Configuring Data Center Network Management (HWTACACS Authentication)

CloudEngine 16800, 12800, 9800, 8800, 7800, 6800, and 5800 Series Switches Typical Configuration Examples (V100 and V200)

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Applicable Products and Versions

This example applies to all models and versions.

For details about the mapping between software versions and switch models, see the Hardware Query Tool.

Networking Requirements

A data center network of an enterprise is complex. To ensure security and stability of the network, the enterprise needs to monitor the network in real time and restrict login rights of the administrator. A network management system can meet the preceding requirements.

As shown in Figure 2-39, the IP addresses have been configured for the network devices and there is a reachable route between the HWTACACS server and NMS. Users are allowed to log in to the device only after passing the HWTACACS authentication. The NMS monitors the entire network, and receives the traps and logs from each host.

Figure 2-39 Configuring data center network management (HWTACACS authentication)

Configuration Roadmap

The configuration roadmap is as follows:

Configure the HWTACACS protocol to implement HWTACACS authentication. To log in to the device through STelnet, users are authenticated by using the user name and password configured on the HWTACACS server, ensuring user security.
Configure STelnet. The STelnet protocol implements secure remote logins on insecure networks, which ensures data integrity and reliability and guarantees secure data transmission.
Configure the SNMP function. The authentication and encryption methods of SNMPv3 are used to ensure the security of connection between the device and NMS. The NMS can centrally manage all network devices.
Configure the device to send logs and traps to the NMS through SNMP.

The following configurations are performed on SwitchA. The configurations on other devices are the same as the configurations on SwitchA.

Ensure that the HWTACACS server IP address, port number, and shared key in the HWTACACS server group are configured correctly and are the same as those on the HWTACACS server.

Ensure that at least one user has been configured on the HWTACACS server. In this example, the user name is admin@admin123 and the password is huawei@1234.

If multiple users are configured on the HWTACACS server, you are advised to run the ssh authentication-type default password command to use the preset password authentication mode for local users to simplify the configuration.

Procedure

Configure HWTACACS.

Configure an HWTACACS server template.

<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[~HUAWEI] commit
[~SwitchA] hwtacacs enable
[~SwitchA] hwtacacs server template ht
[~SwitchA-hwtacacs-ht] hwtacacs server authentication 10.7.66.66 49        //Configure the IP address and port number of the HWTACACS server.
[~SwitchA-hwtacacs-ht] hwtacacs server shared-key cipher hello              //Configure the shared key for the HWTACACS server.
[~SwitchA-hwtacacs-ht] quit

Create an AAA scheme auth and set the authentication method to HWTACACS.

[~SwitchA] aaa
[~SwitchA-aaa] authentication-scheme auth
[~SwitchA-aaa-authen-auth] authentication-mode hwtacacs
[~SwitchA-aaa-authen-auth] quit

Create the domain admin123 and bind the AAA scheme auth and HWTACACS server group ht to the domain.

[~SwitchA-aaa] domain admin123
[~SwitchA-aaa-domain-admin123] authentication-scheme auth
[~SwitchA-aaa-domain-admin123] hwtacacs server ht
[~SwitchA-aaa-domain-admin123] quit
[~SwitchA-aaa] quit
[~SwitchA] commit

Configure STelnet.

Configure the device to support STelnet.

[~SwitchA] rsa local-key-pair create
The key name will be: SwitchA_Host                                
The range of public key size is (512 ~ 2048).                                   
NOTE: If the key modulus is greater than 512,                                   
      it will take a few minutes.                                               
Input the bits in the modulus [default = 2048] : 2048  //For device security purposes, you are advised to use the default value. In versions from V200R001C00 to V200R019C00, only 2048 bits are supported, and you do not need to enter the value. In V200R019C10 and later versions, 2048 bits and 3072 bits are supported. The value defaults to 3072 bits.
[~SwitchA] stelnet server enable

Configure the SSH user login interface.

[~SwitchA] user-interface vty 0 4
[~SwitchA-ui-vty0-4] authentication-mode aaa
[~SwitchA-ui-vty0-4] protocol inbound ssh
[~SwitchA-ui-vty0-4] user privilege level 3
[~SwitchA-ui-vty0-4] quit

Configure the SSH user admin@admin123.

[~SwitchA] ssh user admin@admin123 authentication-type password
[~SwitchA] ssh user admin@admin123 service-type stelnet
[~SwitchA] commit

Configure the SNMP function.

Connect the SNMP agent to the NMS.

[~SwitchA] snmp-agent sys-info version v3
[~SwitchA] snmp-agent mib-view included iso-view iso
[~SwitchA] snmp-agent group v3 admingroup privacy write-view iso-view notify-view iso-view
[~SwitchA] snmp-agent usm-user v3 adminuser admingroup authentication-mode sha Admin@1234 privacy-mode aes128 Helloworld@6789   //Authentication methods include MD5 and SHA. SHA has higher security and MD5 has higher speed. In this example, SHA is used as an example. Encryption methods include 3DES168, AES128, AES192, AES256, and DES56. ASE has a higher security. In this example, AES128 is used.

Configure the trap host.

[~SwitchA] snmp-agent target-host host-name nms trap address udp-domain 10.7.60.66 params securityname adminuser v3 privacy  //The security level of trap host must be the same as or higher than the user security level. In this example, the level is set to privacy (authentication and encryption).
[~SwitchA] commit

Configure the device to send logs and traps to the NMS through SNMP.

[~SwitchA] info-center source default channel 5 log state on
[~SwitchA] commit

Verifying the Configuration

The configuration is successful if the following conditions are met:

You can successfully log in to the device through STelnet by using the user name and password configured on the HWTACACS server.
When you perform operations on the device through SNMP, the NMS can receive the logs and traps.

Configuration File

Configuration file of SwitchA

#
sysname SwitchA
#
info-center source default channel 5 log state on
#
hwtacacs enable
#
hwtacacs server template ht
 hwtacacs server authentication 10.7.66.66
 hwtacacs server shared-key cipher %^%#ysFK('!^0Wz][c#{!F(O]=t6.;g.'>E49.;k#gd<%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
#
aaa
 #
 authentication-scheme auth
  authentication-mode hwtacacs
 #
 domain admin123
  authentication-scheme auth
  hwtacacs server ht
#
snmp-agent
snmp-agent local-engineid 800007DB03306B20792201
#
snmp-agent sys-info version v3
snmp-agent group v3 admingroup privacy write-view iso-view notify-view iso-view
snmp-agent target-host host-name nms trap address udp-domain 10.7.60.66 params securityname adminuser v3 privacy
#
snmp-agent mib-view included iso-view iso
snmp-agent usm-user v3 adminuser
snmp-agent usm-user v3 adminuser group admingroup
snmp-agent usm-user v3 adminuser authentication-mode sha cipher %^%#/d6nQ7mD^%v]l%(F!H_0Z=2L>3&cJ.G]Yt=:YdN0%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
snmp-agent usm-user v3 adminuser privacy-mode aes128 cipher %^%#\v7aU_Bx6QYP[SP)*B'ARgceMAS<D<BxG7AMhv(;%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
#
stelnet server enable
ssh user admin@admin123
ssh user admin@admin123 authentication-type password
ssh user admin@admin123 service-type stelnet
ssh authorization-type default aaa  //This command is supported since V100R005C10
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return

Translation

Español Français 日本語 Русский 简体中文

Download

Updated: 2021-10-21

Document ID: EDOC1000039339

Downloads: 10364

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode