
Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Configuring AAA Schemes

Context

To use HWTACACS authentication, authorization, and accounting, set the authentication mode in the authentication scheme, authorization mode in the authorization scheme, and accounting mode in the accounting scheme to HWTACACS.

When configuring HWTACACS authentication, you can specify local authentication or non-authentication as the backup. The backup is used only when the HWTACACS server does not respond; if the server rejects the user, authentication ends with a failure and no backup is tried. When configuring HWTACACS authorization, you can specify local authorization or non-authorization as the backup; the backup authorization mode is tried after HWTACACS authorization fails.

NOTE:

By default, the authentication, authorization, and accounting schemes named default are applied to both the default and default_admin domains. If the default schemes are modified, user authentication, authorization, or accounting may fail in a domain. Modify the default schemes with caution.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme authentication-scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      A default authentication scheme named default is available on the device. This authentication scheme can be modified but not deleted.

    4. Run authentication-mode hwtacacs

      The HWTACACS authentication mode is specified.

      By default, local authentication is used.

      To use local authentication as the backup, run the authentication-mode hwtacacs local command.

      NOTE:

If multiple authentication modes are configured in an authentication scheme, they are prioritized in the order in which they were configured. The device uses the authentication mode that was configured later only when it receives no response from the current authentication mode. If the current authentication mode returns a failure (for example, the HWTACACS server rejects the credentials), the device stops authentication and does not fall back to the next mode.

    5. Run commit

      The configuration is committed.

  • Configure an authorization scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      An authorization scheme is created and the authorization scheme view is displayed, or the view of an existing authorization scheme is displayed.

      A default authorization scheme named default is available on the device. This authorization scheme can be modified but not deleted.

    4. Run authorization-mode { hwtacacs | if-authenticated | local } * [ none ]

      The authorization mode is specified.

      By default, local authorization is used.

      If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

      NOTE:

      If multiple authorization modes are configured in an authorization scheme, authorization modes are prioritized in the order in which they were configured. The device uses the authorization mode that was configured later only after the current authorization fails.

    5. (Optional) Run authorization-cmd [ privilege-level ] { local | hwtacacs } *

Command line authorization is enabled for users at the specified level.

      By default, command line authorization is disabled for all user levels.

      If HWTACACS command line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    6. Run quit

      The AAA view is displayed.

    7. (Optional) Run task-group task-group-name

      A task group is created and the task group view is displayed.

      By default, no task group is created.

    8. (Optional) Run task task-name { debug | execute | read | write } *

      A task is added to the task group.

      By default, no task is added to a task group.

    9. (Optional) Run include task-group task-group-name

      The rights of a specified task group are added to the current task group.

      By default, the right inclusion relationship with other task groups is not added to a task group.

Run the include task-group command when the current task group must contain all rights of another task group, that is, when it should inherit the rights of an existing task group. The inclusion relationship adds the rights of the specified task group to the current task group.

      The rights of the current task group depend on the rights of the included task group. When the rights of the included task group are changed, the rights of the current task group are changed accordingly.

    10. (Optional) Run rule command rule-name permit view view-name expression command-string

      A right rule in the current task group for configuring command-line execution rights is created.

      By default, no command-line right rule is configured in a task group.

This command provides finer-grained control than the task command: it can authorize or forbid a single command line, or a batch of command lines that share the same prefix, within the task group.

      Within a task group, a rule configured with the rule command command takes precedence over a task configured with the task command. When the two conflict, the right configured by the rule command command takes effect.

    11. (Optional) Run quit

      The AAA view is displayed.

    12. (Optional) Run user-group user-group-name

      A user group is created and the user group view is displayed.

      By default, no user group is created.

    13. (Optional) Run task-group task-group-name

      A task group is added to the list of task groups that are bound to the user group.

      By default, no task group is bound to a user group.

    14. (Optional) Run include user-group user-group-name

      The rights of a specified user group are added to the current user group.

      By default, the right inclusion relationship with other user groups is not added to a user group.

Run the include user-group command when the current user group must contain all rights of another user group, that is, when it should inherit the rights of an existing user group. The inclusion relationship adds the rights of the specified user group to the current user group.

      The rights of the current user group depend on the right of the included user group. When the rights of the included user group are changed, the rights of the current user group are changed accordingly.

    15. (Optional) Run rule command rule-name { permit | deny } view view-name expression command-string

      A right rule is configured in the current user group for configuring command-line execution rights.

      By default, no command-line right rule is configured in a user group.

When a user's command-line rights are checked, rules are matched in the following order: first the right rules in the user group (the rule command command in the user group view, including rules inherited through the include user-group command), then the right rules in the task group (the rule command command in the task group view), and finally the tasks in the task group (the task command). The first match decides the result.

      If a right rule configured directly in the user group conflicts with a rule inherited from another user group through the include user-group command, the rule configured directly in the user group takes effect.

    16. Run commit

      The configuration is committed.
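The following session is an added example, not taken from this guide, showing the optional task group and user group steps above and the matching order they produce: a task group permits a command prefix, a second task group inherits it, and a user group bound to the inherited group denies a narrower prefix, which wins because user group rules are matched before task group rules and tasks. The group names, the task name "interface", the view name "system", and the use of "*" as a prefix wildcard in expression strings are assumptions for illustration; lines beginning with "#" are annotations, not CLI input. Check the task names and view names available on your device before using them.

```text
system-view
aaa
 # Task group: a task plus a permit rule for one command prefix.
 # (Task group rules can only permit; denies belong in the user group.)
 task-group tg-ifops
  task interface read write execute
  rule command r-if permit view system expression "interface *"
  quit
 # Second task group that inherits everything tg-ifops grants.
 # Later changes to tg-ifops change tg-ifops-plus as well.
 task-group tg-ifops-plus
  include task-group tg-ifops
  quit
 # User group bound to the inherited task group, with a narrower deny.
 # Matching order: user group rule > task group rule > task, so
 # "interface 100GE..." is denied even though tg-ifops permits "interface *".
 user-group ug-access-ops
  task-group tg-ifops-plus
  rule command r-no-uplink deny view system expression "interface 100GE*"
  quit
 quit
commit
```

The effect for a user placed in ug-access-ops is that interface commands in the system view are allowed in general, but any command line starting with "interface 100GE" is refused by the user group deny rule before the task group permit rule is ever consulted. Putting the deny in the user group rather than a task group is deliberate: the task group view form of rule command on this page accepts only permit.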

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      A default accounting scheme named default is available on the device. This accounting scheme can be modified but not deleted.

    4. Run accounting-mode hwtacacs

      The HWTACACS accounting mode is specified.

      The default accounting mode is none.

    5. Run commit

      The configuration is committed.
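The following session is an added example, not taken from this guide, that wires the three schemes from the procedure above into one HWTACACS deployment with local fallback, and shows the fail-open variant to avoid. The scheme names, server address, template name, domain name, and the privilege level in authorization-cmd are assumptions for illustration. The HWTACACS server template and domain binding commands at the end are configured in other sections of this guide (this page only states that the template must exist and be applied to the user domain), so their exact syntax is shown as an assumption; lines beginning with "#" are annotations, not CLI input.

```text
system-view
aaa
 # Authentication: HWTACACS first, local second. Local is consulted only
 # when the server does not answer; a reject from the server ends the
 # attempt, so an attacker cannot force the local fallback by guessing.
 authentication-scheme sch-tacacs
  authentication-mode hwtacacs local
  quit
 # Weak variant (do NOT use): a non-authentication backup means anyone
 # logs in while the TACACS server is unreachable. Keyword assumed.
 #  authentication-mode hwtacacs none
 # Authorization: same order; command-line authorization for level-3
 # users so every command is checked against the server, then locally.
 authorization-scheme sch-tacacs
  authorization-mode hwtacacs local
  authorization-cmd 3 hwtacacs local
  quit
 # Accounting: default is none, so set it explicitly to get an audit trail.
 accounting-scheme sch-tacacs
  accounting-mode hwtacacs
  quit
 quit
# HWTACACS server template (syntax assumed; see the HWTACACS section).
hwtacacs-server template tac-primary
 hwtacacs-server authentication 192.0.2.10
 hwtacacs-server authorization 192.0.2.10
 hwtacacs-server accounting 192.0.2.10
 hwtacacs-server shared-key cipher Example-Shared-Key-1
 quit
# Bind the schemes and the template to a domain (syntax assumed).
aaa
 domain netadmin
  authentication-scheme sch-tacacs
  authorization-scheme sch-tacacs
  accounting-scheme sch-tacacs
  hwtacacs-server tac-primary
  quit
 quit
commit
```

Two checks worth doing after committing: confirm that a wrong password against a reachable server is rejected rather than retried locally (the authentication note above says a failure stops authentication), and confirm that a valid local account still works when the server address is unreachable, which is the only case in which the local backup should be exercised. The schemes are deliberately given a new name instead of editing the default scheme, since the default schemes are applied to the default and default_admin domains.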

Updated: 2019-04-20

Document ID: EDOC1100074765
