Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Configuring an HWTACACS Server Template

Context

In an HWTACACS server template, you must specify the IP address, port number, and shared key of the HWTACACS server. Other settings, such as the HWTACACS user name format and traffic unit, have default values and can be changed based on network requirements.

The HWTACACS server template settings such as the HWTACACS user name format and shared key must be the same as those on the HWTACACS server.

The device supports the following methods of configuring HWTACACS servers:
  • If one server provides authentication, authorization, and accounting, configure only one HWTACACS server.
  • If different servers provide authentication, authorization, and accounting, configure the HWTACACS authentication, authorization, and accounting servers separately.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run hwtacacs enable

    The HWTACACS function is enabled.

    By default, the HWTACACS function is disabled.

  3. Run hwtacacs server template template-name

    An HWTACACS server template is created and the HWTACACS server template view is displayed.

  4. Run hwtacacs server shared-key { cipher cipher-string | key-string }

    The HWTACACS shared key is configured.

    By default, no HWTACACS shared key is configured.

  5. You can use either of the following methods to configure the primary and secondary HWTACACS servers.

    NOTE:

    The priority of an HWTACACS common server is higher than that of an HWTACACS authentication, accounting, or authorization server. If you configure a common server as the primary server, configurations of other servers (authentication, accounting, and authorization servers) cannot take effect.

    • Configure HWTACACS common servers.

      • Run any of the following commands to configure the primary HWTACACS common server.
        • hwtacacs server ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] *

        • hwtacacs server ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] *

        • hwtacacs server host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] *

        By default, no primary HWTACACS common server is configured.

      • (Optional) Run any of the following commands to configure the secondary HWTACACS common server.
        • hwtacacs server ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

        • hwtacacs server ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * secondary

        • hwtacacs server host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * secondary

        By default, no secondary HWTACACS common server is configured.

    • Configure HWTACACS authentication, authorization, and accounting servers.

      1. Run any of the following commands to configure the primary HWTACACS authentication server.
        • hwtacacs server authentication ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] *

        • hwtacacs server authentication ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] *

        • hwtacacs server authentication host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] *

        By default, no primary HWTACACS authentication server is configured.

      2. (Optional) Run any of the following commands to configure the secondary HWTACACS authentication server.
        • hwtacacs server authentication ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

        • hwtacacs server authentication ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * secondary

        • hwtacacs server authentication host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * secondary

        By default, no secondary HWTACACS authentication server is configured.

      3. Run any of the following commands to configure the primary HWTACACS authorization server.
        • hwtacacs server authorization ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] *

        • hwtacacs server authorization ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] *

        • hwtacacs server authorization host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] *

        By default, no primary HWTACACS authorization server is configured.

      4. (Optional) Run any of the following commands to configure the secondary HWTACACS authorization server.
        • hwtacacs server authorization ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

        • hwtacacs server authorization ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * secondary

        • hwtacacs server authorization host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * secondary

        By default, no secondary HWTACACS authorization server is configured.

      5. Run any of the following commands to configure the primary HWTACACS accounting server.
        • hwtacacs server accounting ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] *

        • hwtacacs server accounting ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] *

        • hwtacacs server accounting host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] *

        By default, no primary HWTACACS accounting server is configured.

      6. (Optional) Run any of the following commands to configure the secondary HWTACACS accounting server.
        • hwtacacs server accounting ip-address [ port ] [ { vpn-instance vpn-instance-name | public-net } | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

        • hwtacacs server accounting ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * secondary

        • hwtacacs server accounting host host-name [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * secondary

        By default, no secondary HWTACACS accounting server is configured.

  6. (Optional) Run hwtacacs server user-name domain-excluded

    The device is configured not to encapsulate the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

    By default, the device encapsulates the domain name in the user name when sending HWTACACS packets to an HWTACACS server.

  7. (Optional) Run hwtacacs server source-ip ip-address

    The source IP address in HWTACACS packets is set.

    By default, the source IP address in HWTACACS packets is not set. The device uses the IP address of the actual outbound interface as the source IP address in HWTACACS packets.

    After you specify the source IP address in HWTACACS packets on the device, the device uses this IP address to communicate with the HWTACACS server. The HWTACACS server also uses the specified IP address to communicate with the device.

  8. (Optional) Run hwtacacs server timer response-timeout interval

    The response timeout interval for the HWTACACS server is set.

    The default response timeout interval for an HWTACACS server is 5 seconds.

    If the device does not receive a response packet from the HWTACACS server within the timeout interval, it considers that the HWTACACS server is unreachable and then tries other authentication and authorization methods.

  9. (Optional) Run hwtacacs server timer quiet interval

    The interval for the primary HWTACACS server to restore to the active state is set.

    The default interval for the primary HWTACACS server to restore to the active state is 5 minutes.

  10. Run commit

    The configuration is committed.

  11. Run return

    The user view is displayed.

  12. (Optional) Run hwtacacs-user change-password hwtacacs server template-name

    The password saved on the HWTACACS server is changed.

    NOTE:

    To ensure device security, you are advised to frequently change the password.
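As an added illustration that is not part of Huawei's documentation: a small Python helper that renders the procedure above as an ordered command list and flags two pitfalls the page names, a missing shared key (none exists by default) and a common server configured alongside separate authentication, authorization, or accounting servers, which the NOTE in step 5 says cannot then take effect. The template name, key, and addresses are constructed sample values, and the key is emitted in the cipher form of step 4.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class TacacsServer:
    address: str             # IPv4 address, IPv6 address, or host name
    role: str = "common"     # common | authentication | authorization | accounting
    secondary: bool = False  # False = primary server, True = secondary server
    host: bool = False       # True when address is a host name (the "host" form)
@dataclass
class HwtacacsTemplate:
    name: str
    shared_key: str          # must match the key configured on the HWTACACS server
    servers: List[TacacsServer] = field(default_factory=list)
    domain_excluded: bool = False
    source_ip: Optional[str] = None
    response_timeout: int = 5   # seconds; the page's default
    quiet_interval: int = 5     # minutes; the page's default

def check(t: HwtacacsTemplate) -> List[str]:
    """Warnings for the pitfalls named in this page's Context and NOTE."""
    warnings = []
    if not t.shared_key:
        warnings.append("no shared key configured (none exists by default)")
    roles = {s.role for s in t.servers}
    if "common" in roles and roles != {"common"}:
        warnings.append("common server outranks separate AAA servers; they will not take effect")
    return warnings

def server_cmd(s: TacacsServer) -> str:
    """One 'hwtacacs server ...' line in the syntax shown in step 5."""
    parts = ["hwtacacs server"] + ([] if s.role == "common" else [s.role])
    parts.append(f"host {s.address}" if s.host else s.address)
    if s.secondary: parts.append("secondary")
    return " ".join(parts)

def render(t: HwtacacsTemplate) -> List[str]:
    """Emit the commands in the order of the page's procedure (steps 1 to 11)."""
    lines = ["system-view", "hwtacacs enable", f"hwtacacs server template {t.name}",
             f"hwtacacs server shared-key cipher {t.shared_key}"]
    lines += [server_cmd(s) for s in t.servers]
    if t.domain_excluded: lines.append("hwtacacs server user-name domain-excluded")
    if t.source_ip: lines.append(f"hwtacacs server source-ip {t.source_ip}")
    if t.response_timeout != 5: lines.append(f"hwtacacs server timer response-timeout {t.response_timeout}")
    if t.quiet_interval != 5: lines.append(f"hwtacacs server timer quiet {t.quiet_interval}")
    return lines + ["commit", "return"]

# Constructed sample: primary and secondary common servers, a shorter response timeout.
EXAMPLE = HwtacacsTemplate("tpl_lab", "Example@Key1", [TacacsServer("192.0.2.10"),
          TacacsServer("192.0.2.11", secondary=True)], source_ip="192.0.2.1", response_timeout=3)
```

Run `check()` before `render()`: an empty warning list means the template follows the rules stated on this page, and the rendered lines can then be pasted into the system view in order.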

Updated: 2019-04-20

Document ID: EDOC1100074765
