HWTACACS

CloudEngine 12800 and 12800E V200R005C10 Configuration Guide - Security

This document describes the configurations of Security, including AAA, 802.1x Authentication, ACL, TCAM ACL Customization, local attack defense, Microsegmentation, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, MACsec, DHCP snooping, IPSG, URPF, SSL, Keychain and FIPS.

About This Document
AAA Configuration
- Overview of AAA
- Understanding AAA
- Application Scenarios for AAA
- Licensing Requirements and Limitations for AAA
- Summary of AAA Configuration Tasks
- Configuring Local Authentication and Authorization
- Configuring RADIUS AAA
- Configuring HWTACACS AAA
- Clearing AAA Statistics
- Configuration Examples for AAA
  - Example for Configuring RADIUS Authentication and Accounting
  - Example for Configuring HWTACACS Authentication, Accounting, and Authorization
- Troubleshooting AAA
  - An AAA Local User Cannot Be Created Due to Incorrect Password Setting
802.1x Authentication Configuration
- Understanding 802.1x Authentication
- Application Scenarios for 802.1x Authentication
- Licensing Requirements and Limitations for 802.1x Authentication
- Default Settings for 802.1x Authentication
- Configuring 802.1x Authentication
- Maintaining 802.1x Authentication
  - Clearing Statistics on 802.1x Authentication Packets
  - Forcing Users Offline
- Configuration Examples for 802.1x Authentication
  - Example for Configuring 802.1x Authentication to Control Users' Internal Access
ACL Configuration
- Overview of ACLs
- Understanding ACLs
- Application Scenarios for ACLs
- Licensing Requirements and Limitations for ACLs
- Default Settings for ACLs
- Configuring a Basic ACL
- Configuring an Advanced ACL
- Configuring a Layer 2 ACL
- Configuring a User-defined ACL
- Configuring an ARP-based ACL
- Configuring a Basic ACL6
- Configuring an Advanced ACL6
- Maintaining an ACL
  - Clearing ACL Statistics
  - Checking ACL Resource Usages
- Configuration Examples for ACLs
- ACL FAQ
  - Which Packets Cannot Be Filtered by the ACL Used by a Traffic Policy?
TCAM ACL Customization Configuration
- Overview of TCAM ACL Customization
- Licensing Requirements and Limitations for TCAM ACL Customization
- Configuring TCAM ACL Customization
  - Enabling TCAM ACL Customization
  - Configuring the TCAM ACL Customization Function for Services
- Displaying Information about a TCAM ACL Customization Profile or Preset Profile
- Configuration Examples for TCAM ACL Customization
  - Example for Configuring TCAM ACL Customization
Microsegmentation Configuration
- Overview of Microsegmentation
- Understanding Microsegmentation
- Application Scenarios for Microsegmentation
- Licensing Requirements and Limitations for Microsegmentation
- Configuring Microsegmentation
- Maintaining Microsegmentation
  - Checking Microsegmentation Statistics
  - Clearing Microsegmentation Statistics
- Configuration Examples for Microsegmentation
  - Example for Configuring IP Address-based Microsegmentation
Local Attack Defense Configuration
- Overview of Local Attack Defense
- Licensing Requirements and Limitations for Local Attack Defense
- Default Settings for Local Attack Defense
- Configuring CPU Attack Defense
- Configuring Attack Source Tracing
- Maintaining Local Attack Defense
- Configuration Examples for Local Attack Defense
  - Example for Configuring Local Attack Defense
- Troubleshooting Local Attack Defense
MFF Configuration
- Overview of MFF
- Understanding MFF
- Application Scenarios for MFF
- Licensing Requirements and Limitations for MFF
- Configuring MFF
- Configuration Examples for MFF
  - Example for Configuring MFF to Implement Layer 2 Isolation and Layer 3 Connection
- Troubleshooting MFF
  - Users Fail to Access the Internet After MFF Is Configured
Attack Defense Configuration
- Overview of Attack Defense
- Understanding Attack Defense
- Application Scenarios for Attack Defense
- Licensing Requirements and Limitations for Attack Defense
- Default Settings for Attack Defense
- Configuring Defense Against Malformed Packet Attacks
- Configuring Defense Against Packet Fragment Attacks
- Configuring Defense Against Flood Attacks
- Clearing Attack Defense Statistics
- Configuration Examples for Attack Defense
  - Example for Configuring Attack Defense
