Typical networking configuration case of H3C S3600 hwtacacs

Networking and description

In this case, the S3600 switch is used to deploy hwtacacs and link with IMC TAM to achieve the effect of security management equipment.

IMC version is PLAT 7.3 E0506P03

The S3600 version information is as follows:

H3C Comware Platform Software

Comware Software, Version 5.20, Release 2112

Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.

H3C S3600V2-28TP-EI uptime is 0 week, 4 days, 21 hours, 25 minutes

H3C S3600V2-28TP-EI with 1 Processor

256M    bytes SDRAM

2M      bytes Nor Flash Memory

128M    bytes Nand Flash Memory

Config Register points to Nand Flash

Hardware Version is Ver.A

CPLD Version is 001

BootRom Version is 133

[SubSlot 0] 24FE+4SFP+2Combo GE Hardware Version is Ver.A

Configuration steps

The key points of IMC TAM deployment are as follows:

  • Authorization scenario conditions:

Equipment area management, equipment type management, authorization period policy management

  • Authorization command configuration:

Shell profile configuration, command set configuration

  • Equipment management:

Configure shared key, bound device area, bound device type

  • Add user name and password

Switch deployment hwtacacs

Configure keys

Configure "authorization scenario conditions"

Add device area management

Set area name

Set device management type


Set "authorization period policy management"

Add, set "authorization period policy name", "effective time" and "expiration time"

Set "authorization command configuration" - "shell profile configuration"

Set "shell profile name" - "authorization level"

Set command set configuration

Set command set name and default authorization method

Configure device management

Add device, set "shared key", "confirm shared key", bind "device area", "device type"

Configure authorization management

Bind "device area" - "device type" - "authorization period" - "shell profile" - "authorization command set"

Configure "user device grouping", set "group name" - "authorization policy"

Set device user management - all device users

Set "account name" - "login password" - "login password confirmation" - "device user group" - "user's authorization policy"

The configuration of S3600 hwtacacs is as follows:

hwtacacs scheme shebeiguanli

 primary authentication

 primary authorization

 primary accounting

 key authentication  nnhwtacacs

 key authorization  nnhwtacacs

 key accounting  nnhwtacacs

 user-name-format without-domain

 domain tamdm

 authentication login hwtacacs-scheme shebeiguanli local

 authorization login hwtacacs-scheme shebeiguanli local

 accounting login hwtacacs-scheme shebeiguanli local

 authorization command hwtacacs-scheme shebeiguanli local

 accounting optional


local-user admin

 service-type  terminal ssh


user-interface vty 0 15

authentication-mode scheme

command accounting

command authorization


domain default enable tamdm

To view the hwtacacs status:

dis hwtacacs

HWTACACS scheme name : shebeiguanli

 Primary Authen Server:

   IP:                               Port: 49     State: Active

   VPN instance   : Not configured

   Encryption Key : Not configured

 Primary Author Server:

   IP:                               Port: 49     State: Active

   VPN instance   : Not configured

   Encryption Key : Not configured

 Primary Account Server:

   IP:                               Port: 49     State: Active

   VPN instance   : Not configured

   Encryption Key : Not configured

 NAS IP address                                 :

 Authentication key                             : ******

 Authorization key                              : ******

 Accounting key                                 : ******

 VPN instance                                   : Not configured

 Quiet interval(min)                            : 5

 Realtime accounting interval(min)              : 12

 Response timeout interval(sec)                 : 5

 Retransmission times of stop-accounting packet : 100

 Username format                                : without-domain

 Data flow unit                                 : Byte

 Packet unit                                    : one


 Total 1 HWTACACS scheme(s).

To view the status of a domain:

dis domain tamdm

  Domain: tamdm

  State: Active

  Access-limit: Disabled

  Accounting method: Optional

  Default authentication scheme      : local

  Default authorization scheme       : local

  Default accounting scheme          : local

  Login authentication scheme        : hwtacacs:shebeiguanli, local

  Login authorization scheme         : hwtacacs:shebeiguanli, local

  Login accounting scheme            : hwtacacs:shebeiguanli, local

  Command authorization scheme       : hwtacacs:shebeiguanli, local

  Domain User Template:

  Idle-cut : Disabled

  Self-service : Disabled

  Authorization attributes:

So far, the typical networking configuration case of S3600 hwtacacs has been completed!

Reference link:

Technology: typical networking configuration case of S3600 hwtacacs https://mp.weixin.qq.com/s/5L2BCko8rUf8jNUFmEzYmw

Tags: shell VPN ssh

Posted on Sun, 28 Jun 2020 23:03:25 -0400 by MartinGr