94
{ In FIPS mode, the key is a string of 15 to 373 characters.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
{ In non-FIPS mode, the key is a string of 1 to 255 characters.
{ In FIPS mode, the key is a string of 15 to 255 characters. The string must contain digits,
uppercase letters, lowercase letters, and special characters.
single-connection: The device and the secondary HWTACACS authorization server use the same TCP
connection to exchange all authorization packets for all users. If you do not specify this keyword, the
device establishes a new TCP connection each time it exchanges authorization packets with the
secondary authorization server for a user. If the HWTACACS server supports the single-connection
method, HP recommends that you specify this keyword to reduce TCP connections for improving system
performance.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS
authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If
the server is on the public network, do not specify this option.
Usage guidelines
Make sure that the port number and shared key settings of the secondary HWTACACS authorization
server are the same as those configured on the server.
You can configure up to 16 secondary HWTACACS authorization servers for an HWTACACS scheme.
If the primary server fails, the device tries to communicate with a secondary server in active state. The
device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authorization command, the command
removes all secondary authorization servers.
Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address,
port number, and VPN settings.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified
for the HWTACACS scheme.
You can remove an authorization server only when it is not used for user authorization. Removing an
authorization server affects only authorization processes that occur after the remove operation.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in
ciphertext.
Examples
# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and
plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple
123456TESTautr&!
Related commands
• display hwtacacs scheme
• key (HWTACACS scheme view)
• primary authorization
• vpn-instance (HWTACACS scheme view)
To Next Page
Loading...
Need help?
General
