beautypg.com

H3C Technologies H3C SecPath F1000-E User Manual

Page 214

background image

204

When the firewall receives a connection teardown request from a host or a connection teardown

command from an administrator, it sends a stop-accounting request to the accounting server. You can
enable buffering of non-responded stop-accounting requests to allow the firewall to buffer and resend a

stop-accounting request until it receives a response or the number of stop-accounting attempts reaches

the configured limit. In the latter case, the firewall discards the packet.
Follow these guidelines when you configure HWTACACS accounting servers:

An HWTACACS server can function as the primary accounting server of one scheme and
simultaneously as the secondary accounting server of another scheme.

The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise,
the configuration fails.

You can remove an accounting server only when no active TCP connection for sending accounting
packets is using it.

HWTACACS does not support accounting for FTP users.

To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter HWTACACS scheme

view.

hwtacacs scheme
hwtacacs-scheme-name

N/A

3.

Specify HWTACACS

accounting servers.

Specify the primary HWTACACS

accounting server:
primary accounting ip-address

[ port-number | vpn-instance

vpn-instance-name ] *

Specify the secondary HWTACACS

accounting server:

secondary accounting ip-address
[ port-number | vpn-instance

vpn-instance-name ] *

Configure at least one
command.
No accounting server is
specified by default.

4.

Enable buffering of
stop-accounting requests to

which no responses are

received.

stop-accounting-buffer enable

Optional.
Enabled by default.

5.

Set the maximum number of
stop-accounting attempts.

retry stop-accounting retry-times

Optional.
The default setting is 100.

Specifying the shared keys for authenticating HWTACACS packets

The HWTACACS client and HWTACACS server use the MD5 algorithm to encrypt packets exchanged

between them and use shared keys to authenticate the packets. They must use the same shared key for the

same type of packets.
To specify the shared keys for authenticating HWTACACS packets:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter HWTACACS scheme
view.

hwtacacs scheme
hwtacacs-scheme-name

N/A

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: