Configuring Data Center Network Management (HWTACACS Authentication)
Networking Requirements
An enterprise data center network is complex. To keep it secure and stable, the enterprise needs to monitor the network in real time and restrict administrator login rights. A network management system (NMS) meets both requirements.
As shown in Figure 2-39, IP addresses have been configured on the network devices, and there are reachable routes between the network devices, the HWTACACS server and the NMS. Users may log in to a device only after passing HWTACACS authentication. The NMS monitors the entire network and receives the traps and logs sent by each managed device.
Configuration Roadmap
- Configure HWTACACS so that users logging in to the device through STelnet are authenticated with the user name and password held on the HWTACACS server, not with a local account. This centralizes credential management and lets the enterprise control who can administer the devices.
- Configure STelnet. STelnet (SSH) provides an encrypted and authenticated remote login over an untrusted network, protecting the confidentiality and integrity of the management session.
- Configure SNMP. Use SNMPv3 with both authentication and encryption (authPriv) so that the connection between the device and the NMS is authenticated and confidential; the NMS can then centrally manage all network devices.
- Configure the device to send logs and traps to the NMS through SNMP.
The following configuration is performed on SwitchA. The other devices are configured in the same way.
Ensure that the HWTACACS server IP address, port number and shared key configured in the HWTACACS server template on the switch are correct and match those configured on the HWTACACS server; a mismatch in any of the three causes every login to fail.
Ensure that at least one user has been configured on the HWTACACS server. In this example the user name is admin@admin123 (user admin in domain admin123) and the password is huawei@1234.
If multiple users are configured on the HWTACACS server, you are advised to run the ssh authentication-type default password command so that password authentication is the default for all SSH users. This avoids creating a separate ssh user entry with authentication-type password for each user and simplifies the configuration.
Procedure
- Configure HWTACACS.
- Configure STelnet.
- Configure the SNMP function.
- Configure the device to send logs and traps to the NMS through SNMP.
[~SwitchA] info-center source default channel 5 log state on
[~SwitchA] commit
Verifying the Configuration
The configuration is successful if the following conditions are met:
- You can successfully log in to the device through STelnet by using the user name and password configured on the HWTACACS server.
- After you perform operations on the device, the NMS receives the resulting logs and traps over SNMP.
Configuration File
#
sysname SwitchA
#
info-center source default channel 5 log state on
#
hwtacacs enable
#
hwtacacs server template ht
 hwtacacs server authentication 10.7.66.66
 hwtacacs server shared-key cipher %^%#ysFK('!^0Wz][c#{!F(O]=t6.;g.'>E49.;k#gd<%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version.
#
aaa
 #
 authentication-scheme auth
  authentication-mode hwtacacs
 #
 domain admin123
  authentication-scheme auth
  hwtacacs server ht
#
snmp-agent
snmp-agent local-engineid 800007DB03306B20792201
#
snmp-agent sys-info version v3
snmp-agent group v3 admingroup privacy write-view iso-view notify-view iso-view
snmp-agent target-host host-name nms trap address udp-domain 10.7.60.66 params securityname adminuser v3 privacy
#
snmp-agent mib-view included iso-view iso
snmp-agent usm-user v3 adminuser
snmp-agent usm-user v3 adminuser group admingroup
snmp-agent usm-user v3 adminuser authentication-mode sha cipher %^%#/d6nQ7mD^%v]l%(F!H_0Z=2L>3&cJ.G]Yt=:YdN0%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version.
snmp-agent usm-user v3 adminuser privacy-mode aes128 cipher %^%#\v7aU_Bx6QYP[SP)*B'ARgceMAS<D<BxG7AMhv(;%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version.
#
stelnet server enable
ssh user admin@admin123
ssh user admin@admin123 authentication-type password
ssh user admin@admin123 service-type stelnet
ssh authorization-type default aaa  //This command is supported since V100R005C10
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return
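The configuration above establishes three management-plane controls: login authentication delegated to HWTACACS, SSH-only VTY access with AAA, and SNMPv3 with authentication and privacy. The following Python script is an added example, not Huawei documentation or device code: it reads a VRP-style configuration text (for example the output of display current-configuration, copied from the device) and reports which of those controls are missing or weakened. Both embedded configurations are constructed for the example; the cipher fields are placeholders, and the weak configuration is written to show what the checks catch (cleartext Telnet, password-only VTY authentication, an SNMP community string, an MD5-authenticated SNMPv3 user). The parser only understands the line-oriented layout shown above, where indented lines belong to the preceding unindented command.

```python
"""Audit a Huawei VRP-style running configuration for the management-plane controls
this page sets up: HWTACACS-backed AAA, SSH-only VTY access and SNMPv3 authPriv.
Added example, not Huawei documentation or device code."""
import re

def parse_blocks(config):
    """Return [(command, [indented child lines])]; '#' separators and '//' comments are dropped."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].rstrip()
        if not line.strip() or line.strip() == "#":
            continue
        if line.startswith(" ") and header is not None:
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    top, f = [h for h, _ in blocks], []
    # 1. Login authentication is delegated to HWTACACS: template with server and key, scheme, domain.
    if "hwtacacs enable" not in top:
        f.append("HWTACACS not enabled")
    tmpl = [b for h, b in blocks if h.startswith("hwtacacs server template")]
    if not any(any(c.startswith("hwtacacs server authentication") for c in b) and
               any(c.startswith("hwtacacs server shared-key cipher") for c in b) for b in tmpl):
        f.append("no HWTACACS template with authentication server and shared key")
    aaa = next((b for h, b in blocks if h == "aaa"), [])
    if "authentication-mode hwtacacs" not in aaa:
        f.append("no authentication-scheme using hwtacacs")
    if not any(c.startswith("hwtacacs server ") for c in aaa):
        f.append("no domain bound to a HWTACACS server template")
    # 2. Remote CLI access: STelnet only, no cleartext Telnet, AAA on every VTY.
    if "stelnet server enable" not in top:
        f.append("STelnet server not enabled")
    if "telnet server enable" in top:
        f.append("Telnet server enabled (cleartext management)")
    for h, b in blocks:
        if h.startswith("user-interface vty"):
            if "authentication-mode aaa" not in b:
                f.append(f"{h}: authentication-mode is not aaa")
            if [c for c in b if c.startswith("protocol inbound")] != ["protocol inbound ssh"]:
                f.append(f"{h}: inbound protocol is not restricted to ssh")
    # 3. SNMP: v3 enabled, no v1/v2c community strings, privacy groups, no MD5/DES users.
    if "snmp-agent sys-info version v3" not in top:
        f.append("SNMPv3 not enabled")
    if any(h.startswith("snmp-agent community") for h in top):
        f.append("SNMP community string configured (v1/v2c access)")
    for h in top:
        m = re.match(r"snmp-agent group v3 (\S+) (\S+)", h)
        if m and m.group(2) != "privacy":
            f.append(f"SNMPv3 group {m.group(1)} does not require privacy")
        m = re.match(r"snmp-agent usm-user v3 (\S+) (authentication|privacy)-mode (\S+)", h)
        if m and m.group(3) in ("md5", "des56"):
            f.append(f"SNMPv3 user {m.group(1)} uses weak {m.group(3)}")
    return f

# Constructed sample configurations (cipher fields are placeholders, not real device output).
HARDENED = """\
hwtacacs enable
hwtacacs server template ht
 hwtacacs server authentication 10.7.66.66
 hwtacacs server shared-key cipher %^%#constructed%^%#
aaa
 authentication-scheme auth
  authentication-mode hwtacacs
 domain admin123
  authentication-scheme auth
  hwtacacs server ht
snmp-agent sys-info version v3
snmp-agent group v3 admingroup privacy write-view iso-view notify-view iso-view
snmp-agent usm-user v3 adminuser authentication-mode sha cipher %^%#constructed%^%#
snmp-agent usm-user v3 adminuser privacy-mode aes128 cipher %^%#constructed%^%#
stelnet server enable
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
"""
WEAK = """\
snmp-agent community read cipher %^%#constructed%^%#
snmp-agent usm-user v3 legacy authentication-mode md5 cipher %^%#constructed%^%#
telnet server enable
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg) or "OK")
```

The script checks only what is visible on the switch. It cannot confirm that the shared key, port number and user accounts match what the HWTACACS server holds, which is why the verification step above still requires an actual STelnet login with a server-side account.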