CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Example for Configuring Domain-based User Management

Networking Requirements

As shown in Figure 1-23, enterprise users access the network through Router. The user names do not contain any domain name.

The enterprise requirements are as follows:
  • Common users should access the network and obtain rights after passing RADIUS authentication.
  • The administrator user should log in to the device for management after passing local authentication on Router.
Figure 1-23  Configuring domain-based user management

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and a VLANIF interface so that Router can communicate with the RADIUS server.
  2. Configure authentication and accounting schemes for common users and apply the schemes to the default domain to authenticate common users, such as users using 802.1x authentication. The user names of common users do not carry domain names.
  3. Configure authentication and authorization schemes for the administrator user and apply the schemes to the default_admin domain to authenticate the administrator user, such as a user logging in through Telnet, SSH, or FTP. The user name of the administrator user does not carry the domain name.
NOTE:

Ensure that users have been configured on the RADIUS server. In this example, a user with the user name test1 and password 123456 has been configured on the RADIUS server.

This example provides only the configuration of Router. The configuration of the RADIUS server is not described here.

Procedure

  1. Create a VLAN and configure an interface.

    # Create VLAN 11 on Router.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 11
    

    # Configure Eth2/0/1 connecting Router and the RADIUS server and add Eth2/0/1 to VLAN 11.

    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] port link-type access
    [Router-Ethernet2/0/1] port default vlan 11
    [Router-Ethernet2/0/1] quit

    # Create VLANIF 11 and configure IP address 192.168.2.29/24 for it.

    [Router] interface vlanif 11
    [Router-Vlanif11] ip address 192.168.2.29 24
    [Router-Vlanif11] quit
    

  2. Configure RADIUS AAA for common users using 802.1x authentication.

    NOTE:

    Ensure that the shared key in the RADIUS server template is the same as the shared key configured on the RADIUS server.

    # Create and configure a RADIUS server template rd1.

    [Router] radius-server template rd1
    [Router-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Router-radius-rd1] radius-server accounting 192.168.2.30 1813
    [Router-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Router-radius-rd1] radius-server retransmit 2
    [Router-radius-rd1] quit

    # Create authentication and accounting schemes abc in which the authentication and accounting modes are both RADIUS.

    [Router] aaa
    [Router-aaa] authentication-scheme abc
    [Router-aaa-authen-abc] authentication-mode radius
    [Router-aaa-authen-abc] quit
    [Router-aaa] accounting-scheme abc
    [Router-aaa-accounting-abc] accounting-mode radius
    [Router-aaa-accounting-abc] quit

    # Test the connection between Router and the RADIUS server. The test user test1 with password 123456 has been configured on the RADIUS server.

    [Router-aaa] test-aaa test1 123456 radius-template rd1

    # Bind authentication and accounting schemes abc, and RADIUS server template rd1 to the default domain.

    [Router-aaa] domain default
    [Router-aaa-domain-default] authentication-scheme abc
    [Router-aaa-domain-default] accounting-scheme abc
    [Router-aaa-domain-default] radius-server rd1
    [Router-aaa-domain-default] quit
    [Router-aaa] quit

    # Enable 802.1x authentication on an interface.

    [Router] dot1x enable
    [Router] vlan batch 10
    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access
    [Router-Ethernet2/0/0] port default vlan 10 
    [Router-Ethernet2/0/0] dot1x enable
    [Router-Ethernet2/0/0] quit

    # Set the global default domain for common users to default. After common users enter their user names in the format of user@default, the device performs AAA authentication on these users in the default domain. If a user name does not contain a domain name or the domain name does not exist, the device authenticates the common user in the default common domain.

    [Router] domain default

  3. Configure local authentication and authorization for the administrator user test.

    # Configure the device to use AAA for the Telnet user that logs in through the VTY user interface.

    [Router] telnet server enable
    [Router] user-interface vty 0 14
    [Router-ui-vty0-14] authentication-mode aaa 
    [Router-ui-vty0-14] quit
    

    # Configure a local user named test with password admin@12345 and user level 3.

    [Router] aaa
    [Router-aaa] local-user test password irreversible-cipher admin@12345 privilege level 3

    # Configure the access type of the user test as Telnet.

    [Router-aaa] local-user test service-type telnet

    # Configure local account locking: set the retry interval to 5 minutes, the consecutive authentication failure count to 3, and the local account locking duration to 5 minutes.

