S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Configuring AAA Schemes

Context

To use HWTACACS authentication, authorization, and accounting, set the authentication mode in the authentication scheme, authorization mode in the authorization scheme, and accounting mode in the accounting scheme to HWTACACS.

When configuring HWTACACS authentication, you can configure local authentication or non-authentication as the backup. This allows local authentication to be implemented if HWTACACS authentication fails. When configuring HWTACACS authorization, you can configure local authorization or non-authorization as the backup.

NOTE:

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. These two authentication schemes can be modified but not deleted.

    4. Run authentication-mode hwtacacs

      The HWTACACS authentication mode is specified.

      By default, local authentication is used.

      To use local authentication as the backup, run the authentication-mode hwtacacs [ local ] command.

    5. (Optional) Run authentication-super { hwtacacs | radius | super } * [ none ]

      The authentication mode for upgrading user levels is specified.

      The default mode is super (local authentication).

    6. Run quit

      The AAA view is displayed.

    7. (Optional) Configure the account locking function.

      1. Run remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

        The remote AAA authentication account locking function is enabled, and the authentication retry interval, maximum number of consecutive authentication failures, and account locking period are configured.

        By default, the remote AAA account locking function is enabled, the authentication retry interval is 300 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 30 minutes.

      2. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account that has failed authentication is unlocked.

    8. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the user name and domain name are parsed is specified.

      By default, a domain name is parsed from left to right.

    9. Run quit

      The system view is displayed.

    10. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication duration is set.

      By default, the bypass authentication function is disabled.

  • Configure an authorization scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      An authorization scheme is created and the authorization scheme view is displayed, or the view of an existing authorization scheme is displayed.

      By default, an authorization scheme named default is available on the device. The default authorization scheme can be modified but not deleted.

    4. Run authorization-mode hwtacacs [ local ] [ none ]

      The authorization mode is specified.

      By default, local authorization is used.

      If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    5. (Optional) Run authorization-cmd privilege-level hwtacacs [ local ] [ none ]

      Command-line authorization is enabled for users at a certain level.

      By default, command-line authorization is disabled for users at every level.

      If command-line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    6. Run quit

      The AAA view is displayed.

    7. Run quit

      The system view is displayed.

    8. (Optional) Run aaa-author-bypass enable time time-value

      The bypass authorization duration is set.

      By default, bypass authorization is disabled.

    9. (Optional) Run aaa-author-cmd-bypass enable time time-value

      The bypass command-line authorization duration is set.

      By default, bypass command-line authorization is disabled.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      By default, the accounting scheme named default is available on the device. The default accounting scheme can be modified but not deleted.

    4. Run accounting-mode hwtacacs

      The HWTACACS accounting mode is specified.

      The default accounting mode is none.

    5. (Optional) Run accounting start-fail { offline | online }

      A policy for accounting-start failures is configured.

      By default, users cannot go online if accounting-start fails.

    6. (Optional) Run accounting realtime interval

      Real-time accounting is enabled and the accounting interval is set.

      By default, real-time accounting is disabled. The device performs accounting for users based on their online duration.

    7. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }

      The maximum number of consecutive real-time accounting failures is set, together with the policy the device applies (keep the user online or take the user offline) once that number is reached.

      By default, the maximum number of real-time accounting failures is 3, and the device keeps users online after three consecutive real-time accounting attempts fail.
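The three procedures above combined into one session, added here as an illustration rather than taken from the guide: the scheme names hwt-auth, hwt-author and hwt-acct, the retry, blocking and interval values, and the device name HUAWEI are assumed sample values. The HWTACACS server template and the domain that references these schemes are configured separately and are not shown.

```text
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme hwt-auth
[HUAWEI-aaa-authen-hwt-auth] authentication-mode hwtacacs local
[HUAWEI-aaa-authen-hwt-auth] authentication-super hwtacacs super
[HUAWEI-aaa-authen-hwt-auth] quit
[HUAWEI-aaa] remote-aaa-user authen-fail retry-interval 5 retry-time 3 block-time 30
[HUAWEI-aaa] authorization-scheme hwt-author
[HUAWEI-aaa-author-hwt-author] authorization-mode hwtacacs local
[HUAWEI-aaa-author-hwt-author] authorization-cmd 3 hwtacacs local
[HUAWEI-aaa-author-hwt-author] quit
[HUAWEI-aaa] accounting-scheme hwt-acct
[HUAWEI-aaa-accounting-hwt-acct] accounting-mode hwtacacs
[HUAWEI-aaa-accounting-hwt-acct] accounting start-fail offline
[HUAWEI-aaa-accounting-hwt-acct] accounting realtime 15
[HUAWEI-aaa-accounting-hwt-acct] accounting interim-fail max-times 3 online
[HUAWEI-aaa-accounting-hwt-acct] quit
[HUAWEI-aaa] quit
[HUAWEI] quit
```

With local as the backup, a user is still checked against the local database when no HWTACACS server answers; omitting local and relying on none instead admits the user with any user name or password, which is the setting the NOTE above warns against. The account locking line limits a remote account to 3 failed attempts within 5 minutes before it is blocked for 30 minutes, so that a locked account can be released with remote-user authen-fail unblock.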

Updated: 2019-08-21

Document ID: EDOC1000141885
