S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements

For the network shown in Figure 1-32, the customer requirements are as follows:

  • The HWTACACS server will authenticate access users for Switch. If HWTACACS authentication fails, local authentication is used.
  • The HWTACACS server will authorize access users for Switch. If HWTACACS authorization fails, local authorization is used.
  • HWTACACS accounting is used by Switch for access users.
  • Real-time accounting is performed every 3 minutes.
  • The IP addresses of primary and secondary HWTACACS servers are 10.7.66.66/24 and 10.7.66.67/24, respectively. The port number for authentication, accounting, and authorization is 49.
Figure 1-32  Networking diagram of HWTACACS authentication, accounting, and authorization

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an HWTACACS server template.
  2. Configure authentication, authorization, and accounting schemes.
  3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and accounting scheme to a domain.
NOTE:
  • Ensure that the devices are routable before the configuration.
  • Ensure that the shared key in the HWTACACS server template is the same as the settings on the HWTACACS server.

  • If the HWTACACS server does not accept the user name containing the domain name, run the undo hwtacacs-server user-name domain-included command in the HWTACACS server template view to configure the device to send packets that do not contain the domain name to the HWTACACS server.

  • After a domain is set as the global default domain, users whose user names carry that domain name, and users whose user names carry no domain name, both use the AAA configuration of the global default domain.
  • After the undo hwtacacs-server user-name domain-included command is run, the device changes only the user name format in the sent packet, and the domain to which the user belongs is not affected. For example, after this command is run, the user with the user name user@huawei.com still uses AAA configuration information in the domain named huawei.com.

Procedure

  1. Enable HWTACACS.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] hwtacacs enable
    

  2. Configure an HWTACACS server template.

    # Create an HWTACACS server template named ht.

    [Switch] hwtacacs-server template ht

    # Set the IP addresses and port numbers for the primary HWTACACS authentication, authorization, and accounting servers.

    [Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
    [Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
    [Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49

    # Set the IP addresses and port numbers for the secondary HWTACACS authentication, authorization, and accounting servers.

    [Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
    [Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
    [Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary

    # Set the shared key for the HWTACACS server.

    [Switch-hwtacacs-ht] hwtacacs-server shared-key cipher Huawei@2012
    [Switch-hwtacacs-ht] quit

  3. Configure authentication, authorization, and accounting schemes.

    # Create an authentication scheme named l-h. Configure the authentication scheme to use HWTACACS authentication as the active authentication mode and local authentication as the backup.

    [Switch] aaa
    [Switch-aaa] authentication-scheme l-h
    [Switch-aaa-authen-l-h] authentication-mode hwtacacs local
    [Switch-aaa-authen-l-h] quit

    # Create an authorization scheme named hwtacacs. Configure the authorization scheme to use HWTACACS authorization as the active authorization mode and local authorization as the backup.

    [Switch-aaa] authorization-scheme hwtacacs
    [Switch-aaa-author-hwtacacs] authorization-mode hwtacacs local
    [Switch-aaa-author-hwtacacs] quit

    # Create an accounting scheme named hwtacacs, and configure the accounting scheme to use the HWTACACS accounting mode. Configure a policy for the device to keep users online upon accounting-start failures.

    [Switch-aaa] accounting-scheme hwtacacs
    [Switch-aaa-accounting-hwtacacs] accounting-mode hwtacacs
    [Switch-aaa-accounting-hwtacacs] accounting start-fail online

    # Set the real-time accounting interval to 3 minutes.

    [Switch-aaa-accounting-hwtacacs] accounting realtime 3
    [Switch-aaa-accounting-hwtacacs] quit

  4. Create a domain named huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.

    [Switch-aaa] domain huawei
    [Switch-aaa-domain-huawei] authentication-scheme l-h
    [Switch-aaa-domain-huawei] authorization-scheme hwtacacs
    [Switch-aaa-domain-huawei] accounting-scheme hwtacacs
    [Switch-aaa-domain-huawei] hwtacacs-server ht
    [Switch-aaa-domain-huawei] quit
    [Switch-aaa] quit
    

  5. Configure local authentication.

    [Switch] aaa
    [Switch-aaa] local-user user1 password irreversible-cipher Huawei@123
    [Switch-aaa] local-user user1 service-type http
    [Switch-aaa] local-user user1 privilege level 15
    [Switch-aaa] quit
    

  6. Configure the global default domain for administrators.

    [Switch] domain huawei admin

  7. Verify the configuration.

    # Run the display hwtacacs-server template command on Switch to verify the HWTACACS server template configuration.

    [Switch] display hwtacacs-server template ht
      ---------------------------------------------------------------------------   
      HWTACACS-server template name   : ht                                          
      Primary-authentication-server   : 10.7.66.66:49:-                            
      Primary-authorization-server    : 10.7.66.66:49:-                            
      Primary-accounting-server       : 10.7.66.66:49:-                            
      Secondary-authentication-server : 10.7.66.67:49:-                            
      Secondary-authorization-server  : 10.7.66.67:49:-                            
      Secondary-accounting-server     : 10.7.66.67:49:-                            
      Current-authentication-server   : 10.7.66.66:49:-                            
      Current-authorization-server    : 10.7.66.66:49:-                            
      Current-accounting-server       : 10.7.66.66:49:-                            
      Source-IP-address               : 0.0.0.0                                     
      Shared-key                      : **************** 
      Quiet-interval(min)             : 5                                           
      Response-timeout-Interval(sec)  : 5                                           
      Domain-included                 : Yes                                         
      Traffic-unit                    : B                                           
      ---------------------------------------------------------------------------   

    # Run the display domain command on Switch to verify the domain configuration.

    [Switch] display domain name huawei
    
      Domain-name                     : huawei
      Domain-state                    : Active
      Authentication-scheme-name      : l-h
      Accounting-scheme-name          : hwtacacs
      Authorization-scheme-name       : hwtacacs
      Service-scheme-name             : -
      RADIUS-server-template          : default
      HWTACACS-server-template        : ht
      User-group                      : -
      Push-url-address                : -
      Flow-statistic                  : -
      Tariff-level                    : -
    

Configuration Files

Switch configuration file

#
sysname Switch
#
domain huawei admin
#
hwtacacs-server template ht
 hwtacacs-server authentication 10.7.66.66
 hwtacacs-server authentication 10.7.66.67 secondary
 hwtacacs-server authorization 10.7.66.66
 hwtacacs-server authorization 10.7.66.67 secondary
 hwtacacs-server accounting 10.7.66.66
 hwtacacs-server accounting 10.7.66.67 secondary
 hwtacacs-server shared-key cipher %^%#VznDEFI11##ZC>1@:=xUO^!OP~*<c1$FoD*zXPGJ%^%#
#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
  accounting start-fail online 
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
 local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
 local-user user1 privilege level 15                                                       
 local-user user1 service-type http
#
return 
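A configuration audit in Python, added here as an example and not part of Huawei's documentation: it flattens the saved configuration file above into context/command paths and checks them against the networking requirements of this example (primary and secondary servers, HWTACACS with local fallback, accounting every 3 minutes, a cipher-stored shared key, and the bindings in domain huawei). The names SAMPLE, config_paths and audit are the example's own, and the placeholder ciphertext stands in for the real key.

```python
# Constructed sample: the relevant blocks of the Switch config above (port 49 is the default and is not saved; key replaced).
SAMPLE = """\
hwtacacs-server template ht
 hwtacacs-server authentication 10.7.66.66
 hwtacacs-server authentication 10.7.66.67 secondary
 hwtacacs-server authorization 10.7.66.66
 hwtacacs-server authorization 10.7.66.67 secondary
 hwtacacs-server accounting 10.7.66.66
 hwtacacs-server accounting 10.7.66.67 secondary
 hwtacacs-server shared-key cipher %^%#PLACEHOLDER-CIPHERTEXT%^%#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
"""

def config_paths(text):
    """Flatten a VRP config into 'context/command' paths; VRP indents one space per nesting level."""
    paths, ctx = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#"): continue  # "#" lines only separate top-level blocks
        depth = len(raw) - len(raw.lstrip(" "))
        ctx = ctx[:depth] + [line]  # drop deeper contexts, then enter this line's context
        paths.add("/".join(ctx))
    return paths

def audit(text):
    """Return the requirements this config fails ([] = all hold); a path matches exactly or with extra tokens (port, key text)."""
    paths = config_paths(text)
    tmpl, dom = "hwtacacs-server template ht/hwtacacs-server", "aaa/domain huawei"
    wanted = {f"{tmpl} shared-key cipher": "shared key absent or not stored as cipher",
              "aaa/accounting-scheme hwtacacs/accounting realtime 3": "real-time accounting is not every 3 minutes",
              f"{dom}/hwtacacs-server ht": "domain huawei does not bind template ht"}
    for kind, name, mode in (("authentication", "l-h", "hwtacacs local"),
                             ("authorization", "hwtacacs", "hwtacacs local"), ("accounting", "hwtacacs", "hwtacacs")):
        wanted[f"{tmpl} {kind} 10.7.66.66"] = f"no primary {kind} server"
        wanted[f"{tmpl} {kind} 10.7.66.67 secondary"] = f"no secondary {kind} server"
        wanted[f"aaa/{kind}-scheme {name}/{kind}-mode {mode}"] = f"{kind}-scheme {name} is not '{kind}-mode {mode}'"
        wanted[f"{dom}/{kind}-scheme {name}"] = f"domain huawei does not apply {kind}-scheme {name}"
    return [m for p, m in wanted.items() if p not in paths and not any(x.startswith(p + " ") for x in paths)]
```

The saved file does not show the hwtacacs enable command from step 1, so the audit does not check it; run audit() on the output of display current-configuration to compare a live device against the same requirements.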
Updated: 2019-10-21

Document ID: EDOC1000178117