NE40E V800R010C10SPC500 Feature Description - Security 01

HWTACACS

The HWTACACS client component provides the following services:

  • Authentication: the process of determining whether a user has the rights to access and use the network and services.
  • Authorization: the process of determining the services that a user is allowed to use.
  • Accounting: the process of determining network resource consumption by a user.
  • Command authorization: a list of commands to accept or reject for a user is configured on the server. When the user enters a command, the HWTACACS server checks it and accepts or rejects it based on the configured list.
  • Vendor-specific attributes.
  • Primary-secondary mode.
  • Multiplexing of HWTACACS sessions.

Authentication

HWTACACS authentication has the following types:

  • HWTACACS Authentication for Administrators

    When an AAA message is received for administrator authentication, the HWTACACS client exchanges a set of messages with the HWTACACS server: a single START message followed by a REPLY message, and then a pair of CONTINUE and REPLY messages. The administrator is authenticated based on the status field of the REPLY message received from the server.

  • HWTACACS Authentication for PPP Users

    When an AAA message is received for PPP user authentication, the HWTACACS client exchanges a set of messages with the HWTACACS server: a single START message and a single REPLY message. The PPP user is authenticated based on the status field of the REPLY message received from the server.
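The two exchanges above, simulated end to end as an added example (not code from the original page or from Huawei). The dictionary messages, the symbolic status names (borrowed from TACACS+, RFC 8907), the `make_server` stand-in and the choice to carry PPP credentials in START are assumptions made for illustration; the point shown is that the client grants access only on an explicit pass status in the final REPLY.

```python
import hmac
from enum import Enum

class Status(Enum):
    # Symbolic REPLY statuses; names borrowed from TACACS+ (RFC 8907) as an assumption.
    PASS = "pass"
    FAIL = "fail"
    GETPASS = "getpass"
    ERROR = "error"

def _check(users, user, password):
    stored = users.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def make_server(users):
    """Constructed stand-in for an HWTACACS server; one instance per session."""
    session = {}
    def handle(msg):
        if msg["type"] == "START" and "password" in msg:   # PPP user: one START, one REPLY
            ok = _check(users, msg["user"], msg["password"])
            return {"type": "REPLY", "status": Status.PASS if ok else Status.FAIL}
        if msg["type"] == "START":                         # administrator: ask for the password
            session["user"] = msg["user"]
            return {"type": "REPLY", "status": Status.GETPASS}
        if msg["type"] == "CONTINUE" and "user" in session:
            ok = _check(users, session.pop("user"), msg["data"])
            return {"type": "REPLY", "status": Status.PASS if ok else Status.FAIL}
        return {"type": "REPLY", "status": Status.ERROR}   # out-of-sequence message
    return handle

def authenticate(server, user, password, ppp=False):
    """Client side. Returns (granted, transcript); only an explicit PASS grants access."""
    start = {"type": "START", "user": user}
    if ppp:
        start["password"] = password
    transcript = ["START"]
    reply = server(start)
    transcript.append("REPLY:" + reply["status"].name)
    if not ppp and reply["status"] is Status.GETPASS:
        transcript.append("CONTINUE")
        reply = server({"type": "CONTINUE", "data": password})
        transcript.append("REPLY:" + reply["status"].name)
    # FAIL, ERROR, or a GETPASS arriving where a verdict is expected all deny access.
    return reply["status"] is Status.PASS, transcript
```
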

Authorization

HWTACACS authorization has the following types:

  • HWTACACS Authorization for Administrator and PPP Users

    When an AAA message is received for authorization, the HWTACACS client exchanges a set of messages with the HWTACACS server: a single REQUEST message and a single RESPONSE message. The user action is authorized based on the status field of the RESPONSE message received from the server.

  • Command Authorization for Administrators

    A list of commands to accept or reject for the administrator is configured on the server. When an administrator enters a command, the HWTACACS server checks it and accepts or rejects it based on the configured list.

Accounting

If authentication and authorization are successful, the AAA module forwards the accounting start request to the HWTACACS client module, which sends the accounting start request to the server. The HWTACACS client module processes the server response and forwards the accounting success/failure response to the AAA module. Similarly, if a user logs out, the AAA module sends the Accounting stop packet to HWTACACS.

The HWTACACS client and server record all commands that are executed by users, and the command records are saved on the HWTACACS server.

Primary-Secondary Mode

HWTACACS clients work with a group of HWTACACS servers. In this mode, one primary server and several secondary servers are configured. The primary server responds to incoming user requests. If the primary server does not respond to a request, one of the secondary servers in the up state responds to it. Secondary servers are selected in the specified order. When the specified time elapses, the primary server tries again to respond to the request.
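The selection order described above, as an added example (not code from the original page or from Huawei). The `Server` and `ServerGroup` classes, the `quiet_time` hold-down value and the `transport` callback are hypothetical names; the sketch shows ordered failover, the return to the primary once the timer elapses, and a "no server answered" result that stays distinct from a server reject.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    down_until: float = 0.0   # the client skips this server before this time

@dataclass
class ServerGroup:
    primary: Server
    secondaries: list            # secondary servers in their configured order
    quiet_time: float = 300.0    # assumed hold-down (seconds) before a failed server is retried

    def candidates(self, now):
        """Servers considered up at `now`: primary first, then secondaries in order."""
        return [s for s in [self.primary, *self.secondaries] if now >= s.down_until]

    def send(self, request, now, transport):
        """Try candidates in order. Returns (server_name, reply) or (None, None)."""
        for server in self.candidates(now):
            reply = transport(server.name, request)
            if reply is not None:
                return server.name, reply
            server.down_until = now + self.quiet_time   # no response: mark as down
        # Nobody answered. This is not a reject from a server, and the caller
        # must not treat it as a successful authentication.
        return None, None

def demo():
    """Constructed scenario: primary and sec1 are silent at t=0, primary recovers later."""
    alive = {"primary": False, "sec1": False, "sec2": True}
    transport = lambda name, request: "REPLY" if alive[name] else None
    group = ServerGroup(Server("primary"), [Server("sec1"), Server("sec2")])
    first = group.send("START", 0, transport)      # falls through to sec2
    alive["primary"] = True
    second = group.send("START", 100, transport)   # primary still held down
    third = group.send("START", 300, transport)    # timer elapsed: primary again
    return first, second, third
```
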

Vendor Specific Attributes

HWTACACS supports a set of Huawei-proprietary attributes. These attribute-value pairs are received from the HWTACACS server. Upon receiving an attribute-value pair, HWTACACS sends the vendor-specific attributes to the AAA module, which then decides on the rights and services for user access. HWTACACS supports the following vendor-specific attributes:
  • User group name
  • FTP directory
  • User rights
  • User service type

Multiplexing of HWTACACS Sessions

Multiplexing of HWTACACS sessions allows multiple sessions on a server to run over a single TCP connection. If a user selects the option "multiplexing of HWTACACS sessions", one TCP connection is used for new sessions. The multiplexing mode is used only if the server accepts the request for a single connection or separate connections for new requests. By default, the TCP connection established with the HWTACACS server is closed after the server responds to each AAA request.

When the modes are switched between multiplexing and non-multiplexing, the ongoing session is not affected and continues running in the mode in which the session was started. For new sessions, the new mode applies. When all ongoing sessions in multiplexing mode are completed, the configured mode is verified to determine whether the multiplexed TCP connection needs to be sustained or terminated.

Common Server

When configuring the HWTACACS accounting server, authorization server, and authentication server, you need to configure the server IP addresses and VPN instances separately. Even if the servers share the same IP address and VPN instance, the configuration has to be repeated three times.

HWTACACS supports a common HWTACACS server for all AAA operations. A user can configure the authentication, authorization, and accounting servers with the same IP address and VPN instance by using the HWTACACS common server command.

Updated: 2019-01-03

Document ID: EDOC1100055047
