CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Using HWTACACS to Perform Authentication, Authorization, and Accounting

HWTACACS Authentication, Authorization, and Accounting

Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access users: the device acts as the client and exchanges authentication, authorization, and accounting messages with the HWTACACS server.

HWTACACS protects a network from unauthorized access and, unlike RADIUS, supports command-line authorization, so individual commands can be approved or refused by the server. Compared with RADIUS, HWTACACS transports its messages over TCP rather than UDP and encrypts the entire packet body rather than only the password field, which makes it more reliable in transmission and better suited to security control of administrator access. That body encryption is keyed solely by the shared key, so the key must be strong and kept secret, and HWTACACS traffic should be confined to a protected management network.

Configuration Procedure

Configuring an HWTACACS Server

If HWTACACS authentication and authorization are used, the users' authentication, authorization, and accounting information must be configured on the HWTACACS server.

When a user connects to the access device over the network to obtain rights to access other networks and network resources, the access device relays the user's authentication, authorization, and accounting information to the HWTACACS server. The HWTACACS server decides, based on the configured information, whether the user passes authentication. If so, it returns an authentication-success response; the access device then requests authorization and the HWTACACS server replies with the user's authorization information (HWTACACS performs authorization as a separate exchange rather than carrying it in a RADIUS-style Access-Accept packet). The access device then allows the user to access the network and grants rights according to the authorization reply.

Configuring AAA Schemes

Context

To use HWTACACS authentication, authorization, and accounting, set the authentication mode in the authentication scheme, authorization mode in the authorization scheme, and accounting mode in the accounting scheme to HWTACACS.

When configuring HWTACACS authentication, you can configure local authentication or non-authentication as the backup. This allows local authentication to be implemented if HWTACACS authentication fails. When configuring HWTACACS authorization, you can configure local authorization or non-authorization as the backup.

NOTE:

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. These two authentication schemes can be modified but not deleted.

    4. Run authentication-mode hwtacacs

      The HWTACACS authentication mode is specified.

      By default, local authentication is used.

      To use local authentication as the backup, run the authentication-mode hwtacacs [ local ] command.

    5. (Optional) Run authentication-super { hwtacacs | super } * [ none ]

      The authentication mode for upgrading user levels is specified.

      The default mode is super (local authentication).

    6. Run quit

      The AAA view is displayed.

    7. (Optional) Configure the account locking function.

      1. Run remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

        The remote AAA authentication account locking function is enabled, and the authentication retry interval, maximum number of consecutive authentication failures, and account locking period are configured.

        By default, the remote AAA account locking function is enabled, the authentication retry interval is 300 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 30 minutes.

      2. Run aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>

        IP addresses from which an administrator can still log in while the account is locked are specified (an exception list of up to 32 addresses).

        By default, a locked account cannot log in from any address. Restrict the exception list to dedicated management hosts: every address on it is exempt from the lockout, so a broad list removes the brute-force protection configured in the previous step.

        You can run the display aaa-quiet administrator except-list command to query the specified IP addresses.

      3. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account that has failed authentication is unlocked.

    8. (Optional) Run security-name enable

      The security string function is enabled.

      By default, the security string function is enabled.

    9. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the user name and domain name are parsed is specified.

      By default, a domain name is parsed from left to right.

    10. Run quit

      The system view is displayed.

    11. (Optional) Run aaa-authen-bypass enable time time-value

      Authentication bypass is enabled and its duration is set.

      By default, the bypass authentication function is disabled. Because users log in without being authenticated while the bypass is active, leave it disabled except during a controlled maintenance window.

  • Configure an authorization scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      An authorization scheme is created and the authorization scheme view is displayed, or the view of an existing authorization scheme is displayed.

      By default, an authorization scheme named default is available on the device. The default authorization scheme can be modified but not deleted.

    4. Run authorization-mode hwtacacs [ local ] [ none ]

      The authorization mode is specified.

      By default, local authorization is used.

      If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    5. (Optional) Run authorization-cmd privilege-level hwtacacs [ local ] [ none ]

      Command-line authorization is enabled for users at the specified privilege level: each command such a user enters is sent to the HWTACACS server and runs only if the server permits it.

      By default, command-line authorization is disabled for all user levels.

      If command-line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    6. Run quit

      The AAA view is displayed.

    7. Run quit

      The system view is displayed.

    8. (Optional) Run aaa-author-bypass enable time time-value

      Authorization bypass is enabled and its duration is set.

      By default, authorization bypass is disabled.

    9. (Optional) Run aaa-author-cmd-bypass enable time time-value

      Command-line authorization bypass is enabled and its duration is set.

      By default, command-line authorization bypass is disabled. Both bypass settings suspend the checks configured in this section for the given period; treat them as maintenance switches, not as a way to work around an unreachable server (the local keyword in the scheme exists for that).

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      By default, the accounting scheme named default is available on the device. The default accounting scheme can be modified but not deleted.

    4. Run accounting-mode hwtacacs

      The hwtacacs accounting mode is specified.

      The default accounting mode is none.

    5. (Optional) Run accounting start-fail { offline | online }

      A policy for accounting-start failures is configured.

      By default, users cannot go online if accounting-start fails.

    6. (Optional) Run accounting realtime interval

      Real-time accounting is enabled and the accounting interval is set.

      By default, real-time accounting is disabled. The device performs accounting for users based on their online duration.

    7. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }

      The maximum number of real-time accounting failures is set, and a policy is specified for the device if the maximum number of real-time accounting attempts fail.

      The default maximum number of real-time accounting failures is 3. The device will keep the users online if three real-time accounting attempts fail.
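Putting the three schemes together, as an added example that is not part of the Huawei document: the configuration below builds an authentication scheme that falls back to local users only when no HWTACACS server answers, an authorization scheme with command-line authorization for level-15 administrators, and an accounting scheme that keeps sessions alive if the accounting server fails. The scheme names (tac-auth, tac-author, tac-acct), the lockout thresholds, the exception address 192.0.2.5 and the privilege level are assumptions chosen for illustration, and lines beginning with "#" are reader comments rather than VRP commands. The local backup is consulted only when the server does not respond, not when it rejects the user, so a local administrator account (created with local-user, which this page does not cover) must exist for the fallback to be of any use.

```text
# Added example, not part of the Huawei document. "#" lines are comments for
# the reader. Scheme names, thresholds, the privilege level and 192.0.2.5 are
# assumptions chosen for illustration.
system-view
 aaa
  # --- Authentication -----------------------------------------------------
  # HWTACACS first; the local user database only when no server answers.
  authentication-scheme tac-auth
   authentication-mode hwtacacs local
   # Weak variant, do NOT use: "authentication-mode hwtacacs none" accepts any
   # user name and password as soon as the servers stop responding.
   # Level-upgrade (super) password: ask the server, fall back to the local one.
   authentication-super hwtacacs super
   quit
  # Lock a remote account after 3 consecutive failures inside the retry
  # interval, for the block time (constructed values; confirm units with "?").
  remote-aaa-user authen-fail retry-interval 5 retry-time 3 block-time 15
  # Only the management jump host may log in while an account is locked.
  aaa-quiet administrator except-list 192.0.2.5
  # --- Authorization ------------------------------------------------------
  authorization-scheme tac-author
   authorization-mode hwtacacs local
   # Every command entered by a level-15 user is approved by the server first;
   # local authorization applies only if no server answers.
   authorization-cmd 15 hwtacacs local
   quit
  # --- Accounting ---------------------------------------------------------
  accounting-scheme tac-acct
   accounting-mode hwtacacs
   # Availability decision made explicit: a dead accounting server does not
   # block logins, but the resulting gap in the audit trail should be alerted on.
   accounting start-fail online
   accounting realtime 15
   accounting interim-fail max-times 3 online
   quit
  quit
# Confirm the modes before the schemes are bound to a domain.
display authentication-scheme tac-auth
display authorization-scheme tac-author
display accounting-scheme tac-acct
```

The weak variant left in the comments is the one to watch for in configuration reviews: with none as the backup, an outage of the AAA servers (or a deliberately induced one) turns into an unauthenticated login, and the NOTE in the Context above applies to the backup position just as much as to the primary mode.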

Configuring an HWTACACS Server Template

Context

When configuring an HWTACACS server template, you must specify the IP address, port number, and shared key of a specified HWTACACS server. Other settings, such as the HWTACACS user name format and traffic unit, have default values and can be modified based on network requirements.

The HWTACACS server template settings such as the HWTACACS user name format and shared key must be the same as those on the HWTACACS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run hwtacacs enable

    HWTACACS is enabled.

    By default, HWTACACS is enabled.

  3. Run hwtacacs-server template template-name

    An HWTACACS server template is created and the HWTACACS server template view is displayed.

    By default, no HWTACACS server template is configured on the device.

  4. Configure HWTACACS authentication, authorization, and accounting servers. Each command takes the server address, an optional port (TCP port 49 by default), an optional VPN instance or public-net flag (IPv4 only), an optional role (the first server is the primary; secondary and third designate backups), and an optional per-server shared key.

    Configure an HWTACACS authentication server.

    • IPv4 server: hwtacacs-server authentication ipv4-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ] [ shared-key cipher key-string ]
    • IPv6 server: hwtacacs-server authentication ipv6-address [ port ] [ public-net ] [ secondary | third ] [ shared-key cipher key-string ]

    By default, no HWTACACS authentication server is configured.

    Configure an HWTACACS authorization server.

    • IPv4 server: hwtacacs-server authorization ipv4-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ] [ shared-key cipher key-string ]
    • IPv6 server: hwtacacs-server authorization ipv6-address [ port ] [ public-net ] [ secondary | third ] [ shared-key cipher key-string ]

    By default, no HWTACACS authorization server is configured.

    Configure an HWTACACS accounting server.

    • IPv4 server: hwtacacs-server accounting ipv4-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ] [ shared-key cipher key-string ]
    • IPv6 server: hwtacacs-server accounting ipv6-address [ port ] [ public-net ] [ secondary | third ] [ shared-key cipher key-string ]

    By default, no HWTACACS accounting server is configured.

  5. Set parameters for interconnection between the device and an HWTACACS server.

    Set the shared key for the HWTACACS server. The key can be set at three scopes: on an individual server line (step 4), for the whole template, or globally in the system view. A key on a server line applies to that server only, the template key covers the template's servers that have no key of their own, and the global key covers templates that set none.

    • Global key, in the system view:
      quit (return to the system view)
      hwtacacs-server shared-key cipher key-string
      hwtacacs-server template template-name (return to the HWTACACS server template view)
    • Template key, in the HWTACACS server template view:
      hwtacacs-server shared-key cipher key-string

    By default, no shared key is set for an HWTACACS server.

    (Optional) Configure the format of the user name in the packet sent by the device to the HWTACACS server.

    • Configure the user name to contain the domain name: hwtacacs-server user-name domain-included
    • Configure the original user name: hwtacacs-server user-name original
    • Configure the user name not to contain the domain name: undo hwtacacs-server user-name domain-included

    By default, the device does not change the user name entered by the user when sending packets to the HWTACACS server. The chosen format must match how accounts are named on the server; otherwise authentication fails for every user.

    (Optional) Set the HWTACACS traffic unit: hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

    The default HWTACACS traffic unit on the device is bytes.

    (Optional) Set the source IP address for communication between the device and the HWTACACS server: hwtacacs-server source-ip { ip-address | source-loopback interface-number } or hwtacacs-server source-ipv6 { ipv6-address | source-loopback interface-number }

    By default, the device uses the IP address of the actual outbound interface as the source IP address encapsulated in HWTACACS packets. A loopback address keeps the source stable when routing changes, so the server can bind the shared key to one known client address.

  6. (Optional) Set the response timeout interval and activation interval for the HWTACACS server.

    Set the response timeout interval for the HWTACACS server: hwtacacs-server timer response-timeout interval

    The default response timeout interval for an HWTACACS server is 5 seconds.

    If the device does not receive a response from an HWTACACS server within the response timeout interval, it marks that server unreachable and tries the next configured server (secondary, then third). When no server responds, it falls back to the backup method configured in the scheme (local, or none if that was configured).

    Set the interval for the primary HWTACACS server to restore to the active state: hwtacacs-server timer quiet interval

    The default interval for the primary HWTACACS server to restore to the active state is 5 minutes. Until the quiet interval expires, new requests go to the backup servers rather than being retried against the failed primary.

  7. Run quit

    The system view is displayed.

  8. (Optional) Run hwtacacs-server accounting-stop-packet resend { disable | enable number }

    Retransmission of accounting-stop packets is enabled and the number of packets that can be retransmitted each time is specified.

    By default, retransmission of accounting-stop packets is enabled, and 100 account-stop packets can be retransmitted each time.

  9. Run return

    The user view is displayed.

  10. (Optional) Run hwtacacs-user change-password hwtacacs-server template-name

    The password saved on the HWTACACS server is changed.

    NOTE:

    To ensure device security, you are advised to frequently change the password.

  11. (Optional) Run test-aaa user-name user-password hwtacacs-template template-name [ accounting [ start | realtime | stop ] ]

    Connectivity between the device and authentication or accounting server is tested. If the user passes the HWTACACS authentication or accounting, the device is properly connected to the authentication or accounting server.
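A complete server template, as an added example that is not taken from the Huawei document: it configures primary and secondary servers for all three AAA functions, a template-scoped shared key, a loopback source address and tighter timers, then tests the template from the user view before it is bound to any domain. The addresses in 192.0.2.0/24, the key, the template name tac-mgmt, the LoopBack0 interface and the test account are assumptions, and lines beginning with "#" are reader comments rather than VRP commands.

```text
# Added example, not part of the Huawei document. "#" lines are comments for
# the reader. Addresses, the key, the template name, LoopBack0 and the test
# credentials are assumptions.
system-view
 hwtacacs enable
 hwtacacs-server template tac-mgmt
  # Primary and secondary server for each function; 49 is the default TCP port.
  hwtacacs-server authentication 192.0.2.10 49
  hwtacacs-server authentication 192.0.2.11 49 secondary
  hwtacacs-server authorization 192.0.2.10 49
  hwtacacs-server authorization 192.0.2.11 49 secondary
  hwtacacs-server accounting 192.0.2.10 49
  hwtacacs-server accounting 192.0.2.11 49 secondary
  # Key for every server in this template; it must match the servers' config.
  # (A per-server key can be given with "shared-key cipher" on a server line.)
  hwtacacs-server shared-key cipher Tac-Key-Example-2019
  # Send the user name exactly as typed, so server-side accounts need no suffix.
  hwtacacs-server user-name original
  # Fixed source so the servers can pin this client to one address (assumes
  # LoopBack0 exists and is reachable from the servers).
  hwtacacs-server source-ip source-loopback 0
  # Fail over after 3 s instead of 5 s; keep a failed primary quiet for 10 min.
  hwtacacs-server timer response-timeout 3
  hwtacacs-server timer quiet 10
  quit
 # Buffer and resend up to 100 accounting-stop packets (the default, made explicit).
 hwtacacs-server accounting-stop-packet resend enable 100
 return
# User view: prove authentication and accounting work against the template
# before any domain depends on it. Use a dedicated test account on the server.
test-aaa tacuser Tac-Test-Example hwtacacs-template tac-mgmt
test-aaa tacuser Tac-Test-Example hwtacacs-template tac-mgmt accounting start
display hwtacacs-server template tac-mgmt verbose
```

Run the test-aaa commands from the console or a second session, not from the session you intend to keep: a mistyped key or a server that cannot reach LoopBack0 shows up here as a failed test rather than as a lockout later. The shared key is the only secret protecting the packet body, so treat it like a password: unique per device or site, stored only in the cipher form the command writes, and rotated when staff with access to it leave.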

(Optional) Configuring a Recording Scheme

Context

Improper operations by a network administrator may sometimes cause a network failure. After HWTACACS authentication and authorization are configured, the server can record administrator's operations. These records can be used to locate the problem if a network failure occurs.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run recording-scheme recording-scheme-name

    A recording scheme is created and the recording scheme view is displayed.

    By default, no recording scheme is configured on the device.

  4. Run recording-mode hwtacacs template-name

    The recording scheme is associated with the HWTACACS server template.

    By default, a recording scheme is not associated with any HWTACACS server template.

  5. Run quit

    The AAA view is displayed.

  6. Run cmd recording-scheme recording-scheme-name

    A policy is configured to record the commands that have been executed on the device.

    By default, the commands used on the device are not recorded.

  7. Run outbound recording-scheme recording-scheme-name

    A policy is configured to record connection information.

    By default, connection information is not recorded.

  8. Run system recording-scheme recording-scheme-name

    A policy is configured to record system events.

    By default, system events are not recorded.
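Command and event recording, as an added example that is not from the Huawei document. It assumes a template named tac-mgmt already exists; the scheme name tac-rec is an assumption and lines beginning with "#" are reader comments. Recording is separate from command-line authorization: authorization-cmd decides whether a command may run, while the recording scheme writes what was run to the server, and an incident investigation needs both.

```text
# Added example, not part of the Huawei document. "#" lines are comments for
# the reader. Assumes an HWTACACS server template named tac-mgmt exists.
system-view
 aaa
  # The recording scheme only names where the records go.
  recording-scheme tac-rec
   recording-mode hwtacacs tac-mgmt
   quit
  # Nothing is recorded until the scheme is bound to an event class.
  cmd recording-scheme tac-rec         # every command an operator executes
  outbound recording-scheme tac-rec    # connections the device opens (telnet etc.)
  system recording-scheme tac-rec      # system events
  quit
# Confirm the binding; the server side needs accounting for the device's
# address enabled, otherwise the records are sent and silently dropped.
display recording-scheme tac-rec
```

Because the records leave the device as they are generated, they survive a later wipe of the local log buffer, which is the property an investigator cares about; the server's own log retention and access control then decide how trustworthy the trail is.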

(Optional) Configuring a Service Scheme

Context

Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run service-scheme service-scheme-name

    A service scheme is created and the service scheme view is displayed.

    By default, no service scheme is configured on the device.

  4. Run admin-user privilege level level

    The user is configured as the administrator and the administrator level for login is specified.

    The value range of level is from 0 to 15. By default, the user level is not specified.

  5. Configure server information.

    • Configure a DHCP server group: dhcp-server group group-name
      By default, no DHCP server group is configured in a service scheme.
    • Configure the IP address of the primary DNS server: dns ip-address
      By default, no primary DNS server is configured in a service scheme.
    • Configure the IP address of the secondary DNS server: dns ip-address secondary
      By default, no secondary DNS server is configured in a service scheme.

  6. Configure resources delivered by the server in an Efficient VPN scenario.

    • Configure the primary WINS server: wins ip-address
      By default, no primary WINS server is configured in a service scheme.
    • Configure the secondary WINS server: wins ip-address secondary
      By default, no secondary WINS server is configured in a service scheme.
    • Configure the URL and version number in the service scheme: auto-update url url-string version version-number
      By default, no URL or version number is configured in a service scheme.
    • Configure the default DNS domain name in the service scheme: dns-name domain-name
      By default, no default DNS domain name is configured in a service scheme.
    • Configure the local subnet information to be sent to the remote end: route set acl acl-number
      By default, no local subnet information is sent to the remote end.
    • Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end: route set interface
      By default, the IP address of the interface bound to the IPSec tunnel is not sent to the remote end.

  7. Run ip-pool pool-name [ move-to new-position ]

    An IP address pool is bound to the service scheme or an existing IP address pool is moved.

    By default, no IP address pool is bound to a service scheme.

    NOTE:

    Ensure that the IP address pool has been configured before running this command.

  8. Run qos-profile profile-name

    A QoS profile is bound to the service scheme.

    By default, no QoS profile is bound to a service scheme.

    NOTE:

    Ensure that the QoS profile has been configured before running this command.

  9. Run idle-cut idle-time flow-value [ inbound | outbound ]

    The idle-cut function is enabled for domain users and the idle-cut parameters are set.

    By default, the idle-cut function is disabled for domain users.

    NOTE:

    The idle-cut function takes effect only after both the idle time and the traffic threshold are configured. The traffic threshold is set with the idle-cut idle-time flow-value command. The idle time is either the idle-time value configured on the device or the value authorized by the RADIUS server (carried in RADIUS attribute 28, Idle-Timeout); if both exist, the value authorized by the RADIUS server takes precedence.

    The idle-cut command in the service scheme view and the local-user idle-cut command in the AAA view enable idle-cut only for common users (PPPoE and Portal users); the service scheme configuration takes precedence. To apply idle-cut to administrators, run the local-user idle-timeout command in the AAA view for local authentication, or use RADIUS attribute 28 (Idle-Timeout) for RADIUS authentication.

Applying AAA Schemes to a Domain

Context

The created authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template are in effect only when they are applied to a domain.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name [ domain-index domain-index ]

    A domain is created and the domain view is displayed, or the view of an existing domain is displayed.

    The device has two default domains:
    • default: Used by common access users
    • default_admin: Used by administrators
    NOTE:
    • If a user enters a user name that does not contain a domain name, the user is authenticated in the global default domain (default for access users, default_admin for administrators). To make another domain the global default, run the domain domain-name [ admin ] command and specify the domain name; admin selects the default domain for administrators.
    • If a user enters a user name that contains a domain name, that domain must exist on the device with the correct name; otherwise authentication fails.

  4. Apply AAA schemes to the domain.

    Procedure

    Command

    Description

    Apply an authentication scheme to the domain.

    authentication-scheme scheme-name

    By default, the authentication scheme default is applied to the default_admin domain, and the authentication scheme named radius is applied to the default domain and other domains.

    Apply an authorization scheme to the domain.

    authorization-scheme authorization-scheme-name

    By default, no authorization scheme is applied to a domain.

    Apply an accounting scheme to the domain.

    accounting-scheme accounting-scheme-name

    By default, the accounting scheme default is applied to a domain. In this accounting scheme, non-accounting is used and real-time accounting is disabled.

  5. Apply a service scheme and an HWTACACS server template to the domain.

    Procedure

    Command

    Description

    (Optional) Apply a service scheme to the domain.

    service-scheme service-scheme-name

    By default, no service scheme is applied to a domain.

    Apply an HWTACACS server template to the domain.

    hwtacacs-server template-name

    By default, no HWTACACS server template is applied to a domain.

  6. (Optional) Configure other functions for the domain.

    Procedure

    Command

    Description

    Specify the domain state.

    state { active | block [ time-range time-name &<1–4> ] }

    When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.

    Apply a user group to the domain.

    user-group group-name

    By default, no user group is applied to a domain.

  7. (Optional) Run statistic enable

    Traffic statistics collection is enabled for users in the domain.

    By default, traffic statistics collection is disabled for users in a domain.

  8. (Optional) Configure a domain name parsing scheme. (If domain name parsing is configured in both the AAA view and authentication profile view, the device preferentially uses the configuration in the authentication profile. The configuration in the authentication profile applies only to wireless users.)

    Exit from the domain view to the AAA view: quit

    Then run the following commands in the AAA view.

    Specify the domain name parsing direction.

    domainname-parse-direction { left-to-right | right-to-left }

    The domain name can be parsed from left to right, or from right to left.

    By default, the domain name is parsed from left to right.

    Set the domain name delimiter.

    domain-name-delimiter delimiter

    A domain name delimiter can be any of the following: \ / : < > | @ ' %.

    The default domain name delimiter is @.

    Specify the domain name location.

    domain-location { after-delimiter | before-delimiter }

    The domain name can be placed before or after the delimiter.

    By default, the domain name is placed after the domain name delimiter.

    Set the security string delimiter.

    security-name-delimiter delimiter

    The default security string delimiter is * (asterisk).
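Binding everything to the administrator domain, as an added example that is not from the Huawei document. It assumes the schemes tac-auth, tac-author and tac-acct, the template tac-mgmt and a level-15 service scheme named tac-admin; all of these are illustrative names, and lines beginning with "#" are reader comments rather than VRP commands. Keep the session that enters this configuration open and verify with a fresh login from a second session, because a wrong key or an unreachable server falls back to local authentication only if the local backup was configured in the authentication scheme.

```text
# Added example, not part of the Huawei document. "#" lines are comments for
# the reader. Scheme, template, service-scheme and domain names are assumptions.
system-view
 aaa
  # Service scheme that marks users of the domain as administrators with
  # login level 15 (assumed level).
  service-scheme tac-admin
   admin-user privilege level 15
   quit
  # default_admin is already the global default domain for administrators,
  # so user names typed without "@domain" land here.
  domain default_admin
   authentication-scheme tac-auth
   authorization-scheme tac-author
   accounting-scheme tac-acct
   service-scheme tac-admin
   hwtacacs-server tac-mgmt
   state active
   quit
  # How a name such as "alice@corp" is split into user and domain; these must
  # agree with the user-name format the template sends to the server.
  domainname-parse-direction left-to-right
  domain-name-delimiter @
  domain-location after-delimiter
  quit
# Verify the bindings, then log in from a second session before closing this one.
display domain name default_admin
display aaa configuration
```

The order matters for a safe rollout: schemes first, then the template (tested with test-aaa), then the domain binding. Reversing it leaves a window in which the domain references an untested template, and with command-line authorization enabled for level 15 every command, including the one needed to undo the change, then depends on the server answering.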

Verifying the HWTACACS AAA Configuration

Procedure

  • Run the display aaa configuration command to check the AAA summary.
  • Run the display authentication-scheme [ authentication-scheme-name ] command to verify the authentication scheme configuration.
  • Run the display authorization-scheme [ authorization-scheme-name ] command to verify the authorization scheme configuration.
  • Run the display accounting-scheme [ accounting-scheme-name ] command to verify the accounting scheme configuration.
  • Run the display recording-scheme [ recording-scheme-name ] command to verify the recording scheme configuration.
  • Run the display service-scheme [ name name ] command to verify the service scheme configuration.
  • Run the display hwtacacs-server template [ template-name ] command to verify the HWTACACS server template configuration.
  • Run the display hwtacacs-server template template-name verbose command to check statistics about HWTACACS authentication, accounting, and authorization.
  • Run the display hwtacacs-server accounting-stop-packet { all | number | ip { ipv4-address | ipv6-address } } command to verify information about accounting-stop packets of the HWTACACS server.
  • Run the display domain [ name domain-name ] command to verify the domain configuration.
  • Run the display aaa statistics access-type-authenreq command to display the number of authentication requests.
Updated: 2019-05-20

Document ID: EDOC1100034077

Views: 112548

Downloads: 206

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next