CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
HWTACACS Protocol

HWTACACS Protocol Overview

HWTACACS is a protocol that serves as an enhancement to TACACS (RFC 1492). Similar to RADIUS, HWTACACS uses the client/server model to implement communication between NAS and HWTACACS servers.

HWTACACS is used to perform authentication, authorization, and accounting for the users accessing Internet through Point-to-Point Protocol (PPP) or Virtual Private Dial-up Network (VPDN) and management users. For example, an HWTACACS server can be configured to perform authentication, authorization, and accounting for the management users logging in to the device. Other devices function as the HWTACACS clients by sending user names and passwords to the HWTACACS server. Authorized users can then log in to the device and perform operations.

Both HWTACACS and RADIUS protocols can implement authentication, authorization, and accounting. They are similar in the following aspects:
  • Client/server model
  • Using a public key to encrypt user information
  • Good flexibility and extensibility

Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control. Table 1-9 lists the differences between HWTACACS and RADIUS.

Table 1-9  Comparisons between HWTACACS and RADIUS

| HWTACACS | RADIUS |
|---|---|
| Transmits data through TCP, which is more reliable. | Transmits data through UDP, which is more efficient. |
| Encrypts the entire packet except for the standard HWTACACS header. | Encrypts only the password field in the packet. |
| Separates authentication from authorization so that authentication and authorization can be implemented on different security servers. For example, one HWTACACS server can perform authentication and another can perform authorization. | Combines authentication and authorization. |
| Supports command line authorization. The command line use is restricted by command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server. | Does not support command line authorization. The commands that a user can use depend on the user level. A user can only use the commands of the same level as or lower level than the user level. |
| Applies to security control. | Applies to accounting. |

HWTACACS Packet Overview

Unlike RADIUS packets, which all use the same format, HWTACACS packets use different formats: the HWTACACS Authentication Packet, HWTACACS Authorization Packet, and HWTACACS Accounting Packet each have their own body format, but they all share the same HWTACACS Packet Header.

HWTACACS Packet Header

All HWTACACS packets have a 12-byte packet header, as shown in Figure 1-8.

Figure 1-8  HWTACACS packet header
Table 1-10  Fields in HWTACACS packet header
Field Description
major version Major version of the HWTACACS protocol. The current version is 0xc.
minor version Minor version of the HWTACACS protocol. The current version is 0x0.
type HWTACACS protocol packet type, including authentication (0x01), authorization (0x02), and accounting (0x03).
seq_no Packet sequence number in a session, ranging from 1 to 254.
flags Encryption flag on the packet body. Only the first bit among the 8 bits is supported. The value 0 indicates to encrypt the packet body, and the value 1 indicates not to encrypt the packet body.
session_id Session ID, which is the unique identifier of a session.
length Length of the HWTACACS packet body, excluding the packet header.
HWTACACS Authentication Packet Format
HWTACACS authentication packets include:
  • Authentication Start: When an authentication starts, the client sends this packet carrying the authentication type, user name, and authentication data to the server.
  • Authentication Continue: When receiving the Authentication Reply packet from the server, the client returns this packet if the authentication process has not ended.
  • Authentication Reply: When the server receives the Authentication Start or Authentication Continue packet from the client, the server sends this packet to the client to notify the client of the current authentication status.
The HWTACACS authentication packets have different formats.
  • Figure 1-9 shows the format of HWTACACS Authentication Start packets.

    Figure 1-9  HWTACACS Authentication Start packet format
    Table 1-11  Fields in HWTACACS Authentication Start packet
    Field Description
    action Authentication action. Only the login authentication (0x01) action is supported.
    priv_lvl User privilege level.
    authen_type Authentication type, including:
    • CHAP(0x03)
    • PAP(0x02)
    • ASCII(0x01)
    service Type of the service requesting authentication. The PPP(0x03), LOGIN(0x01), and NONE(0x00) types are available, corresponding to PPP users, administrators, and other users.
    user len Length of the user name entered by a login user.
    port len Length of the port field.
    rem_addr len rem_addr field length.
    data len Authentication data length.
    user Name of the user requesting authentication. The maximum length is 129.
    port

    Name of the user interface requesting authentication. The maximum length is 47.

    • For management users, this field indicates the user terminal interface, for example, console0 and vty1. For example, the authen_type of Telnet users is ASCII, service is LOGIN, and port is vtyx.
    • For other users, this field indicates the user access interface.
    rem_addr IP address of the login user.
    data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is PAP plain-text password.
  • Figure 1-10 shows the format of HWTACACS Authentication Continue packets.

    Figure 1-10  HWTACACS Authentication Continue packet format
    Table 1-12  Fields in HWTACACS Authentication Continue packet
    Field Description
    user_msg len Length of the character string entered by a login user.
    data len Authentication data length.
    flags Authentication continue flag. The value 0 indicates that the authentication continues, and the value 1 indicates that the authentication has ended.
    user_msg Character string entered by the login user. This field carries the user login password to respond to the server_msg field in the Authentication Response packet.
    data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is PAP cipher-text password.
  • Figure 1-11 shows the format of HWTACACS Authentication Reply packets.

    Figure 1-11  HWTACACS Authentication Reply packet format
    Table 1-13  Fields in HWTACACS Authentication Reply packet
    Field Description
    status

    Authentication status, including:

    • PASS (0x01): Authentication is successful.
    • FAIL (0x02): Authentication fails.
    • GETDATA (0x03): Request user information.
    • GETUSER (0x04): Request user name.
    • GETPASS (0x05): Request password.
    • RESTART (0x06): Request reauthentication.
    • ERROR (0x07): An error occurs when the server receives authentication packets.
    • FOLLOW (0x21): The server requests reauthentication.
    flags Whether the client displays the password entered by user in plain text. The value 1 indicates that the password is not displayed in plain text.
    server_msg len Length of the server_msg field.
    data len Authentication data length.
    server_msg Optional field. This field is sent by the server to the user to provide additional information.
    data Authentication data, providing information to client.
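The following is an added example, not code from the Huawei guide. It decodes the 12-byte packet header of Table 1-10 and the Authentication Start body of Table 1-11, rejecting values a server should not accept (wrong major version, unknown type, seq_no outside 1 to 254, a length field that does not match the body). The byte widths of the body fields (one byte each for action, priv_lvl, authen_type, service and the four lengths) are an assumption taken from the TACACS+ wire format (RFC 8907), which the guide states HWTACACS is compatible with; the page's figures are not reproduced here. Body obfuscation is not described on the page, so the parser treats the body as already decrypted or as flagged unencrypted. The sample packet is constructed inline.

```python
import struct

# Values from Table 1-10 (header) and Table 1-11 (Authentication Start).
HEADER_LEN = 12
MAJOR_VERSION = 0xC
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 0x01, 0x02, 0x03
FLAG_UNENCRYPTED = 0x01            # header flags bit: 1 = body is not encrypted
ACTION_LOGIN = 0x01
AUTHEN_TYPES = {0x01: "ASCII", 0x02: "PAP", 0x03: "CHAP"}
SERVICES = {0x00: "NONE", 0x01: "LOGIN", 0x03: "PPP"}


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte header and reject values a server should not accept."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", pkt[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F      # 4-bit major, 4-bit minor
    if major != MAJOR_VERSION:
        raise ValueError(f"unsupported major version 0x{major:x}")
    if ptype not in (TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT):
        raise ValueError(f"unknown packet type 0x{ptype:02x}")
    if not 1 <= seq_no <= 254:
        raise ValueError(f"seq_no {seq_no} outside 1..254")
    if length != len(pkt) - HEADER_LEN:              # length excludes the header
        raise ValueError("length field does not match the body size")
    return {"major": major, "minor": minor, "type": ptype, "seq_no": seq_no,
            "body_encrypted": not (flags & FLAG_UNENCRYPTED),
            "session_id": session_id, "length": length}


def parse_authen_start(body: bytes) -> dict:
    """Decode the Authentication Start body; assumes the body is already in clear."""
    if len(body) < 8:
        raise ValueError("Authentication Start body too short")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack(
        "!8B", body[:8])
    if len(body) != 8 + ulen + plen + rlen + dlen:
        raise ValueError("length fields do not add up to the body size")
    if action != ACTION_LOGIN:
        raise ValueError("only the login (0x01) action is supported")
    if authen_type not in AUTHEN_TYPES or service not in SERVICES:
        raise ValueError("unknown authen_type or service")
    off = 8
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr, off = body[off:off + rlen], off + rlen
    data = body[off:off + dlen]
    return {"priv_lvl": priv_lvl, "authen_type": AUTHEN_TYPES[authen_type],
            "service": SERVICES[service], "user": user.decode(),
            "port": port.decode(), "rem_addr": rem_addr.decode(), "data": data}


def build_authen_start(user, port, rem_addr, data, authen_type=0x01, service=0x01,
                       priv_lvl=1, session_id=0x1234, seq_no=1, unencrypted=False):
    """Assemble header + body; used here to construct sample packets."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", ACTION_LOGIN, priv_lvl, authen_type, service,
                       len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    flags = FLAG_UNENCRYPTED if unencrypted else 0
    header = struct.pack("!BBBBII", (MAJOR_VERSION << 4) | 0x0, TYPE_AUTHEN,
                         seq_no, flags, session_id, len(body))
    return header + body


def inspect_authen_start(pkt: bytes) -> dict:
    """Parse a full packet and flag the case Table 1-11 makes sensitive: for PAP the
    data field is the plain-text password, so an unencrypted body exposes it."""
    header = parse_header(pkt)
    if header["type"] != TYPE_AUTHEN:
        raise ValueError("not an authentication packet")
    start = parse_authen_start(pkt[HEADER_LEN:])
    warnings = []
    if not header["body_encrypted"]:
        warnings.append("body sent unencrypted")
        if start["authen_type"] == "PAP" and start["data"]:
            warnings.append("PAP password exposed in clear text")
    return {"header": header, "start": start, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: Telnet administrator on vty1 (ASCII login, service LOGIN).
    sample = build_authen_start("admin", "vty1", "192.0.2.10", b"", unencrypted=True)
    print(inspect_authen_start(sample))
```

The warning path is the practical point of the flags field: because only the header is ever sent in clear, a server that accepts packets with the unencrypted bit set turns the PAP data field into a plain-text credential on the wire, so that setting is worth alerting on rather than silently honouring.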
HWTACACS Authorization Packet Format
HWTACACS authorization packets include:
  • Authorization Request: HWTACACS separates authentication from authorization. Therefore, a user can be authenticated by HWTACACS, and authorized using another protocol. If a user is authorized by HWTACACS, the client sends an Authorization Request packet carrying authorization information to the server.
  • Authorization Response: After receiving the Authorization Request packet, the server sends this packet carrying the authorization result to the client.
The HWTACACS authorization packets have different formats.
  • Figure 1-12 shows the format of HWTACACS Authorization Request packets.

    Figure 1-12  HWTACACS Authorization Request packet format
    NOTE:

    The meanings of the priv_lvl, authen_type, authen_service, user len, port len, rem_addr len, port, and rem_addr fields in the Authorization Request packet are the same as those in the Authentication Start packet and are not provided here.

    Table 1-14  Fields in HWTACACS Authorization Request packet
    Field Description
    authen_method

    Authentication method, including

    • No authentication method configured (0x00)
    • None authentication (0x01)
    • Local authentication (0x05)
    • HWTACACS authentication (0x06)
    • RADIUS authentication (0x10)
    authen_service Type of the service requesting authentication. The PPP(0x03), LOGIN(0x01), and NONE(0x00) types are available, corresponding to PPP users, administrators, and other users.
    arg_cnt Number of attributes carried in Authorization Request packet.
    argN Attributes of the Authorization Request packet, including:
    • cmd: the first keyword of the command line to be authorized.
    • cmd-arg: parameter in the command line to be authorized. The cmd-arg=<cr> is added at the end of the command line.
  • Figure 1-13 shows the format of HWTACACS Authorization Response packets.

    NOTE:

    The meanings of the server_msg len, data len, and server_msg fields are the same as those in the HWTACACS Authentication Reply packet and are not provided here.

    Figure 1-13  HWTACACS Authorization Response packet format
    Table 1-15  Fields in HWTACACS Authorization Response packet
    Field Description
    status

    Authorization status, including:

    • Authorization is successful (0x01)
    • The attributes in Authorization Request packets are modified by the TACACS server (0x02)
    • Authorization fails (0x10)
    • An error occurs on the authorization server (0x11)
    • An authorization server is respecified (0x21)
    arg_cnt

    Number of attributes carried in Authorization Response packet.

    argN Authorization attribute delivered by the HWTACACS authorization server.
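An added example for command-line authorization, not code from the guide: it turns a command line into the argN attributes described in Table 1-14 (cmd carries the first keyword, each parameter becomes a cmd-arg, and cmd-arg=<cr> terminates the list), encodes and decodes an Authorization Request body, and evaluates a constructed server-side policy that returns a Table 1-15 status. The body byte layout (1-byte fields, one 1-byte length per attribute, then user, port, rem_addr and the attributes) is an assumption taken from the TACACS+ authorization REQUEST format (RFC 8907); the policy table and sample values are constructed for the example.

```python
import struct

AUTHEN_METHODS = {0x00: "not-set", 0x01: "none", 0x05: "local",
                  0x06: "hwtacacs", 0x10: "radius"}          # Table 1-14
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}              # Table 1-15
MAX_ARG_LEN = 255   # each attribute length is carried in a single byte


def command_to_args(command_line: str) -> list:
    """Split a CLI line into argN attributes as Table 1-14 describes."""
    words = command_line.split()
    if not words:
        raise ValueError("empty command line")
    args = ["cmd=" + words[0]]                      # first keyword only
    args += ["cmd-arg=" + w for w in words[1:]]     # one attribute per parameter
    args.append("cmd-arg=<cr>")                     # terminator added at the end
    return args


def build_author_request(user, port, rem_addr, args, priv_lvl=15,
                         authen_method=0x06, authen_type=0x01, authen_service=0x01):
    """Assemble the Authorization Request body (packet header omitted)."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    raw_args = [a.encode() for a in args]
    if len(raw_args) > 255 or any(len(a) > MAX_ARG_LEN for a in raw_args):
        raise ValueError("too many attributes or attribute too long")
    body = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                       len(user), len(port), len(rem_addr), len(raw_args))
    body += bytes(len(a) for a in raw_args)         # arg_cnt lengths, one byte each
    return body + user + port + rem_addr + b"".join(raw_args)


def parse_author_request(body: bytes) -> dict:
    """Decode the body, checking every length field against the bytes present."""
    if len(body) < 8:
        raise ValueError("body too short")
    (authen_method, priv_lvl, authen_type, authen_service,
     ulen, plen, rlen, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated attribute length list")
    off += arg_cnt
    if len(body) != off + ulen + plen + rlen + sum(arg_lens):
        raise ValueError("length fields do not match the body size")
    user, off = body[off:off + ulen].decode(), off + ulen
    port, off = body[off:off + plen].decode(), off + plen
    rem_addr, off = body[off:off + rlen].decode(), off + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"authen_method": AUTHEN_METHODS.get(authen_method, "unknown"),
            "priv_lvl": priv_lvl, "user": user, "port": port,
            "rem_addr": rem_addr, "args": args}


def reconstruct_command(args: list) -> str:
    """Rebuild the command line the server is asked to authorize."""
    cmd = [a[len("cmd="):] for a in args if a.startswith("cmd=")]
    if len(cmd) != 1:
        raise ValueError("exactly one cmd attribute expected")
    params = [a[len("cmd-arg="):] for a in args if a.startswith("cmd-arg=")]
    if not params or params[-1] != "<cr>":
        raise ValueError("missing terminating cmd-arg=<cr>")
    return " ".join(cmd + params[:-1])


def decide(req: dict, allowed_by_level: dict) -> int:
    """Constructed server policy: permit a command only when its first keyword is
    listed for the user's priv_lvl. Returns a Table 1-15 status code."""
    keyword = reconstruct_command(req["args"]).split()[0]
    return 0x01 if keyword in allowed_by_level.get(req["priv_lvl"], ()) else 0x10
```

The deciding function re-derives the full command from the attributes rather than trusting any one of them, and the parser refuses a body whose length fields disagree with the bytes actually received; both are the checks a server-side implementation needs before it acts on an authorization request.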
HWTACACS Accounting Packet Format
HWTACACS accounting packets include Accounting Request packets and Accounting Response packets.
The HWTACACS accounting packets have different formats.
  • Figure 1-14 shows the format of HWTACACS Accounting Request packets.

    Figure 1-14  HWTACACS Accounting Request packet format
    NOTE:

    The meanings of the authen_method, priv_lvl, authen_type, user len, port len, rem_addr len, port, and rem_addr fields in the Accounting Request packet are the same as those in the Authorization Request packet and are not provided here.

    Table 1-16  Fields in HWTACACS Accounting Request packet
    Field Description
    flags Accounting type:
    • Start accounting (0x02)
    • Stop accounting (0x04)
    • Interim accounting (0x08)
    authen_service Type of the service requesting authentication. The PPP(0x03), LOGIN(0x01), and NONE(0x00) types are available, corresponding to PPP users, administrators, and other users.
    arg_cnt Number of attributes carried in Accounting Request packet.
    argN Attribute of the Accounting Request packet.
  • Figure 1-15 shows the format of HWTACACS Accounting Response packets.

    Figure 1-15  HWTACACS Accounting Response packet format
    Table 1-17  Fields in HWTACACS Accounting Response packet
    Field Description
    server_msg len Length of the server_msg field.
    data len Length of the data field.
    status Accounting status:
    • Accounting is successful (0x01)
    • Accounting fails (0x02)
    • No response (0x03)
    server_msg Information sent by the accounting server to the client.
    data Information sent by the accounting server to the administrator.

HWTACACS Interaction Process

This section describes how HWTACACS performs authentication, authorization, and accounting for Telnet users. Figure 1-16 shows the message exchange process.
Figure 1-16  HWTACACS message interaction

The HWTACACS message exchange process is as follows:
  1. A Telnet user sends a request packet.
  2. The HWTACACS client sends an Authentication Start packet to the HWTACACS server after receiving the request packet.
  3. The HWTACACS server sends an Authentication Reply packet to request the user name.
  4. The HWTACACS client sends a packet to query the user name after receiving the Authentication Reply packet.
  5. The user enters the user name.
  6. The HWTACACS client sends an Authentication Continue packet containing the user name to the HWTACACS server.
  7. The HWTACACS server sends an Authentication Reply packet to request the password.
  8. The HWTACACS client queries the password after receiving the Authentication Reply packet.
  9. The user enters the password.
  10. The HWTACACS client sends an Authentication Continue packet containing the password to the HWTACACS server.
  11. The HWTACACS server sends an Authentication Reply packet, indicating that the user has been authenticated.
  12. The HWTACACS client sends an Authorization Request packet to the HWTACACS server.
  13. The HWTACACS server sends an Authorization Response packet, indicating that the user is authorized.
  14. The HWTACACS client receives the Authorization Response packet and displays the login page.
  15. The HWTACACS client sends an Accounting Request (start) packet to the HWTACACS server.
  16. The HWTACACS server sends an Accounting Response packet.
  17. The user requests to go offline.
  18. The HWTACACS client sends an Accounting Request (stop) packet to the HWTACACS server.
  19. The HWTACACS server sends an Accounting Response packet.
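An added example of the client side of steps 3 to 11 above, not Huawei code: it consumes a sequence of Authentication Reply bodies, answers GETUSER with the user name and GETPASS with the password in Authentication Continue packets, and stops on PASS, FAIL, ERROR, RESTART or FOLLOW. Status values and the meaning of the reply flags field come from Table 1-13 and the continue flags field from Table 1-12; the byte layouts of the Reply body (status, flags, two 2-byte lengths) and the Continue body (two 2-byte lengths, then a 1-byte flags) are assumptions taken from the TACACS+ format (RFC 8907). The server replies are constructed inline with the helper `build_reply`, and the packet header is left out.

```python
import struct

# Authentication Reply status values from Table 1-13.
PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR, FOLLOW = (
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x21)
TERMINAL = {PASS: "PASS", FAIL: "FAIL", RESTART: "RESTART", ERROR: "ERROR",
            FOLLOW: "FOLLOW"}
REPLY_NOECHO = 0x01        # reply flags (Table 1-13): 1 = entered text is not displayed
CONTINUE_END = 0x01        # continue flags (Table 1-12): 1 = authentication has ended


def build_reply(status, server_msg=b"", data=b"", flags=0) -> bytes:
    """Server-side encoder, used here only to construct sample replies."""
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def parse_reply(body: bytes) -> dict:
    if len(body) < 6:
        raise ValueError("reply body too short")
    status, flags, mlen, dlen = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + mlen + dlen:
        raise ValueError("reply length fields do not match the body size")
    return {"status": status, "noecho": bool(flags & REPLY_NOECHO),
            "server_msg": body[6:6 + mlen], "data": body[6 + mlen:]}


def build_continue(user_msg: bytes, data: bytes = b"", end=False) -> bytes:
    flags = CONTINUE_END if end else 0
    return struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data


def parse_continue(body: bytes) -> dict:
    if len(body) < 5:
        raise ValueError("continue body too short")
    ulen, dlen, flags = struct.unpack("!HHB", body[:5])
    if len(body) != 5 + ulen + dlen:
        raise ValueError("continue length fields do not match the body size")
    return {"user_msg": body[5:5 + ulen], "data": body[5 + ulen:],
            "ended": bool(flags & CONTINUE_END)}


def run_login(replies, username: bytes, password: bytes, max_rounds=8):
    """Consume the server's replies in order; return (outcome, continues sent, warnings).

    GETUSER -> Continue carrying the user name (steps 3 to 6), GETPASS -> Continue
    carrying the password (steps 7 to 10), PASS -> success (step 11). Any other
    terminal status ends the attempt, and the round limit stops a server that
    keeps prompting without ever deciding.
    """
    sent, warnings = [], []
    for body in replies[:max_rounds]:
        reply = parse_reply(body)
        status = reply["status"]
        if status in TERMINAL:
            return TERMINAL[status], sent, warnings
        if status == GETUSER:
            sent.append(build_continue(username))
        elif status == GETPASS:
            if not reply["noecho"]:
                # Table 1-13: flags=1 tells the client not to display the password;
                # a prompt without it would echo the secret on the terminal.
                warnings.append("password prompt without no-echo flag")
            sent.append(build_continue(password))
        elif status == GETDATA:
            # Not part of the plain user name / password exchange shown above.
            sent.append(build_continue(b"", end=True))
            return "ENDED_ON_GETDATA", sent, warnings
        else:
            raise ValueError(f"unknown reply status 0x{status:02x}")
    return "INCOMPLETE", sent, warnings
```

Bounding the number of rounds and treating every unknown status as an error are the two guards worth keeping in a real client: the protocol lets the server drive the dialogue, so the client must decide for itself when the exchange has stopped making progress.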
NOTE:

Both the HWTACACS protocol and the TACACS+ protocol of other vendors implement authentication, authorization, and accounting. The HWTACACS protocol is completely compatible with TACACS+ because their authentication procedures and implementations are the same.

HWTACACS Attributes

In the HWTACACS authorization or accounting packets, the argN field carries the information exchanged between a server and a client.

HWTACACS Attributes

Table 1-18 describes the HWTACACS attributes supported by the device. The device cannot parse the attributes not included in the table.

Table 1-18  Common HWTACACS attributes
Attribute Name Description
acl Authorization ACL ID.
addr User IP address.
autocmd Commands that the system automatically executes after a user logs in.
bytes_in Number of bytes received by the device. K, M, and G indicate KByte, MByte, and GByte. No unit is displayed if Byte is used.
bytes_out Number of bytes sent by the device. K, M, and G indicate KByte, MByte, and GByte. No unit is displayed if Byte is used.
callback-line Information sent from the authentication server and to be displayed to a user, such as a mobile number.
cmd Commands executed by the system shell. The maximum length is 251 characters. The complete command is encapsulated when the command is recorded, and only the first keyword is encapsulated when the command is authorized.
cmd-arg Parameter in the command line to be authorized. cmd-arg=<cr> is added at the end of the command line.
disc_cause Reason for disconnection. Only accounting stop packets carry this attribute. The reasons include:
  • A user requests to go offline (1)
  • Data forwarding is interrupted (2)
  • Service is interrupted (3)
  • Idle cut (4)
  • Session timeout (5)
  • The administrator requests to go offline (7)
  • The NAS is faulty (9)
  • The NAS requests to go offline (10)
  • The port is suspended (12)
  • User information is incorrect (17)
  • A host requests to go offline (18)
disc_cause_ext Extended reason for disconnection. Only accounting stop packets carry this attribute. The extended reasons include:
  • Unknown reason (1022)
  • The EXEC terminal tears down the connection (1020)
  • An online Telnet user forcibly disconnects this user (1022)
  • The user cannot be switched to the SLIP/PPP client due to no remote IP address (1023)
  • PPP PAP authentication fails (1042)
  • PPP receives a Terminate packet from the remote end (1045)
  • The upper-layer device requests the device to tear down the PPP connection (1046)
  • PPP handshake fails (1063)
  • Session times out (1100)
dnaverage Downstream average rate, in bit/s.
dnpeak Downstream peak rate, in bit/s.
dns-servers IP address of the primary DNS server.
elapsed_time Online duration, in seconds.
ftpdir Initial directory of an FTP user.
gw-password Tunnel password. The value is a string of 1 to 29 characters. If the value contains more than 29 characters, only the first 29 characters are valid.
idletime Idle session timeout period. If a user does not perform any operation within this period, the system disconnects the user.
l2tp-hello-interval Interval for sending L2TP Hello packets. The device does not support this attribute.
l2tp-hidden-avp The attribute value pair (AVP) of L2TP. The device does not support this attribute.
l2tp-nosession-timeout If no session exists within this period, the L2TP tunnel is torn down. The device does not support this attribute.
l2tp-group-num L2TP group number. Other L2TP attributes take effect only after this attribute is delivered. If this attribute is not delivered, other L2TP attributes are ignored.
l2tp-tos-reflect TOS of L2TP. The device does not support this attribute.
l2tp-tunnel-authen Whether the L2TP tunnel is authenticated. The value 0 indicates no authentication, and the value 1 indicates authentication.
l2tp-udp-checksum UDP packet checksum.
nocallback-verify No authentication is required for callback.
nohangup Whether the device automatically disconnects a user. The value is true or false. This attribute is valid only after the autocmd attribute is configured. It decides whether to disconnect a user who has executed the autocmd command. The value true indicates not to disconnect, and the value false indicates to disconnect.
paks_in Number of packets received by the device.
paks_out Number of packets sent by the device.
priv-lvl User level.
protocol Protocol type. It belongs to the service type and is valid only for the PPP and Connection services. The device supports four protocol types: pad, telnet, ip, and vpdn.
  • When the service type is connection, the protocol type can be pad or telnet.
  • When the service type is ppp, the protocol type can be ip or vpdn.
  • For other service types, this attribute is not used.
task_id Task ID. The task IDs recorded when a task starts and ends must be the same.
timezone Local time zone.
tunnel-id Local user name of the tunnel. The value is a string of 1 to 29 characters. If the value contains more than 29 characters, only the first 29 characters are valid.
tunnel-type Tunnel type. The device only supports the L2TP tunnel. The value of tunnel-type is 3.
service Service type, accounting or authorization.
source-ip Local IP address of the tunnel.
upaverage Upstream average rate, in bit/s.
uppeak Upstream peak rate, in bit/s.

HWTACACS Attributes Available in Packets
Depending on packet types, HWTACACS authorization packets are classified into Authorization Request packets and Authorization Response packets. Depending on use scenarios, HWTACACS authorization packets are classified into EXEC user authorization packets, command line authorization packets, and access user authorization packets. Different authorization packets carry different attributes. For details, see Table 1-19.
  • EXEC authorization: The HWTACACS server controls rights of the management users logging in through Telnet, terminal, SSH, and FTP.
  • Command line authorization: The device authorizes each command line executed by a user. Only authorized command lines can be executed.
  • Access user authorization: The HWTACACS server controls the rights of NAC users such as 802.1x users.
Depending on packet types, HWTACACS accounting packets are classified into Accounting Request packets and Accounting Response packets. Depending on connection types, HWTACACS accounting packets are classified into network accounting packets, connection accounting packets, EXEC accounting packets, system accounting packets, and command accounting packets. Different accounting packets carry different attributes. For details, see Table 1-20.
  • Network accounting: applicable to the networks where PPP users access. For example, when a PPP user connects to a network, the server sends an accounting start packet; when the user is using network services, the server periodically sends interim accounting packets; when the user goes offline, the server sends an accounting stop packet.
  • Connection accounting: applicable to the scenarios where users log in to the server through Telnet or FTP clients. When a user connects to the device, the user can run commands to access a remote server and obtain files from the server. The device sends an accounting start packet when the user connects to the remote server and an accounting stop packet when the user disconnects from the remote server.
  • EXEC accounting: applicable to the scenarios where users log in to the device through Telnet or FTP. When a user connects to a network, the server sends an accounting start packet; when the user is using network services, the server periodically sends interim accounting packets; when the user goes offline, the server sends an accounting stop packet.
  • System accounting: applicable to the fault diagnosis scenarios. The server records the system-level events to help administrators monitor the device and locate network faults.
  • Command accounting: When an administrator runs any command on the device, the device sends the command to the HWTACACS server through a command accounting stop packet so that the server can record the operations performed by the administrator.
NOTE:
  • Y: The packet supports this attribute.
  • N: The packet does not support this attribute.
Table 1-19  HWTACACS attributes available in authorization packets

| Attribute | Command Line Authorization Packet | EXEC Authorization Response Packet | Access User Authorization Response Packet |
|---|---|---|---|
| acl | N | Y | N |
| addr | N | N | Y |
| addr-pool | N | N | Y |
| autocmd | N | Y | N |
| callback-line | N | Y | Y |
| cmd | Y | N | N |
| cmd-arg | Y | N | N |
| dnaverage | N | N | Y |
| dnpeak | N | N | Y |
| dns-servers | N | N | Y |
| ftpdir | N | Y | N |
| gw-password | N | N | Y |
| idletime | N | Y | N |
| ip-addresses | N | N | Y |
| l2tp-group-num | N | N | Y |
| l2tp-tunnel-authen | N | N | Y |
| nocallback-verify | N | Y | N |
| nohangup | N | Y | N |
| priv-lvl | N | Y | N |
| source-ip | N | N | Y |
| tunnel-type | N | N | Y |
| tunnel-id | N | N | Y |
| upaverage | N | N | Y |


Table 1-20  HWTACACS attributes available in accounting packets

| Attribute | Network Accounting Start Packet | Network Accounting Stop Packet | Network Interim Accounting Packet | Connection Accounting Start Packet | Connection Accounting Stop Packet | EXEC Accounting Start Packet | EXEC Accounting Stop Packet | EXEC Interim Accounting Packet | System Accounting Stop Packet | Command Line Accounting Stop Packet |
|---|---|---|---|---|---|---|---|---|---|---|
| addr | Y | Y | Y | Y | Y | N | N | N | N | N |
| bytes_in | N | Y | Y | N | Y | N | Y | Y | N | N |
| bytes_out | N | Y | Y | N | Y | N | Y | Y | N | N |
| cmd | N | N | N | Y | Y | N | N | N | N | Y |
| disc_cause | N | Y | N | N | N | N | Y | Y | N | N |
| disc_cause_ext | N | Y | N | N | N | N | Y | Y | N | N |
| elapsed_time | N | Y | Y | N | Y | N | Y | Y | Y | N |
| paks_in | N | Y | Y | N | Y | N | Y | Y | N | N |
| paks_out | N | Y | Y | N | Y | N | Y | Y | N | N |
| priv-lvl | N | N | N | N | N | N | N | N | N | Y |
| protocol | Y | Y | Y | Y | Y | N | N | N | N | N |
| service | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| task_id | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| timezone | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| tunnel-id | N | N | N | N | N | N | N | N | N | N |
| tunnel-type | Y | N | N | N | N | N | N | N | N | N |


Updated: 2019-05-25

Document ID: EDOC1000097287