NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Examples for Configuring Local Authentication and Authorization

This configuration example shows how local authentication and authorization are applied on an actual network.

Networking Requirements

As shown in Figure 2-4, the administrator admin@aaa logs in to the router through Telnet and uses local authentication and authorization. The admin@aaa user can execute all AAA command lines. The user, however, can only view ACL command lines and cannot configure ACL command lines.

Figure 2-4 Networking for local authentication and authorization

Precautions

None

Configuration Roadmap

Configure local user authentication and authorization as follows:

  1. Configure the task group and add tasks of the corresponding module.

  2. Configure the user group, bind the corresponding task group, and bind the user group to a domain.

  3. Configure the user and specify the user group of the user.

  4. Configure the user authentication and authorization modes.

Data Preparation

To complete the configuration, you need the following data:

  • Task group name

  • User group name

  • Domain name

Procedure

  1. Configure the task group.

    # Create a task group.

    <HUAWEI> system-view
    [~HUAWEI] aaa
    [~HUAWEI-aaa] task-group admin

    # Add AAA read-write tasks and ACL read-only tasks to the task group.

    [*HUAWEI-aaa-task-group-admin] task aaa execute write read
    [*HUAWEI-aaa-task-group-admin] task acl read
    [*HUAWEI-aaa-task-group-admin] task config read write execute debug
    [*HUAWEI-aaa-task-group-admin] commit
    [~HUAWEI-aaa-task-group-admin] quit

  2. Create a user group and bind the task group to the user group, and then bind the user group to the domain.

    # Create a user group.

    [~HUAWEI-aaa] user-group admin

    # Bind the task group to the user group.

    [*HUAWEI-aaa-user-group-admin] task-group admin
    [*HUAWEI-aaa-user-group-admin] commit
    [~HUAWEI-aaa-user-group-admin] quit

  3. Configure the user authentication and authorization schemes.

    # Configure a local authentication scheme.

    [~HUAWEI-aaa] authentication-scheme localtype
    [*HUAWEI-aaa-authen-localtype] authentication-mode local
    [*HUAWEI-aaa-authen-localtype] commit
    [~HUAWEI-aaa-authen-localtype] quit

    # Configure a local authorization scheme.

    [~HUAWEI-aaa] authorization-scheme localtype
    [*HUAWEI-aaa-author-localtype] authorization-mode local
    [*HUAWEI-aaa-author-localtype] commit
    [~HUAWEI-aaa-author-localtype] quit

    # Reference the authentication and authorization schemes under the domain.

    [~HUAWEI-aaa] domain aaa
    [*HUAWEI-aaa-domain-aaa] authentication-scheme localtype
    [*HUAWEI-aaa-domain-aaa] authorization-scheme localtype
    [*HUAWEI-aaa-domain-aaa] commit
    [~HUAWEI-aaa-domain-aaa] quit

  4. Create a local user.

    [~HUAWEI-aaa] local-user admin@aaa password cipher Huawei-123
    [*HUAWEI-aaa] local-user admin@aaa user-group admin
    [*HUAWEI-aaa] commit
    [~HUAWEI-aaa] quit
    [~HUAWEI] telnet server enable
    [*HUAWEI] commit

  5. Verify the configuration.

    After the preceding configurations are complete, log in to the router through Telnet as admin@aaa. You can then execute AAA commands and view ACL commands, but you cannot configure ACL commands.

    [~HUAWEI] acl 3000
    Error: No permission to run the command.

Configuration Files

#
aaa
 local-user admin@aaa password cipher "@J*U2S*(7F,YWX*NZ55OA!!
 local-user admin@aaa user-group admin
 #
 authentication-scheme default
 #
 authentication-scheme localtype
 #
 authorization-scheme default
 #
 authorization-scheme localtype
 #
 accounting-scheme default
 #
 domain default
 #
 domain aaa
  authentication-scheme localtype
  authorization-scheme localtype
 #
 task-group admin
  task acl read  
  task aaa read write execute  
  task config read write execute debug
 #
 user-group admin
  task-group admin 
#
interface GigabitEthernet0/3/0
 undo shutdown
 ip address 10.137.217.251 255.255.254.0
#
ip route-static 0.0.0.0 0.0.0.0 10.137.216.1
#
user-interface vty 0 4
 authentication-mode aaa
return
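The authorization decision in step 5 follows the chain local-user -> user-group -> task-group -> task rights that the configuration file above records. The following Python script, added here as an illustration and not part of the Huawei documentation, parses that aaa block (a constructed copy with the password cipher text elided) and reports which rights a user effectively holds, so an auditor can confirm from an exported configuration that admin@aaa can read but not write acl before anyone logs in:

```python
# Constructed sample: this page's aaa block, with the password cipher text elided.
SAMPLE_CONFIG = """\
#
aaa
 local-user admin@aaa password cipher <elided>
 local-user admin@aaa user-group admin
 #
 task-group admin
  task acl read
  task aaa read write execute
  task config read write execute debug
 #
 user-group admin
  task-group admin
#
"""

def parse_aaa(config):
    """Map user -> user-group, user-group -> task-groups, task-group -> task rights."""
    users, ugroups, tgroups, current = {}, {}, {}, None
    body = config.split("\naaa\n", 1)[1]          # text after the top-level 'aaa' line
    for raw in body.splitlines():
        depth, words = len(raw) - len(raw.lstrip(" ")), raw.split()
        if depth == 0:                             # back at top level: block finished
            break
        if depth == 1:                             # direct children of 'aaa'
            current = None
            if words[0] == "local-user" and words[2:3] == ["user-group"]:
                users[words[1]] = words[3]
            elif words[0] == "user-group":
                current = ugroups.setdefault(words[1], set())
            elif words[0] == "task-group":
                current = tgroups.setdefault(words[1], {})
        elif depth == 2 and current is not None:
            if words[0] == "task-group":           # inside a user-group
                current.add(words[1])
            elif words[0] == "task":               # inside a task-group
                current[words[1]] = set(words[2:])
    return users, ugroups, tgroups

def effective_rights(config, user):
    """Rights the user holds on each task via user-group -> task-group(s)."""
    users, ugroups, tgroups = parse_aaa(config)
    rights = {}
    for tg in ugroups.get(users.get(user), ()):
        for task, perms in tgroups.get(tg, {}).items():
            rights.setdefault(task, set()).update(perms)
    return rights

def can(config, user, task, right):
    return right in effective_rights(config, user).get(task, set())
```

Running `can(SAMPLE_CONFIG, "admin@aaa", "acl", "write")` returns False, which is the same outcome the router enforces with "Error: No permission to run the command." in step 5.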
Updated: 2019-01-02

Document ID: EDOC1100055397