ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Deploying the TACACS for Command-Line Authorization

ME devices have a large number of command lines because their configuration models and services are complex. To simplify management and maintenance, an ME device manages authorities based on roles (command levels) rather than on individual identities. Therefore, when an administrator is authorized at a level, all command lines of that level become available to the administrator.

In actual network operation and maintenance, an administrator usually does not need every command line of the corresponding level. The Terminal Access Controller Access-Control System (TACACS) is deployed to restrict the set of command lines that the administrator can run.

To complete the configuration, configure TACACS command-line authorization on the ME device and authorize the permitted command lines on the TACACS server.

Example for Configuring Command-Line Authorization for Users Based on the HWTACACS Protocol

Networking Requirements

In Figure 7-1, the user accesses the network through the device. The user is in the huawei domain and belongs to level 3, but the user does not need to execute all level 3 commands. The HWTACACS protocol is used to authorize the user based on command lines, which simplifies management and improves device security.

The IP address of the HWTACACS server is 192.168.66.66/24; the authentication port number is 49 and the authorization port number is 49.

Figure 7-1 Command-line authorization based on the TACACS

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an HWTACACS server template.
  2. Configure an authentication scheme and an authorization scheme to authorize the user based on command lines.
  3. Apply the HWTACACS server template, authentication scheme, and authorization scheme.

Data Preparation

To complete the configuration, you need the following data:

  • IP address of the primary (secondary) HWTACACS authentication server
  • IP address of the primary (secondary) HWTACACS authorization server

Procedure
  1. Configure an HWTACACS server template.

    # Configure the HWTACACS server template ht.

    <HUAWEI> system-view
    [~HUAWEI] hwtacacs-server template ht
    [*HUAWEI-hwtacacs-ht] commit


    # Configure the IP addresses and ports of the HWTACACS authentication server and HWTACACS authorization server.

    [~HUAWEI-hwtacacs-ht] hwtacacs-server authentication 192.168.66.66 49
    [*HUAWEI-hwtacacs-ht] hwtacacs-server authorization 192.168.66.66 49
    

    # Configure the key of the HWTACACS server.

    [*HUAWEI-hwtacacs-ht] hwtacacs-server shared-key cipher it-is-my-secret
    [*HUAWEI-hwtacacs-ht] commit
    [~HUAWEI-hwtacacs-ht] quit
    
  2. Configure an authentication scheme and an authorization scheme to authorize the user based on command lines.

    # Enter the AAA view.

    [~HUAWEI] aaa

    # Configure the authentication scheme to be l-h and the authentication mode to be HWTACACS.

    [~HUAWEI-aaa] authentication-scheme l-h
    [*HUAWEI-aaa-authen-l-h] authentication-mode hwtacacs
    [*HUAWEI-aaa-authen-l-h] commit
    [~HUAWEI-aaa-authen-l-h] quit
    

    # Configure the authorization scheme to be hwtacacs and the authorization mode to be HWTACACS so that the level 3 user is authorized based on command lines.

    [~HUAWEI-aaa] authorization-scheme hwtacacs
    [*HUAWEI-aaa-author-hwtacacs] authorization-mode hwtacacs
    [*HUAWEI-aaa-author-hwtacacs] authorization-cmd 3 hwtacacs
    [*HUAWEI-aaa-author-hwtacacs] commit
    [~HUAWEI-aaa-author-hwtacacs] quit
    
  3. Configure the huawei domain. Use the l-h authentication scheme, HWTACACS authorization scheme, and ht HWTACACS template in the domain.
    [~HUAWEI-aaa] domain huawei
    [*HUAWEI-aaa-domain-huawei] authentication-scheme l-h
    [*HUAWEI-aaa-domain-huawei] authorization-scheme hwtacacs
    [*HUAWEI-aaa-domain-huawei] hwtacacs-server ht
    [*HUAWEI-aaa-domain-huawei] commit
    [~HUAWEI-aaa-domain-huawei] quit
    [~HUAWEI-aaa] quit
    
  4. Verify the configuration.

    On the device, run the following command:

    display authorization-scheme hwtacacs

    The output shows that level 3 users are authorized based on command lines by HWTACACS. All other levels, and the user group, still use local authorization, so the HWTACACS restriction applies only to level 3 users.

    <HUAWEI> display authorization-scheme hwtacacs
    ---------------------------------------------------------------------------
    Authorization-scheme-name    : hwtacacs
    Authorization-method         : HWTACACS authorization
    Authorization-cmd usergroup  : Local
    Authorization-cmd level 0    : Local
    Authorization-cmd level 1    : Local
    Authorization-cmd level 2    : Local
    Authorization-cmd level 3    : HWTACACS
    Authorization-cmd level 4    : Local
    Authorization-cmd level 5    : Local
    Authorization-cmd level 6    : Local
    Authorization-cmd level 7    : Local
    Authorization-cmd level 8    : Local
    Authorization-cmd level 9    : Local
    Authorization-cmd level 10   : Local
    Authorization-cmd level 11   : Local
    Authorization-cmd level 12   : Local
    Authorization-cmd level 13   : Local
    Authorization-cmd level 14   : Local
    Authorization-cmd level 15   : Local
Configuration Files
#
sysname HUAWEI
#
hwtacacs-server template ht
 hwtacacs-server authentication 192.168.66.66
 hwtacacs-server authorization 192.168.66.66
 hwtacacs-server shared-key cipher %^%#XMNsMz!>uA.icY~2{Y\VkFp27X<QS/dQ<lI.mvDI%^%#
#
aaa
 local-user client001 password irreversible-cipher $1a$![l=a#\%@V=uB8E9kwCz1<Wo~K!IJf/,7p`&^Sh7<SK>oK.c8p4Ah<d<_'4y$
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
 authentication-scheme default0
 authentication-scheme default1
 authentication-scheme default
 authentication-mode local radius
 authentication-scheme l-h
  authentication-mode hwtacacs
 #
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs
 #
 accounting-scheme default0
 accounting-scheme default1
 accounting-scheme default
 #
 domain default
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
return
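The following Python check is an added example and is not part of the Huawei guide: it parses a configuration file in the format shown above and confirms that the huawei domain is bound to an HWTACACS template with an authorization server and that level 3 command lines are authorized by HWTACACS rather than locally. The embedded sample is constructed from the page's configuration excerpt, with the cipher text replaced by a placeholder.

```python
# Constructed sample: the page's configuration excerpt, reduced to the lines the check inspects.
SAMPLE_CONFIG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 192.168.66.66
 hwtacacs-server authorization 192.168.66.66
 hwtacacs-server shared-key cipher <CIPHER-TEXT-PLACEHOLDER>
#
aaa
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs
 domain huawei
  authorization-scheme hwtacacs
  hwtacacs-server ht
"""

def parse_blocks(text):
    """Map each line's path (e.g. "aaa/domain huawei") to its child lines, by indentation."""
    blocks, stack = {}, []                       # stack holds (indent, path)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):  # view separators carry no data
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:  # leave views at equal/deeper indent
            stack.pop()
        path = f"{stack[-1][1]}/{line}" if stack else line
        if stack:
            blocks[stack[-1][1]].append(line)
        blocks[path] = []
        stack.append((indent, path))
    return blocks

def audit(text, domain="huawei", level=3):
    """Return findings; an empty list means the level's commands are authorized by HWTACACS."""
    b = parse_blocks(text)
    dom = b.get(f"aaa/domain {domain}")
    if dom is None:
        return [f"domain {domain} is not configured"]
    kv = dict(ln.rsplit(" ", 1) for ln in dom if " " in ln)  # keyword -> bound name
    findings = []
    tmpl = b.get(f"hwtacacs-server template {kv.get('hwtacacs-server')}") or []
    if not any(ln.startswith("hwtacacs-server authorization ") for ln in tmpl):
        findings.append("domain is not bound to a template with an authorization server")
    authz = b.get(f"aaa/authorization-scheme {kv.get('authorization-scheme')}", [])
    if f"authorization-cmd {level} hwtacacs" not in authz:
        findings.append(f"level {level} commands are not authorized by HWTACACS")
    return findings
```

Running audit() with level=4 against the sample reports a finding, matching the display output above where only level 3 is HWTACACS.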
Updated: 2019-01-04

Document ID: EDOC1100059445