No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
HWTACACS

HWTACACS

Overview of HWTACACS

HWTACACS is a protocol that serves as an enhancement to TACACS+. Similar to RADIUS, HWTACACS uses the client/server model to implement communication between NAS and HWTACACS servers.

HWTACACS is used to perform authentication, authorization, and accounting for the users accessing the Internet through Point-to-Point Protocol (PPP) or Virtual Private Dial-up Network (VPDN) and the management users. For example, an HWTACACS server can be configured to perform authentication, authorization, and accounting for the management users logging in to the device. The device functions as the HWTACACS client by sending the user names and passwords to the HWTACACS server. Authorized users can then log in to the device and perform operations.

Both HWTACACS and RADIUS protocols can implement authentication, authorization, and accounting. They are similar in that they both have the following characteristics:
  • Client/Server model
  • Public key used for encrypting user information
  • Good flexibility and extensibility

HWTACACS is more reliable in transmission and encryption than RADIUS, and is more suitable for security control. Table 1-4 lists the differences between HWTACACS and RADIUS.

Table 1-4 Comparisons between HWTACACS and RADIUS

Item

HWTACACS

RADIUS

Data transmission

Uses TCP, which is more reliable.

Uses UDP, which is more efficient.

Encryption

Encrypts the entire packet, except for the standard HWTACACS header.

Encrypts only the password field in the packet.

Authentication and authorization

Separates authentication from authorization so that they can be implemented on different security servers.

Combines authentication and authorization.

Command line authorization

Supported. The command line use is restricted by both the command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server.

Not supported. The commands that a user can use depend on their user level. A user can only use the commands of the same level as or lower level than their user level.

Application

Security control.

Accounting.

HWTACACS Packets

Unlike RADIUS packets, which all use the same format, HWTACACS packets (including the HWTACACS Authentication Packet, HWTACACS Authorization Packet, and HWTACACS Accounting Packet) use different formats. Despite this, HWTACACS packets share the same HWTACACS Packet Header.

HWTACACS Packet Header

All HWTACACS packets have a 12-byte packet header, as shown in Figure 1-7.

Figure 1-7 HWTACACS packet header
Table 1-5 Fields in HWTACACS packet header
Field Description
major version Major version of the HWTACACS protocol. The current version is 0xc.
minor version Minor version of the HWTACACS protocol. The current version is 0x0.
type HWTACACS protocol packet type, including authentication (0x01), authorization (0x02), and accounting (0x03).
seq_no Packet sequence number in a session, ranging from 1 to 254.
flags Encryption flag on the packet body. This field contains 8 bits, of which only the first bit has a valid value. The value 0 indicates that the packet body is encrypted, and the value 1 indicates that the packet body is not encrypted.
session_id Session ID, which is the unique identifier of a session.
length Length of the HWTACACS packet body, excluding the packet header.
HWTACACS Authentication Packet Format
There are three types of HWTACACS authentication packets:
  • Authentication Start: When an authentication starts, the client sends this packet carrying the authentication type, user name, and authentication data to the server.
  • Authentication Response: When the server receives the Authentication Start or Authentication Continue packet from the client, the server sends this packet to the client to notify the client of the current authentication status.
  • Authentication Continue: When receiving the Authentication Response packet from the server, the client returns this packet if the authentication process is not ended.
The HWTACACS authentication packets have different formats.
  • Figure 1-8 shows the format of HWTACACS Authentication Start packets.

    Figure 1-8 HWTACACS Authentication Start packet format
    Table 1-6 Fields in HWTACACS Authentication Start packet
    Field Description
    action Authentication action.
    priv_lvl User privilege level.
    authen_type Authentication type, including:
    • CHAP(0x03)
    • PAP(0x02)
    • ASCII(0x01)
    service Type of the service requesting authentication, which varies depending on the user type:
    • PPP users: PPP(0x03)
    • Administrators: LOGIN(0x01)
    • Other users: NONE(0x00)
    user len Length of the user name entered by a login user.
    port len Length of the port field.
    rem_addr len rem_addr field length.
    data len Authentication data length.
    user Name of the user requesting authentication. The maximum length is 129.
    port

    Name of the user interface requesting authentication. The maximum length is 47.

