
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring AAA

This section describes the AAA configuration procedure.

Configuring Local Authentication and Authorization

After local authentication and authorization are configured, the device authenticates and authorizes access users based on the local user information.

Local Authentication and Authorization

In local authentication and authorization, user information, including the local user name, password, and attributes, is configured on the device. Local authentication and authorization offer fast processing and low operating cost, but the amount of user information that can be stored is limited by the device hardware capacity.

Configuration Process
Configuring AAA Schemes

Context

To use local authentication and authorization, set the authentication mode in an authentication scheme to local authentication and the authorization mode in an authorization scheme to local authorization.

By default, the device performs local authentication and authorization for access users.

Procedure

  • Configuring an authentication scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      authentication-scheme authentication-scheme-name

      An authentication scheme is created, and the corresponding authentication scheme view or an existing authentication scheme view is displayed.

      By default, there is an authentication scheme named default on the device. This default scheme can be modified but cannot be deleted.

    4. Run:

      authentication-mode local

      The authentication mode is set to local authentication.

      By default, local authentication is used.

    5. Run:

      commit

      The configuration is committed.

  • Configuring an authorization scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      authorization-scheme authorization-scheme-name

      An authorization scheme is created, and the corresponding authorization scheme view or an existing authorization scheme view is displayed.

      By default, there is a default authorization scheme named default on the device. This default authorization scheme can be modified but cannot be deleted.

    4. Run:

      authorization-mode local [ none ]

      The authorization mode is configured.

      By default, local authorization is used.

    5. Run:

      quit

      The AAA view is displayed.

    6. (Optional) Run:

      task-group task-group-name

      A task group is created and the task group view is displayed.

      By default, no task group is configured.

    7. (Optional) Run:

      task task-name { debug | execute | read | write } *

      A task is added to a task group.

      By default, no task is added to a task group.

    8. (Optional) Run:

      include task-group task-group-name

      The right of a specified task group is added to the current task group.

      By default, the right inclusion relationship with other task groups is not added to the current task group.

      If the rights of the current task group need to include all rights of another task group or the current task group needs to inherit the rights of existing task groups, you can run the include task-group command to configure the inclusion relationship between task groups and add rights of a specified task group to the current task group.

      The rights of the current task group depend on the rights of the included task group. When the rights of the included task group are changed, the rights of the current task group are changed accordingly.

    9. (Optional) Run:

      rule command rule-name permit view view-name expression command-string

      A right rule that controls command-line execution rights is created in the current task group.

      By default, no command-line right rule is configured in a task group.

      This command has a more refined execution result than the task command. It can authorize or forbid a command line or a batch of command lines with the same prefix in the task group.

      In the same task group, the rule command command has a higher priority than the task command. When the right configuration of the rule command command conflicts with that of the task command, the right configuration of the rule command command takes effect.

    10. (Optional) Run:

      quit

      The AAA view is displayed.

    11. (Optional) Run:

      user-group user-group-name

      A user group is created and the user group view is displayed.

      By default, no user group is created.

    12. (Optional) Run:

      task-group task-group-name

      The task group is bound to the user group.

      By default, no task group is added in the user group.

    13. (Optional) Run:

      include user-group user-group-name

      The right of a specified user group is added to the current user group.

      By default, the right inclusion relationship with other user groups is not added to the current user group.

      If the rights of the current user group need to include all rights of another user group or the current user group needs to inherit the rights of existing user groups, you can run the include user-group command to configure the inclusion relationship between user groups and add rights of a specified user group to the current user group.

      The rights of the current user group depend on the right of the included user group. When the rights of the included user group are changed, the rights of the current user group are changed accordingly.

    14. (Optional) Run:

      rule command rule-name { permit | deny } view view-name expression command-string

      A right rule is configured in the current user group to specify the execution right for command lines.

      By default, no command-line right rule is configured in a user group.

      When task authentication is performed, the right rule in the user group (the rule command in the user group view), the right rule in the task group (the rule command in the task group view), and the task in the task group (the task command) are matched in the following order of priority: the right rule in the user group (including right rules configured directly and those inherited using the include user-group command) > the right rule in the task group > the task in the task group.

      When the right configuration of the user group conflicts with the right rules inherited from other user groups using the include user-group command, the right configuration of the user group takes effect.

    15. Run:

      commit

      The configuration is committed.
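
The matching order described in steps 6 to 14 above (user-group rule > task-group rule > task, with rights inherited through include task-group and include user-group) can be checked offline with the following added Python model. It is not Huawei code; it assumes that a rule expression matches every command line sharing that prefix, that task-group rules are permit-only as in step 9, and that the first keyword of a command line identifies the task it belongs to (a constructed mapping).

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """A 'rule command' entry: matches a command-line prefix in a given view."""
    view: str
    expression: str       # command-string; matches every command line with this prefix
    permit: bool = True   # task-group rules are permit-only; user-group rules may also deny

    def matches(self, view, command):
        return self.view == view and command.startswith(self.expression)


@dataclass
class TaskGroup:
    name: str
    tasks: dict = field(default_factory=dict)      # task-name -> set of rights (debug/execute/read/write)
    rules: list = field(default_factory=list)      # Rule objects configured in this task group
    includes: list = field(default_factory=list)   # task groups added with 'include task-group'

    def all_tasks(self):
        """Own tasks plus those inherited from included task groups (evaluated dynamically)."""
        merged = {}
        for tg in self.includes:
            for task, rights in tg.all_tasks().items():
                merged.setdefault(task, set()).update(rights)
        for task, rights in self.tasks.items():
            merged.setdefault(task, set()).update(rights)
        return merged

    def all_rules(self):
        return list(self.rules) + [r for tg in self.includes for r in tg.all_rules()]


@dataclass
class UserGroup:
    name: str
    task_groups: list = field(default_factory=list)   # bound with 'task-group' in the user-group view
    rules: list = field(default_factory=list)
    includes: list = field(default_factory=list)      # user groups added with 'include user-group'

    def all_rules(self):
        # Own rules come first so that they win over rules inherited via 'include user-group'.
        return list(self.rules) + [r for ug in self.includes for r in ug.all_rules()]

    def all_task_groups(self):
        return list(self.task_groups) + [tg for ug in self.includes for tg in ug.all_task_groups()]


def is_authorized(user_group, view, command, right, command_to_task):
    """Decide whether a command may run, in the guide's matching order:
    user-group rule > task-group rule > task in the task group."""
    for rule in user_group.all_rules():
        if rule.matches(view, command):
            return rule.permit
    for tg in user_group.all_task_groups():
        for rule in tg.all_rules():
            if rule.matches(view, command):
                return rule.permit
    # Assumption: the first keyword of a command line identifies its task.
    task = command_to_task.get(command.split()[0])
    for tg in user_group.all_task_groups():
        if right in tg.all_tasks().get(task, set()):
            return True
    return False


def demo():
    """Constructed sample configuration; returns the decision for four command lines."""
    monitor = TaskGroup("monitor", tasks={"display-task": {"read", "execute"}})
    operator = TaskGroup("operator", includes=[monitor],
                         rules=[Rule("system", "reboot")])
    ops = UserGroup("ops", task_groups=[operator],
                    rules=[Rule("user", "display current-configuration", permit=False)])
    command_to_task = {"display": "display-task"}
    checks = [("user", "display version", "execute"),
              ("user", "display current-configuration", "execute"),
              ("system", "reboot", "execute"),
              ("user", "save", "write")]
    return {cmd: is_authorized(ops, view, cmd, right, command_to_task)
            for view, cmd, right in checks}
```

The deny rule in the user group wins over the read/execute right that the ops group inherits from the monitor task group, while the permit rule in the operator task group grants reboot without any task entry.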

Configuring a Local User

Context

When local authentication and authorization are configured, configure authentication and authorization information on the device, including the user name, password, and user level.

NOTE:

After you change the rights (including the password, access type, FTP directory, and level) of a local account, the rights of users already online do not change. The change takes effect to users who go online after the change.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    aaa

    The AAA view is displayed.

  3. Run:

    local-user user-name password [ irreversible-cipher irreversible-cipher-password ]

    A local user is created and the user password is configured.

    By default, the system has no local user.

    NOTE:

    If the value includes @, the characters before @ are the user name and the characters after @ are the domain name. If the value excludes @, the entire string is the user name. Ordinary users are authenticated in the default domain, and management users are authenticated in the default_admin domain.

    The method of entering passwords in plain text has security risks. The interaction method is recommended.

  4. (Optional) Run:

    local-user user-name service-type { all | none | [ ftp | snmp | ssh | telnet | terminal ] * }

    The access type is configured for the local user.

    By default, a local user cannot use any access type.

  5. (Optional) Run:

    local-user user-name ftp-directory directory

    The FTP directory right of the local user is configured.

    By default, the FTP directory of the local user is empty.

    NOTE:

    If the access type of the local user is set to FTP, the FTP directory of the local user must be configured and the level of local user cannot be lower than management level. Otherwise, FTP user login will fail.

  6. (Optional) Run:

    local-user user-name level level

    The level of the local user is configured.

    By default, the priority of a local user is assigned by a user management module.

  7. (Optional) Run:

    local-user user-name state { active | block [ fail-times fail-times-value interval interval-value ] }

    The state of the local user is configured.

    By default, a local user is in active state.

    The device processes requests from users in different states as follows:

    • If a local user is in active state, the device accepts and processes the authentication request from the user.

    • If a local user is in blocking state, the device rejects the authentication request from the user. If fail-times-value and interval-value are configured in the local-user user-name state block command on a device and the number of a local user's unsuccessful login attempts exceeds fail-times, the device denies the local user's login request within interval.

  8. (Optional) Run:

    local-user user-name access-limit max-number

    The maximum number of connections that can be established by the local user is configured.

    By default, the number of connections established by a user is not limited.

  9. (Optional) Run:

    local-user authentication lock times failed-times period

    The maximum times of continuous authentication failures for the local user are configured.

    By default, a user who fails authentication five times within five minutes is locked and can no longer log in.

    NOTE:

    If a local user is in the locked state, you need to unlock it. Two methods are available:

    • In the AAA view, run the local-user authentication lock duration duration-time command to configure the interval at which a user will be automatically unlocked. If the locking time for a user exceeds the time set in the configuration, the user will be automatically unlocked.
    • In the user view, run the activate aaa local-user user-name command to manually unlock the specified local user.

  10. (Optional) Run the following command based on actual requirements to improve security.

    Table 12-14 Configurations for improving user security (columns: Operation, Command, Description)

    Operation: Enable the security policy function for local accounts.
    Command: local-user policy security-enhance
    Description: By default, the security policy function for local accounts is enabled.
    After the security policy function is enabled for local accounts, user names and passwords must meet the following requirements:
    • User name: contains at least 6 characters.
    • Password:
      • Consists of at least 8 characters.
      • Consists of numerals, uppercase letters, lowercase letters, and special characters (excluding ?).
      • Cannot be the same as the user name or the user name in reverse order.
      • Cannot be the same as any of the 10 history passwords (including the current password).
      • A reset password must be changed when you log in to the device for the first time.

    Operation: Enable the device to check password complexity for local accounts.
    Command: local-user policy password complexity-enhance
    Description: By default, the device does not check password complexity for local accounts.
    After the device is enabled to check password complexity, passwords must meet the following requirements:
    • Consist of numerals, uppercase letters, and special characters (excluding ?).
    • Cannot be the same as any of the 10 history passwords.
    NOTICE: Disabling the password complexity check for local accounts is not recommended. If passwords are too simple, the devices and services are exposed to security risks.

    Operation: Configure the minimum length of local user passwords in plain text.
    Command: local-user policy password min-len min-length
    Description: By default, the minimum length of plaintext passwords is not configured.

    Operation: Configure the login prompt that requires the administrator to change the initial password upon next login.
    Command: local-user policy password change
    Description: By default, the administrator is not required to change the initial password upon next login.

    Operation: Configure the aging period of local user accounts.
    Command: user-aging aging-period or local-user user-name aging aging-period
    Description: By default, a local user does not age.
    If local user accounts have not been used for a long period of time, you can run this command to set the aging period for the local user accounts in batches. If a user account is not used within the aging period, the account automatically expires.
    The user-aging command is a batch operation and takes effect for all users in the system. The local-user aging command takes effect only for the specified user.
    For a specified user, when the aging period for all users is set using the user-aging command:
    • If the local-user aging command is not configured, the aging period configured using the user-aging command is used.
    • If the local-user aging command is configured, the aging period configured using this command is used.

    Operation: Configure the expiration date for local user accounts.
    Command: local-user user-name expire date
    Description: By default, an account is permanently valid.
    NOTE: To prevent a situation where all users on the device expire, the last management user to expire remains permanently valid when expiration dates are configured for all management users.

    Operation: Configure the minimum length of a local user name.
    Command: user-name minimum-length length
    Description: By default, the minimum local user name length is not configured.
    After this command is configured, the names of newly created local users must meet the minimum length; otherwise, the user cannot be created.

    Operation: Configure the time range within which local users can log in.
    Command: local-user user-name login-period begin-time to end-time begin-day to end-day
    Description: By default, a local user can log in at any time.

    Operation: Configure the password validity period for specified users.
    Command: local-user user-name password expire days
    Description: By default, a user password is permanently valid.

    Operation: Configure the alarm threshold for unsuccessful login attempts of management users.
    Command: login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period
    Description: By default, if the number of unsuccessful login attempts within five minutes is equal to or exceeds 30, an alarm is generated. If the number falls below 20, the alarm is cleared.

    Operation: Set the password validity period and the period for advance warning before the password expires.
    Command: local-user policy password expire expire-days prompt prompt-days
    Description: By default, a password does not expire.

    Operation: Quit the AAA view.
    Command: quit
    Description: -

    Operation: Display the password security view.
    Command: security password
    Description: -

    Operation: Display the rule management view.
    Command: rule admin
    Description: -

    Operation: Configure the forbidden words in passwords.
    Command: forbidden word word
    Description: By default, no forbidden words are specified for passwords.
    After a forbidden word is specified, character strings containing this word (case-insensitive) cannot be used as passwords.
    The forbidden word command is valid only for local account passwords. After the command is executed, new or changed passwords cannot contain the specified forbidden word; otherwise, the password configuration fails. Old passwords that contain the forbidden word still take effect. When a user logs in with such a password, the system prompts the user that the password is too simple and needs to be changed. If the user does not change the password, the password can still be used.

  11. Run:

    commit

    The configuration is committed.

  12. Run:

    return

    The user view is displayed.

  13. (Optional) Run:

    local-user change-password

    The password of the local user is changed.

    NOTE:

    To ensure device security, change the password periodically.
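
The password rules from Table 12-14 (security-enhance requirements, forbidden words, minimum length) and the login-lock behaviour of steps 7 and 9 (block after a number of failures within an interval, automatic unlock after the lock duration, manual unlock with activate aaa local-user) are modelled below. This is an added Python example, not Huawei code: the defaults it encodes are the guide's (8-character minimum, 10 history passwords, 5 failures in 5 minutes), while the 300-second lock duration is an assumed value of the local-user authentication lock duration setting.

```python
import string
from collections import deque


def check_password(password, username, history, forbidden=(), min_len=8):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if "?" in password:
        problems.append("contains the excluded special character ?")
    has_class = (any(c.isdigit() for c in password),
                 any(c.isupper() for c in password),
                 any(c.islower() for c in password),
                 any(c in string.punctuation and c != "?" for c in password))
    if not all(has_class):
        problems.append("must contain numerals, uppercase, lowercase and special characters")
    if password in (username, username[::-1]):
        problems.append("same as the user name or the user name in reverse order")
    if password in history[-10:]:                 # history includes the current password
        problems.append("matches one of the 10 history passwords")
    for word in forbidden:                        # forbidden word check is case-insensitive
        if word.lower() in password.lower():
            problems.append("contains the forbidden word %r" % word)
    return problems


class LocalUser:
    """Login-lock behaviour: lock after lock_times failures within lock_period seconds."""

    def __init__(self, name, password, lock_times=5, lock_period=300, lock_duration=300):
        self.name, self.password = name, password
        self.lock_times, self.lock_period = lock_times, lock_period
        self.lock_duration = lock_duration        # assumed 'lock duration' value
        self.failures = deque()                   # timestamps of recent failed attempts
        self.locked_until = None

    def authenticate(self, password, now):
        """Return 'accepted', 'rejected' or 'locked' for an attempt at time 'now' (seconds)."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.activate()                       # automatic unlock once the duration has passed
        if password == self.password:
            self.failures.clear()
            return "accepted"
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.lock_period:
            self.failures.popleft()               # only failures inside the period count
        if len(self.failures) >= self.lock_times:
            self.locked_until = now + self.lock_duration
            return "locked"
        return "rejected"

    def activate(self):
        """Manual unlock, as with 'activate aaa local-user user-name' in the user view."""
        self.locked_until = None
        self.failures.clear()


def demo():
    """Constructed sample: three policy checks and a run of bad passwords against one account."""
    policy = {
        "good": check_password("Secret!2024", "admin1", ["Old!Pass9"]),
        "weak": check_password("admin1", "admin1", []),
        "forbidden": check_password("Huawei@123", "operator1", [], forbidden=["huawei"]),
    }
    user = LocalUser("admin1", "Secret!2024")
    results = [user.authenticate("wrong%d" % i, now=i * 10) for i in range(5)]
    results.append(user.authenticate("Secret!2024", now=60))    # correct, but still locked
    results.append(user.authenticate("Secret!2024", now=400))   # lock duration (300 s) elapsed
    return policy, results
```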

Configuring a Domain

Context

The created authentication and authorization schemes take effect only after being applied to a domain. When local authentication and authorization are used, non-accounting is used by default.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    aaa

    The AAA view is displayed.

  3. Run:

    domain domain-name

    A domain is created and the domain view is displayed, or an existing domain view is displayed.

    By default, the device has two domains: default and default_admin. The two domains can be modified but cannot be deleted.

    NOTE:
    • If an entered user name does not contain a domain name, the user is added to the default domain for authentication; therefore, you need to run the default-domain admin domain-name command to configure domain-name as the default global domain.
    • If an entered user name contains the domain name, the domain-name parameter must be correctly specified.

  4. Run:

    authentication-scheme authentication-scheme-name

    An authentication scheme is applied to the domain.

    By default, the authentication scheme named default is applied to a domain.

  5. Run:

    authorization-scheme authorization-scheme-name

    An authorization scheme is applied to the domain.

    By default, the authorization scheme named default is applied to a domain and the default authorization mode is local authorization.

  6. (Optional) Run:

    block

    The domain state is configured to block.

    When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

  7. (Optional) Run:

    service-type { ftp | snmp | ssh | telnet | terminal } *

    The access type of users in a domain is configured.

    By default, a local user can use any access type.

  8. (Optional) Run:

    access-limit max-number

    The maximum number of access users for the domain is set.

    By default, the number of access users is not limited.

  9. (Optional) Run:

    adminuser-priority level

    The default user level for administrators in a specific AAA domain is configured.

    By default, no default user level is configured for administrators in an AAA domain.

  10. Run:

    quit

    Exit from the domain view.

  11. (Optional) Run:

    default-domain admin domain-name

    A global default administrative domain is configured.

    By default, the global administrative domain is default_admin.

  12. (Optional) Run:

    domain-name-delimiter delimiter

    A domain name delimiter is configured.

    The default domain name delimiter is @.

  13. (Optional) Run:

    domainname-parse-direction { left-to-right | right-to-left }

    The direction in which the domain name is parsed is configured.

    By default, a domain name is parsed from left to right.

  14. (Optional) Run:

    domain-location { after-delimiter | before-delimiter }

    The position of a domain is configured.

    By default, the domain name is placed behind the domain name delimiter.

  15. Run:

    commit

    The configuration is committed.
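
Steps 11 to 14 above decide which domain, and therefore which authentication and authorization schemes, an entered login name is routed to. The following added Python example (not Huawei code) reproduces that parsing with the guide's defaults (delimiter @, parsed left to right, domain after the delimiter, default and default_admin as fallback domains) and shows how each setting changes the result; the login names are constructed.

```python
DEFAULT_DOMAIN = "default"                 # ordinary users without a domain name
DEFAULT_ADMIN_DOMAIN = "default_admin"     # management users without a domain name


def parse_login_name(raw, delimiter="@", parse_direction="left-to-right",
                     domain_location="after-delimiter", management_user=False,
                     default_admin_domain=DEFAULT_ADMIN_DOMAIN):
    """Split an entered login name into (user_name, domain_name).

    A name without the delimiter goes to the default domain, or to the global
    default administrative domain (default-domain admin) for management users.
    """
    if parse_direction == "left-to-right":
        head, sep, tail = raw.partition(delimiter)      # split at the first delimiter
    elif parse_direction == "right-to-left":
        head, sep, tail = raw.rpartition(delimiter)     # split at the last delimiter
    else:
        raise ValueError("unknown parse direction: %r" % parse_direction)
    if not sep:
        return raw, (default_admin_domain if management_user else DEFAULT_DOMAIN)
    if domain_location == "after-delimiter":
        return head, tail
    if domain_location == "before-delimiter":
        return tail, head
    raise ValueError("unknown domain location: %r" % domain_location)


def demo():
    """Constructed login names showing how each setting changes the selected domain."""
    return {
        "plain_admin": parse_login_name("root", management_user=True),
        "plain_user": parse_login_name("alice"),
        "with_domain": parse_login_name("alice@corp"),
        "two_delims_ltr": parse_login_name("bob@lab@corp"),
        "two_delims_rtl": parse_login_name("bob@lab@corp", parse_direction="right-to-left"),
        "domain_first": parse_login_name("corp@bob", domain_location="before-delimiter"),
        "slash_delim": parse_login_name("alice/corp", delimiter="/"),
        "custom_admin_domain": parse_login_name("root", management_user=True,
                                                default_admin_domain="mgmt"),
    }
```

The two_delims cases show why the delimiter settings must match the naming convention used elsewhere: a second delimiter inside a name silently moves the user to a different domain.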

Checking the Configuration

Procedure

  • Run the display aaa configuration command to check the AAA summary.
  • Run the display aaa authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
  • Run the display aaa authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.
  • Run the display aaa access-user [ domain domain-name | ip-address ip-address | ipv6-address ipv6-address | user-id userid | username user-name | self ] command to check the summary of all online users.
  • Run the display aaa domain [ domain-name ] command to check the domain configuration.
  • Run the display aaa local-user [ domain domain-name | locked | self | service-type service-type-name | state { active | block } | user-group user-group-name | username user-name ] command to check the brief information about local users.
  • Run the display max-onlineusers command to check the historical maximum number of online users.
  • Run the display aaa abnormal-offline-record [ brief | domain-name domain-name | time start-time end-time | username user-name ] command to check the abnormal user logoff records.

Configuring RADIUS AAA

RADIUS is often used to implement authentication, authorization, and accounting (AAA).

RADIUS Authentication, Authorization, and Accounting

RADIUS uses the client/server model and protects a network from unauthorized access. It is often used in network environments that require high security and control remote user access.

Configuration Process
Configuring AAA Schemes

Context

To use RADIUS AAA, set the authentication mode in an authentication scheme to RADIUS and the accounting mode in an accounting scheme to RADIUS.

If RADIUS authentication is configured, you can also configure local authentication as the backup. This allows local authentication or non-authentication to be implemented if RADIUS authentication fails.

Procedure

  • Configuring an authentication scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      authentication-scheme authentication-scheme-name

      Create an authentication scheme and enter its view, or directly enter the view of an existing authentication scheme.

      By default, there is an authentication scheme named default on the device. The default authentication scheme can only be modified, but cannot be deleted.

    4. Run:

      authentication-mode radius

      RADIUS authentication is configured.

      By default, local authentication is used.

      To use local authentication as the backup authentication mode, run the authentication-mode radius local command to configure local authentication.

      NOTE:

      If multiple authentication modes are configured in an authentication scheme, these authentication modes are used according to the sequence in which they were configured. The device uses the authentication mode that was configured later only when it does not receive any response in the current authentication. The device stops the authentication if the current authentication fails.

    5. Run:

      commit

      The configuration is committed.

  • Configuring an accounting scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed.

      There is a default accounting scheme named default on the device. The default accounting scheme can only be modified, but cannot be deleted.

    4. Run:

      accounting-mode radius

      The accounting mode is configured.

      By default, the accounting mode is none.

    5. Run:

      commit

      The configuration is committed.

Configuring a RADIUS Server Group

Context

In a RADIUS server group, you must specify the IP address, port number, and shared key of the RADIUS server. Other settings, such as the RADIUS user name format, traffic unit, and number of times RADIUS request packets are retransmitted, have default values and can be changed based on network requirements.

The RADIUS server group settings such as the RADIUS user name format and shared key must be the same as those on the RADIUS server.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    radius enable

    The RADIUS service is enabled.

    By default, the RADIUS service is disabled.

  3. (Optional) Run:

    radius server { dead-count dead-count | dead-interval dead-interval | dead-time dead-time } *

    The parameters that control when a RADIUS server is switched between the Up and Down states are set.

    By default, the value of dead-count is 10, the value of dead-interval is 5 seconds, and the value of dead-time is 3 minutes. That is, a server is considered Down after it fails to respond 10 consecutive times, the interval between the first unanswered packet and the last (dead-count) unanswered packet is 5 seconds, and the device waits 3 minutes before attempting to communicate with the RADIUS server again.

  4. Run:

    radius server group group-name

    The RADIUS server group is created and the RADIUS server group view is displayed.

  5. Run:

    radius server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * or radius server authentication ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ]

    The primary RADIUS authentication server is configured.

    By default, no primary RADIUS authentication server is configured.

  6. (Optional) Run:

    radius server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * secondary or radius server authentication ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ] secondary

    The secondary RADIUS authentication server is configured.

    By default, no secondary RADIUS authentication server is configured.

  7. Run:

    radius server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string }] * or radius server accounting ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ]

    The primary RADIUS accounting server is configured.

    By default, no primary RADIUS accounting server is configured.

  8. (Optional) Run:

    radius server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * secondary or radius server accounting ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ] secondary

    The secondary RADIUS accounting server is configured.

    By default, no secondary RADIUS accounting server is configured.

  9. (Optional) Run:

    radius server { shared-key key-string | shared-key-cipher cipher-string }

    The RADIUS shared key is set.

    By default, the shared key for the radius server is not configured.

  10. (Optional) Run:

    radius server user-name domain-excluded or radius server user-name original

    The device is configured not to encapsulate the domain name in the user name in RADIUS packets to be sent to a RADIUS server.

    By default, the device encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server.

  11. (Optional) Run:

    radius server { retransmit retry-times | timeout time-value } *

    The number of times that RADIUS request packets are retransmitted and timeout interval are set.

    By default, the number of retransmission times is 3 and the timeout interval is 5 seconds.

  12. (Optional) Run:

    radius server nas-ip-address ip-address

    The NAS IP address is configured for the RADIUS server group.

    By default, no NAS IP address is configured for a RADIUS server group. That is, the IP address of the interface that sends the packets is used as the NAS IP address.

  13. (Optional) Run:

    radius server source interface interface-type interface-number

    The source interface used by the device to send RADIUS packets is specified.

    By default, the source interface used by the device to send RADIUS packets is not specified.

  14. (Optional) Run:

    mode load-balance

    The mode of RADIUS server group is configured.

    By default, the mode of RADIUS server group is pri-secondary.

  15. (Optional) Disabling RADIUS attributes
    1. Run:

      radius server attribute translate

      RADIUS attribute translation is enabled.

      By default, RADIUS attribute translation is disabled.

    2. Run either of the following commands to disable RADIUS attributes:

      • Run the radius attribute disable attribute-name { receive | send } * command to disable basic RADIUS attributes for request or response packets.
      • Run the radius attribute disable attribute-name { access-accept | access-request | account [ start ] } * command to disable basic RADIUS attributes for Access-Accept, Access-Request, or accounting packets.
      • Run the radius attribute disable attribute-name { bin string | integer integer | ip ip-address | string string } receive command to disable RADIUS attributes with specified data types and carried in response packets.

      By default, no RADIUS attribute is disabled.

  16. Run:

    quit

    Return to the system view.

  17. (Optional) Run:

    radius server authorization ip-address [ vpn-instance vpn-instance-name ] { ack-reserved-interval interval | { shared-key key-string | shared-key-cipher cipher-string } } * or radius server authorization ipv6-address { ack-reserved-interval interval | { shared-key key-string | shared-key-cipher cipher-string } } *

    A RADIUS authorization server is configured.

    By default, no RADIUS authorization server is configured.

  18. Run:

    commit

    The configuration is committed.
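
Two behaviours from this section are worth seeing together: the NOTE under authentication-mode radius local (the next mode is used only when the current one gives no response, and a failed authentication stops the sequence) and the dead-count / dead-interval / dead-time handling of step 3, with the pri-secondary and load-balance modes of step 14. The following added Python model is not Huawei code; the server responders are constructed, the round-robin interpretation of load-balance is an assumption, and the dead-count window is read as "dead-count consecutive unanswered requests within dead-interval seconds".

```python
import itertools


class RadiusServer:
    """One server of a RADIUS server group with the guide's dead-detection parameters."""

    def __init__(self, name, responder, dead_count=10, dead_interval=5, dead_time=180):
        self.name, self.responder = name, responder   # responder(user, pw) -> 'accept'/'reject'/None
        self.dead_count, self.dead_interval, self.dead_time = dead_count, dead_interval, dead_time
        self.unanswered = []          # timestamps of consecutive unanswered requests
        self.down_until = None

    def is_up(self, now):
        if self.down_until is not None and now < self.down_until:
            return False
        self.down_until = None        # dead-time has elapsed: the server is tried again
        return True

    def request(self, user, password, now):
        """Send one request; return 'accept', 'reject' or None when the server stays silent."""
        result = self.responder(user, password)
        if result is not None:
            self.unanswered = []
            return result
        # Assumed reading of dead-count/dead-interval: dead_count consecutive unanswered
        # requests inside a dead_interval-second window mark the server Down for dead_time.
        self.unanswered = [t for t in self.unanswered if now - t <= self.dead_interval] + [now]
        if len(self.unanswered) >= self.dead_count:
            self.down_until = now + self.dead_time
            self.unanswered = []
        return None


class RadiusServerGroup:
    def __init__(self, servers, mode="pri-secondary"):
        self.servers, self.mode = servers, mode
        self._next = itertools.cycle(range(len(servers)))   # load-balance assumed round-robin

    def authenticate(self, user, password, now):
        """Ask the Up servers in turn; None means no server answered."""
        if self.mode == "load-balance":
            start = next(self._next)
            order = self.servers[start:] + self.servers[:start]
        else:
            order = self.servers          # primary first; secondary only if the primary gives nothing
        for server in order:
            if not server.is_up(now):
                continue
            result = server.request(user, password, now)
            if result is not None:
                return result
        return None


def authenticate(modes, group, local_users, user, password, now):
    """Apply the scheme's modes in configured order, e.g. ['radius', 'local'].
    The next mode is used only when the current one gives no response; a reject stops."""
    for mode in modes:
        if mode == "radius":
            result = group.authenticate(user, password, now)
        elif mode == "local":
            result = "accept" if local_users.get(user) == password else "reject"
        else:                              # 'none': no authentication
            result = "accept"
        if result == "accept":
            return "accept via " + mode
        if result == "reject":
            return "reject by " + mode
    return "reject (no response from any mode)"


def demo():
    """Constructed scenario: silent primary, answering secondary, local and none as backups."""
    silent = lambda user, pw: None
    strict = lambda user, pw: "accept" if (user, pw) == ("alice", "Radius!Pass1") else "reject"
    primary = RadiusServer("primary", silent, dead_count=3, dead_interval=5, dead_time=180)
    group = RadiusServerGroup([primary, RadiusServer("secondary", strict)])
    local_users = {"alice": "Local!Pass1", "ops": "Local!Pass2"}
    out = {}
    out["secondary_accepts"] = authenticate(["radius", "local"], group, local_users, "alice", "Radius!Pass1", 0)
    out["radius_reject_stops"] = authenticate(["radius", "local"], group, local_users, "alice", "Local!Pass1", 1)
    out["primary_up_before_third_miss"] = primary.is_up(2)
    authenticate(["radius", "local"], group, local_users, "alice", "Radius!Pass1", 2)   # third silent request
    out["primary_down_after_dead_count"] = primary.is_up(3)
    out["primary_retried_after_dead_time"] = primary.is_up(3 + 180)
    silent_group = RadiusServerGroup([RadiusServer("s1", silent), RadiusServer("s2", silent)])
    out["local_backup"] = authenticate(["radius", "local"], silent_group, local_users, "ops", "Local!Pass2", 4)
    out["none_backup"] = authenticate(["radius", "none"], silent_group, local_users, "x", "y", 5)
    return out
```

The radius_reject_stops case is the one to note operationally: alice's local password is valid, but because the RADIUS server answered with a reject, the local backup is never consulted.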

Configuring a Domain

Context

The created authentication scheme, accounting scheme, and RADIUS server group take effect only after being applied to a domain.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    aaa

    The AAA view is displayed.

  3. Run:

    domain domain-name

    A domain is created and the domain view is displayed, or an existing domain view is displayed.

    By default, the device has two domains: default and default_admin. The two domains can be modified but cannot be deleted.

    NOTE:
    • If an entered user name does not contain a domain name, the user is added to the default domain for authentication; therefore, you need to run the default-domain admin domain-name command to configure domain-name as the default global domain.
    • If an entered user name contains the domain name, the domain-name parameter must be correctly specified.

  4. Run:

    authentication-scheme authentication-scheme-name

    An authentication scheme is applied to the domain.

    By default, the authentication scheme named default is applied to a domain.

  5. (Optional) Run:

    accounting-scheme accounting-scheme-name

    An accounting scheme is applied to the domain.

    By default, the accounting scheme named default is applied to a domain. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

  6. Run:

    radius server group group-name

    A RADIUS server group is configured for the domain.

    By default, no RADIUS server group is applied to a domain.

  7. (Optional) Run:

    block

    The domain state is configured to block.

    When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

  8. (Optional) Run:

    access-limit max-number

    The maximum number of access users for the domain is set.

    By default, the number of access users is not limited.

  9. (Optional) Run:

    adminuser-priority level

    The default user level for administrators in a specific AAA domain is configured.

    By default, no default user level is configured for administrators in an AAA domain.

  10. Run:

    quit

    Exit from the domain view.

  11. (Optional) Run:

    default-domain admin domain-name

    A global default administrative domain is configured.

    By default, the global administrative domain is default_admin.

  12. (Optional) Run:

    domain-name-delimiter delimiter

    A domain name delimiter is configured.

    The default domain name delimiter is @.

  13. (Optional) Run:

    domainname-parse-direction { left-to-right | right-to-left }

    The direction in which the domain name is parsed is configured.

    By default, a domain name is parsed from left to right.

  14. (Optional) Run:

    domain-location { after-delimiter | before-delimiter }

    The position of a domain is configured.

    By default, the domain name is placed behind the domain name delimiter.

  15. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  • Run the display aaa configuration command to check the AAA summary.
  • Run the display aaa authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
  • Run the display aaa accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.
  • Run the display radius server configuration [ group group-name ] command to check the RADIUS server group configuration.
  • Run the display radius server authorization configuration command to check the RADIUS authorization server configuration.
  • Run the display aaa domain [ domain-name ] command to check the domain configuration.
  • Run the display radius attribute [ name attribute-name | type { huawei | standard } attribute-id ] command to check the RADIUS attributes supported by the device.
  • Run the display radius attribute packet-count command to check the count of attributes in RADIUS packets.

Configuring HWTACACS AAA

Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control.

HWTACACS Authentication, Authorization, and Accounting

Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access users by communicating with the HWTACACS server.

HWTACACS protects a network from unauthorized access and supports command-line authorization. Compared with RADIUS, HWTACACS is more suitable for security control.

Configuration Process
Configuring AAA Schemes

Context

To use HWTACACS authentication, authorization, and accounting, set the authentication mode in an authentication scheme to HWTACACS, the authorization mode in an authorization scheme to HWTACACS, and the accounting mode in an accounting scheme to HWTACACS.

When HWTACACS authentication is used, you can configure local authentication as a backup. This allows local authentication or non-authentication to be implemented if HWTACACS authentication fails. When HWTACACS authorization is used, you can configure local authorization or non-authorization as a backup.

NOTE:

By default, the same default authentication, authorization, and accounting schemes are bound to the default and default_admin domains. If the default schemes are modified, user authentication, authorization, or accounting may fail in a domain. Confirm the action before you modify the default schemes.
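The backup modes described above follow two different rules, which the notes under step 4 of the authentication and authorization scheme procedures below state: an authentication scheme moves to the next configured mode only when the current one does not respond (an explicit reject ends the attempt), whereas an authorization scheme moves on after the current mode fails. The following Python model is an added illustration, not code from the Huawei guide; the backend names, the constructed local user list and the scenario data are assumptions made for this example.

```python
"""Added example (not part of the Huawei guide): a model of how the device
walks the modes of an authentication scheme and an authorization scheme.
  - authentication: next mode only when the current one does not respond;
    an explicit reject is final
  - authorization: next mode after the current one fails
Backends and user data are constructed stand-ins (assumptions)."""

from typing import Callable, Dict, List, Optional

# A backend answers True (accept), False (reject) or None (no response).
Backend = Callable[[str], Optional[bool]]

# Constructed local user database standing in for local user entries.
LOCAL_USERS = {"admin", "operator"}


def make_backends(server_up: bool, server_decisions: Dict[str, bool]) -> Dict[str, Backend]:
    """Build the 'hwtacacs' and 'local' backends for one scenario.

    server_decisions maps a user name to the HWTACACS server's verdict; users
    the server does not know are rejected. With server_up False the server
    never answers, which is the case the backup modes exist for."""
    def hwtacacs(user: str) -> Optional[bool]:
        if not server_up:
            return None
        return server_decisions.get(user, False)

    def local(user: str) -> Optional[bool]:
        return user in LOCAL_USERS

    return {"hwtacacs": hwtacacs, "local": local}


def authenticate(modes: List[str], backends: Dict[str, Backend], user: str) -> str:
    """Return 'accept', 'reject' or 'no-response' for the configured mode list."""
    for mode in modes:
        if mode == "none":
            return "accept"                 # non-authentication admits everyone
        verdict = backends[mode](user)
        if verdict is None:
            continue                        # no response: try the mode configured next
        return "accept" if verdict else "reject"   # any explicit answer is final
    return "no-response"                    # every configured mode timed out


def authorize(modes: List[str], backends: Dict[str, Backend], user: str) -> str:
    """Return 'accept' or 'reject'; a failed mode hands over to the next one."""
    for mode in modes:
        if mode == "none":
            return "accept"                 # non-authorization
        if backends[mode](user):
            return "accept"
        # reject and no response both count as failure here: fall through
    return "reject"


def scenarios() -> Dict[str, str]:
    """Constructed scenarios showing where fallback does and does not occur."""
    up = make_backends(server_up=True, server_decisions={"admin": True})
    down = make_backends(server_up=False, server_decisions={})
    return {
        # server rejects 'operator': the local backup is NOT consulted
        "authn reject no fallback": authenticate(["hwtacacs", "local"], up, "operator"),
        # server silent: the local backup admits a local user ...
        "authn timeout local user": authenticate(["hwtacacs", "local"], down, "admin"),
        # ... and still rejects an unknown one
        "authn timeout unknown user": authenticate(["hwtacacs", "local"], down, "mallory"),
        # no backup configured and server silent
        "authn timeout no backup": authenticate(["hwtacacs"], down, "admin"),
        # authorization DOES fall back after a server reject
        "authz reject fallback": authorize(["hwtacacs", "local"], up, "operator"),
        "authz timeout no backup": authorize(["hwtacacs"], down, "admin"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} -> {result}")
```

The first scenario is the one to keep in mind when adding local as a backup: a user the HWTACACS server rejects is not re-tried locally, so a local account does not bypass a server-side reject; the local backup only covers the case where the server is unreachable.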

Procedure

  • Configuring an authentication scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      authentication-scheme authentication-scheme-name

      An authentication scheme is created, and the corresponding authentication scheme view or an existing authentication scheme view is displayed.

      By default, there is an authentication scheme named default on the device. This default scheme can be modified but cannot be deleted.

    4. Run:

      authentication-mode hwtacacs

      HWTACACS authentication is configured.

      By default, local authentication is used.

      To use local authentication as the backup authentication mode, run the authentication-mode hwtacacs local command to configure local authentication.

      NOTE:

      If multiple authentication modes are configured in an authentication scheme, these authentication modes are used according to the sequence in which they were configured. The device uses the authentication mode that was configured later only when it does not receive any response in the current authentication. The device stops the authentication if the current authentication fails.

    5. Run:

      commit

      The configuration is committed.

  • Configuring an authorization scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      authorization-scheme authorization-scheme-name

      An authorization scheme is created, and the corresponding authorization scheme view or an existing authorization scheme view is displayed.

      By default, there is a default authorization scheme named default on the device. This default authorization scheme can be modified but cannot be deleted.

    4. Run:

      authorization-mode { hwtacacs | if-authenticated | local } * [ none ]

      The authorization mode is configured.

      By default, local authorization is used.

      If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

      NOTE:

      If multiple authorization modes are configured in an authorization scheme, authorization modes are used in the sequence in which they were configured. The device uses the authorization mode that was configured later only after the current authorization fails.

    5. (Optional) Run:

      authorization-cmd [ privilege-level ] { local | hwtacacs } *

      Command line authorization is enabled for users at a certain level.

      By default, command line authorization is disabled for users at a certain level.

      If command line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    6. Run:

      quit

      The AAA view is displayed.

    7. (Optional) Run:

      task-group task-group-name

      A task group is created and the task group view is displayed.

      By default, no task group is created.

    8. (Optional) Run:

      task task-name { debug | execute | read | write } *

      A task is added to a task group.

      By default, no task is added to a task group.

    9. (Optional) Run:

      include task-group task-group-name

      The rights of a specified task group are added to the current task group.

      By default, the right inclusion relationship with other task groups is not added to the current task group.

      If the rights of the current task group need to include all rights of another task group or the current task group needs to inherit the rights of existing task groups, you can run the include task-group command to configure the inclusion relationship between task groups and add rights of a specified task group to the current task group.

      The rights of the current task group depend on the rights of the included task group. When the rights of the included task group are changed, the rights of the current task group are changed accordingly.

    10. (Optional) Run:

      rule command rule-name permit view view-name expression command-string

      A right rule in the current task group to configure the command-line execution rights is created.

      By default, no command-line right rule is configured in a task group.

      This command provides finer-grained control than the task command: it can permit or deny a single command line, or a batch of command lines that share the same prefix, within the task group.

      In the same task group, the rule command command has a higher priority than the task command. When the right configuration of the rule command command conflicts with that of the task command, the right configuration of the rule command command takes effect.

    11. (Optional) Run:

      quit

      The AAA view is displayed.

    12. (Optional) Run:

      user-group user-group-name

      A user group is created and the user group view is displayed.

      By default, no user group is created.

    13. (Optional) Run:

      task-group task-group-name

      A task group is added to the list of task groups that are associated with a user group.

      By default, no task group is bound to a user group.

    14. (Optional) Run:

      include user-group user-group-name

      The rights of a specified user group are added to the current user group.

      By default, the right inclusion relationship with other user groups is not added to the current user group.

      If the rights of the current user group need to include all rights of another user group or the current user group needs to inherit the rights of existing user groups, you can run the include user-group command to configure the inclusion relationship between user groups and add rights of a specified user group to the current user group.

      The rights of the current user group depend on the right of the included user group. When the rights of the included user group are changed, the rights of the current user group are changed accordingly.

    15. (Optional) Run:

      rule command rule-name { permit | deny } view view-name expression command-string

      A right rule is added in the current user group to configure the command-line execution rights.

      By default, no command-line right rule is configured in a user group.

      When a command line is authorized, the device matches it in the following order of precedence: the right rules in the user group (the rule command (user group view) command, including rules inherited using the include user-group command) > the right rules in the task group (the rule command (task group view) command) > the tasks in the task group (the task command).

      When the right configuration of the user group conflicts with the right rules inherited from other user groups using the include user-group command, the right configuration of the user group takes effect.

    16. Run:

      commit

      The configuration is committed.

  • Configuring an accounting scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      accounting-scheme accounting-scheme-name

      An accounting scheme is created, and the corresponding accounting scheme view or an existing accounting scheme view is displayed.

      There is a default accounting scheme named default on the device. This default accounting scheme can be modified but cannot be deleted.

    4. Run:

      accounting-mode hwtacacs

      HWTACACS accounting is configured as the accounting mode of the accounting scheme.

      By default, the accounting mode is none.

    5. Run:

      commit

      The configuration is committed.
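The precedence stated under steps 10 and 15 of the authorization scheme procedure (user group right rules, including inherited ones, before task group right rules, before tasks) is easy to get wrong when groups include one another. The following Python model is an added illustration, not code from the Huawei guide; it treats a rule's expression as a command-line prefix, as the guide describes. The mapping of commands to tasks and rights (COMMAND_TASKS), the group names, and first-match ordering within one group are constructed assumptions for this example.

```python
"""Added example (not part of the Huawei guide): a model of command-line
authorization precedence: user-group rules (own, then inherited with
include user-group) > task-group rules > tasks in the task group.
COMMAND_TASKS, the group names and first-match ordering are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str        # "permit" or "deny" (task-group rules are permit only)
    view: str
    expression: str    # command-line prefix


@dataclass
class TaskGroup:
    name: str
    tasks: Dict[str, Set[str]] = field(default_factory=dict)   # task -> rights
    rules: List[Rule] = field(default_factory=list)
    includes: List[str] = field(default_factory=list)          # include task-group


@dataclass
class UserGroup:
    name: str
    task_groups: List[str] = field(default_factory=list)
    rules: List[Rule] = field(default_factory=list)
    includes: List[str] = field(default_factory=list)          # include user-group


# Constructed: the task each command belongs to and the right it needs.
COMMAND_TASKS = {
    "display aaa": ("aaa", "read"),
    "aaa": ("aaa", "write"),
    "display current-configuration": ("config", "read"),
    "reboot": ("system", "execute"),
}


def matches(rule: Rule, view: str, command: str) -> bool:
    return rule.view == view and command.startswith(rule.expression)


def user_group_effective(name: str, ugs: Dict[str, UserGroup], seen=frozenset()) -> Tuple[List[Rule], List[str]]:
    """Own rules and task groups first, then inherited ones, so own config wins conflicts."""
    if name in seen:                      # guard against include cycles
        return [], []
    ug = ugs[name]
    rules, groups = list(ug.rules), list(ug.task_groups)
    for inc in ug.includes:
        r, g = user_group_effective(inc, ugs, seen | {name})
        rules += r
        groups += [x for x in g if x not in groups]
    return rules, groups


def task_group_effective(name: str, tgs: Dict[str, TaskGroup], seen=frozenset()) -> Tuple[Dict[str, Set[str]], List[Rule]]:
    """Rights and rules of a task group merged with everything it includes."""
    if name in seen:
        return {}, []
    tg = tgs[name]
    rights = {t: set(r) for t, r in tg.tasks.items()}
    rules = list(tg.rules)
    for inc in tg.includes:
        inc_rights, inc_rules = task_group_effective(inc, tgs, seen | {name})
        for t, r in inc_rights.items():
            rights.setdefault(t, set()).update(r)
        rules += inc_rules
    return rights, rules


def authorize_command(ug_name: str, view: str, command: str,
                      ugs: Dict[str, UserGroup], tgs: Dict[str, TaskGroup]) -> Tuple[str, str]:
    """Return (decision, reason) following the guide's precedence order."""
    ug_rules, bound = user_group_effective(ug_name, ugs)
    for rule in ug_rules:                                   # 1. user-group rules
        if matches(rule, view, command):
            return rule.action, f"user-group rule {rule.name}"
    for tg_name in bound:                                   # 2. task-group rules
        for rule in task_group_effective(tg_name, tgs)[1]:
            if matches(rule, view, command):
                return "permit", f"task-group rule {rule.name}"
    task, needed = COMMAND_TASKS.get(command, (None, None))
    for tg_name in bound:                                   # 3. task rights
        rights = task_group_effective(tg_name, tgs)[0]
        if task in rights and needed in rights[task]:
            return "permit", f"task {task} in task-group {tg_name}"
    return "deny", "no rule or task right matched"          # default: fail closed


def sample_config() -> Tuple[Dict[str, UserGroup], Dict[str, TaskGroup]]:
    """Constructed groups: helpdesk is read-only; noc inherits it and adds more."""
    tgs = {
        "ops": TaskGroup("ops", tasks={"aaa": {"read"}, "config": {"read"}}),
        "ops-plus": TaskGroup("ops-plus", tasks={"system": {"execute"}},
                              rules=[Rule("cfg", "permit", "system", "display current-configuration")],
                              includes=["ops"]),
    }
    ugs = {
        "helpdesk": UserGroup("helpdesk", task_groups=["ops"],
                              rules=[Rule("no-reboot", "deny", "user", "reboot")]),
        "noc": UserGroup("noc", task_groups=["ops-plus"],
                         rules=[Rule("allow-reboot", "permit", "user", "reboot")],
                         includes=["helpdesk"]),
    }
    return ugs, tgs
```

Running authorize_command("noc", "user", "reboot", ...) on the sample returns permit through noc's own allow-reboot rule even though noc inherits helpdesk's no-reboot deny, which is the conflict rule the guide states; a command with no matching rule and no task right is denied.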

Configuring an HWTACACS Server Template

Context

In an HWTACACS server template, you must specify the IP address, port number, and shared key of a specified HWTACACS server. Other settings such as the HWTACACS user name format and traffic unit have default values and can be changed based on network requirements.

The HWTACACS server template settings such as the HWTACACS user name format and shared key must be the same as those on the HWTACACS server.

The device supports the following methods of configuring an HWTACACS server:
  • When the authentication, authorization, and accounting functions are provided by one server, configure only one HWTACACS server.
  • When the authentication, authorization, and accounting functions are provided by different servers, configure the HWTACACS authentication, authorization, and accounting servers separately.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    hwtacacs enable

    HWTACACS is enabled.

    By default, HWTACACS is disabled.

  3. Run:

    hwtacacs server template template-name

    An HWTACACS server template is created and the HWTACACS server template view is displayed.

  4. You can use either of the following methods to configure the primary/secondary HWTACACS server.

    NOTE:

    The HWTACACS common server has a higher priority than the dedicated HWTACACS authentication, accounting, and authorization servers. If you configure the common server as the primary server, the configurations of the dedicated authentication, accounting, and authorization servers do not take effect.

    • Run the following command to configure the HWTACACS common server.

      1. Run:

        hwtacacs server ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * or hwtacacs server ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode ] *

        The primary HWTACACS common server is configured.

        By default, no primary HWTACACS common server is configured.

      2. (Optional) Run:

        hwtacacs server ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary or hwtacacs server ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

        The secondary HWTACACS common server is configured.

        By default, no secondary HWTACACS common server is configured.

    • Configure the HWTACACS authentication server, HWTACACS authorization server, and HWTACACS accounting server.

      1. Run:

        hwtacacs server authentication ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * or hwtacacs server authentication ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode ] *

        The primary HWTACACS authentication server is configured.

        By default, no primary HWTACACS authentication server is configured.

      2. (Optional) Run:

        hwtacacs server authentication ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary or hwtacacs server authentication ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

        The secondary HWTACACS authentication server is configured.

        By default, no secondary HWTACACS authentication server is configured.

      3. Run:

        hwtacacs server authorization ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * or hwtacacs server authorization ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode ] *

        The primary HWTACACS authorization server is configured.

        By default, no primary HWTACACS authorization server is configured.

      4. (Optional) Run:

        hwtacacs server authorization ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary or hwtacacs server authorization ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

        The secondary HWTACACS authorization server is configured.

        By default, no secondary HWTACACS authorization server is configured.

      5. Run:

        hwtacacs server accounting ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * or hwtacacs server accounting ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode ] *

        The primary HWTACACS accounting server is configured.

        By default, no primary HWTACACS accounting server is configured.

      6. (Optional) Run:

        hwtacacs server accounting ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary or hwtacacs server accounting ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

        The secondary HWTACACS accounting server is configured.

        By default, no secondary HWTACACS accounting server is configured.

  5. (Optional) Run:

    hwtacacs server user-name domain-excluded

    The device is configured not to encapsulate the domain name in the user name in HWTACACS packets to be sent to an HWTACACS server.

    By default, the device encapsulates the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

  6. (Optional) Run:

    hwtacacs server source-ip ip-address

    The HWTACACS source IP address is set.

    By default, the HWTACACS source IP address is 0.0.0.0. The device uses the IP address of the actual outbound interface as the source IP address in HWTACACS packets.

    After you set the source IP address of HWTACACS packets on the device, this IP address is used by the device to communicate with the HWTACACS server. The HWTACACS server also uses a specified IP address to communicate with the device.

  7. (Optional) Run:

    hwtacacs server shared-key { cipher cipher-string | key-string }

    The HWTACACS shared key is configured.

    By default, no HWTACACS shared key is configured.

  8. (Optional) Run:

    hwtacacs server timer response-timeout interval

    The response timeout interval for the HWTACACS server is set.

    By default, the response timeout interval for an HWTACACS server is 5 seconds.

    If the device does not receive a response from the HWTACACS server within the timeout period, it considers the HWTACACS server faulty and uses the other configured authentication and authorization methods.

  9. (Optional) Run:

    hwtacacs server timer quiet interval

    The interval for the primary HWTACACS server to return to the active state is set.

    By default, the interval for the primary HWTACACS server to return to the active state is 5 minutes.

  10. Run:

    commit

    The configuration is committed.

  11. Run:

    return

    The user view is displayed.

  12. (Optional) Run:

    hwtacacs-user change-password hwtacacs server template-name

    The password saved on the HWTACACS server is changed.

    NOTE:

    To ensure device security, change the password periodically.

Configuring a Domain

Context

The created authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template take effect only after being applied to a domain.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    aaa

    The AAA view is displayed.

  3. Run:

    domain domain-name

    A domain is created and the domain view is displayed, or an existing domain view is displayed.

    By default, the device has two domains: default and default_admin. The two domains can be modified but cannot be deleted.

    NOTE:
    • If an entered user name does not contain a domain name, the user is authenticated in the default domain; therefore, run the default-domain admin domain-name command to configure domain-name as the global default domain.
    • If an entered user name contains the domain name, the domain-name parameter must be correctly specified.

  4. Run:

    authentication-scheme authentication-scheme-name

    An authentication scheme is applied to the domain.

    By default, the default authentication scheme is used for a domain. In the default authentication scheme:
    • Local authentication is used.
    • The offline policy is used for authentication failures.

  5. (Optional) Run:

    authorization-scheme authorization-scheme-name

    An authorization scheme is applied to the domain.

    By default, the authorization scheme named default is applied to a domain and the default authorization mode is local authorization.

  6. (Optional) Run:

    accounting-scheme accounting-scheme-name

    An accounting scheme is applied to the domain.

    By default, the accounting scheme named default is applied to a domain. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

  7. Run:

    hwtacacs server template-name

    An HWTACACS server template is applied to the domain.

    By default, no HWTACACS server template is applied to a domain.

  8. (Optional) Run:

    block

    The domain state is configured to block.

    When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

  9. (Optional) Run:

    access-limit max-number

    The maximum number of access users for the domain is set.

    By default, the number of access users is not limited.

  10. (Optional) Run:

    adminuser-priority level

    The default user level for administrators in a specific AAA domain is configured.

    By default, no default user level is configured for administrators in an AAA domain.

  11. Run:

    quit

    Exit from the domain view.

  12. (Optional) Run:

    default-domain admin domain-name

    A global default administrative domain is configured.

    By default, the global administrative domain is default_admin.

  13. (Optional) Run:

    domain-name-delimiter delimiter

    A domain name delimiter is configured.

    The default domain name delimiter is @.

  14. (Optional) Run:

    domainname-parse-direction { left-to-right | right-to-left }

    The direction in which the domain name is parsed is configured.

    By default, a domain name is parsed from left to right.

  15. (Optional) Run:

    domain-location { after-delimiter | before-delimiter }

    The position of a domain is configured.

    By default, the domain name is placed behind the domain name delimiter.

  16. Run:

    commit

    The configuration is committed.
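Steps 13 to 15 above (and the same steps in the RADIUS domain procedure) decide how a login name is split into user and domain. The following Python function is an added illustration, not code from the Huawei guide; it shows the effect of the delimiter, the parse direction, and the domain location, including the case where the entered name contains the delimiter more than once, which is where the parse direction changes which domain the user ends up in. The function names, the default-domain handling and the constructed domain list are assumptions for this example.

```python
"""Added example (not part of the Huawei guide): splitting a login name into
user and domain under domain-name-delimiter, domainname-parse-direction and
domain-location. Function names and the domain list are assumptions."""

from typing import Optional, Set, Tuple


def split_user_name(user_name: str, delimiter: str = "@",
                    parse_direction: str = "left-to-right",
                    domain_location: str = "after-delimiter") -> Tuple[str, Optional[str]]:
    """Return (pure user name, domain name); domain is None when no delimiter is present."""
    if parse_direction == "left-to-right":
        pos = user_name.find(delimiter)        # first delimiter wins
    elif parse_direction == "right-to-left":
        pos = user_name.rfind(delimiter)       # last delimiter wins
    else:
        raise ValueError(f"unknown parse direction {parse_direction!r}")
    if pos < 0:
        return user_name, None
    before, after = user_name[:pos], user_name[pos + len(delimiter):]
    if domain_location == "after-delimiter":   # user@domain (the default)
        return before, after
    if domain_location == "before-delimiter":  # domain@user
        return after, before
    raise ValueError(f"unknown domain location {domain_location!r}")


def resolve_domain(user_name: str, configured_domains: Set[str],
                   default_domain: str = "default", **settings) -> Optional[str]:
    """Return the domain that will handle this login, or None if it does not exist.

    A name without a delimiter goes to default_domain (the guide's built-in
    domain for users who enter no domain; default-domain admin selects the
    one used for administrators). A name that carries a domain must name a
    domain that is actually configured."""
    _, domain = split_user_name(user_name, **settings)
    if domain is None:
        return default_domain
    return domain if domain in configured_domains else None


# Constructed domain list standing in for `domain` entries in the AAA view.
DOMAINS = {"default", "default_admin", "corp"}


def examples() -> dict:
    """Constructed inputs covering each setting and the double-delimiter case."""
    return {
        "plain": split_user_name("alice"),
        "user@domain": split_user_name("alice@corp"),
        "domain@user": split_user_name("corp@alice", domain_location="before-delimiter"),
        "two delimiters ltr": split_user_name("alice@corp@other"),
        "two delimiters rtl": split_user_name("alice@corp@other", parse_direction="right-to-left"),
        "resolve plain": resolve_domain("alice", DOMAINS),
        "resolve known": resolve_domain("alice@corp", DOMAINS),
        "resolve unknown": resolve_domain("alice@nowhere", DOMAINS),
    }


if __name__ == "__main__":
    for name, result in examples().items():
        print(f"{name:20s} -> {result}")
```

The two-delimiter cases are the ones worth checking against the server side: with left-to-right parsing "alice@corp@other" is user "alice" in domain "corp@other", while right-to-left parsing yields user "alice@corp" in domain "other", so the device and the AAA server must agree on the setting or the same login maps to different accounts.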

Checking the Configuration

Procedure

  • Run the display aaa configuration command to check the AAA summary.
  • Run the display aaa authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
  • Run the display aaa authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.
  • Run the display aaa accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.
  • Run the display hwtacacs server template [ template-name [ verbose ] | template-name [ { authentication | authorization | accounting | common } [ ip-address [ vpn-instance vpn-instance-name ] | ipv6-address ] [ statistics ] ] ] command to check the HWTACACS server template configuration.
  • Run the display aaa domain [ domain-name ] command to check the domain configuration.
Updated: 2019-08-09

Document ID: EDOC1000041694