S1720GFR, S2700, S5700, and S6720 V200R010C00 Web-based Configuration Guide

This document describes how to configure and maintain the device through the web network management system, which provides functions for viewing device information and managing the entire system, interfaces, services, ACL, QoS, routes, security, and tools.
AAA

Authentication, Authorization, and Accounting (AAA) is used to manage network security. It provides a uniform framework to configure authentication, authorization, and accounting security functions.

Generally, AAA uses the client/server model: the client runs on the managed resource side, and the server collects and stores all user information. This model is highly extensible and allows user information to be managed centrally.

AAA Scheme

You can add, modify, and delete an authentication scheme, authorization scheme, or accounting scheme.

Context

Authentication, Authorization, and Accounting are three independent service processes.

  • In the authentication process, a device verifies the user name, password, or other user information carried in an access request or service request. It neither delivers authorization information to the user nor triggers accounting. In AAA, a device can use authentication alone, without authorization or accounting.
  • In the authorization process, a device sends authorization requests to the authorization server and, after users pass authorization, delivers the authorization information to them. If the authorization scheme is none, users are not authorized and, once authenticated, receive the default authority granted by the system.
  • In the accounting process, a device sends accounting-start, accounting-update, or accounting-stop packets to the accounting server. In AAA, an accounting scheme is optional.

Procedure

  • Create an authentication scheme.

    NOTE:

    You can create an authentication scheme, authorization scheme, or accounting scheme. Here the authentication scheme is used as an example.

    1. Choose Security > AAA > AAA Scheme in the navigation tree to open the AAA Scheme page.
    2. Click Create to open the Create Authentication Scheme page, as shown in Figure 2-195.

      Figure 2-195  Create Authentication Scheme

      Table 2-116 describes the parameters on the Create Authentication Scheme page.

      Table 2-116  Create Authentication Scheme

      Item

      Description

      Authentication scheme name

      Indicates the name of an authentication scheme. This parameter is mandatory.

      Mode

      Indicates the authentication mode. There are four authentication modes for you to select.

      NOTE:
      • The options are none, hwtacacs, radius, and local.
      • You can combine authentication modes. If the authentication mode is none, you cannot configure an authentication scheme.
      • You cannot select the same authentication mode more than once; otherwise, the authentication scheme cannot be created.

    3. Set parameters.
    4. Click OK.
  • Modify an authentication scheme.

    NOTE:

    You can modify an authentication scheme, authorization scheme, or accounting scheme. Here the authentication scheme is used as an example.

    1. Choose Security > AAA > AAA Scheme in the navigation tree to open the AAA Scheme page.
    2. Click the modify icon to open the Modify Authentication Scheme page, as shown in Figure 2-196.

      Figure 2-196  Modify Authentication Scheme

      NOTE:
      • Table 2-116 describes the parameters on the Modify Authentication Scheme page.
      • The authentication scheme name cannot be changed.

    3. Set the authentication type as required.
    4. Click OK.
  • Delete an authentication scheme.
    1. Choose Security > AAA > AAA Scheme in the navigation tree to open the AAA Scheme page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the check box of the record.
      • To delete records in batches, click the check boxes of the records.

    3. Click OK.

Service Scheme

Access users must obtain authorization information before going online. Authorization information about users can be managed by configuring a service scheme.

Context

A service scheme is a set of authorization information about users. After a service scheme is created, you can set attributes of users in the service scheme view.

Procedure

  • Create a service scheme.
    1. Choose Security > AAA > Service Scheme in the navigation tree to open the Service Scheme page.
    2. Click Create to open the Create Service Scheme page, as shown in Figure 2-197.

      Figure 2-197  Create Service Scheme

      Table 2-117 describes the parameters on the Create Service Scheme page.

      Table 2-117  Create Service Scheme

      Parameter

      Description

      Service scheme name

      Indicates the name of a new service scheme. This parameter is mandatory.

      Administrator level

      Indicates the administrator level for a user to log in to the switch.

      Primary DNS IP

      Indicates the IP address of the primary DNS server, for example, 10.10.10.1.

      Secondary DNS IP

      Indicates the IP address of the secondary DNS server, for example, 10.10.10.2.

      NOTE:
      Before configuring the IP address of the secondary DNS server, you must configure an IP address for the primary DNS server.

    3. Set parameters.
    4. Click OK.
  • Modify a service scheme.
    1. Choose Security > AAA > Service Scheme in the navigation tree to open the Service Scheme page.
    2. Click the modify icon to open the Modify Service Scheme page, as shown in Figure 2-198.

      Figure 2-198  Modify Service Scheme

      NOTE:
      • Table 2-117 describes the parameters on the Modify Service Scheme page.
      • The service scheme name cannot be modified.

    3. Set parameters.
    4. Click OK.
  • Delete a service scheme.
    1. Choose Security > AAA > Service Scheme in the navigation tree to open the Service Scheme page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the check box of the record.
      • To delete records in batches, click the check boxes of the records.

    3. Click OK.

RADIUS

You can create, modify, and delete RADIUS server templates, authentication/accounting servers, and authorization servers. Before configuring a RADIUS authentication/accounting server, you must create a RADIUS server template. A RADIUS server maintains its own database of user names and passwords for authentication and accounting. The RADIUS authorization server receives authorization requests from users and delivers authorization information to them after they pass authorization.

Context

When a user logs in to a network device such as a switch or a network access server (NAS), the user name and password are sent to that device. The RADIUS client (the NAS) then sends an authentication request to the RADIUS server. If the request is valid, the RADIUS server completes authentication and returns the required authorization information to the RADIUS client. If the request is invalid, the RADIUS server returns failure information to the RADIUS client.

NOTE:

Most RADIUS settings have default values; configure them according to your networking requirements. You can modify a RADIUS configuration only while the RADIUS server template is not in use.

The RADIUS authorization server is mainly used to authorize users when they select services dynamically.

Procedure

  • Create a RADIUS server template.
    1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS page.
    2. Click Create, and the Create RADIUS Template page is displayed, as shown in Figure 2-199.

      Figure 2-199  Create RADIUS Template

      Table 2-118 describes the parameters on the page.

      Table 2-118  Create a RADIUS Server Template

      Parameter

      Description

      Template name

      Indicates the name of a new RADIUS server template. This parameter is mandatory.

      Key

      When sending authentication packets, the switch and the RADIUS server encrypt sensitive data such as the password so that it is protected in transit over the network. For each end to verify the other, the switch and the RADIUS server must be configured with the same key.

      The value is a string. By default, the shared key of a RADIUS server is huawei.

      Confirm key

      Indicates the confirmed shared key. The format is the same as that of the shared key.

    3. Set parameters.
    4. Click OK.
  • Modify a RADIUS server template.
    1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS page.
    2. Click the modify icon, and the Modify RADIUS Template page is displayed, as shown in Figure 2-200.

      Figure 2-200  Modify RADIUS Template

      NOTE:
      • Table 2-118 describes the parameters on the page.
      • The template name cannot be modified.

    3. Set parameters.
    4. Click OK.
  • Delete a RADIUS server template.
    1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the check box of the record.
      • To delete records in batches, click the check boxes of the records.

    3. Click OK.
  • Create a RADIUS authentication/accounting server.
    1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS page.
    2. Click Create, and the Create RADIUS Authentication/Accounting Server page is displayed, as shown in Figure 2-201.

      Figure 2-201  Create RADIUS Authentication/Accounting Server

      Table 2-119 describes the parameters on the page.

      Table 2-119  Create RADIUS Authentication/Accounting Server

      Parameter

      Description

      Server type

      Indicates the server type.

      Template name

      Indicates the RADIUS server template name. This parameter is mandatory.

      IP address

      Indicates the IP address of the server, for example, 10.10.10.1. This parameter is mandatory.

      Port

      Indicates the UDP port number of the server. This parameter is mandatory.

      Weight

      Indicates the weight of the server. The default value is 80.

    3. Set parameters.

      NOTE:

      The device supports more than one server. To add servers, click Add and set parameters.

      When multiple servers are available, the device uses the server with the highest weight for authentication and accounting. If the servers have the same weight, the device uses the server that was configured first.

    4. Click OK.
  • Modify a RADIUS authentication/accounting server.
    1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS page.
    2. Click the modify icon, and the Modify RADIUS Authentication/Accounting Server page is displayed, as shown in Figure 2-202.

      Figure 2-202  Modify RADIUS Authentication/Accounting Server

      NOTE:

      Table 2-119 describes the parameters on the page.

    3. Set parameters.
    4. Click OK.
  • Delete a RADIUS authentication/accounting server.
    1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.
    3. Click OK.
  • Create a RADIUS authorization server.
    1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS page.
    2. Click Create, and the Create RADIUS Authorization Server page is displayed, as shown in Figure 2-203.

      Figure 2-203  Create RADIUS Authorization Server

      Table 2-120 describes the parameters on the page.

      Table 2-120  Create RADIUS Authorization Server

      Parameter

      Description

      Server IP

      Indicates the IP address of the authorization server, for example, 10.10.10.1. This parameter is mandatory.

      RADIUS template

      Indicates the RADIUS server template name. This parameter is optional.

      Key

      This parameter is mandatory.

      By default, no shared key is configured on a RADIUS authorization server.

      ACK reserve interval

      Indicates the duration in which an authorization acknowledgment packet is reserved. This parameter is optional.

    3. Set parameters.
    4. Click OK.
  • Modify a RADIUS authorization server.
    1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS page.
    2. Click the modify icon, and the Modify RADIUS Authorization Server page is displayed, as shown in Figure 2-204.

      Figure 2-204  Modify RADIUS Authorization Server

      NOTE:
      • Table 2-120 describes the parameters on the page.
      • The IP address of the authorization server cannot be changed.

    3. Set parameters.
    4. Click OK.
  • Delete a RADIUS authorization server.
    1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.
    3. Click OK.
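The Context above describes the exchange between the switch (RADIUS client) and the RADIUS server, and the Key parameter in Table 2-118 says both ends must share the same key. The following added example (not code from this guide or from Huawei) shows what that key does in RFC 2865: it hides the User-Password attribute in the Access-Request and seals the server's reply with a Response Authenticator, so a key mismatch on either side yields an unusable password and an unverifiable reply. The secret, identifier, and Request Authenticator are constructed sample values.

```python
"""RADIUS shared-key mechanics (RFC 2865): User-Password hiding in an
Access-Request and the Response Authenticator on the reply."""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """Pad to a multiple of 16 and XOR each chunk with MD5(secret + previous
    output chunk), seeded by the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password; only the matching key recovers it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length covers its own 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    attrs, pos = {}, 20  # attributes follow the 20-byte header
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(secret, ident, user, password, req_auth):
    # A real client draws a fresh random 16-byte req_auth per request.
    attrs = attr(ATTR_USER_NAME, user) + attr(
        ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def build_response(secret, code, ident, req_auth, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def response_is_authentic(secret, req_auth, resp):
    """Client-side check: a reply built with a different key fails here."""
    header, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    return resp_auth == hashlib.md5(header + req_auth + attrs + secret).digest()


def demo():
    secret, ra = b"example-shared-key", bytes(range(16))  # constructed sample
    req = build_access_request(secret, 7, b"alice", b"Sw1tch-Login-Pw", ra)
    hidden = parse_attrs(req)[ATTR_USER_PASSWORD]
    resp = build_response(secret, ACCESS_ACCEPT, 7, ra)
    return (reveal_password(secret, ra, hidden),        # server has the same key
            reveal_password(b"wrong-key", ra, hidden),  # key mismatch: garbage
            response_is_authentic(secret, ra, resp),
            response_is_authentic(b"wrong-key", ra, resp))
```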

Domain

The switch manages users based on domains. You can configure the default authorization scheme, RADIUS template, authentication scheme, and accounting scheme in a domain.

Context

If no AAA schemes are applied to a new domain, the default authentication scheme and accounting scheme are adopted. By default, the new domain is not bound to any authorization scheme.

Procedure

  • Create a domain.
    1. Choose Security > AAA > Domain in the navigation tree to open the Domain page.
    2. Click Create to open the Create Domain page, as shown in Figure 2-205.

      Figure 2-205  Create Domain

      Table 2-121 describes the parameters on the Create Domain page.

      Table 2-121  Create Domain

      Parameter

      Description

      Domain name

      Indicates the name of the new domain. This parameter is mandatory.

      Authentication scheme

      Indicates the authentication scheme of the system.

      Authorization scheme

      Indicates the authorization scheme of the system.

      Accounting scheme

      Indicates the accounting scheme of the system.

      Service scheme

      Indicates the service scheme of the system.

      RADIUS template

      Indicates the RADIUS server template applied to the domain.

    3. Set parameters.
    4. Click OK.
  • Modify a domain.
    1. Choose Security > AAA > Domain in the navigation tree to open the Domain page.
    2. Click the modify icon to open the Modify Domain page, as shown in Figure 2-206.

      Figure 2-206  Modify Domain

      NOTE:
      • Table 2-121 describes the parameters on the Modify Domain page.
      • The domain name cannot be modified.

    3. Set parameters.
    4. Click OK.
  • Delete a domain.
    1. Choose Security > AAA > Domain in the navigation tree to open the Domain page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the check box of the record.
      • To delete records in batches, click the check boxes of the records.

    3. Click OK.

User Management

You can create a local database to maintain user information and manage users on the local switch.

Context

You need to create a local user account and configure the attributes of the local user so that the switch can authenticate and authorize that user, based on the stored local user information, when the user logs in.

By default, a local user named admin exists in the system. Its password is admin@huawei.com, and its access type is HTTP.
NOTE:

A simple password brings security risks. It is recommended that you change the password to a complex one after logging in to the web network management system with the default account. A password should consist of at least 8 characters and contain at least two of the following character types: lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %). The password cannot contain spaces or single quotation marks ('), and it cannot be the same as the user name or the mirror user name.

Security risks exist if the user access type is set to Telnet, FTP, or HTTP. You are advised to configure only the access modes that are required.

If the password set when creating or modifying a local user is the same as the default password, a security risk exists.

Procedure

  • Create a user.
    1. Choose Security > AAA > User Management in the navigation tree to open the User Management page.
    2. Click Create to open the Create User page, as shown in Figure 2-207.

      Figure 2-207  Create User

      Table 2-122 describes the parameters on the Create User page.

      Table 2-122  Create User/Modify User

      Parameter

      Description

      User name

      Indicates a new user name. This parameter is mandatory.

      Encryption type

      Indicates the password encryption type.

      NOTE:

      When you modify user information, you can change the password encryption type from reversible to irreversible, but not from irreversible to reversible.

      Password

      Indicates the password.

      Confirm password

      Confirms the password. It must be the same as the password.

      User level

      Indicates the user level. The value ranges from 0 to 15.

      NOTE:
      • Only users of level 3 or higher have the management rights.
      • You can create a user account at the same or lower level.

      FTP directory

      Indicates the FTP directory, for example, flash:/.

      NOTE:

      If the access type of a local user is set to FTP, this parameter is mandatory; otherwise, FTP users cannot log in.

      User state

      Indicates the user status, including:
      • Active
      • Block

      By default, the value is Active.

      NOTE:
      • If a local user is in Active state, a switch accepts and processes the authentication request of the user.
      • If a local user is in Block state, the authentication request from this user is denied.

      Access type

      Indicates the access type. After you specify the access type of a user, only the users using the specified access type can log in. This parameter is mandatory.

      The steps are as follows:

      Select the access type in the left list box and click the arrow icon. The selected access type is displayed in the right list box.

      NOTE:
      • You can hold Shift or Ctrl to select multiple access types, or click the select-all icon to select all the access types.
      • Access types are associated with password encryption types:
        • Irreversible: FTP, HTTP, SSH, Telnet, Terminal, and x25-pad
        • Reversible: 8021X, PPP, and Web

      Forced logout

      Indicates whether a user is forcibly disconnected from the network.

      NOTE:

      This parameter is only displayed on the user modification page.

    3. Set parameters.
    4. Click OK.
  • Modify a user.
    1. Choose Security > AAA > User Management in the navigation tree to open the User Management page.
    2. Click the modify icon to open the Modify User page, as shown in Figure 2-208.

      Figure 2-208  Modify User

      NOTE:
      • Table 2-122 describes the parameters on the Modify User page.
      • The user name cannot be modified.

    3. Set parameters.
    4. Click OK.

      NOTE:

      When changing your password, enter the old password in Confirm Old Password, as shown in Figure 2-209.

      Figure 2-209  Confirm Old Password

  • Delete a user.
    1. Choose Security > AAA > User Management in the navigation tree to open the User Management page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • The current user cannot be deleted.
      • You can delete a user account at the same or lower level but not your own account.
      • To select a record, click the check box of the record.
      • To delete records in batches, click the check boxes of the records.

    3. Click OK.
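The notes in this section spread the local-user rules across the Context (password policy), Table 2-122 (user level, access type versus encryption type, FTP directory) and the delete step (own account, level). The following added example, not code from this guide or from the switch, collects them into checks an administrator can run against a planned account before clicking OK. Two readings are assumptions: "mirror user name" is taken as the user name reversed, and any non-alphanumeric character counts as a special character.

```python
"""Local-user checks derived from the User Management section (added example)."""
import re

IRREVERSIBLE_ACCESS = {"FTP", "HTTP", "SSH", "Telnet", "Terminal", "x25-pad"}
REVERSIBLE_ACCESS = {"8021X", "PPP", "Web"}
DEFAULT_ADMIN_PASSWORD = "admin@huawei.com"  # default stated in the Context
# Assumption: any non-alphanumeric character is "special" (the page lists ! $ # %).
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_problems(username: str, password: str) -> list:
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES) < 2:
        problems.append("fewer than two character types")
    if " " in password or "'" in password:
        problems.append("contains a space or a single quotation mark")
    # Assumption: the "mirror user name" is the user name reversed.
    if password in (username, username[::-1]):
        problems.append("same as the user name or the mirror user name")
    if password == DEFAULT_ADMIN_PASSWORD:
        problems.append("same as the default password")
    return problems


def create_user_problems(creator_level, username, level, encryption,
                         access_types, password, ftp_directory=None):
    """Rules from Table 2-122 plus the password policy."""
    problems = password_problems(username, password)
    if not 0 <= level <= 15:
        problems.append("user level must be 0 to 15")
    elif level > creator_level:
        problems.append("level above the creating user's level")
    allowed = IRREVERSIBLE_ACCESS if encryption == "irreversible" else REVERSIBLE_ACCESS
    wrong = sorted(set(access_types) - allowed)
    if wrong:
        problems.append(f"access types {wrong} do not match {encryption} encryption")
    if "FTP" in access_types and not ftp_directory:
        problems.append("FTP access type requires an FTP directory")
    return problems


def delete_user_problems(current_user, current_level, target_user, target_level):
    """Rules from the Delete a user note."""
    problems = []
    if target_user == current_user:
        problems.append("cannot delete your own account")
    if target_level > current_level:
        problems.append("cannot delete a user above your own level")
    return problems


def has_management_rights(level: int) -> bool:
    return level >= 3


def encryption_change_allowed(old: str, new: str) -> bool:
    """Modify User: reversible -> irreversible is allowed, not the reverse."""
    return not (old == "irreversible" and new == "reversible")
```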

Change Mode

NAC supports the common configuration mode and the unified configuration mode. With NAC, the device can control user access to the network.

Context

NAC only provides a user authentication solution. To implement this solution, the AAA function must also be configured.

NOTE:

The device supports NAC. NAC controls a user's network access permission that involves personal communication information collection or storage. Huawei will not collect or save user communication information independently. You must use the features in compliance with applicable laws and regulations. Ensure that your customers' privacy is protected when you are collecting or saving communication information.

Procedure

  1. Choose Security > AAA > Change Mode in the navigation tree to open the Change Mode page, as shown in Figure 2-210.

    Figure 2-210  Change Mode

  2. Under Config Next Start Mode, click Traditional or Unified.
  3. Click Apply to complete the configuration.

    NOTE:

    After you switch between common mode and unified mode, you must save the configuration and restart the device for each function to take effect in the new configuration mode. By default, the unified NAC configuration mode is used.

Updated: 2019-08-21

Document ID: EDOC1000114003