    • For management users, this field indicates the user terminal interface, such as console0 and vty1. For example, the authen_type of Telnet users is ASCII, service is LOGIN, and port is vtyx.
    • For other users, this field indicates the user access interface.
    rem_addr IP address of the login user.
    data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is PAP plain-text password.
  • Figure 1-9 shows the format of HWTACACS Authentication Continue packets.

    Figure 1-9 HWTACACS Authentication Continue packet format
    Table 1-7 Fields in HWTACACS Authentication Continue packet
    Field Description
    user_msg len Length of the character string entered by a login user.
    data len Authentication data length.
    flags Authentication continue flag.
    • 0: Indicates that the authentication continues.
    • 1: Indicates that the authentication has ended.
    user_msg Character string entered by the login user. This field carries the user login password to respond to the server_msg field in the Authentication Response packet.
    data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is PAP cipher-text password.
  • Figure 1-10 shows the format of HWTACACS Authentication Response packets.

    Figure 1-10 HWTACACS Authentication Response packet format
    Table 1-8 Fields in HWTACACS Authentication Response packet
    Field Description
    status

    Authentication status, including:

    • PASS (0x01): Authentication is successful.
    • FAIL (0x02): Authentication fails.
    • GETDATA (0x03): Request user information.
    • GETUSER (0x04): Request user name.
    • GETPASS (0x05): Request password.
    • RESTART (0x06): Request reauthentication.
    • ERROR (0x07): The authentication packets received by the server have errors.
    • FOLLOW (0x21): The server requests reauthentication.
    flags Indicates whether the client displays the password entered by user in plain text. The value 1 indicates that the password is not displayed in plain text.
    server_msg len Length of the server_msg field.
    data len Authentication data length.
    server_msg Optional field. This field is sent by the server to the user to provide additional information.
    data Authentication data, providing information to client.
HWTACACS Authorization Packet Format
There are two types of HWTACACS authorization packets:
  • Authorization Request: HWTACACS separates authentication from authorization. Therefore, a user can be authenticated by HWTACACS, and authorized using another protocol. If a user is authenticated by HWTACACS, the client sends an Authorization Request packet carrying authorization information to the server.
  • Authorization Response: After receiving the Authorization Request packet, the server sends this packet carrying the authorization result to the client.
The HWTACACS authorization packets have different formats.
  • Figure 1-11 shows the format of HWTACACS Authorization Request packets.

    Figure 1-11 HWTACACS Authorization Request packet format
    NOTE:

    The meanings of the following fields in the Authorization Request packet are the same as those in the Authentication Start packet, and are therefore not described here: priv_lvl, authen_type, authen_service, user len, port len, rem_addr len, port, and rem_addr.

    Table 1-9 Fields in HWTACACS Authorization Request packet
    Field Description
    authen_method

    Authentication method, including

    • No authentication method configured (0x00)
    • None authentication (0x01)
    • Local authentication (0x05)
    • HWTACACS authentication (0x06)
    • RADIUS authentication (0x10)
    authen_service Type of the service requesting authentication, which varies depending on the user type:
    • PPP users: PPP(0x03)
    • Administrators: LOGIN(0x01)
    • Other users: NONE(0x00)
    arg_cnt Number of attributes carried in Authorization Request packet.
    argN Attribute of the Authorization Request packet.
  • Figure 1-12 shows the format of HWTACACS Authentication Response packets.

    Figure 1-12 HWTACACS Authorization Response packet format
    NOTE:

    The meanings of the following fields are the same as those in HWTACACS Authentication Response packet, and are therefore not described here: server_msg len, data len, and server_msg.

