Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Configuring AAA Schemes

Context

To use local authentication and authorization, set the authentication mode in the authentication scheme to local authentication and the authorization mode in the authorization scheme to local authorization.

By default, the device performs local authentication and authorization for access users.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme authentication-scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      A default authentication scheme named default is available on the device. This authentication scheme can be modified but not deleted.

    4. Run authentication-mode local

      The authentication mode is set to local authentication.

      By default, local authentication is used.

    5. Run commit

      The configuration is committed.

  • Configure an authorization scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      An authorization scheme is created and the authorization scheme view is displayed, or the view of an existing authorization scheme is displayed.

      A default authorization scheme named default is available on the device. This authorization scheme can be modified but not deleted.

    4. Run authorization-mode local [ none ]

      The authorization mode is configured.

      By default, local authorization is used.

    5. Run quit

      The AAA view is displayed.

    6. (Optional) Run task-group task-group-name

      A task group is created and the task group view is displayed.

      By default, no task group is configured.

    7. Run one of the following commands to set task permissions.

      • Run the task task-name { read | write | execute | debug } * command to set permissions for a specific task.
      • Run the batch-task { read | write | execute | debug } * task-name-list { task-name &<1-20> } command to set permissions for tasks in batches.
      • Run the task-all { read | write | execute | debug } * command to set permissions for all tasks in batches.

    8. (Optional) Run include task-group task-group-name

      The rights of a specified task group are added to the current task group.

      By default, a task group does not include the rights of any other task group.

      If the current task group needs all the rights of another task group, or needs to inherit the rights of existing task groups, run the include task-group command to configure the inclusion relationship and add the rights of the specified task group to the current task group.

      The rights of the current task group depend on the rights of the included task group. When the rights of the included task group change, the rights of the current task group change accordingly.

    9. (Optional) Run rule command rule-name permit view view-name expression command-string

      A right rule that sets command-line execution rights is created in the current task group.

      By default, no command-line right rule is configured in a task group.

      This command gives finer-grained control than the task command. It can authorize or forbid a single command line or a batch of command lines that share the same prefix in the task group.

      In the same task group, the rule command command has a higher priority than the task command. When the right configuration of the rule command command conflicts with that of the task command, the right configuration of the rule command command takes effect.

    10. (Optional) Run quit

      The AAA view is displayed.

    11. (Optional) Run user-group user-group-name

      A user group is created and the user group view is displayed.

      By default, no user group is created.

    12. (Optional) Run task-group task-group-name

      The task group is bound to the user group.

      By default, no task group is bound to a user group.

    13. (Optional) Run include user-group user-group-name

      The rights of a specified user group are added to the current user group.

      By default, a user group does not include the rights of any other user group.

      If the current user group needs all the rights of another user group, or needs to inherit the rights of existing user groups, run the include user-group command to configure the inclusion relationship and add the rights of the specified user group to the current user group.

      The rights of the current user group depend on the rights of the included user group. When the rights of the included user group change, the rights of the current user group change accordingly.

    14. (Optional) Run rule command rule-name { permit | deny } view view-name expression command-string

      A right rule that sets command-line execution rights is configured in the current user group.

      By default, no command-line right rule is configured in a user group.

      When task authentication is performed, rights are matched in the following order of precedence: the right rules in the user group (the rule command (user group view) command, including both the rules configured in the group and the rules inherited using the include user-group command) > the right rules in the task group (the rule command (task group view) command) > the tasks in the task group (the task command).

      When the right configuration of the user group conflicts with the right rules inherited from other user groups using the include user-group command, the right configuration of the user group takes effect.

    15. Run commit

      The configuration is committed.
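
The matching order in step 14 can be checked against a planned set of groups before it is committed. The following model is an added example, not Huawei code. It assumes that expression matches as a command prefix, that the first matching rule in a tier wins, that included user groups contribute their bound task groups, that a command matching nothing is denied, and that the caller supplies the task and right a command needs.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:            # one "rule command" line; expression modelled as a prefix (assumption)
    action: str        # "permit" or "deny"; task-group rules are permit-only
    view: str
    prefix: str

@dataclass
class Group:           # a task group or a user group
    rules: list = field(default_factory=list)
    includes: list = field(default_factory=list)     # include task-group / include user-group
    tasks: dict = field(default_factory=dict)        # task group only: task-name -> rights
    task_groups: list = field(default_factory=list)  # user group only: bound task groups

def flatten(group, seen=None):
    # The group itself first, then everything it includes; identity check stops include loops.
    seen = [] if seen is None else seen
    if not any(group is g for g in seen):
        seen.append(group)
        for inc in group.includes:
            flatten(inc, seen)
    return seen

def first_match(rules, view, command):
    return next((r.action for r in rules
                 if r.view == view and command.startswith(r.prefix)), None)

def decide(user_group, view, command, task, right):
    # task/right: the task permission the command needs, supplied by the caller.
    groups = flatten(user_group)
    for g in groups:                                  # 1. user-group rules, own before inherited
        action = first_match(g.rules, view, command)
        if action:
            return action, "user-group rule"
    tgs = [t for g in groups for tg in g.task_groups for t in flatten(tg)]
    for tg in tgs:                                    # 2. task-group rules
        if first_match(tg.rules, view, command):
            return "permit", "task-group rule"
    if any(right in tg.tasks.get(task, ()) for tg in tgs):   # 3. task permissions
        return "permit", "task"
    return "deny", "no match"                         # assumption: unmatched means not authorized

# Constructed sample; group, task and view names are placeholders.
ops_tg = Group(tasks={"task-a": {"read"}}, rules=[Rule("permit", "view-x", "reset counters")])
base_ug = Group(rules=[Rule("permit", "view-x", "reboot")], task_groups=[ops_tg])
audit_ug = Group(rules=[Rule("deny", "view-x", "reboot")], includes=[base_ug])
```

With the sample groups, `decide(audit_ug, "view-x", "reboot", "task-a", "execute")` returns a deny from the user group's own rule even though the included group permits the same command.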

Updated: 2019-04-20

Document ID: EDOC1100074765