S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
HWTACACS AAA

Overview of HWTACACS

HWTACACS is an information exchange protocol that uses the client/server model to provide centralized validation of users who attempt to access your switch. It uses Transmission Control Protocol (TCP) and TCP port number 49 to transmit data. HWTACACS provides independent authentication, authorization, and accounting for users accessing the Internet through Point-to-Point Protocol (PPP) or Virtual Private Dial-up Network (VPDN) and for administrators. As an enhancement to TACACS (RFC 1492), it can be implemented on different servers. HWTACACS is compatible with Cisco's TACACS+. Huawei switches can function as HWTACACS clients to interwork with TACACS+ servers to implement AAA. For example, a switch running HWTACACS can communicate with a Cisco server (such as ACS). However, HWTACACS may not be compatible with Cisco proprietary attributes because different vendors define different fields and meanings for proprietary attributes.

Both HWTACACS and RADIUS have the following characteristics:
  • Client/Server model
    • HWTACACS client: generally resides on the Network Access Server (NAS), but may be located anywhere on the network. The client transmits user information to the specified HWTACACS server and then acts on the information the server returns.
    • HWTACACS server: generally runs on a central computer or workstation. The server maintains user authentication and network access information, and is responsible for receiving user connection requests, authenticating users, and returning the required information to clients.
  • Shared key used for encrypting user information
  • Good scalability

However, HWTACACS has advantages over RADIUS in transmission reliability and in the scope of its encryption, and is better suited to security control. Table 1-17 lists the differences between HWTACACS and RADIUS.

Table 1-17  Comparisons between HWTACACS and RADIUS

Item | HWTACACS | RADIUS
Data transmission | Uses TCP, which is more reliable. | Uses UDP, which is more efficient.
Encryption | Encrypts the entire body of the packet except the standard HWTACACS header. | Encrypts only the password in the packet.
Authentication and authorization | Separates authentication from authorization so that they can be implemented on different security servers. | Combines authentication and authorization.
Command line authorization | Supported. The commands that a user can use are restricted by both the command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server. | Not supported. The commands that a user can use depend on their user level. A user can only use commands of the same level as or a lower level than the user level.
Application | Security control. | Accounting.

HWTACACS Packets

An HWTACACS client and an HWTACACS server communicate using HWTACACS packets sent over TCP/IP networks. Unlike RADIUS, where all packets use the same format, the three HWTACACS packet types (HWTACACS Authentication Packet, HWTACACS Authorization Packet, and HWTACACS Accounting Packet) have different body formats. All HWTACACS packets share the same HWTACACS Packet Header.

HWTACACS Packet Header

HWTACACS defines a 12-byte header that appears in all HWTACACS packets. Figure 1-17 shows the header.

Figure 1-17  HWTACACS packet header
Table 1-18  Fields in HWTACACS packet header
Field Description
major version Major HWTACACS version number. The current version is 0xc.
minor version Minor HWTACACS version number. The current version is 0x0.
type HWTACACS packet type. Allowed values are:
  • 0x01 (authentication)
  • 0x02 (authorization)
  • 0x03 (accounting)
seq_no Sequence number of the packet in a session. The first packet in a session has the sequence number 1 and each subsequent packet increments the sequence number by 1. The value ranges from 1 to 254.
flags Encryption flag on the packet body. This field contains 8 bits, of which only the first bit has a valid value. The value 0 indicates that the packet body is encrypted, and the value 1 indicates that the packet body is not encrypted.
session_id ID of the HWTACACS session, which is the unique identifier of a session.
length Total length of the HWTACACS packet body, excluding the packet header.
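The following Python example is added here to show how the header in Table 1-18 is packed and validated, and how the body "encryption" that Table 1-17 refers to is applied. It is not code from the page or from Huawei. The header layout (version byte holding the major and minor nibbles, then type, seq_no, flags, session_id, length, all in network byte order) follows the table; the body transform is the TACACS+ pseudo-pad (RFC 8907, section 4.5), which is assumed to apply to HWTACACS because the page states the two are compatible. Function and constant names are the example's own.

```python
import hashlib
import struct

# Header layout from Table 1-18: version (major/minor nibbles), type, seq_no,
# flags, session_id, length; 12 bytes, network byte order.
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12
MAJOR_VERSION, MINOR_VERSION = 0xC, 0x0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 0x01, 0x02, 0x03
FLAG_UNENCRYPTED = 0x01   # flags bit set: body is NOT encrypted (Table 1-18)


def pack_header(pkt_type, seq_no, session_id, body_len, encrypted=True):
    """Build the 12-byte header, enforcing the value ranges the table states."""
    if pkt_type not in (TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT):
        raise ValueError("type must be 0x01, 0x02 or 0x03")
    if not 1 <= seq_no <= 254:
        raise ValueError("seq_no must be in 1..254")
    version = (MAJOR_VERSION << 4) | MINOR_VERSION   # 0xc0
    flags = 0 if encrypted else FLAG_UNENCRYPTED
    return struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags, session_id, body_len)


def parse_header(raw):
    """Decode a header and reject malformed values before any body is touched."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, raw[:HEADER_LEN])
    hdr = {
        "major": version >> 4, "minor": version & 0x0F, "type": pkt_type,
        "seq_no": seq_no, "encrypted": not (flags & FLAG_UNENCRYPTED),
        "session_id": session_id, "length": length,
    }
    if hdr["major"] != MAJOR_VERSION or pkt_type not in (TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT):
        raise ValueError("unsupported version or type")
    if not 1 <= seq_no <= 254:
        raise ValueError("seq_no out of range")
    return hdr


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream used to obfuscate the body: chained MD5 over
    session_id | key | version | seq_no (RFC 8907 section 4.5, assumed for HWTACACS)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(header_raw, body, key):
    """XOR the body with the pad; the same call both encrypts and decrypts."""
    hdr = parse_header(header_raw)
    if hdr["length"] != len(body):
        raise ValueError("header length does not match body")
    if not hdr["encrypted"]:
        return body   # flags says cleartext; nothing to undo
    version = (hdr["major"] << 4) | hdr["minor"]
    pad = pseudo_pad(hdr["session_id"], key, version, hdr["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(pkt_type, seq_no, session_id, body, key, encrypted=True):
    """Header plus (optionally obfuscated) body, ready to write to the TCP socket."""
    header = pack_header(pkt_type, seq_no, session_id, len(body), encrypted)
    return header + transform_body(header, body, key)
```

Two points worth noticing when reading the code: the pad is derived from the shared key with MD5 and XORed into the body, so it hides the body but provides no integrity check, and a wrong key simply yields garbage rather than an error; the receiving side therefore has to validate the decoded body's own length fields. Also, the flags bit lets a peer send the body in cleartext, so a client that expects confidentiality should refuse packets whose header carries that flag.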

HWTACACS Authentication Packet Format

HWTACACS defines three types of authentication packets:
  • Authentication Start: indicates the type of authentication to be performed, and contains the user name and authentication data. This packet is only sent as the first message in an HWTACACS authentication process.
  • Authentication Continue: indicates that the authentication process has not ended. This packet is sent by a client when the client receives an Authentication Reply packet from the server.
  • Authentication Reply: notifies the client of the current authentication status. When the server receives an Authentication Start or Authentication Continue packet from a client, the server sends this packet to the client.

The following figure shows the HWTACACS Authentication Start packet body.

Figure 1-18  HWTACACS Authentication Start packet body
Table 1-19  Fields in HWTACACS Authentication Start packet
Field Description
action Authentication action to be performed. Only the login authentication (0x01) action is supported.
priv_lvl Privilege level of a user. The value ranges from 0 to 15.
authen_type Authentication type. Allowed values are:
  • 0x03 (CHAP authentication)
  • 0x02 (PAP authentication)
  • 0x01 (ASCII authentication)
service

Type of the service requesting authentication. The value varies by user type:

  • PPP users: PPP(0x03)
  • Administrators: LOGIN(0x01)
  • Other users: NONE(0x00)
user len Length of the user name entered by a login user.
port len Length of the port field.
rem_addr len rem_addr field length.
data len Authentication data length.
user Name of the user requesting authentication. The maximum length is 129.
port

Name of the user interface requesting authentication. The maximum length is 47.

  • For administrators, this field indicates the user terminal interface, such as console0 and vty1. For example, the authen_type of Telnet users is ASCII, service is LOGIN, and port is vtyx.
  • For other users, this field indicates the user access interface.
rem_addr IP address of the login user.
data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is PAP plain-text password.

The following figure shows the HWTACACS Authentication Continue packet body.

Figure 1-19  HWTACACS Authentication Continue packet body
Table 1-20  Fields in HWTACACS Authentication Continue packet
Field Description
user_msg len Length of the character string entered by a login user.
data len Authentication data length.
flags Authentication continue flag. Allowed values are:
  • 0: Authentication continues.
  • 1: Authentication has ended.
user_msg Character string entered by a login user. This field carries the user login password to respond to the server_msg field in the Authentication Reply packet.
data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is PAP plain-text password.

The following figure shows the HWTACACS Authentication Reply packet body.

Figure 1-20  HWTACACS Authentication Reply packet body
Table 1-21  Fields in HWTACACS Authentication Reply packet
Field Description
status

Current authentication status. Allowed values are:

  • PASS (0x01): Authentication succeeds.
  • FAIL (0x02): Authentication fails.
  • GETDATA (0x03): Request user information.
  • GETUSER (0x04): Request user name.
  • GETPASS (0x05): Request password.
  • RESTART (0x06): Request reauthentication.
  • ERROR (0x07): The authentication packets received by the server have errors.
  • FOLLOW (0x21): The server requests reauthentication.
flags Whether the client displays the password entered by the user in plain text. The value 1 indicates that the password is not displayed in plain text.
server_msg len Length of the server_msg field.
data len Authentication data length.
server_msg Optional field. This field is sent by the server to the user to provide additional information.
data Authentication data, providing information to the client.

HWTACACS Authorization Packet Format

HWTACACS defines two types of authorization packets:
  • Authorization Request: contains a fixed set of fields that indicate how a user is authenticated or processed and a variable set of attributes that describe the information for which authorization is requested.
  • Authorization Response: contains a variable set of attributes that can limit or change the client's action.

The following figure shows the HWTACACS Authorization Request packet body.

Figure 1-21  HWTACACS Authorization Request packet body
NOTE:

The meanings of the following fields in the Authorization Request packet are the same as those in the Authentication Start packet, and are not described here: priv_lvl, authen_type, authen_service, user len, port len, rem_addr len, port, and rem_addr.

Table 1-22  Fields in HWTACACS Authorization Request packet
Field Description
authen_method

Authentication method used by the client to acquire user information. Allowed values are:

  • 0x00 (no authentication method configured)
  • 0x01 (none authentication)
  • 0x05 (local authentication)
  • 0x06 (HWTACACS authentication)
  • 0x10 (RADIUS authentication)
authen_service Type of the service requesting authentication. The value varies by user type:
  • PPP users: PPP(0x03)
  • Administrators: LOGIN(0x01)
  • Other users: NONE(0x00)
arg_cnt Number of attributes carried in the Authorization Request packet.
argN

Attribute of the Authorization Request packet, including the following:

  • cmd: first argument in the command for authorization request.
  • cmd-arg: arguments in the command for authorization request. The format is fixed as cmd-arg=command parameter. The cmd-arg=<cr> is added at the end of the command line. The total length of cmd-arg=command parameter cannot exceed 255 bytes, and each command parameter cannot be longer than 247 bytes.

The following figure shows the HWTACACS Authorization Response packet body.

Figure 1-22  HWTACACS Authorization Response packet body
NOTE:

Meanings of the following fields are the same as those in the HWTACACS Authentication Reply packet, and are not described here: server_msg len, data len, and server_msg.

Table 1-23  Fields in HWTACACS Authorization Response packet
Field Description
status

Authorization status. Allowed values are:

  • 0x01 (authorization is successful)
  • 0x02 (the attributes in Authorization Request packets are modified by the TACACS server)
  • 0x10 (authorization fails)
  • 0x11 (an error occurs on the authorization server)
  • 0x21 (an authorization server is re-specified)
arg_cnt

Number of attributes carried in an Authorization Response packet.

argN Authorization attribute delivered by the HWTACACS authorization server.
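The following Python example is added to show how a command line is turned into the argN attributes described for Table 1-22 (cmd for the first keyword, one cmd-arg per parameter, cmd-arg=<cr> at the end, with the 255-byte and 247-byte limits enforced), how the Authorization Request and Response bodies are packed and parsed, and how the Table 1-23 status values decide what the client may act on. It is not code from the page or from Huawei. The field widths (1-byte fixed fields and per-argument lengths, 2-byte server_msg and data lengths) and the add/replace semantics of status 0x01 and 0x02 are taken from TACACS+ and assumed to apply to HWTACACS; all names are the example's own.

```python
import struct

# Authorization Request authen_method values (Table 1-22)
AUTHEN_METHOD_NOTSET, AUTHEN_METHOD_NONE = 0x00, 0x01
AUTHEN_METHOD_LOCAL, AUTHEN_METHOD_HWTACACS, AUTHEN_METHOD_RADIUS = 0x05, 0x06, 0x10
# Authorization Response status values (Table 1-23)
AUTHOR_PASS_ADD, AUTHOR_PASS_REPL, AUTHOR_FAIL, AUTHOR_ERROR, AUTHOR_FOLLOW = 0x01, 0x02, 0x10, 0x11, 0x21
MAX_CMD = 251        # cmd keyword (Table 1-26)
MAX_CMD_ARG = 255    # whole "cmd-arg=<parameter>" string (Table 1-22)
MAX_CMD_PARAM = 247  # each command parameter (Table 1-22)


def command_line_args(command_line):
    """argN list for one CLI command: cmd=<first keyword>, cmd-arg=<parameter>..., cmd-arg=<cr>."""
    tokens = command_line.split()
    if not tokens:
        raise ValueError("empty command line")
    cmd = tokens[0].encode()
    if len(cmd) > MAX_CMD:
        raise ValueError("command keyword too long")
    args = [b"cmd=" + cmd]
    for param in tokens[1:]:
        p = param.encode()
        if len(p) > MAX_CMD_PARAM or len(b"cmd-arg=" + p) > MAX_CMD_ARG:
            raise ValueError(f"parameter too long: {param!r}")
        args.append(b"cmd-arg=" + p)
    args.append(b"cmd-arg=<cr>")
    return args


def build_author_request(args, user, port=b"vty0", rem_addr=b"", priv_lvl=0,
                         authen_method=AUTHEN_METHOD_HWTACACS, authen_type=0x01, authen_service=0x01):
    """Fixed fields in Table 1-22 order, then one length byte per attribute, then the strings."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("too many or too long attributes")
    fixed = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                        len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    if len(body) < 8:
        raise ValueError("short body")
    am, priv, at, svc, ul, pl, rl, cnt = struct.unpack("!8B", body[:8])
    off = 8 + cnt
    if len(body) < off + ul + pl + rl:
        raise ValueError("short body")
    arg_lens = list(body[8:off])
    user, port = body[off:off + ul], body[off + ul:off + ul + pl]
    rem = body[off + ul + pl:off + ul + pl + rl]
    off += ul + pl + rl
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body")
    return dict(authen_method=am, priv_lvl=priv, authen_type=at, authen_service=svc,
                user=user, port=port, rem_addr=rem, args=args)


def build_author_response(status, args=(), server_msg=b"", data=b""):
    fixed = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return fixed + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def parse_author_response(body):
    if len(body) < 6:
        raise ValueError("short body")
    status, cnt, sl, dl = struct.unpack("!BBHH", body[:6])
    off = 6 + cnt
    arg_lens = list(body[6:off])
    server_msg, data = body[off:off + sl], body[off + sl:off + sl + dl]
    off += sl + dl
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body")
    return dict(status=status, server_msg=server_msg, data=data, args=args)


def authorization_outcome(requested_args, response):
    """Attributes the client should act on, or None when the command is denied.
    0x01 keeps the requested attributes plus the server's additions; 0x02 means the
    server's attribute set replaces the request's; every other status is a denial."""
    status = response["status"]
    if status == AUTHOR_PASS_ADD:
        return list(requested_args) + list(response["args"])
    if status == AUTHOR_PASS_REPL:
        return list(response["args"])
    return None
```

Treating every status other than 0x01 and 0x02 as a denial (including 0x11 server error and 0x21 follow) is the fail-closed choice a device should make for command line authorization: an error on the server must not let an unauthorized command through.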

HWTACACS Accounting Packet Format

HWTACACS defines two types of accounting packets:
  • Accounting Request: contains information used to provide accounting for a service provided to a user.
  • Accounting Response: After receiving and recording an Accounting Request packet, the server returns this packet, indicating that accounting has been completed, and the record has been securely committed.

The following figure shows the HWTACACS Accounting Request packet body.

Figure 1-23  HWTACACS Accounting Request packet body
NOTE:

Meanings of the following fields in the Accounting Request packet are the same as those in the Authorization Request packet, and are not described here: authen_method, priv_lvl, authen_type, user len, port len, rem_addr len, port, and rem_addr.

Table 1-24  Fields in HWTACACS Accounting Request packet
Field Description
flags Accounting type. Allowed values are:
  • 0x02 (start accounting)
  • 0x04 (stop accounting)
  • 0x08 (interim accounting)
authen_service Type of the service requesting authentication, which varies by user type:
  • PPP users: PPP(0x03)
  • Administrators: LOGIN(0x01)
  • Other users: NONE(0x00)
arg_cnt Number of attributes carried in the Accounting Request packet.
argN Attribute of the Accounting Request packet.

The following figure shows the HWTACACS Accounting Response packet body.

Figure 1-24  HWTACACS Accounting Response packet body
Table 1-25  Fields in HWTACACS Accounting Response packet
Field Description
server_msg len Length of the server_msg field.
data len Length of the data field.
status Accounting status. Allowed values are:
  • 0x01 (accounting is successful)
  • 0x02 (accounting fails)
  • 0x03 (no response)
  • 0x21 (the server requests reaccounting)
server_msg Information sent by the accounting server to the client.
data Information sent by the accounting server to the administrator.

HWTACACS Authentication, Authorization, and Accounting Process

This section describes how HWTACACS performs authentication, authorization, and accounting for Telnet users. Figure 1-25 shows the message exchange process.
Figure 1-25  HWTACACS message interaction

The following describes the HWTACACS message exchange process shown in Figure 1-25:
  1. A Telnet user sends a request packet.
  2. After receiving the request packet, the HWTACACS client sends an Authentication Start packet to the HWTACACS server.
  3. The HWTACACS server sends an Authentication Response packet to request the user name.
  4. After receiving the Authentication Response packet, the HWTACACS client sends a packet to query the user name.
  5. The user enters the user name.
  6. The HWTACACS client sends an Authentication Continue packet containing the user name to the HWTACACS server.
  7. The HWTACACS server sends an Authentication Response packet to request the password.
  8. After receiving the Authentication Response packet, the HWTACACS client queries the password.
  9. The user enters the password.
  10. The HWTACACS client sends an Authentication Continue packet containing the password to the HWTACACS server.
  11. The HWTACACS server sends an Authentication Response packet, indicating that the user has been authenticated.
  12. The HWTACACS client sends an Authorization Request packet to the HWTACACS server.
  13. The HWTACACS server sends an Authorization Response packet, indicating that the user has been authorized.
  14. The HWTACACS client receives the Authorization Response packet and displays the login page.
  15. The HWTACACS client sends an Accounting Request (start) packet to the HWTACACS server.
  16. The HWTACACS server sends an Accounting Response packet.
  17. The user requests to go offline.
  18. The HWTACACS client sends an Accounting Request (stop) packet to the HWTACACS server.
  19. The HWTACACS server sends an Accounting Response packet.
NOTE:

HWTACACS and TACACS+ protocols of other vendors can implement authentication, authorization, and accounting. HWTACACS is compatible with other TACACS+ protocols because their authentication procedures and implementations are the same.
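The following Python example is added to tie the authentication packet formats in Tables 1-19 to 1-21 to the Telnet login flow of Figure 1-25 (steps 2 to 11): it builds and parses the Start, Continue and Reply bodies and runs them against a small in-memory server that prompts for the user name (GETUSER), then the password (GETPASS), then answers PASS or FAIL. It is not code from the page or from Huawei. The field value codes come from the tables; the field widths (1-byte Start fields, 2-byte length fields in Continue and Reply) are taken from TACACS+ and assumed to apply to HWTACACS. The server, its user list and all names are constructed for the example.

```python
import hmac
import struct

# Start values from Table 1-19, Continue flags from Table 1-20, Reply status/flags from Table 1-21.
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII, AUTHEN_TYPE_PAP, AUTHEN_TYPE_CHAP = 0x01, 0x02, 0x03
SERVICE_NONE, SERVICE_LOGIN, SERVICE_PPP = 0x00, 0x01, 0x03
PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR, FOLLOW = 1, 2, 3, 4, 5, 6, 7, 0x21
REPLY_NOECHO = 0x01      # Reply flags: 1 = do not show what the user types (Table 1-21)
CONTINUE_ENDED = 0x01    # Continue flags: 1 = authentication has ended (Table 1-20)
MAX_USER, MAX_PORT = 129, 47   # Table 1-19 maxima


def build_start(user=b"", port=b"vty0", rem_addr=b"", data=b"", priv_lvl=0,
                authen_type=AUTHEN_TYPE_ASCII, service=SERVICE_LOGIN):
    if len(user) > MAX_USER or len(port) > MAX_PORT:
        raise ValueError("user or port longer than Table 1-19 allows")
    fixed = struct.pack("!8B", ACTION_LOGIN, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def parse_start(body):
    if len(body) < 8:
        raise ValueError("short Start body")
    action, priv, atype, svc, *lens = struct.unpack("!8B", body[:8])
    off, fields = 8, []
    for n in lens:                      # user, port, rem_addr, data in that order
        fields.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body")
    user, port, rem_addr, data = fields
    return dict(action=action, priv_lvl=priv, authen_type=atype, service=svc,
                user=user, port=port, rem_addr=rem_addr, data=data)


def build_continue(user_msg, data=b"", ended=False):
    return struct.pack("!HHB", len(user_msg), len(data),
                       CONTINUE_ENDED if ended else 0) + user_msg + data


def parse_continue(body):
    ul, dl, flags = struct.unpack("!HHB", body[:5])
    if 5 + ul + dl != len(body):
        raise ValueError("length fields do not match body")
    return dict(flags=flags, user_msg=body[5:5 + ul], data=body[5 + ul:])


def build_reply(status, server_msg=b"", data=b"", noecho=False):
    return struct.pack("!BBHH", status, REPLY_NOECHO if noecho else 0,
                       len(server_msg), len(data)) + server_msg + data


def parse_reply(body):
    status, flags, sl, dl = struct.unpack("!BBHH", body[:6])
    if 6 + sl + dl != len(body):
        raise ValueError("length fields do not match body")
    return dict(status=status, noecho=bool(flags & REPLY_NOECHO),
                server_msg=body[6:6 + sl], data=body[6 + sl:])


class ToyServer:
    """Constructed in-memory server that drives the three-round ASCII login of Figure 1-25."""

    def __init__(self, users):
        self.users = users            # constructed {username: password} sample data
        self.pending_user = None

    def handle(self, body, seq_no):
        if seq_no == 1:               # the first packet of a session is the Start
            start = parse_start(body)
            if start["authen_type"] != AUTHEN_TYPE_ASCII:
                return build_reply(ERROR, b"only ASCII login handled here")
            if start["user"]:
                self.pending_user = start["user"]
                return build_reply(GETPASS, b"Password: ", noecho=True)
            return build_reply(GETUSER, b"Username: ")
        cont = parse_continue(body)
        if cont["flags"] & CONTINUE_ENDED:
            return build_reply(FAIL, b"aborted by client")
        if self.pending_user is None:
            self.pending_user = cont["user_msg"]
            return build_reply(GETPASS, b"Password: ", noecho=True)
        expected = self.users.get(self.pending_user, b"")
        ok = hmac.compare_digest(expected, cont["user_msg"]) and self.pending_user in self.users
        return build_reply(PASS if ok else FAIL)


def run_login(server, username, password):
    """Client side of steps 2 to 11: answer GETUSER/GETPASS prompts, return the statuses seen."""
    answers = {GETUSER: username, GETPASS: password}
    seq = 1
    reply = parse_reply(server.handle(build_start(), seq))
    statuses = [reply["status"]]
    while reply["status"] in answers:
        seq += 2                      # the server's Reply took the even number in between
        reply = parse_reply(server.handle(build_continue(answers[reply["status"]]), seq))
        statuses.append(reply["status"])
    return statuses
```

The client loop only answers the two prompt statuses it knows and stops on anything else, so an unexpected RESTART, ERROR or FOLLOW ends the attempt instead of being mis-read as a prompt. The noecho flag on the GETPASS reply is what tells a real client not to echo the password the user is about to type.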

HWTACACS Attributes

HWTACACS uses different attributes to define authorization and accounting to be performed. The attributes are carried by the argN field. This section describes HWTACACS attributes in detail.

Overview of HWTACACS Attributes

Table 1-26 describes the HWTACACS attributes supported by the device. The device can only parse the attributes included in the table.

Table 1-26  HWTACACS attributes for common use
Attribute Name Description
acl Authorization ACL ID.
addr A network address.
autocmd An auto-command to run after a user logs in to the device.
bytes_in Number of input bytes transmitted during this connection. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if the value is in bytes.
bytes_out Number of output bytes transmitted during this connection. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if the value is in bytes.
callback-line The line number to use for a callback, such as a mobile number.
cmd Command name for a shell command that is to be run. The maximum length is 251 characters. The complete command is encapsulated when the command is recorded, and only the first keyword is encapsulated when the command is authorized.
cmd-arg Parameter in the command line to be authorized. cmd-arg=<cr> is added at the end of the command line.
disc_cause Cause for a connection to be taken offline. Only Accounting-Stop packets carry this attribute. Disconnection causes include:
  • 1 (a user requests to go offline)
  • 2 (data forwarding is interrupted)
  • 3 (service is interrupted)
  • 4 (idle timeout)
  • 5 (session timeout)
  • 7 (the administrator requests to go offline)
  • 9 (the NAS is faulty)
  • 10 (the NAS requests to go offline)
  • 12 (the port is suspended)
  • 17 (user information is incorrect)
  • 18 (a host requests to go offline)
disc_cause_ext Extension of the disc_cause attribute to support vendor-specific causes for a connection to be taken offline. Only Accounting-Stop packets carry this attribute. Extended disconnection causes include:
  • 1022 (unknown reason)
  • 1020 (the EXEC terminal tears down the connection)
  • 1022 (an online Telnet user forcibly disconnects this user)
  • 1023 (the user cannot be switched to the SLIP/PPP client due to no remote IP address)
  • 1042 (PPP PAP authentication fails)
  • 1045 (PPP receives a Terminate packet from the remote end)
  • 1046 (the upper-layer device requests the device to tear down the PPP connection)
  • 1063 (PPP handshake fails)
  • 1100 (session times out)
dnaverage Average downstream rate, in bit/s.
dnpeak Peak downstream rate, in bit/s.
dns-servers IP address of the primary DNS server.
elapsed_time Online duration of a user, in seconds.
ftpdir Initial directory of an FTP user.
gw-password Password for the gateway during L2TP tunnel authentication. The value is a string of 1 to 248 characters. If the value contains more than 248 characters, only the first 248 characters are valid.
idletime Period after which an idle session is terminated. If a user does not perform any operation within this period, the system disconnects the user.
l2tp-hello-interval Interval for sending L2TP Hello packets. This attribute is currently not supported.
l2tp-hidden-avp Attribute value pair (AVP) of L2TP. This attribute is currently not supported.
l2tp-nosession-timeout Number of seconds that a tunnel remains active with no sessions before timeout or shutdown. This attribute is currently not supported.
l2tp-group-num L2TP group number. Other L2TP attributes take effect only if this attribute is delivered; otherwise, they are ignored.
l2tp-tos-reflect TOS of L2TP. The device does not support this attribute.
l2tp-tunnel-authen Whether an L2TP tunnel is authenticated:
  • 0: not authenticated
  • 1: authenticated
l2tp-udp-checksum Whether L2TP should perform UDP checksums for data packets.
nocallback-verify No callback authentication is required.
nohangup Whether the device automatically disconnects a user who has executed the autocmd command. This attribute is valid only after the autocmd attribute is configured. The value can be true or false:
  • true: The user is not disconnected.
  • false: The user is disconnected.
paks_in Number of packets received by the device.
paks_out Number of packets sent by the device.
priv-lvl User level.
protocol A protocol that is a subset of a service. It is valid only for PPP and connection services. Legal values matching service types are as follows:
  • Connection service type: pad, telnet
  • PPP service type: ip, vpdn
  • Other service types: This attribute is not used.
task_id Task ID. The task IDs recorded when a task starts and ends must be the same.
timezone Time zone for all timestamps included in this packet.
tunnel-id User name used to authenticate a tunnel during establishment. The value is a string of 1 to 29 characters. If the value contains more than 29 characters, only the first 29 characters are valid.
tunnel-type Tunnel type. The device supports only L2TP tunnels. For L2TP tunnels, the value is 3.
service Service type, which can be accounting or authorization.
source-ip Local IP address of a tunnel.
upaverage Average upstream rate, in bit/s.
uppeak Peak upstream rate, in bit/s.

HWTACACS Attributes Available in Packets

Depending on usage scenarios, HWTACACS authorization packets can also be classified into EXEC authorization packets, command line authorization packets, and access user authorization packets. Different authorization packets carry different attributes. For details, see Table 1-27. The following describes the use of HWTACACS authorization packets for different usage scenarios:
  • EXEC authorization packets: Used by the HWTACACS server to control rights of the management users logging in through Telnet, console port, SSH, and FTP.
  • Command line authorization packets: Used by the device to authorize each command line executed by the user. Only authorized command lines can be executed.
  • Access user authorization packets: Used by the HWTACACS server to control the rights of NAC users such as 802.1X and Portal users.
Depending on connection types, HWTACACS accounting packets can also be classified into network accounting packets, connection accounting packets, EXEC accounting packets, system accounting packets, and command accounting packets. Different accounting packets carry different attributes. For details, see Table 1-28. The following describes the use of HWTACACS accounting packets for different connection types:
  • Network accounting packets: Used when networks are accessed by PPP users. For example, when a PPP user connects to a network, the server sends an accounting start packet; when the user is using network services, the server periodically sends interim accounting packets; when the user goes offline, the server sends an accounting stop packet.
  • Connection accounting packets: Used when users log in to the server through Telnet or FTP clients. When a user connects to the device, the user can run commands to access a remote server and obtain files from the server. The device sends an accounting start packet when the user connects to the remote server, and an accounting stop packet when the user disconnects from the remote server.
  • EXEC accounting packets: Used when users log in to the device through Telnet or FTP. When a user connects to a network, the server sends an accounting start packet; when the user is using network services, the server periodically sends interim accounting packets; when the user goes offline, the server sends an accounting stop packet.
  • System accounting packets: Used during fault diagnosis. The server records system-level events to help administrators monitor the device and locate network faults.
  • Command accounting packets: When an administrator runs any command on the device, the device sends the command to the HWTACACS server through a command accounting stop packet so that the server can record the operations performed by the administrator.
NOTE:
  • Y: The packet supports this attribute.
  • N: The packet does not support this attribute.
Table 1-27  HWTACACS attributes available in authorization packets

Attribute | Command Line Authorization Packet | EXEC Authorization Response Packet | Access User Authorization Response Packet
acl | N | Y | N
addr | N | N | Y
addr-pool | N | N | Y
autocmd | N | Y | N
callback-line | N | Y | Y
cmd | Y | N | N
cmd-arg | Y | N | N
dnaverage | N | N | Y
dnpeak | N | N | Y
dns-servers | N | N | Y
ftpdir | N | Y | N
gw-password | N | N | Y
idletime | N | Y | N
ip-addresses | N | N | Y
l2tp-group-num | N | N | Y
l2tp-tunnel-authen | N | N | Y
nocallback-verify | N | Y | N
nohangup | N | Y | N
priv-lvl | N | Y | N
source-ip | N | N | Y
tunnel-type | N | N | Y
tunnel-id | N | N | Y
upaverage | N | N | Y

Table 1-28  HWTACACS attributes available in accounting packets

Column key: Net = Network accounting packet, Conn = Connection accounting packet, EXEC = EXEC accounting packet, System = System accounting packet, Cmd = Command line accounting packet; Start, Stop, and Interim denote the accounting start, accounting stop, and interim accounting packets.

Attribute | Net Start | Net Stop | Net Interim | Conn Start | Conn Stop | EXEC Start | EXEC Stop | EXEC Interim | System Stop | Cmd Stop
addr | Y | Y | Y | Y | Y | N | N | N | N | N
bytes_in | N | Y | Y | N | Y | N | Y | Y | N | N
bytes_out | N | Y | Y | N | Y | N | Y | Y | N | N
cmd | N | N | N | Y | Y | N | N | N | N | Y
disc_cause | N | Y | N | N | N | N | Y | Y | N | N
disc_cause_ext | N | Y | N | N | N | N | Y | Y | N | N
elapsed_time | N | Y | Y | N | Y | N | Y | Y | Y | N
paks_in | N | Y | Y | N | Y | N | Y | Y | N | N
paks_out | N | Y | Y | N | Y | N | Y | Y | N | N
priv-lvl | N | N | N | N | N | N | N | N | N | Y
protocol | Y | Y | Y | Y | Y | N | N | N | N | N
service | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
task_id | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
timezone | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
tunnel-id | N | N | N | N | N | N | N | N | N | N
tunnel-type | Y | N | N | N | N | N | N | N | N | N
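The following Python example is added to make Table 1-28 usable as a check: it transcribes the table, maps an Accounting Request's flags field (Table 1-24) and connection type to a table column, splits the argN attribute strings, and reports the attributes that the table does not list for that packet kind, which is what an operator would look for when a server-side accounting record looks wrong. It is not code from the page or from Huawei. The '=' separator is what the page shows; handling '*' as the optional-attribute separator is TACACS+ usage and an assumption here. The packet kind labels, the sample record and all names are constructed for the example.

```python
# Table 1-28 of the page, transcribed row by row: which attributes each kind of
# accounting packet carries (Y) or does not (N), in the table's column order.
ACCT_PACKET_KINDS = ("net_start", "net_stop", "net_interim", "conn_start", "conn_stop",
                     "exec_start", "exec_stop", "exec_interim", "system_stop", "cmd_stop")
_TABLE_1_28 = {
    "addr":           "YYYYYNNNNN",
    "bytes_in":       "NYYNYNYYNN",
    "bytes_out":      "NYYNYNYYNN",
    "cmd":            "NNNYYNNNNY",
    "disc_cause":     "NYNNNNYYNN",
    "disc_cause_ext": "NYNNNNYYNN",
    "elapsed_time":   "NYYNYNYYYN",
    "paks_in":        "NYYNYNYYNN",
    "paks_out":       "NYYNYNYYNN",
    "priv-lvl":       "NNNNNNNNNY",
    "protocol":       "YYYYYNNNNN",
    "service":        "YYYYYYYYYY",
    "task_id":        "YYYYYYYYYY",
    "timezone":       "YYYYYYYYYY",
    "tunnel-id":      "NNNNNNNNNN",
    "tunnel-type":    "YNNNNNNNNN",
}
ALLOWED = {attr: {kind for kind, flag in zip(ACCT_PACKET_KINDS, flags) if flag == "Y"}
           for attr, flags in _TABLE_1_28.items()}

# Accounting Request flags field (Table 1-24)
FLAG_START, FLAG_STOP, FLAG_INTERIM = 0x02, 0x04, 0x08
_FLAG_NAMES = {FLAG_START: "start", FLAG_STOP: "stop", FLAG_INTERIM: "interim"}


def accounting_kind(flags, connection_type):
    """Map the flags byte plus the connection type (net, conn, exec, system, cmd) to a
    Table 1-28 column; combinations the table has no column for are rejected."""
    if flags not in _FLAG_NAMES:
        raise ValueError(f"flags 0x{flags:02x} is not a single Table 1-24 value")
    kind = f"{connection_type}_{_FLAG_NAMES[flags]}"
    if kind not in ACCT_PACKET_KINDS:
        raise ValueError(f"no such accounting packet kind: {kind}")
    return kind


def parse_args(args):
    """Split argN strings into (name, value, mandatory). '=' marks a mandatory attribute
    as on the page; '*' (optional attribute) is TACACS+ usage and assumed here."""
    parsed = []
    for raw in args:
        text = raw.decode() if isinstance(raw, bytes) else raw
        seps = [i for i in (text.find("="), text.find("*")) if i >= 0]
        if not seps or min(seps) == 0:
            raise ValueError(f"malformed attribute {text!r}")
        sep = min(seps)
        parsed.append((text[:sep], text[sep + 1:], text[sep] == "="))
    return parsed


def unsupported_attributes(kind, args):
    """Names in args that Table 1-28 does not list for this packet kind, in order.
    Unknown names are reported too, since the device only parses the listed attributes."""
    if kind not in ACCT_PACKET_KINDS:
        raise ValueError(f"unknown packet kind {kind!r}")
    return [name for name, _value, _mandatory in parse_args(args)
            if kind not in ALLOWED.get(name, set())]


# Constructed sample: a command line accounting stop record for a display command.
SAMPLE_CMD_STOP = [b"service=shell", b"task_id=42", b"timezone=UTC",
                   b"priv-lvl=15", b"cmd=display current-configuration <cr>"]
```

Running unsupported_attributes over records exported from the accounting server is a quick way to spot a misconfigured server profile, for example one that expects byte counters on a network accounting start packet, where Table 1-28 shows the device never sends them.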

Updated: 2019-10-21

Document ID: EDOC1000178117