    [Router-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5

    # Configure the authentication scheme auth in which local authentication is used.

    [Router-aaa] authentication-scheme auth
    [Router-aaa-authen-auth] authentication-mode local
    [Router-aaa-authen-auth] quit

    # Configure the authorization scheme autho in which local authorization is used.

    [Router-aaa] authorization-scheme autho
    [Router-aaa-author-autho] authorization-mode local
    [Router-aaa-author-autho] quit

    # Configure the default_admin domain, and apply the authentication scheme auth and authorization scheme autho to the domain.

    [Router-aaa] domain default_admin
    [Router-aaa-domain-default_admin] authentication-scheme auth
    [Router-aaa-domain-default_admin] authorization-scheme autho
    [Router-aaa-domain-default_admin] quit
    [Router-aaa] quit
    

    # Set the global default domain for administrative users to default_admin. After administrative users enter their user names in the format of user@default_admin, the device performs AAA authentication on these users in the default_admin domain. If a user name does not contain a domain name or the domain name does not exist, the device authenticates the administrative user in the default administrative domain.

    [Router] domain default_admin admin
    [Router] quit
    

  4. Verify the configuration.

    # Run the display dot1x interface command on Router to check that 802.1x authentication is enabled on the interface.

    # When common users go online and enter the user name test1 and password 123456 on the 802.1x client, run the display access-user domain and display access-user user-id commands. You can view the domain that users belong to and the access type.

    <Router> display access-user domain default
     ------------------------------------------------------------------------------
     UserID Username                       IP address                   MAC
     ------------------------------------------------------------------------------
     16040  test1                          -                         00e0-4c97-31f6
     ------------------------------------------------------------------------------
    
    <Router> display access-user user-id 16040
    Basic:
      User id                         : 16040
      User name                       : test1
      Domain-name                     : default
      User MAC                        : 00e0-4c97-31f6
      User IP address                 : -
      User access time                : 2009/02/15 19:10:52
      User accounting session ID      : Huawei255255000000000f910d2016040
      Option82 information            : -
      User access type                : 802.1x
    
    AAA:
      User authentication type        : 802.1x authentication
      Current authentication method   : RADIUS
      Current authorization method    : -
      Current accounting method       : RADIUS

    # When the user logs in through Telnet and enters the user name test and password admin@12345, run the display access-user domain and display access-user user-id commands. You can view the domain that the user belongs to and the access type.

    <Router> display access-user domain default_admin
     ------------------------------------------------------------------------------
     UserID Username                       IP address                   MAC
     ------------------------------------------------------------------------------
     16009  test                           10.135.18.217                -
     ------------------------------------------------------------------------------
    
    <Router> display access-user user-id 16009
    Basic:
      User id                         : 16009
      User name                       : test
      Domain-name                     : default_admin
      User MAC                        : -
      User IP address                 : 10.135.18.217
      User access time                : 2009/02/15 05:10:52
      User accounting session ID      : Huawei255255000000000f910d2016009
      Option82 information            : -
      User access type                : Telnet
    
    AAA:
      User authentication type        : Administrator authentication
      Current authentication method   : Local
      Current authorization method    : Local
      Current accounting method       : None

Configuration Files

Router configuration file

#
sysname Router
#
vlan batch 10 to 11
#
dot1x enable                                                                    
#  
radius-server template rd1
 radius-server shared-key cipher %^%#BS'$!w:u7H.lu:/&W9A5=pUt%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
 radius-server accounting 192.168.2.30 1813 weight 80
 radius-server retransmit 2
#
aaa
 authentication-scheme abc
  authentication-mode radius
 authentication-scheme auth
 authorization-scheme autho
 accounting-scheme abc
  accounting-mode radius
 domain default
  authentication-scheme abc
  accounting-scheme abc
  radius-server rd1
 domain default_admin
  authentication-scheme auth
  authorization-scheme autho
 local-user test password irreversible-cipher %^%#Zda2Q#=Vi"Js-5<QxfDR>_F1PBZ2/p.XNFxCHr~wGK^!_F4)%^%#
 local-user test privilege level 3
 local-user test service-type telnet
#
interface Vlanif11
 ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 10
 dot1x enable
# 
interface Ethernet2/0/1
 port link-type access
 port default vlan 11
#
 telnet server enable
#
user-interface vty 0 14
 authentication-mode aaa
# 
return
Updated: 2019-05-25

Document ID: EDOC1000097287