The TACACS client and server adopt the MD5 algorithm to encrypt HWTACACS messages before exchanging them. Each party verifies the validity of the HWTACACS messages it receives by using the shared key configured on it, and the two parties can accept and respond to each other's messages only when both hold the same shared key.
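
The shared-key mechanism described above, as an added example that is not taken from the 3Com manual: TACACS+ (RFC 8907) derives an MD5 keystream from the session ID, the shared key, the version byte and the sequence number, and XORs it over the message body; RFC 8907 calls this obfuscation, not authenticated encryption, so the secrecy of the key is what stands between the body and anyone on the path. HWTACACS is assumed here to follow the same construction, and the session ID, key and user fields are constructed sample values.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) framing; HWTACACS is assumed here to use the same MD5 pseudo-pad scheme.
VERSION = 0xC0                  # major version 0xC, minor version 0
ACTIONS = {1, 2, 4}             # LOGIN, CHPASS, SENDAUTH
AUTHEN_TYPES = {1, 2, 3, 5, 6}  # ASCII, PAP, CHAP, MSCHAP, MSCHAPv2

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream derived from the shared key (RFC 8907 section 4.5):
    MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): action=LOGIN, priv_lvl=1,
    authen_type=PAP, authen_service=LOGIN, four length bytes, then the variable fields."""
    header = struct.pack("!8B", 1, 1, 2, 1, len(user), len(port), len(rem_addr), len(data))
    return header + user + port + rem_addr + data

def start_body_is_consistent(body: bytes) -> bool:
    """Server-side plausibility check. With a mismatched shared key the recovered
    bytes are effectively random, so these field checks fail and the message is dropped."""
    if len(body) < 8 or body[0] not in ACTIONS or body[2] not in AUTHEN_TYPES:
        return False
    return 8 + sum(body[4:8]) == len(body)

def decode_with_key(wire_body: bytes, session_id: int, key: bytes, seq_no: int):
    """Return (accepted, body) as a server holding `key` would see the message."""
    body = obfuscate(wire_body, session_id, key, seq_no)
    return start_body_is_consistent(body), body

if __name__ == "__main__":
    # Constructed sample session: client and server share the key, a third party does not.
    session_id, key = 0x1A2B3C4D, b"sharedkey"
    wire = obfuscate(build_authen_start(b"alice", b"tty0", b"10.0.0.5", b""), session_id, key, 1)
    print("same key accepted:", decode_with_key(wire, session_id, key, 1)[0])          # True
    print("other key accepted:", decode_with_key(wire, session_id, b"otherkey", 1)[0])  # False
```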

Follow these steps to configure shared keys for HWTACACS messages:

To do: Enter system view
Command: system-view

To do: Create a HWTACACS scheme and enter its view
Command: hwtacacs scheme hwtacacs-scheme-name
Remarks: Required. By default, no HWTACACS scheme exists.

To do: Set a shared key for HWTACACS authentication, authorization or accounting messages
Command: key { accounting | authorization | authentication } string
Remarks: Required. By default, no such key is set.


Configuring the Attributes of Data to be Sent to TACACS Servers

Follow these steps to configure the attributes for data to be sent to TACACS servers:

To do: Enter system view
Command: system-view

To do: Create a HWTACACS scheme and enter its view
Command: hwtacacs scheme hwtacacs-scheme-name
Remarks: Required. By default, no HWTACACS scheme exists.

To do: Set the format of the user names to be sent to the TACACS server
Command: user-name-format { with-domain | without-domain }
Remarks: Optional. By default, the user names sent from the device to the TACACS server carry ISP domain names.

To do: Set the units of data flows to TACACS servers
Command: data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
         data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
Remarks: Optional. By default, in a TACACS scheme, the data unit and packet unit for outgoing HWTACACS flows are byte and one-packet respectively.

To do: Set the source IP address of outgoing HWTACACS messages
Command: nas-ip ip-address (in HWTACACS scheme view)
         hwtacacs nas-ip ip-address (in system view)
Remarks: Optional. By default, no source IP address is set; the IP address of the corresponding outbound interface is used as the source IP address.
