
Specifying a vpn for the hwtacacs scheme – H3C Technologies H3C SecPath F1000-E User Manual


205

Step 3. Specify the shared keys for authenticating HWTACACS authentication, authorization, and accounting packets.
Command: key { accounting | authentication | authorization } [ cipher | simple ] key
Remarks: No shared key is specified by default. In FIPS mode, the firewall supports only ciphertext shared keys of at least 8 characters comprising case-sensitive letters, numbers, and special characters.

NOTE: A shared key configured on the firewall must be the same as that configured on the HWTACACS server.

Specifying a VPN for the HWTACACS scheme

After you specify a VPN for an HWTACACS scheme, all the authentication, authorization, and accounting servers specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server for the scheme, the server belongs to the specific VPN.

To specify a VPN for an HWTACACS scheme:

Step 1. Enter system view.
Command: system-view

Step 2. Enter HWTACACS scheme view.
Command: hwtacacs scheme hwtacacs-scheme-name

Step 3. Specify a VPN for the HWTACACS scheme.
Command: vpn-instance vpn-instance-name

Setting the username format and traffic statistics units

A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP domain to which the user belongs and is used by the firewall to determine which users belong to which ISP domains. However, some HWTACACS servers cannot recognize usernames that contain an ISP domain name. In this case, the firewall must remove the domain name of each username before sending the username. You can set the username format on the firewall for this purpose.

The firewall periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and that for packets on the firewall are consistent with those configured on the HWTACACS servers.

Follow these guidelines when you set the username format and the traffic statistics units for an HWTACACS scheme:

• If an HWTACACS server does not support a username with the domain name, configure the firewall to remove the domain name before sending the username to the server.

• For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same results. They make sure usernames sent to the HWTACACS server carry no ISP domain name.

To set the username format and the traffic statistics units for an HWTACACS scheme:

Step 1. Enter system view.
Command: system-view
Remarks: N/A
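The VPN and username-format procedures above, worked through as an added configuration example that is not from the manual: the scheme name tac-mgmt, the VPN instance names mgmt and oob, the server addresses and the key values are all constructed placeholders, and the primary/secondary authentication server commands with their optional vpn-instance keyword are assumed from the statement that a VPN specified for a server overrides the scheme's VPN.

```text
# Constructed example, not from the manual. Scheme name, VPN names,
# server addresses and key values are placeholders.
system-view
 hwtacacs scheme tac-mgmt
  # Every server in this scheme is reached through VPN instance "mgmt"
  # unless the server is given its own vpn-instance (see below).
  vpn-instance mgmt
  # One shared key per packet type; each must match the value configured
  # on the HWTACACS server. In FIPS mode only ciphertext keys of at least
  # 8 characters are accepted (see the key command above).
  key authentication simple AUTH-KEY-PLACEHOLDER
  key authorization simple AUTHZ-KEY-PLACEHOLDER
  key accounting simple ACCT-KEY-PLACEHOLDER
  # Assumed server commands with constructed addresses: the primary server
  # inherits VPN "mgmt"; the secondary is bound to VPN "oob" instead.
  primary authentication 192.0.2.10
  secondary authentication 192.0.2.11 vpn-instance oob
  # Send only the userid part of userid@isp-name, for servers that cannot
  # parse usernames carrying an ISP domain name.
  user-name-format without-domain
  quit
```

Verify the result with display hwtacacs or the running configuration, checking that the scheme shows the expected VPN instance and that the keys are stored in their ciphertext form.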