
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring Local Authentication and Authorization

Local Authentication and Authorization

After local authentication and authorization are configured, the device authenticates and authorizes access users based on local user information. In local authentication and authorization, user information, including the local user name, password, and attributes, is configured on the device. Local authentication and authorization feature fast processing and low operation cost. However, the amount of local authentication and authorization information that can be stored is subject to the device hardware capacity.

Configuration Procedure

Configuration: Configure a local server.
Procedure: Configure a local user.
Description: Create a local user. The device authenticates the local user using the created user information.

Configuration: Configure a local server.
Procedure: Configure local authorization rules.
Description: Create authorization rules. The device authorizes the user based on the created authorization rules.

Configuration: Configure and apply AAA schemes.
Procedure: Configure AAA schemes.
Description: Configure authentication, authorization, and accounting schemes.

Configuration: Configure and apply AAA schemes.
Procedure: (Optional) Configure a service scheme.
Description: User authorization information can also be configured in the service scheme.

Configuration: Configure and apply AAA schemes.
Procedure: Apply the AAA schemes to a domain.
Description: The created AAA schemes and service scheme take effect only after they are applied to the domain to which users belong.

Configuration: Verify the configuration.
Procedure: Verify the configuration.
Description: -

Configuring a Local Server

Context

AAA authentication and authorization can be implemented on a network access server (NAS) device or a server. If AAA authentication and authorization are implemented on the NAS, a local AAA server is configured on the NAS. Local authentication features fast processing and low operation costs. However, how much user information can be stored depends on the hardware capacity of the device.

To configure a local server, you need to configure user authentication and authorization information on the device, including configuring a local user and configuring local authorization.

Configuring a Local User

Context

When configuring a local user, you can configure the number of connections that can be established by the local user, local user level, idle timeout period, and login time, and allow the local user to change the password.

NOTE:
  • To ensure device security, enable password complexity check and change the password periodically.
  • After you change the local account's rights (including the password, access type, FTP directory, and level), the rights of users who are already online remain unchanged. Rather, the rights are only changed once a user goes online again.
  • Local users' access types include:

    • Administrative: ftp, http, ssh, telnet, x25-pad, and terminal
    • Common: 802.1x, bind, ppp, sslvpn, and web
  • Security risks exist if the user login mode is set to Telnet or FTP, because both carry credentials in plaintext. You are advised to set the user login mode to STelnet or SFTP and set the user access type to SSH.

    When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. The self-signed certificate cannot be validated by clients and may bring risks. Therefore, you are advised to replace it with a certificate issued by a trusted CA.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Create a local user.

    Procedure: (Optional) Enable the password complexity check.
    Command: user-password complexity-check
    Description: By default, the password complexity check is enabled.

    Procedure: Create a local user name and a password (using either of the commands).
    Command: local-user user-name password
    Command: local-user user-name password { cipher | irreversible-cipher } password
    Description: By default, the local account password is Admin@huawei.

    Use the first, interactive form wherever possible: entering a plaintext password directly on the command line exposes it on screen and poses a security risk.

    If a user name contains a domain name delimiter (such as @, |, or %) and the domain name parsing direction is not configured using the domainname-parse-direction right-to-left command, the character string before the delimiter is treated as the user name and the string after the delimiter as the domain name. If a user name does not contain a domain name delimiter, the entire character string is treated as the user name. By default, common users are authenticated in the domain default, and administrators in the domain default_admin.

    Procedure: Configure an access type for the local user.
    Command: local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | sslvpn | telnet | terminal | web | x25-pad } *
    Description: By default, all access types are disabled for a local user.

    The access type configured for portal access users is web.

    If the user exists, note that:
    • If the irreversible password algorithm is used, the access type can only be administrative.
    • If the reversible password algorithm is used, the access type can be common or administrative, but not a combination of common and administrative. In addition, when the access type is set to an administrative type, the password encryption algorithm is automatically changed to the irreversible algorithm.

    Procedure: (Optional) Allocate a fixed IP address to the local user.
    Command: local-user user-name bind-ip ip-address
    Description: By default, no fixed IP address is allocated to the local user.

  4. (Optional) Set the user level, user group, access time range, idle timeout period, and number of connections that can be established by the user.

    Procedure: Set the local user level.
    Command: local-user user-name privilege level level
    Description: The default level of a local user is 0.

    Procedure: Set the local user group.
    Command: local-user user-name user-group group-name
    Description: By default, a local user does not belong to any group.

    Procedure: Set the access time range for the local user.
    Command: local-user user-name time-range time-name
    Description: By default, no access time range is configured and the local user can access the network at any time.

    Procedure: Set the idle timeout period for the specified user.
    Command: local-user user-name idle-timeout minutes [ seconds ] or local-user user-name idle-cut
    Description: If the local user is idle for longer than the specified period, the user automatically goes offline.

    If the idle timeout period is set to 0 or a large value, the terminal remains logged in, which is a security risk. If a session must stay open, run the lock command to lock the connection instead.

    To enable idle-cut for common users (NAC or PPP users), run the local-user user-name idle-cut command. To enable idle-cut for administrators, run the local-user user-name idle-timeout minutes [ seconds ] command.

    Procedure: Set the maximum number of connections that can be established by the local user.
    Command: local-user user-name access-limit max-number
    Description: By default, the number of connections that can be established by a user is not limited. To allow the local account to be logged in to on only one terminal at a time, set max-number to 1.

  5. (Optional) Configure security of the local user.

    Procedure: Enable the local account lock function, and set the retry interval, maximum number of consecutive authentication failures, and account lock period.
    Command: local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time
    Description: By default, the local account lock function is enabled, the retry interval is 5 minutes, the maximum number of consecutive authentication failures is 3, and the account lock period is 5 minutes.

    Procedure: Specify IP addresses from which an administrator can still log in while the administrator account is locked.
    Command: aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>
    Description: By default, no exception addresses are configured, and a locked account cannot log in from any address. To check the configured IP addresses, run the display aaa-quiet administrator except-list command.

    Configure the password policy for local access users:

    Procedure: Enable the password policy for local access users and enter the local access user password policy view.
    Command: local-aaa-user password policy access-user
    Description: By default, the password policy for local access users is disabled.

    Procedure: Set the maximum number of historical passwords recorded for each user.
    Command: password history record number number
    Description: By default, a maximum of five historical passwords are recorded for each user.

    Procedure: Exit the local access user password policy view.
    Command: quit
    Description: -

    Configure the password policy for local administrators:

    Procedure: Enable the password policy for local administrators and enter the local administrator password policy view.
    Command: local-aaa-user password policy administrator
    Description: By default, the password policy for local administrators is disabled.

    Procedure: Enable the password expiration prompt function and set the password expiration prompt period.
    Command: password alert before-expire day
    Description: By default, the system displays a prompt 30 days before the password expires.

    Procedure: Enable the initial password change prompt function.
    Command: password alert original
    Description: By default, the system prompts users to change initial passwords.

    Procedure: Enable the password expiration function and set the password validity period.
    Command: password expire day
    Description: By default, the password validity period is 90 days.

    Procedure: Set the maximum number of historical passwords recorded for each user.
    Command: password history record number number
    Description: By default, a maximum of five historical passwords are recorded for each user.

    Procedure: Exit the local administrator password policy view.
    Command: quit
    Description: -

  6. (Optional) Set parameters of access rights for the local user.

    Procedure: Configure the FTP directory that FTP users can access.
    Command: local-user user-name ftp-directory directory
    Description: By default, the FTP directory that FTP users can access is not configured. If the access type of the local user is FTP, you must configure the FTP directory, and set the local user level to be lower than the management level; otherwise, the FTP user cannot log in to the device.

    Procedure: Set the local user state.
    Command: local-user user-name state { active | block }
    Description: By default, a local user is in the active state. The device processes requests from users in different states as follows:
    • If the local user is in the active state, the device accepts and processes the authentication request from the user.
    • If the local user is in the block state, the device rejects the authentication request from the user.

    Procedure: Set the expiration date for the local account.
    Command: local-user user-name expire-date expire-date
    Description: By default, a local account is permanently valid.

    Procedure: Set the account type of the local user.
    Command: local-user user-name account-type cmcc-tr069
    Description: By default, the account type of a local user is not specified. If the TR-069 function is not enabled by the set operator-code cmcc command, this command cannot be executed.

  7. (Optional) Change the login password of the local user.

    Procedure: Return to the user view.
    Command: return
    Description: -

    Procedure: Change the login password of the local user.
    Command: local-user change-password
    Description: -
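Steps 3 to 7 above as one worked configuration, added here as an example; it is not taken from the original guide and uses the commands listed in those steps. Assumptions: the default sysname Huawei in the prompts and the view prompt names, the account names netadmin, netops and olduser (olduser is an existing account), the time range workhours (time-range is a system-view command not covered on this page) and 192.0.2.10 as a management jump host. Lines beginning with # are annotations, not commands.

```text
# Added example; not from the original guide. Names, addresses and prompts are assumptions.
<Huawei> system-view
[Huawei] time-range workhours 08:00 to 18:00 working-day
[Huawei] aaa
# Keep the default complexity check on so weak passwords are rejected at creation.
[Huawei-aaa] user-password complexity-check
# Administrator account: password entered interactively, so it is neither echoed nor typed on the command line.
[Huawei-aaa] local-user netadmin password
# An administrative access type (ssh) switches the stored password to the irreversible algorithm.
[Huawei-aaa] local-user netadmin service-type ssh
[Huawei-aaa] local-user netadmin privilege level 15
# One concurrent session and a 10-minute idle cut for the administrator.
[Huawei-aaa] local-user netadmin access-limit 1
[Huawei-aaa] local-user netadmin idle-timeout 10 0
# Operator account: level 3, SSH only, may log in during working hours only.
[Huawei-aaa] local-user netops password
[Huawei-aaa] local-user netops service-type ssh
[Huawei-aaa] local-user netops privilege level 3
[Huawei-aaa] local-user netops time-range workhours
[Huawei-aaa] local-user netops access-limit 2
[Huawei-aaa] local-user netops idle-timeout 5 0
# Lock an account for 15 minutes after 3 failures within 5 minutes;
# the jump host can still log in while an administrator account is locked.
[Huawei-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 15
[Huawei-aaa] aaa-quiet administrator except-list 192.0.2.10
# Administrator password policy: 60-day lifetime, warning 7 days ahead, 10 old passwords remembered.
[Huawei-aaa] local-aaa-user password policy administrator
[Huawei-aaa-lupp-admin] password expire 60
[Huawei-aaa-lupp-admin] password alert before-expire 7
[Huawei-aaa-lupp-admin] password alert original
[Huawei-aaa-lupp-admin] password history record number 10
[Huawei-aaa-lupp-admin] quit
# Block a leaver's existing account rather than deleting it, so logs still resolve the name.
[Huawei-aaa] local-user olduser state block
[Huawei-aaa] quit
[Huawei] quit
# Check what was created.
<Huawei> display local-user
```

Sessions that are already online keep the rights they had at login; the level, access type and password changes above take effect only when the user logs in again. With `access-limit 1` a second login as netadmin is refused while the first session is open, which is also the behaviour to expect if an attacker holds the session.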

Configuring Authorization Rules

Context

Table 1-33 describes the authorization parameters that can be set locally during local authorization configuration.

Table 1-33  Local authorization parameters

Authorization Parameter: VLAN
Usage Scenario: VLAN-based authorization is easy to deploy and maintenance costs are low. It applies to scenarios where employees in an office or a department have the same access rights.
Description: In local authorization, you only need to configure VLANs and corresponding network resources on the device. An authorized VLAN cannot be delivered to online Portal users. After a user is authorized based on a VLAN, the user needs to manually trigger an IP address request using DHCP.

Authorization Parameter: Service scheme
Usage Scenario: A service scheme delivers a set of authorization attributes (for example, DNS servers, an IP address pool, or a QoS profile) to all users in a domain.
Description: You need to configure a service scheme and corresponding network resources on the device. A service scheme can be applied to a domain, and users in the domain then obtain the authorization information in the service scheme.

Authorization Parameter: User group
Usage Scenario: A user group consists of users (terminals) with the same attributes, such as role and rights. For example, according to the enterprise department structure, you can divide users on a campus network into groups such as an R&D group, finance group, marketing group, and guest group, and apply different security policies to these groups.
Description: In local authorization, you only need to configure user groups and corresponding network resources on the device. A user group can be applied to a domain, and users in the domain then obtain the authorization information in the user group. For details on how to configure a user group, see Configure an authorization user group.

Procedure

  • Configure an authorization VLAN.

    Configure a VLAN and the network resources in the VLAN on the device.

  • Configure a service scheme.

    For details on how to configure a service scheme, see (Optional) Configuring a Service Scheme.

  • Configure an authorization user group.

    For details about how to configure an authorized user group, see the table below.

    Procedure: Create a user group and enter the user group view.
    Command: user-group group-name
    Description: When using a user group in a hot standby or dual-link backup scenario, specify the user group index, and ensure that the user group name and index on the active device are the same as those on the standby device.

    Procedure: Bind an ACL to the user group.
    Command: acl-id acl-number
    Description: By default, no ACL is bound to a user group. The IPv4 ACL to be bound to a user group must have been created using the acl (system view) command.

    Procedure: Set the priority for the user group.
    Command: remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*
    Description: By default, the user group priority is not specified.

Configuring AAA Schemes

Context

To use local authentication and authorization, set the authentication mode in an authentication scheme to local authentication and the authorization mode in an authorization scheme to local authorization.

By default, the device performs local authentication and authorization for access users.

NOTE:

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme authentication-scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or an existing authentication scheme view is displayed.

      Two default authentication schemes named default and radius are available on the device. These two authentication schemes can be modified but not deleted.

    4. Run authentication-mode local

      The authentication mode is set to local.

      By default, local authentication is used.

    5. (Optional) Run authentication-super [ hwtacacs | super ] * none

      An authentication mode for upgrading user levels is set.

      The default mode is super (local authentication).

    6. Run quit

      The AAA view is displayed.

    7. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the domain name is parsed is specified.

      By default, a domain name is parsed from left to right.

    8. Run quit

      The system view is displayed.

    9. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication duration is set.

      By default, the bypass authentication function is disabled.

  • Configure an authorization scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      An authorization scheme is created and the authorization scheme view is displayed, or an existing authorization scheme view is displayed.

      A default authorization scheme named default is available on the device. This authorization scheme can be modified but not deleted.

    4. Run authorization-mode local [ none ]

      The authorization mode is set.

      By default, local authorization is used.

    5. Run quit

      The AAA view is displayed.

    6. (Optional) Run authorization-modify mode { modify | overlay }

      The update mode of user authorization information delivered by the authorization server is set.

      The default mode is overlay.

    7. Run quit

      The system view is displayed.

    8. (Optional) Run aaa-author-bypass enable time time-value

      The bypass authorization duration is set.

      By default, the bypass authorization function is disabled.

(Optional) Configuring a Service Scheme

Context

Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run service-scheme service-scheme-name

    A service scheme is created and the service scheme view is displayed.

    By default, no service scheme is configured on the device.

  4. Run admin-user privilege level level

    The user is configured as the administrator and the administrator level for login is specified.

    The value range of level is from 0 to 15. By default, the user level is not specified.

  5. Configure server information.

    Step: Configure a DHCP server group.
    Command: dhcp-server group group-name
    Remarks: By default, no DHCP server group is configured in a service scheme.

    Step: Configure the IP address of the primary DNS server.
    Command: dns ip-address
    Remarks: By default, no primary DNS server is configured in a service scheme.

    Step: Configure the IP address of the secondary DNS server.
    Command: dns ip-address secondary
    Remarks: By default, no secondary DNS server is configured in a service scheme.

  6. Configure resources delivered by the server in an Efficient VPN scenario.

    Step: Configure the primary WINS server.
    Command: wins ip-address
    Remarks: By default, no primary WINS server is configured in a service scheme.

    Step: Configure the secondary WINS server.
    Command: wins ip-address secondary
    Remarks: By default, no secondary WINS server is configured in a service scheme.

    Step: Configure the URL and version number in the service scheme.
    Command: auto-update url url-string version version-number
    Remarks: By default, no URL or version number is configured in a service scheme.

    Step: Configure the default DNS domain name in the service scheme.
    Command: dns-name domain-name
    Remarks: By default, no default DNS domain name is configured in a service scheme.

    Step: Configure the local subnet information to be sent to the remote end.
    Command: route set acl acl-number
    Remarks: By default, no local subnet information is sent to the remote end.

    Step: Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end.
    Command: route set interface
    Remarks: By default, the IP address of the interface bound to the IPSec tunnel is not sent to the remote end.

  7. Run ip-pool pool-name [ move-to new-position ]

    An IP address pool is bound to the service scheme or an existing IP address pool is moved.

    By default, no IP address pool is bound to a service scheme.

    NOTE:

    Ensure that the IP address pool has been configured before running this command.

  8. Run qos-profile profile-name

    A QoS profile is bound to the service scheme.

    By default, no QoS profile is bound to a service scheme.

    NOTE:

    Ensure that the QoS profile has been configured before running this command.

  9. Run idle-cut idle-time flow-value [ inbound | outbound ]

    The idle-cut function is enabled for domain users and the idle-cut parameters are set.

    By default, the idle-cut function is disabled for domain users.

    NOTE:

    The idle-cut function takes effect only after the idle time and traffic threshold are configured. To configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the idle time, use the value of idle-time configured on the device or the value (carried in RADIUS attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value authorized by the RADIUS server has a higher priority.

    You can only run the idle-cut command in the service scheme view and the local-user idle-cut command in the AAA view to enable the idle-cut function for common users (PPPoE and Portal users). The configuration implemented in the service scheme view has a higher priority. If you need to perform idle-cut for administrators, run the local-user idle-timeout command in the AAA view during the local authentication, and use RADIUS attribute 28 (Idle-Timeout) during the RADIUS authentication.

Applying AAA Schemes to a Domain

Context

The created authentication and authorization schemes take effect only after being applied to a domain. When local authentication and authorization are used, the default accounting scheme non-accounting is used.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name [ domain-index domain-index ]

    A domain is created and the domain view is displayed, or the view of an existing domain is displayed.

    The device has two default domains:
    • default: Used by common access users
    • default_admin: Used by administrators
    NOTE:
    • If a user enters a user name that does not contain a domain name, the user is authenticated in the default domain. In this case, you need to run the domain domain-name [ admin ] command and set domain-name to configure a global default domain on the device.
    • If a user enters a user name that contains a domain name during authentication, the user must enter the correct value of domain-name.

  4. Apply AAA schemes to the domain.

    Procedure: Apply an authentication scheme to the domain.
    Command: authentication-scheme authentication-scheme-name
    Description: By default, the authentication scheme named radius is applied to the default domain, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named default is applied to other domains.

    Procedure: Apply an authorization scheme to the domain.
    Command: authorization-scheme authorization-scheme-name
    Description: By default, no authorization scheme is applied to a domain.

  5. Configure local authorization rules.

    Procedure: (Optional) Apply a user group to the domain.
    Command: user-group group-name
    Description: By default, no user group is applied to a domain.

    Procedure: (Optional) Apply a service scheme to the domain.
    Command: service-scheme service-scheme-name
    Description: By default, no service scheme is applied to a domain.

  6. (Optional) Specify the domain state.

    Procedure: Specify the domain state.
    Command: state { active | block [ time-range time-name &<1-4> ] }
    Description: When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.

  7. (Optional) Run statistic enable

    Traffic statistics collection is enabled for users in the domain.

    By default, traffic statistics collection is disabled for users in a domain.

  8. (Optional) Configure a domain name parsing scheme. (If domain name parsing is configured in both the AAA view and authentication profile view, the device preferentially uses the configuration in the authentication profile. The configuration in the authentication profile applies only to wireless users.)

    AAA view:

    Procedure: Exit from the domain view.
    Command: quit
    Description: -

    Procedure: Specify the domain name parsing direction.
    Command: domainname-parse-direction { left-to-right | right-to-left }
    Description: The domain name can be parsed from left to right or from right to left. By default, the domain name is parsed from left to right.

    Procedure: Set the domain name delimiter.
    Command: domain-name-delimiter delimiter
    Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.

    Procedure: Specify the domain name location.
    Command: domain-location { after-delimiter | before-delimiter }
    Description: The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.

    Procedure: Set the security string delimiter.
    Command: security-name-delimiter delimiter
    Description: The default security string delimiter is * (asterisk).
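The authorization rules, AAA schemes, service scheme and domain binding described in the preceding sections as one worked configuration, added here as an example; it is not taken from the original guide. Assumptions: the default sysname Huawei and the view prompt names, the scheme, pool, group and domain names, ACL 3001 with the 10.1.0.0/16, 10.1.10.0/24 and 10.1.x.53 addresses, that user-group and ip pool are created in the system view (this guide does not name their views), and that `authentication-mode none` is the keyword for the non-authentication mode the AAA scheme note warns about. Lines beginning with # are annotations, not commands.

```text
# Added example; not from the original guide. Names, addresses and prompts are assumptions.
<Huawei> system-view
# Advanced ACL delivered to the user group: internal servers only, everything else dropped.
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule 5 permit ip destination 10.1.0.0 0.0.255.255
[Huawei-acl-adv-3001] rule 10 deny ip
[Huawei-acl-adv-3001] quit
# Address pool handed out through the service scheme; it must exist before ip-pool is run.
[Huawei] ip pool staff-pool
[Huawei-ip-pool-staff-pool] network 10.1.10.0 mask 24
[Huawei-ip-pool-staff-pool] gateway-list 10.1.10.1
[Huawei-ip-pool-staff-pool] quit
# Authorization user group: the ACL plus a DSCP remark for this department.
[Huawei] user-group staff
[Huawei-user-group-staff] acl-id 3001
[Huawei-user-group-staff] remark dscp 26
[Huawei-user-group-staff] quit
[Huawei] aaa
# Local authentication with no fallback; never use authentication-mode none on a reachable device.
[Huawei-aaa] authentication-scheme local-auth
[Huawei-aaa-authen-local-auth] authentication-mode local
[Huawei-aaa-authen-local-auth] quit
[Huawei-aaa] authorization-scheme local-author
[Huawei-aaa-author-local-author] authorization-mode local
[Huawei-aaa-author-local-author] quit
# Service scheme: DNS servers and the address pool delivered to every user in the domain.
[Huawei-aaa] service-scheme staff-svc
[Huawei-aaa-service-staff-svc] dns 10.1.1.53
[Huawei-aaa-service-staff-svc] dns 10.1.2.53 secondary
[Huawei-aaa-service-staff-svc] ip-pool staff-pool
[Huawei-aaa-service-staff-svc] quit
# Domain: none of the above takes effect until it is bound here.
[Huawei-aaa] domain corp.example
[Huawei-aaa-domain-corp.example] authentication-scheme local-auth
[Huawei-aaa-domain-corp.example] authorization-scheme local-author
[Huawei-aaa-domain-corp.example] service-scheme staff-svc
[Huawei-aaa-domain-corp.example] user-group staff
[Huawei-aaa-domain-corp.example] state active
[Huawei-aaa-domain-corp.example] quit
# Name parsing (these are the defaults, set explicitly): "alice@corp.example" is
# user "alice" in domain "corp.example"; a name with no delimiter lands in default or default_admin.
[Huawei-aaa] domain-name-delimiter @
[Huawei-aaa] domain-location after-delimiter
[Huawei-aaa] domainname-parse-direction left-to-right
[Huawei-aaa] quit
[Huawei] display domain name corp.example
```

A user who logs in as alice@corp.example is checked against the local user table, authorized locally, and receives the DNS servers and address pool from staff-svc and ACL 3001 with the DSCP remark from the staff group. Because a name without a delimiter is placed in the default or default_admin domain, those two domains need the same local schemes if they stay in use; the default domain is bound to the radius authentication scheme out of the box, so local-only devices should rebind it or create users with an explicit domain.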

Verifying the Local Authentication and Authorization Configuration

Procedure

  • Run the display aaa configuration command to check the AAA summary.
  • Run the display authentication-scheme [ authentication-scheme-name ] command to verify the authentication scheme configuration.
  • Run the display authorization-scheme [ authorization-scheme-name ] command to verify the authorization scheme configuration.
  • Run the display access-user [ domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | ipv6-address ipv6-address | access-slot slot-id | user-group user-group-name | username user-name ] [ detail ], display access-user [ mac-address mac-address | service-scheme service-scheme-name | user-id user-id | statistics | ssid ssid-name ], or display access-user access-type { admin [ ftp | ssh | telnet | terminal | web ] | ppp | l2tp } [ username user-name ] command to check the summary of online users.
  • Run the display domain [ name domain-name ] command to verify the domain configuration.
  • Run the display local-user [ domain domain-name | state { active | block } | username username ] * command to check the brief information about local users.
  • Run the display local-user expire-time command to verify the time when the local account expires.
  • Run the display aaa statistics access-type-authenreq command to verify the number of authentication requests.
Updated: 2019-05-20

Document ID: EDOC1100034077

Views: 113598

Downloads: 210

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next