    Table 1-10 Fields in HWTACACS Authorization Response packet
    Field Description
    status

    Authorization status, including:

    • Authorization is successful (0x01)
    • The attributes in Authorization Request packets are modified by the TACACS server (0x02)
    • Authorization fails (0x10)
    • An error occurs on the authorization server (0x11)
    • An authorization server is respecified (0x21)
    arg_cnt

    Number of attributes carried in Authorization Response packet.

    argN Authorization attribute delivered by the HWTACACS authorization server.
HWTACACS Accounting Packet Format
There are two types of HWTACACS accounting packets:
The HWTACACS accounting packets have different formats.
  • Figure 1-13 shows the format of HWTACACS Accounting Request packets.

    Figure 1-13 HWTACACS Accounting Request packet format
    NOTE:

    The meanings of the following fields in the Accounting Request packet are the same as those in the Authorization Request packet, and are therefore not described here: authen_method, priv_lvl, authen_type, user len, port len, rem_addr len, port, and rem_addr.

    Table 1-11 Fields in HWTACACS Accounting Request packet
    Field Description
    flags Accounting type:
    • Start accounting (0x02)
    • Stop accounting (0x04)
    • Interim accounting (0x08)
    authen_service Type of the service requesting authentication, which varies depending on the user type:
    • PPP users: PPP(0x03)
    • Administrators: LOGIN(0x01)
    • Other users: NONE(0x00)
    arg_cnt Number of attributes carried in Accounting Request packet.
    argN Attribute of the Accounting Request packet.
  • Figure 1-14 shows the format of HWTACACS Accounting Response packets.

    Figure 1-14 HWTACACS Accounting Response packet format
    Table 1-12 Fields in HWTACACS Accounting Request packet
    Field Description
    server_msg len Length of the server_msg field.
    data len Length of the data field.
    status Accounting status:
    • Accounting is successful (0x01)
    • Accounting fails (0x02)
    server_msg Information sent by the accounting server to the client.
    data Information sent by the accounting server to the administrator.

HWTACACS Interaction Process

This section describes how HWTACACS performs authentication, authorization, and accounting for Telnet users. Figure 1-15 shows the message exchange process.
Figure 1-15 HWTACACS message interaction
The following describes the HWTACACS message exchange process shown in Figure 1-15:
  1. A Telnet user sends a request packet.
  2. After receiving the request packet, the HWTACACS client sends an Authentication Start packet to the HWTACACS server.
  3. The HWTACACS server sends an Authentication Response packet to request the user name.
  4. After receiving the Authentication Response packet, the HWTACACS client sends a packet to query the user name.
  5. The user enters the user name.
  6. The HWTACACS client sends an Authentication Continue packet containing the user name to the HWTACACS server.
  7. The HWTACACS server sends an Authentication Response packet to request the password.
  8. After receiving the Authentication Response packet, the HWTACACS client queries the password.
  9. The user enters the password.
  10. The HWTACACS client sends an Authentication Continue packet containing the password to the HWTACACS server.
  11. The HWTACACS server sends an Authentication Response packet, indicating that the user has been authenticated.
  12. The HWTACACS client sends an Authorization Request packet to the HWTACACS server.
  13. The HWTACACS server sends an Authorization Response packet, indicating that the user has been authorized.
  14. The HWTACACS client receives the Authorization Response packet and displays the login page.
  15. The HWTACACS client sends an Accounting Request (start) packet to the HWTACACS server.
  16. The HWTACACS server sends an Accounting Response packet.
  17. The user requests to go offline.
  18. The HWTACACS client sends an Accounting Request (stop) packet to the HWTACACS server.
  19. The HWTACACS server sends an Accounting Response packet.
NOTE:

HWTACACS and TACACS+ protocols of other vendors can implement authentication, authorization, and accounting. HWTACACS is compatible with other TACACS+ protocols because their authentication procedures and implementations are the same.

Translation
Download
Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 18894

Downloads: 64

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next