CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring AAA Schemes

Context

To use HWTACACS authentication, authorization, and accounting, set the authentication mode in an authentication scheme to HWTACACS, the authorization mode in an authorization scheme to HWTACACS, and the accounting mode in an accounting scheme to HWTACACS.

When HWTACACS authentication is used, you can configure local authentication or non-authentication as a backup. This allows local authentication or non-authentication to be implemented if HWTACACS authentication fails. When HWTACACS authorization is used, you can configure local authorization or non-authorization as a backup.

NOTE:

By default, the same default authentication and accounting schemes are bound to the default and default_admin domains. If the default schemes are modified, user authentication or accounting may fail in a domain. Confirm the action before you modify the default schemes.

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication, allowing only authenticated users to access the device or network.

Procedure

  • Configuring an authentication scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      authentication-scheme authentication-scheme-name

      An authentication scheme is created, and the corresponding authentication scheme view or an existing authentication scheme view is displayed.

      By default, there is an authentication scheme named default on the device. This default scheme can be modified but cannot be deleted.

    4. Run:

      authentication-mode hwtacacs

      HWTACACS authentication is configured.

      By default, local authentication is used.

      To use local authentication as the backup authentication mode, run the authentication-mode hwtacacs local command to configure local authentication.

      NOTE:

      If multiple authentication modes are configured in an authentication scheme, the modes are tried in the sequence in which they were configured. The device moves on to the mode that was configured later only when it receives no response from the current authentication mode. If the current authentication fails, the device stops the authentication and does not try the next mode.

    5. Run:

      quit

      Return to the AAA view.

    6. (Optional) Run:

      domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the user name and domain name are parsed is configured.

    7. Run:

      quit

      Return to the system view.

    8. (Optional) Run:

      aaa-authen-bypass enable time time-value

      The bypass authentication duration is set.

      By default, no bypass authentication duration is set.

  • Configuring an authorization scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      authorization-scheme authorization-scheme-name

      An authorization scheme is created, and the corresponding authorization scheme view or an existing authorization scheme view is displayed.

      By default, there is a default authorization scheme named default on the device. This default authorization scheme can be modified but cannot be deleted.

    4. Run:

      authorization-mode { hwtacacs | local }* [ none ]

      The authorization mode is configured.

      By default, local authorization is used.

      If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

      NOTE:

      If multiple authorization modes are configured in an authorization scheme, the authorization modes are used in the sequence in which they were configured. The device uses the authorization mode that was configured later only after the current authorization fails.

    5. (Optional) Run:

      authorization-cmd privilege-level hwtacacs [ local ] [ none ]

      Command line authorization is enabled for users at the specified privilege level.

      By default, command line authorization is disabled for all user levels.

      If command line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    6. Run:

      quit

      Return to the AAA view.

    7. Run:

      quit

      Return to the system view.

    8. Run:

      quit

      Return to the system view.

    9. (Optional) Run:

      aaa-author-bypass enable time time-value

      The bypass authorization duration is set.

      By default, no bypass authorization duration is set.

    10. (Optional) Run:

      aaa-author-cmd-bypass enable time time-value

      The command-line bypass authorization duration is set.

      By default, no command-line bypass authorization duration is set.

  • Configuring an accounting scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      accounting-scheme accounting-scheme-name

      An accounting scheme is created, and the corresponding accounting scheme view or an existing accounting scheme view is displayed.

      There is a default accounting scheme named default on the device. This default accounting scheme can be modified but cannot be deleted.

    4. Run:

      accounting-mode hwtacacs

      HWTACACS accounting is configured for the accounting scheme.

      By default, the accounting mode is none.

    5. (Optional) Run:

      accounting start-fail { online | offline }

      A policy for accounting-start failures is configured.

      By default, users cannot go online if accounting-start fails.

    6. (Optional) Run:

      accounting realtime interval

      Real-time accounting is enabled and the interval for real-time accounting is set.

      By default, real-time accounting is disabled.

    7. (Optional) Run:

      accounting interim-fail [ max-times times ] { online | offline }

      The maximum number of real-time accounting failures is set, and the policy applied to users after that number is exceeded is configured.

      By default, after real-time accounting is enabled, the maximum number of real-time accounting requests is 3, and the device keeps paid users online when real-time accounting fails.
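The following session is an added example, not taken from this document, that puts the three procedures above together into one working HWTACACS AAA configuration. The scheme, mode, bypass and accounting commands are the ones listed in the procedure; the scheme names (tac-authen, tac-author, tac-acct), the domain name, the server template name, the 192.0.2.10 server address and the prompts are illustrative. The hwtacacs-server template and domain commands at the end are not described on this page and are assumed from general VRP knowledge; they are included only because the procedure states that an HWTACACS server template must be configured and applied to the user domain.

```text
# Added example (not from this page). Scheme names, domain, template,
# server address and prompts are assumptions; replace <shared-secret>.

<Huawei> system-view
[Huawei] aaa

# Authentication scheme: HWTACACS first. "local" is consulted only when
# the HWTACACS server does not respond; a rejection by the server ends
# the authentication and local credentials are never tried.
[Huawei-aaa] authentication-scheme tac-authen
[Huawei-aaa-authen-tac-authen] authentication-mode hwtacacs local
[Huawei-aaa-authen-tac-authen] quit

# Authorization scheme: HWTACACS first, local after HWTACACS authorization
# fails. Command-line authorization is enabled for level-15 users so every
# privileged command is checked against the server before it runs.
[Huawei-aaa] authorization-scheme tac-author
[Huawei-aaa-author-tac-author] authorization-mode hwtacacs local
[Huawei-aaa-author-tac-author] authorization-cmd 15 hwtacacs local
[Huawei-aaa-author-tac-author] quit

# Accounting scheme: HWTACACS accounting with a 3-minute real-time
# interval; users are kept offline if accounting-start fails or if more
# than 3 real-time accounting attempts fail.
[Huawei-aaa] accounting-scheme tac-acct
[Huawei-aaa-accounting-tac-acct] accounting-mode hwtacacs
[Huawei-aaa-accounting-tac-acct] accounting start-fail offline
[Huawei-aaa-accounting-tac-acct] accounting realtime 3
[Huawei-aaa-accounting-tac-acct] accounting interim-fail max-times 3 offline
[Huawei-aaa-accounting-tac-acct] quit
[Huawei-aaa] quit

# Assumed (not on this page): HWTACACS server template, then bind the
# schemes and the template to the domain the administrators log in with.
[Huawei] hwtacacs-server template tac-tmpl
[Huawei-hwtacacs-tac-tmpl] hwtacacs-server authentication 192.0.2.10
[Huawei-hwtacacs-tac-tmpl] hwtacacs-server authorization 192.0.2.10
[Huawei-hwtacacs-tac-tmpl] hwtacacs-server accounting 192.0.2.10
[Huawei-hwtacacs-tac-tmpl] hwtacacs-server shared-key cipher <shared-secret>
[Huawei-hwtacacs-tac-tmpl] quit
[Huawei] aaa
[Huawei-aaa] domain admin-domain
[Huawei-aaa-domain-admin-domain] authentication-scheme tac-authen
[Huawei-aaa-domain-admin-domain] authorization-scheme tac-author
[Huawei-aaa-domain-admin-domain] accounting-scheme tac-acct
[Huawei-aaa-domain-admin-domain] hwtacacs-server tac-tmpl
[Huawei-aaa-domain-admin-domain] quit
```

Two points from the procedure are worth checking in such a configuration. First, the fallback semantics differ between the schemes: authentication falls back to local only when the HWTACACS server sends no response, whereas authorization falls back after the HWTACACS authorization fails, so "hwtacacs local" in an authentication scheme does not let a user the server rejected log in with a local password. Second, the example leaves the default and default_admin domains untouched and binds new schemes to a separate domain; modifying the default schemes can break authentication or accounting in every domain that still uses them, as the NOTE in the Context section warns.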

Updated: 2019-05-25

Document ID: EDOC1000097287