Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements

For the network shown in Figure 1-20, the customer requirements are as follows:

  • The HWTACACS server will authenticate access users for Switch. If HWTACACS authentication fails, local authentication is used.
  • The HWTACACS server will authorize access users for Switch. If HWTACACS authorization fails, local authorization is used.
  • HWTACACS accounting is used by Switch for access users.
  • The IP addresses of primary and secondary HWTACACS servers are 10.7.66.66/24 and 10.7.66.67/24, respectively. The port number for authentication, accounting, and authorization is 49.
  • The command execution records can be viewed on the server.
Figure 1-20 Networking diagram of HWTACACS authentication, accounting, and authorization

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an HWTACACS server template.
  2. Configure authentication, authorization, and accounting schemes.
  3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and accounting scheme to a domain.
  4. Configure a recording scheme.

Procedure

  1. Enable HWTACACS.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] hwtacacs enable
    [*Switch] commit

  2. Configure an HWTACACS server template.

    # Create an HWTACACS server template named ht.

    [~Switch] hwtacacs server template ht

    # Set the IP addresses and port numbers for the primary HWTACACS authentication, authorization, and accounting servers.

    [*Switch-hwtacacs-ht] hwtacacs server authentication 10.7.66.66 49
    [*Switch-hwtacacs-ht] hwtacacs server authorization 10.7.66.66 49
    [*Switch-hwtacacs-ht] hwtacacs server accounting 10.7.66.66 49

    # Set the IP addresses and port numbers for the secondary HWTACACS authentication, authorization, and accounting servers.

    [*Switch-hwtacacs-ht] hwtacacs server authentication 10.7.66.67 49 secondary
    [*Switch-hwtacacs-ht] hwtacacs server authorization 10.7.66.67 49 secondary
    [*Switch-hwtacacs-ht] hwtacacs server accounting 10.7.66.67 49 secondary

    # Set the shared key for the HWTACACS server.

    NOTE:

    Ensure that the shared key in the HWTACACS server template is the same as that set on the HWTACACS server.

    [*Switch-hwtacacs-ht] hwtacacs server shared-key cipher Huawei@2012
    [*Switch-hwtacacs-ht] commit
    [~Switch-hwtacacs-ht] quit

  3. Configure authentication, authorization, and accounting schemes.

    # Create an authentication scheme named l-h. Configure the authentication scheme to use HWTACACS authentication as the active authentication mode and local authentication as the backup.

    [~Switch] aaa
    [~Switch-aaa] authentication-scheme l-h
    [*Switch-aaa-authen-l-h] authentication-mode hwtacacs local
    [*Switch-aaa-authen-l-h] commit
    [~Switch-aaa-authen-l-h] quit

    # Create an authorization scheme named hwtacacs. Configure the authorization scheme to use HWTACACS authorization as the active authorization mode and local authorization as the backup.

    [~Switch-aaa] authorization-scheme hwtacacs
    [*Switch-aaa-author-hwtacacs] authorization-mode hwtacacs local
    [*Switch-aaa-author-hwtacacs] commit
    [~Switch-aaa-author-hwtacacs] quit

    # Create an accounting scheme named hwtacacs, and configure the accounting scheme to use the HWTACACS accounting mode.

    [~Switch-aaa] accounting-scheme hwtacacs
    [*Switch-aaa-accounting-hwtacacs] accounting-mode hwtacacs
    [*Switch-aaa-accounting-hwtacacs] commit
    [~Switch-aaa-accounting-hwtacacs] quit

  4. Create a domain named huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.

    [~Switch-aaa] domain huawei
    [*Switch-aaa-domain-huawei] authentication-scheme l-h
    [*Switch-aaa-domain-huawei] authorization-scheme hwtacacs
    [*Switch-aaa-domain-huawei] accounting-scheme hwtacacs
    [*Switch-aaa-domain-huawei] hwtacacs server ht
    [*Switch-aaa-domain-huawei] commit
    [~Switch-aaa-domain-huawei] quit

  5. Create a recording scheme to configure the device to send records, such as executed commands, connection information, and system events, to the HWTACACS accounting server.

    [~Switch-aaa] recording-scheme newscheme
    [*Switch-aaa-recording-newscheme] recording-mode hwtacacs ht
    [*Switch-aaa-recording-newscheme] quit
    [*Switch-aaa] cmd recording-scheme newscheme
    [*Switch-aaa] system recording-scheme newscheme
    [*Switch-aaa] outbound recording-scheme newscheme
    [*Switch-aaa] commit
    [~Switch-aaa] quit
    [~Switch] quit

  6. Verify the configuration.

    # Run the display hwtacacs server template command on Switch to verify the HWTACACS server template configuration.

    <Switch> display hwtacacs server template ht
    --------------------------------------------------------------------------------
    Template name                          : ht
    Template ID                            : 0
    Primary authentication server          : 10.7.66.66-49:-
    Primary authorization server           : 10.7.66.66-49:-
    Primary accounting server              : 10.7.66.66-49:-
    Primary common server                  : 0.0.0.0-0:-
    Current authentication server          : 10.7.66.66-49:-
    Current authorization server           : 10.7.66.66-49:-
    Current accounting server              : 10.7.66.66-49:-
    Source IP address                      : 0.0.0.0
    Shared key                             : ****************
    Quiet interval (min)                   : 5
    Response timeout interval (sec)        : 5
    Domain included                        : Yes
    Secondary authentication server count  : 1
    Secondary authorization server count   : 1
    Secondary accounting server count      : 1
    Secondary common server count          : 0
    --------------------------------------------------------------------------------

    # Run the display aaa domain command on Switch to verify the domain configuration.

    <Switch> display aaa domain huawei
    ---------------------------------------------------------------
    Domain-name                 : huawei
    Domain-state                : Active
    Authentication-scheme-name  : l-h
    Authorization-scheme-name   : hwtacacs
    Accounting-scheme-name      : hwtacacs
    User-access-limit           : No
    Online-number               : 0
    AdminUser-priority          : -
    HWTACACS-server-template    : ht
    RADIUS-server-group         : -
    ---------------------------------------------------------------

Configuration Files

Switch configuration file

#
sysname Switch
#
hwtacacs server template ht
 hwtacacs server authentication 10.7.66.66
 hwtacacs server authentication 10.7.66.67 secondary
 hwtacacs server authorization 10.7.66.66
 hwtacacs server authorization 10.7.66.67 secondary
 hwtacacs server accounting 10.7.66.66
 hwtacacs server accounting 10.7.66.67 secondary
 hwtacacs server shared-key cipher %^%#=09BH"8vs%P!g{",bR<<@Ja}7Bs]iTZPYP7\q[<:%^%#
#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 #
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 #
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 #
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs server ht
 #
 recording-scheme newscheme
  recording-mode hwtacacs ht
 #
 system recording-scheme newscheme
 #
 outbound recording-scheme newscheme
 #
 cmd recording-scheme newscheme
#
return
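The following Python script is an added example, not part of the Huawei documentation: it parses the aaa view of a saved configuration file like the one above (a constructed excerpt is embedded) and reports, for one domain, whether each referenced scheme tries HWTACACS first and, for authentication and authorization, falls back to local as this example requires. The function names and the finding strings are the example's own.

```python
import re

# Constructed sample based on the aaa view of this example's Switch configuration file.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs server ht
#
"""
KINDS = ("authentication", "authorization", "accounting")

def parse_aaa(config):
    """Return ({(kind, scheme name): [mode, ...]}, {domain: {kind: scheme name}})."""
    schemes, domains, current, domain = {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"(\w+)-(scheme|mode) (.+)", line)
        if line == "#":                                  # end of a view block
            current = domain = None
        elif line.startswith("domain "):
            domain = line.split()[1]
            domains[domain] = {}
        elif m and m.group(1) in KINDS and m.group(2) == "scheme":
            if domain:                                   # reference from a domain
                domains[domain][m.group(1)] = m.group(3)
            else:                                        # scheme definition
                current = (m.group(1), m.group(3))
        elif m and current and m.group(2) == "mode" and m.group(1) == current[0]:
            schemes[current] = m.group(3).split()
    return schemes, domains

def audit_domain(config, name):
    """Findings for one domain; empty means HWTACACS is tried first with local fallback."""
    schemes, domains = parse_aaa(config)
    findings = []
    for kind in KINDS:
        modes = schemes.get((kind, domains.get(name, {}).get(kind)), [])
        if modes[:1] != ["hwtacacs"]:
            findings.append(f"{kind}: HWTACACS is not the first mode ({modes or 'no scheme'})")
        elif kind != "accounting" and modes[1:2] != ["local"]:
            findings.append(f"{kind}: no local fallback after HWTACACS")
    return findings
```

Run it against the output of display current-configuration saved to a file to confirm that a domain still matches the intended scheme order after later changes.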
Updated: 2019-04-20

Document ID: EDOC1100074765
