Use the undo hwtacacs scheme command to delete an HWTACACS scheme.

By default, no HWTACACS scheme exists.

Note that you cannot delete an HWTACACS scheme with online users.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

key (HWTACACS scheme view)

Syntax

key { accounting | authentication | authorization } string

undo key { accounting | authentication | authorization } string

View

HWTACACS scheme view

Default Level

2: System level

Parameters

accounting: Sets the shared key for HWTACACS accounting packets.

authentication: Sets the shared key for HWTACACS authentication packets.

authorization: Sets the shared key for HWTACACS authorization packets.

string: Shared key, a case-sensitive string of 1 to 64 characters.

Description

Use the key command to set the shared key for HWTACACS authentication, authorization, or accounting packets. The key must be identical to the key configured on the HWTACACS server for the same packet type.

Use the undo key command to remove the configuration.

By default, no shared key is configured. Configured keys are shown in clear text by the display hwtacacs command.

Related commands: display hwtacacs.

Examples

# Set the shared key for HWTACACS accounting packets to hello for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key accounting hello

nas-ip (HWTACACS scheme view)

Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

Description

Use the nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.

Use the undo nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound interface.

Note that:

l   Specifying a source address for the HWTACACS packets sent to the server avoids the situation where replies from the HWTACACS server cannot reach the device because the physical interface whose address was used has failed. Use an address that stays reachable regardless of which interface the packets leave on, and configure the same address as the client address on the HWTACACS server.

l   If you configure the command more than once, the last configuration takes effect.

l   The nas-ip command in HWTACACS scheme view applies only to the current HWTACACS scheme, while the hwtacacs nas-ip command in system view applies to all HWTACACS schemes. If both are configured, the nas-ip command in HWTACACS scheme view takes precedence for that scheme.

Related commands: hwtacacs nas-ip.

Examples

# Set the IP address for the device to use as the source address of the HWTACACS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

primary accounting (HWTACACS scheme view)

Syntax

primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *

undo primary accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the primary HWTACACS accounting server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the primary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.

vpn-instance vpn-instance-name: Name of the VPN instance of the primary HWTACACS accounting server, a string of 1 to 31 case-sensitive characters.

Description

Use the primary accounting command to specify the primary HWTACACS accounting server.

Use the undo primary accounting command to remove the configuration.

By default, no primary HWTACACS accounting server is specified.

Note that:

l   The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l   The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l   If the server to be specified resides on an MPLS VPN, you also need to specify that VPN with the primary accounting command to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme with the vpn-instance command.

l   If you configure the command for more than one time, the last configuration takes effect.

l   You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Examples

# Specify the primary accounting server 10.163.155.12 with TCP port number 49.

<Sysname> system-view

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49

primary authentication (HWTACACS scheme view)

Syntax

primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *

undo primary authentication

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the primary HWTACACS authentication server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the primary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49.

vpn-instance vpn-instance-name: Name of the VPN instance of the primary HWTACACS authentication server, a string of 1 to 31 case-sensitive characters.

Description

Use the primary authentication command to specify the primary HWTACACS authentication server.

Use the undo primary authentication command to remove the configuration.

By default, no primary HWTACACS authentication server is specified.

Note that:

l   The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

l   The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l   If the server to be specified resides on an MPLS VPN, you also need to specify that VPN with the primary authentication command to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme with the vpn-instance command.

l   If you configure the command for more than one time, the last configuration takes effect.

l   You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

Related commands: display hwtacacs, hwtacacs scheme, vpn-instance (HWTACACS scheme view).

Examples

# Specify the primary authentication server 10.163.155.13 with TCP port number 49.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49

primary authorization

Syntax

primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *

undo primary authorization

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the primary HWTACACS authorization server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the primary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49.

vpn-instance vpn-instance-name: Name of the VPN instance of the primary HWTACACS authorization server, a string of 1 to 31 case-sensitive characters.

Description

Use the primary authorization command to specify the primary HWTACACS authorization server.

Use the undo primary authorization command to remove the configuration.

By default, no primary HWTACACS authorization server is specified.

Note that:

l   The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.

l   The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l   If the server to be specified resides on an MPLS VPN, you also need to specify that VPN with the primary authorization command to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme with the vpn-instance command.

l   If you configure the command for more than one time, the last configuration takes effect.

l   You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

Related commands: display hwtacacs, hwtacacs scheme, vpn-instance (HWTACACS scheme view).

Examples

# Configure the primary authorization server 10.163.155.13 with TCP port number 49.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49

reset hwtacacs statistics

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ]

View

User view

Default Level

1: Monitor level

Parameters

accounting: Clears HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears HWTACACS authentication statistics.

authorization: Clears HWTACACS authorization statistics.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the reset hwtacacs statistics command to clear HWTACACS statistics.

Related commands: display hwtacacs.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]

View

User view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies a HWTACACS scheme by its name, a string of 1 to 32 characters.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that get no responses.

Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for HWTACACS scheme hwt1.

<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

retry stop-accounting (HWTACACS scheme view)

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 1 to 300 and defaults to 100.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.

Use the undo retry stop-accounting command to restore the default.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 50.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] retry stop-accounting 50

secondary accounting (HWTACACS scheme view)

Syntax

secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *

undo secondary accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the secondary HWTACACS accounting server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the secondary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.

vpn-instance vpn-instance-name: Name of the VPN instance of the secondary HWTACACS accounting server, a string of 1 to 31 case-sensitive characters.

Description

Use the secondary accounting command to specify the secondary HWTACACS accounting server.

Use the undo secondary accounting command to remove the configuration.

By default, no secondary HWTACACS accounting server is specified.

Note that:

l   The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l   The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l   If the server to be specified resides on an MPLS VPN, you also need to specify that VPN with the secondary accounting command to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme with the vpn-instance command.

l   If you configure the command for more than one time, the last configuration takes effect.

l   You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Related commands: display hwtacacs, hwtacacs scheme, vpn-instance (HWTACACS scheme view).

Examples

# Specify the secondary accounting server 10.163.155.12 with TCP port number 49.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49

secondary authentication (HWTACACS scheme view)

Syntax

secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *

undo secondary authentication

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the secondary HWTACACS authentication server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the secondary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49.

vpn-instance vpn-instance-name: Name of the VPN instance of the secondary HWTACACS authentication server, a string of 1 to 31 case-sensitive characters.

Description

Use the secondary authentication command to specify the secondary HWTACACS authentication server.

Use the undo secondary authentication command to remove the configuration.

By default, no secondary HWTACACS authentication server is specified.

Note that:

l   The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

l   The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l   If the server to be specified resides on an MPLS VPN, you also need to specify that VPN with the secondary authentication command to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme with the vpn-instance command.

l   If you configure the command for more than one time, the last configuration takes effect.

l   You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

Related commands: display hwtacacs, hwtacacs scheme, vpn-instance (HWTACACS scheme view).

Examples

# Specify the secondary authentication server 10.163.155.13 with TCP port number 49.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49

secondary authorization

Syntax

secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *

undo secondary authorization

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the secondary HWTACACS authorization server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the secondary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49.

vpn-instance vpn-instance-name: Name of the VPN instance of the secondary HWTACACS authorization server, a string of 1 to 31 case-sensitive characters.

Description

Use the secondary authorization command to specify the secondary HWTACACS authorization server.

Use the undo secondary authorization command to remove the configuration.

By default, no secondary HWTACACS authorization server is specified.

Note that:

l   The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.

l   The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l   If the server to be specified resides on an MPLS VPN, you also need to specify that VPN with the secondary authorization command to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme with the vpn-instance command.

l   If you configure the command for more than one time, the last configuration takes effect.

l   You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

Related commands: display hwtacacs, hwtacacs scheme, vpn-instance (HWTACACS scheme view).

Examples

# Configure the secondary authorization server 10.163.155.13 with TCP port number 49.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

stop-accounting-buffer enable (HWTACACS scheme view)

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

HWTACACS scheme view

Default Level

2: System level

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.

Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.

By default, the device is enabled to buffer stop-accounting requests getting no responses.

Because stop-accounting requests determine what users are billed for, a NAS must make its best effort to deliver every stop-accounting request to the HWTACACS accounting servers. For each stop-accounting request that gets no response within the response timeout period, the NAS buffers the request and resends it until it receives a response or the number of transmission attempts reaches the limit set with the retry stop-accounting command, after which it discards the request.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.

Examples

# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests getting no responses.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable

timer quiet (HWTACACS scheme view)

Syntax

timer quiet minutes

undo timer quiet

View

HWTACACS scheme view

Default Level

2: System level

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, how long the primary server stays in the blocked state after it fails to respond before the device returns it to the active state and tries it again.

Use the undo timer quiet command to restore the default.

Related commands: display hwtacacs.

Examples

# Set the quiet timer for the primary server to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

timer realtime-accounting (HWTACACS scheme view)

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range 3 to 60. The default is 12. A value of zero means “Do not send online user accounting information to the HWTACACS server.”

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default.

Note that:

l   For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is for setting the interval.

l   The appropriate real-time accounting interval depends on the performance of the NAS and the HWTACACS server: a shorter interval places a higher load on both. Use a longer interval when there are many users (1000 or more). The following table lists the recommended intervals for different numbers of users.

Table 1-2 Recommended ratios of the accounting interval to the number of users

Number of users | Real-time accounting interval (minutes)
1 to 99 | 3
100 to 499 | 6
500 to 999 | 12
1000 or more | 15 or more

 

Examples

# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

timer response-timeout (HWTACACS scheme view)

Syntax

timer response-timeout seconds

undo timer response-timeout

View

HWTACACS scheme view

Default Level

2: System level

Parameters

seconds: HWTACACS server response timeout period in seconds. It ranges from 1 to 300 and defaults to 5.

Description

Use the timer response-timeout command to set the HWTACACS server response timeout timer.

Use the undo timer response-timeout command to restore the default.

Because HWTACACS runs over TCP, expiry of the server response timeout timer or of the TCP timeout timer causes the device to tear down its connection to the HWTACACS server.

Related commands: display hwtacacs.

Examples

# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

user-name-format (HWTACACS scheme view)

Syntax

user-name-format { keep-original | with-domain | without-domain }

View

HWTACACS scheme view

Default Level

2: System level

Parameters

keep-original: Sends the username to the HWTACACS server as it is input.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a HWTACACS server.

By default, the ISP domain name is included in the username.

Note that:

l   A username is generally in the format userid@isp-name, where isp-name is what the device uses to determine the ISP domain the user belongs to. Some earlier HWTACACS servers cannot recognize a username that carries an ISP domain name, so before sending a username to such a server the device must strip the domain name. This command lets you decide whether the username sent to the HWTACACS server includes the domain name.

l   If an HWTACACS scheme sends usernames without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise the HWTACACS server cannot distinguish two users in different ISP domains that share the same userid and treats them as one account.

Related commands: hwtacacs scheme.

Examples

# Specify the device to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain
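The following Python script is an added example, not part of this manual or of H3C's software. It shows what the HWTACACS server receives for each user-name-format setting and detects the collision described in the notes above, where without-domain makes two users from different ISP domains with the same userid look like one account. The example assumes that the ISP domain is the text after the last "@", that a username entered without a domain belongs to a caller-supplied default domain, and that with-domain appends that domain to a bare userid; the manual does not state how with-domain treats a username entered without a domain.

```python
"""Username seen by the HWTACACS server under each user-name-format setting, and
the identity collision that without-domain causes across ISP domains.
Added example, not from the H3C manual. Assumptions: the ISP domain is the text
after the last '@'; a bare userid belongs to default_domain; with-domain appends
default_domain to a bare userid."""
from typing import Dict, List, Set, Tuple

FORMATS = ("keep-original", "with-domain", "without-domain")


def split_username(raw: str, default_domain: str) -> Tuple[str, str]:
    """Return (userid, isp-name); a name without '@' falls into default_domain."""
    userid, sep, domain = raw.rpartition("@")
    if not sep:
        return raw, default_domain
    return userid, domain


def username_for_server(raw: str, fmt: str, default_domain: str = "system") -> str:
    """Username the device sends to the HWTACACS server under the given format."""
    if fmt not in FORMATS:
        raise ValueError(f"unknown user-name-format: {fmt}")
    userid, domain = split_username(raw, default_domain)
    if fmt == "keep-original":
        return raw                    # sent exactly as the user typed it
    if fmt == "with-domain":
        return f"{userid}@{domain}"   # domain always present
    return userid                     # without-domain: domain stripped


def find_collisions(logins: List[str], fmt: str,
                    default_domain: str = "system") -> Dict[str, List[str]]:
    """Map each server-side username shared by accounts from more than one ISP
    domain to the sorted list of those domains. Empty dict means no collision."""
    seen: Dict[str, Set[str]] = {}
    for raw in logins:
        name = username_for_server(raw, fmt, default_domain)
        seen.setdefault(name, set()).add(split_username(raw, default_domain)[1])
    return {name: sorted(domains) for name, domains in seen.items() if len(domains) > 1}


if __name__ == "__main__":
    # Constructed logins: two different 'alice' accounts in two ISP domains,
    # plus a user who typed no domain at all.
    logins = ["alice@corp", "alice@guest", "bob@corp", "carol"]
    for fmt in FORMATS:
        sent = [username_for_server(u, fmt) for u in logins]
        print(f"{fmt:15} sends {sent} collisions={find_collisions(logins, fmt)}")
```

With without-domain the server sees "alice" for both alice@corp and alice@guest and authorizes them as one account, which is exactly why the note says to bind such a scheme to a single ISP domain; with-domain and keep-original keep the two apart.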

vpn-instance (HWTACACS scheme view)

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

View

HWTACACS scheme view

Default Level

2: System level

Parameters

vpn-instance-name: Name of a VPN instance, a string of 1 to 31 case-sensitive characters.

Description

Use the vpn-instance command to specify a VPN instance for the HWTACACS scheme.

Use the undo vpn-instance command to remove the configuration.

Note that:

l   The VPN instance specified here takes effect for all servers in the HWTACACS scheme. But the VPN instance specified for a specific server takes precedence over the one specified here.

Related commands: hwtacacs scheme, display hwtacacs.

Examples

# Specify VPN instance test for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] vpn-instance test

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.