CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements

As shown in Figure 1-22, the customer requirements are as follows:

  • The HWTACACS server will authenticate access users for Router. If HWTACACS authentication fails, local authentication is used.
  • The HWTACACS server will authorize access users for Router. If HWTACACS authorization fails, local authorization is used.
  • HWTACACS accounting is used by Router for access users.
  • Real-time accounting is performed every 3 minutes.
  • The IP addresses of HWTACACS server 1 and server 2 are 10.7.66.66/24 and 10.7.66.67/24. The port number for authentication, accounting, and authorization is 49.
Figure 1-22  Networking diagram of HWTACACS authentication, accounting, and authorization

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an HWTACACS server template.
  2. Configure authentication, authorization, and accounting schemes.
  3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and accounting scheme to the domain.

Procedure

  1. Enable HWTACACS.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] hwtacacs enable
    
    NOTE:

    The HWTACACS function is enabled by default. If the HWTACACS configuration has not been modified, you do not need to run this command.

  2. Configure an HWTACACS server template.

    # Configure the HWTACACS server template ht.

    [Router] hwtacacs-server template ht

    # Configure the IP address and port number of HWTACACS authentication, authorization, and accounting server 1.

    [Router-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49 weight 80
    [Router-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49 weight 80
    [Router-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49 weight 80

    # Configure the IP address and port number of HWTACACS authentication, authorization, and accounting server 2.

    [Router-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 weight 40
    [Router-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 weight 40
    [Router-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 weight 40

    # Configure the shared key of the HWTACACS server.

    NOTE:

    Ensure that the shared key in the HWTACACS server template is the same as the shared key configured on the HWTACACS server.

    [Router-hwtacacs-ht] hwtacacs-server shared-key cipher Huawei@2012
    [Router-hwtacacs-ht] quit

  3. Configure the authentication scheme, authorization scheme, and accounting scheme.

    # Create an authentication scheme l-h. In the authentication scheme, the system performs HWTACACS authentication first, and performs local authentication if HWTACACS authentication fails.

    [Router] aaa
    [Router-aaa] authentication-scheme l-h
    [Router-aaa-authen-l-h] authentication-mode hwtacacs local
    [Router-aaa-authen-l-h] quit

    # Create an authorization scheme hwtacacs. In the authorization scheme, the system performs HWTACACS authorization first, and performs local authorization if HWTACACS authorization fails.

    [Router-aaa] authorization-scheme hwtacacs
    [Router-aaa-author-hwtacacs] authorization-mode hwtacacs local
    [Router-aaa-author-hwtacacs] quit

    # Create an accounting scheme hwtacacs, set the accounting mode to HWTACACS, and configure the policy that keeps users online when start accounting fails.

    [Router-aaa] accounting-scheme hwtacacs
    [Router-aaa-accounting-hwtacacs] accounting-mode hwtacacs
    [Router-aaa-accounting-hwtacacs] accounting start-fail online

    # Set the interval of real-time accounting to 3 minutes.

    [Router-aaa-accounting-hwtacacs] accounting realtime 3
    [Router-aaa-accounting-hwtacacs] quit

  4. Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.

    [Router-aaa] domain huawei
    [Router-aaa-domain-huawei] authentication-scheme l-h
    [Router-aaa-domain-huawei] authorization-scheme hwtacacs
    [Router-aaa-domain-huawei] accounting-scheme hwtacacs
    [Router-aaa-domain-huawei] hwtacacs-server ht
    [Router-aaa-domain-huawei] quit
    [Router-aaa] quit
    [Router] quit

  5. Configure a local user for local authentication (used when HWTACACS authentication fails).

    <Router> system-view
    [Router] aaa
    [Router-aaa] local-user user1 password irreversible-cipher Huawei@123
    [Router-aaa] local-user user1 service-type http
    [Router-aaa] local-user user1 privilege level 15
    [Router-aaa] quit

  6. Verify the configuration.

    # Run the display hwtacacs-server template command on Router to check that the HWTACACS server template configuration meets the requirements.

    <Router> display hwtacacs-server template ht
      ---------------------------------------------------------------------------
      HWTACACS-server template name   : ht
      Authentication Server 1         : 10.7.66.66:49 Weight:80 Vrf:- Status:UP
      Authentication Server 2         : 10.7.66.67:49 Weight:40 Vrf:- Status:UP
      Authorization  Server 1         : 10.7.66.66:49 Weight:80 Vrf:- Status:UP
      Authorization  Server 2         : 10.7.66.67:49 Weight:40 Vrf:- Status:UP
      Accounting     Server 1         : 10.7.66.66:49 Weight:80 Vrf:- Status:UP
      Accounting     Server 2         : 10.7.66.67:49 Weight:40 Vrf:- Status:UP
      Current-authentication-server   : 10.7.66.66:49 Weight:80 Vrf:- Status:UP
      Current-authorization-server    : 10.7.66.66:49 Weight:80 Vrf:- Status:UP
      Current-accounting-server       : 10.7.66.66:49 Weight:80 Vrf:- Status:UP
      Source-IP-address               : 0.0.0.0
      Source-IPv6-address             : ::
      Shared-key                      : ****************
      Quiet-interval(min)             : 5
      Response-timeout-Interval(sec)  : 5
      Domain-included                 : Yes
      Traffic-unit                    : B
      ---------------------------------------------------------------------------

    # Run the display domain command on Router to check that the domain configuration meets the requirements.

    <Router> display domain name huawei

      Domain-name                     : huawei
      Domain-state                    : Active
      Authentication-scheme-name      : l-h
      Accounting-scheme-name          : hwtacacs
      Authorization-scheme-name       : hwtacacs
      Service-scheme-name             : -
      RADIUS-server-template          : -
      HWTACACS-server-template        : ht
      User-group                      : -
      Push-url-address                : -
      Flow-statistic                  : -
      Tariff-level                    : -

Configuration Files

Router configuration file

#
sysname Router
#
hwtacacs-server template ht
 hwtacacs-server authentication 10.7.66.66 weight 80
 hwtacacs-server authentication 10.7.66.67 weight 40
 hwtacacs-server authorization 10.7.66.66 weight 80
 hwtacacs-server authorization 10.7.66.67 weight 40
 hwtacacs-server accounting 10.7.66.66 weight 80
 hwtacacs-server accounting 10.7.66.67 weight 40
 hwtacacs-server shared-key cipher %^%#0%i9M.C!T$8iTn7Ig-4V8GTgK[gwp3b6;k=caxl-%^%#
#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
  accounting start-fail online
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
 local-user user1 password irreversible-cipher %^%#iv-e(@1]P90{2*&tcll)JN*KQ9c`"Ob^#"Al|p7EHK>qVzB%(7On,d&6iweF%^%#
 local-user user1 privilege level 15
 local-user user1 service-type http
#
return
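As an added example (not Huawei's code and not part of this guide), the following Python script checks a saved configuration file such as the one above against the networking requirements of this example: both servers present for authentication, authorization, and accounting on port 49 with the expected weights, a shared key stored in cipher form, local fallback in the authentication and authorization schemes, a 3-minute real-time accounting interval, and all schemes plus the template bound to the domain. It also scans `display hwtacacs-server template` output for servers whose status is not UP. The sample configuration and the two UP lines are taken from the page; the function names, the indentation-based parsing of the configuration file, and the one display line altered to Status:DOWN are this example's own assumptions.

```python
import re

# Excerpt of the Router configuration file from the page, used as sample input.
SAMPLE_CONFIG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 10.7.66.66 weight 80
 hwtacacs-server authentication 10.7.66.67 weight 40
 hwtacacs-server authorization 10.7.66.66 weight 80
 hwtacacs-server authorization 10.7.66.67 weight 40
 hwtacacs-server accounting 10.7.66.66 weight 80
 hwtacacs-server accounting 10.7.66.67 weight 40
 hwtacacs-server shared-key cipher %^%#0%i9M.C!T$8iTn7Ig-4V8GTgK[gwp3b6;k=caxl-%^%#
#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
  accounting start-fail online
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
"""
# Two lines of the page's display output plus one constructed line whose
# status was changed from UP to DOWN to exercise the status check.
SAMPLE_DISPLAY = """\
  Authentication Server 1         : 10.7.66.66:49 Weight:80 Vrf:- Status:UP
  Authentication Server 2         : 10.7.66.67:49 Weight:40 Vrf:- Status:UP
  Accounting     Server 2         : 10.7.66.67:49 Weight:40 Vrf:- Status:DOWN
"""

def parse_vrp(text):
    """Parse a VRP-style config into a tree of {'cmd', 'children'} nodes.
    Leading spaces give the nesting depth; '#' and 'return' only separate blocks."""
    root = []
    stack = [(-1, root)]
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd in ("#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = {"cmd": cmd, "children": []}
        while stack[-1][0] >= indent:          # climb back to the parent level
            stack.pop()
        stack[-1][1].append(node)
        stack.append((indent, node["children"]))
    return root

def find(nodes, prefix):
    """First node whose command starts with prefix (None if absent)."""
    return next((n for n in nodes if n["cmd"].startswith(prefix)), None)

def has(nodes, cmd):
    return any(n["cmd"] == cmd for n in nodes)

SERVER_RE = re.compile(r"hwtacacs-server (authentication|authorization|accounting) "
                       r"(\S+)(?: (\d+))? weight (\d+)$")
MODES = {"authentication": "authentication-mode hwtacacs local",
         "authorization": "authorization-mode hwtacacs local",
         "accounting": "accounting-mode hwtacacs"}

def check_hwtacacs(config_text, template, servers, realtime_min, domain):
    """Return a list of findings (empty means the config meets the requirements).
    servers maps each expected server IP to its expected weight."""
    findings, tree = [], parse_vrp(config_text)
    tpl = find(tree, f"hwtacacs-server template {template}")
    if tpl is None:
        return [f"HWTACACS template {template} missing"]
    seen = {}
    for n in tpl["children"]:
        m = SERVER_RE.match(n["cmd"])
        if m:
            role, ip, port, weight = m.groups()
            seen[(role, ip)] = (int(port or 49), int(weight))   # port omitted = default 49
    for role in MODES:
        for ip, weight in servers.items():
            got = seen.get((role, ip))
            if got != (49, weight):
                findings.append(f"{role} server {ip}: expected port 49 weight {weight}, got {got}")
    key = find(tpl["children"], "hwtacacs-server shared-key")
    if key is None or " cipher " not in key["cmd"]:
        findings.append("shared key missing or not stored in cipher form")
    aaa = find(tree, "aaa")
    dom = find(aaa["children"], f"domain {domain}") if aaa else None
    if dom is None:
        return findings + [f"domain {domain} missing"]
    for kind, mode in MODES.items():
        ref = find(dom["children"], f"{kind}-scheme ")
        scheme = find(aaa["children"], f"{kind}-scheme {ref['cmd'].split()[1]}") if ref else None
        if scheme is None or not has(scheme["children"], mode):
            findings.append(f"{kind}: domain {domain} has no scheme with '{mode}'")
        elif kind == "accounting" and not has(scheme["children"], f"accounting realtime {realtime_min}"):
            findings.append(f"accounting realtime interval is not {realtime_min} min")
    if not has(dom["children"], f"hwtacacs-server {template}"):
        findings.append(f"domain {domain} does not use template {template}")
    return findings

STATUS_RE = re.compile(r"^\s*(\S+)\s+Server \d+\s*:\s*(\S+).*Status:(\S+)", re.M)

def servers_not_up(display_text):
    """(role, address) pairs from 'display hwtacacs-server template' whose Status is not UP."""
    return [(r, a) for r, a, s in STATUS_RE.findall(display_text) if s != "UP"]
```

Calling `check_hwtacacs(SAMPLE_CONFIG, "ht", {"10.7.66.66": 80, "10.7.66.67": 40}, 3, "huawei")` on the page's configuration returns an empty list; removing the `local` fallback from a scheme, changing the real-time interval, or dropping a server produces a finding naming the requirement that is no longer met, and `servers_not_up(SAMPLE_DISPLAY)` reports the accounting server that the constructed line marks as not UP.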
Updated: 2019-05-25

Document ID: EDOC1000097287
