Typical Configuration Examples

CloudEngine 16800, 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Logging In to the Device Through STelnet Based on HWTACACS Authentication

Applicable Products and Versions

This example applies to CE12800, CE6800, and CE5800 series switches running V100R001C00 and later versions.

This example applies to CE7800 series switches running V100R003C00 and later versions.

This example applies to CE8800 series switches running V100R006C00 and later versions.

This example applies to CE12800E series switches running V200R002C50 and later versions.

Networking Requirements

The network administrator requires remote management and maintenance of the device, together with high network security to prevent unauthorized access. In addition to login through the HWTACACS server, the administrator needs STelnet login to the switch based on AAA local authentication. In this scenario, STelnet login based on HWTACACS authentication can be configured to meet these requirements.

To ensure that the administrator can still log in to the device locally even when the HWTACACS server is not completely deployed or HWTACACS services are abnormal, STelnet login based on AAA local authentication can be configured.

In Figure 2-15, the switch and HWTACACS server are routable to each other. The IP address of the HWTACACS server is 10.7.66.66/24.

Figure 2-15 Networking diagram of logging in to the device through STelnet based on HWTACACS authentication

Precautions

When configuring STelnet login based on HWTACACS authentication, pay attention to the following points:

  • Ensure that the HWTACACS server IP address, port number, and shared key in the HWTACACS server group are configured correctly and are the same as those on the HWTACACS server.
  • Ensure that at least one user has been configured on the HWTACACS server. In this example, the user name is client001 and the password is Huawei@123.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the HWTACACS protocol to implement HWTACACS authentication.
  2. Log in to the device through STelnet using the user name and password configured on the HWTACACS server, ensuring login security.

Procedure

  1. Configure HWTACACS authentication.

    1. Configure an HWTACACS server template.

      <HUAWEI> system-view
      [~HUAWEI] sysname Switch
      [*HUAWEI] commit
      [~Switch] hwtacacs enable   //Enable the HWTACACS protocol.
      [*Switch] hwtacacs server template shiva   //Create an HWTACACS server template.
      [*Switch-hwtacacs-shiva] hwtacacs server 10.7.66.66 shared-key hello   //Configure the IP address and shared key of the HWTACACS server.
      [*Switch-hwtacacs-shiva] hwtacacs server user-name domain-excluded   //Configure the device to send packets without the domain name to the HWTACACS server.
      [*Switch-hwtacacs-shiva] quit
    2. Create an AAA authentication scheme auth and set the authentication method to HWTACACS.

      [*Switch] aaa
      [*Switch-aaa] authentication-scheme auth   //Create an authentication scheme.
      [*Switch-aaa-authen-auth] authentication-mode hwtacacs   //Set the authentication mode to HWTACACS.
      [*Switch-aaa-authen-auth] quit
    3. Create an AAA authorization scheme auth and set the authorization method to HWTACACS.

      [*Switch-aaa] authorization-scheme auth   //Create an authorization scheme.
      [*Switch-aaa-author-auth] authorization-mode hwtacacs if-authenticated   //Configure the authorization mode.
      [*Switch-aaa-author-auth] authorization-cmd 3 hwtacacs   //Configure command line authorization for users at a specified level.
      [*Switch-aaa-author-auth] quit
    4. Create an AAA accounting scheme auth and set the accounting mode to HWTACACS.

      [*Switch-aaa] accounting-scheme auth   //Create an accounting scheme.
      [*Switch-aaa-accounting-auth] accounting-mode hwtacacs  //Configure the accounting mode.
      [*Switch-aaa-accounting-auth] quit
    5. Create an AAA recording scheme auth to send the records to the HWTACACS server.

      [*Switch-aaa] recording-scheme auth   //Create a recording scheme.
      [*Switch-aaa-recording-auth] recording-mode hwtacacs shiva  //Configure the HWTACACS server template associated with the recording scheme.
      [*Switch-aaa-recording-auth] quit
      [*Switch-aaa] cmd recording-scheme auth   //Apply the recording scheme to command recording so that the commands executed on the device are recorded.
    6. Create the domain admin123 and bind the AAA authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template to the domain.

      [*Switch-aaa] domain admin123   //Create a domain.
      [*Switch-aaa-domain-admin123] authentication-scheme auth   //Configure the authentication scheme for the domain.
      [*Switch-aaa-domain-admin123] authorization-scheme auth   //Configure the authorization scheme for the domain.
      [*Switch-aaa-domain-admin123] accounting-scheme auth   //Configure the accounting scheme for the domain.
      [*Switch-aaa-domain-admin123] hwtacacs server shiva   //Configure the HWTACACS server template for the domain.
      [*Switch-aaa-domain-admin123] quit
      [*Switch-aaa] default-domain admin admin123        //Configure admin123 as the global default administrative domain.
      [*Switch-aaa] quit
      [*Switch] commit

  2. Configure local AAA authentication.

    1. Generate a local key pair on the SSH server.
      [~Switch] dsa local-key-pair create   //Generate a local DSA host key pair and a server key pair.
      Info: The key name will be: Switch_Host_DSA 
      Info: The key modulus can be any one of the following : 2048. 
      Info: Key pair generation will take a short while. 
      Info: Generating keys... 
      Info: Succeeded in creating the DSA host keys. 
      [*Switch] commit
    2. Configure the VTY user interface.
      [~Switch] user-interface vty 0 4   //Enter the user interface views of VTY 0 to VTY 4.
      [~Switch-ui-vty0-4] user privilege level 3   //Set the user level to 3 for VTY 0 to VTY 4.
      [*Switch-ui-vty0-4] authentication-mode aaa   //Set the authentication mode to AAA authentication for VTY 0 to VTY 4.
      [*Switch-ui-vty0-4] protocol inbound ssh   //Configure VTY 0 to VTY 4 to support SSH.
      [*Switch-ui-vty0-4] quit
    3. Create an SSH user named client002.
      [*Switch] aaa
      [*Switch-aaa] domain adminabc
      [*Switch-aaa-domain-adminabc] quit
      [*Switch-aaa] local-user client002@adminabc password irreversible-cipher Huawei@123   //Configure the local user name and password.
      [*Switch-aaa] local-user client002@adminabc level 3   //Set the local user level to 3.
      [*Switch-aaa] local-user client002@adminabc service-type ssh   //Set the service type of the local user to SSH.
      [*Switch-aaa] quit

  3. Configure STelnet login.

    1. Configure password authentication as the default authentication mode for SSH users.
      [*Switch] ssh authentication-type default password    //Configure password authentication as the default authentication mode for SSH users.
    2. Enable the STelnet service on the SSH server.
      [*Switch] stelnet server enable 
      [*Switch] commit

Verifying the Configuration

After the preceding configurations are complete, log in from the PC through STelnet using the user name client001@admin123 (the HWTACACS user name client001 in user name@domain format, so that authentication is performed in the domain admin123) and the password Huawei@123. The login to the switch is successful.

Configuration Files

Switch configuration file (in versions excluding V200R002C50 and V200R003C00)

#
sysname Switch
#
hwtacacs enable
#
hwtacacs server template shiva
 hwtacacs server 10.7.66.66 shared-key cipher %^%#sFV!Arl}ZJJ9sOVpi(:=hP^.~@zCJ8v[dNM7kET6%^%#
 hwtacacs server user-name domain-excluded
# 
aaa
 default-domain admin admin123
 local-user client002@adminabc password irreversible-cipher $1c$+@;Z>3JE9%$BH8mKd;11&g>)o&[}pU0v%\S/>{8e'PzsV;;!`wD$  
 local-user client002@adminabc service-type ssh
 local-user client002@adminabc level 3
 #
 authentication-scheme auth
  authentication-mode hwtacacs
 #
 authorization-scheme default
 #
 authorization-scheme auth
  authorization-mode hwtacacs if-authenticated
  authorization-cmd 3 hwtacacs
 #
 accounting-scheme default
 #
 accounting-scheme auth
  accounting-mode hwtacacs
 #
 domain admin123
  authentication-scheme auth
  authorization-scheme auth
  accounting-scheme auth
  hwtacacs server shiva
 #
 domain adminabc
 #
 recording-scheme auth
  recording-mode hwtacacs shiva
 #
 cmd recording-scheme auth
#
stelnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return

Switch configuration file (in V200R002C50 and V200R003C00)

#
sysname Switch
#
hwtacacs enable
#
hwtacacs server template shiva
 hwtacacs server 10.7.66.66 shared-key cipher %^%#sFV!Arl}ZJJ9sOVpi(:=hP^.~@zCJ8v[dNM7kET6%^%#
 hwtacacs server user-name domain-excluded
# 
aaa
 default-domain admin admin123
 local-user client002@adminabc password irreversible-cipher $1c$+@;Z>3JE9%$BH8mKd;11&g>)o&[}pU0v%\S/>{8e'PzsV;;!`wD$  
 local-user client002@adminabc service-type ssh
 local-user client002@adminabc level 3
 #
 authentication-scheme auth
  authentication-mode hwtacacs
 #
 authorization-scheme default
 #
 authorization-scheme auth
  authorization-mode hwtacacs if-authenticated
  authorization-cmd 3 hwtacacs
 #
 accounting-scheme default
 #
 accounting-scheme auth
  accounting-mode hwtacacs
 #
 domain admin123
  authentication-scheme auth
  authorization-scheme auth
  accounting-scheme auth
  hwtacacs server shiva
 #
 domain adminabc
 #
 recording-scheme auth
  recording-mode hwtacacs shiva
 #
 cmd recording-scheme auth
#
stelnet ipv4 server enable
stelnet ipv6 server enable
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return
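As an added example (not part of the Huawei document), the following Python script audits a CloudEngine configuration dump in the format shown above for the controls this example depends on: HWTACACS enabled, a server with a shared key behind the template bound to each domain, VTY lines restricted to AAA authentication and inbound SSH, the STelnet server enabled, and a local SSH user for fallback when the HWTACACS server is unreachable. The embedded configuration is a constructed excerpt with the secrets replaced by placeholders.

```python
# Added example, not from the Huawei document: offline audit of a CloudEngine config dump.
import re

# Constructed excerpt in the format of the configuration file above; the shared key is a placeholder.
SAMPLE_CONFIG = """\
hwtacacs enable
hwtacacs server template shiva
 hwtacacs server 10.7.66.66 shared-key cipher %^%#REDACTED%^%#
#
aaa
 local-user client002@adminabc service-type ssh
 authentication-scheme auth
  authentication-mode hwtacacs
 domain admin123
  authentication-scheme auth
  hwtacacs server shiva
stelnet server enable
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
"""

def flatten(text):  # turn the indentation-based config into "parent/child" paths (one space per level)
    paths, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        stack = stack[:depth] + [line]
        paths.append("/".join(stack))
    return paths

def audit(text):  # return findings for missing controls; an empty list means all checks passed
    p, found = flatten(text), []
    if "hwtacacs enable" not in p:
        found.append("hwtacacs enable is missing")
    for path in p:  # every domain bound to a template needs a server with a shared key in that template
        m = re.fullmatch(r"aaa/domain (\S+)/hwtacacs server (\S+)", path)
        if m and not any(re.fullmatch(rf"hwtacacs server template {re.escape(m[2])}/hwtacacs server \S+ shared-key .+", q)
                         for q in p):
            found.append(f"domain {m[1]}: template {m[2]} has no server with a shared key")
    for ui in [q for q in p if q.startswith("user-interface vty") and "/" not in q]:
        for need in ("authentication-mode aaa", "protocol inbound ssh"):
            if f"{ui}/{need}" not in p:
                found.append(f"{ui}: '{need}' is missing")
    if not {"stelnet server enable", "stelnet ipv4 server enable"} & set(p):
        found.append("STelnet server is not enabled")
    if not any(re.fullmatch(r"aaa/local-user \S+ service-type .*\bssh\b.*", q) for q in p):
        found.append("no local SSH user for fallback when the HWTACACS server is unreachable")
    return found
```

Feed it the output of the switch's configuration file (or `display current-configuration`) to confirm a device matches this example before relying on it.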
Updated: 2020-01-07

Document ID: EDOC1000039339