Traffic Suppression and Storm Control Configuration
- Overview of Traffic Suppression and Storm Control
- Understanding Traffic Suppression and Storm Control
  - Traffic Suppression
  - Storm Control
- Application Scenarios for Traffic Suppression and Storm Control
  - Traffic Suppression
  - Storm Control
- Licensing Requirements and Limitations for Traffic Suppression and Storm Control
- Default Settings for Traffic Suppression and Storm Control
- Configuring Traffic Suppression
- Configuring Storm Control
- Configuration Examples for Traffic Suppression and Storm Control
  - Example for Configuring Traffic Suppression
  - Example for Configuring Storm Control
ARP Security Configuration
- Overview of ARP Security
- Understanding ARP Security
- Application Scenarios for ARP Security
  - Defense Against ARP Flood Attacks
  - Defense Against ARP Spoofing Attacks
- Licensing Requirements and Limitations for ARP Security
- Default Settings for ARP Security
- Configuring Defense Against ARP Flood Attacks
- Configuring Defense Against ARP Spoofing Attacks
- Maintaining ARP Security
- Configuration Examples for ARP Security
  - Example for Configuring ARP Security Functions
  - Example for Configuring Defense Against ARP MITM Attacks
Port Security Configuration
- Overview of Port Security
- Understanding Port Security
- Application Scenarios for Port Security
- Licensing Requirements and Limitations for Port Security
- Default Settings for Port Security
- Configuring Port Security
- Configuration Examples for Port Security
  - Example for Configuring Port Security
MACsec Configuration
- Overview of MACsec
- Understanding MACsec
- Application Scenarios for MACsec
- Default Configuration
- Licensing Requirements and Limitations for MACsec
- Configuring MACsec
- Maintaining MACsec
  - Displaying MACsec Statistics
  - Clearing MACsec Statistics
- Configuration Examples for MACsec
  - Example for Configuring Point-to-Point MACsec
DHCP Snooping Configuration
- Overview of DHCP Snooping
- Understanding DHCP Snooping
  - DHCP Snooping Fundamentals
  - Option 82 Supported by DHCP Snooping
- Application Scenarios for DHCP Snooping
- Licensing Requirements and Limitations for DHCP Snooping
- Default Settings for DHCP Snooping
- Configuring Basic Functions of DHCP Snooping
- Configuring DHCP Snooping Attack Defense
- Inserting the Option 82 Field in a DHCP Message
- Maintaining DHCP Snooping
- Configuration Examples for DHCP Snooping
  - Example for Configuring DHCP Snooping Attack Defense
- Troubleshooting DHCP Snooping
  - DHCP Clients Cannot Go Online Due to DHCP Snooping
IPSG Configuration
- Overview of IPSG
- Licensing Requirements and Limitations for IPSG
- Default Settings for IPSG
- Configuring IPSG
- Maintaining IPSG
  - Checking Statistics on Discarded IP Packets
  - Clearing Statistics on Discarded IP Packets
- Configuration Examples for IPSG
  - Example for Configuring IPSG to Check Interface + IP + MAC Binding Entries
URPF Configuration
- Overview of URPF
- Understanding URPF
- Application Scenarios for URPF
- Licensing Requirements and Limitations for URPF
- Default Settings for URPF
- Configuring URPF
- Configuration Examples for URPF
  - Example for Configuring URPF (CE12800)
  - Example for Configuring URPF (CE12800E)
SSL Configuration
- Overview of SSL
- Understanding SSL
- Application Scenarios for SSL
  - Application of SSL in Information Center
- Licensing Requirements and Limitations for SSL
- Configuring SSL
  - Configuring an SSL Policy
  - Applying an SSL Policy
- Configuration Examples for SSL
  - Example for Outputting SSL-Encrypted Logs to a Log Host
Keychain Configuration
- Overview of Keychains
- Understanding Keychains
- Application Scenarios for Keychains
- Licensing Requirements and Limitations for Keychain
- Configuring a Keychain
- Configuration Examples for Keychains
  - Example for Applying the Keychain to RIP
  - Example for Applying the Keychain to BGP
FIPS Configuration
- Overview of FIPS
- Configuring the FIPS Mode
Separating the Management Port from the Service Plane
Checking Security Risks
Setting the System Master Key

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

HWTACACS

Overview of HWTACACS
HWTACACS Packets
HWTACACS Interaction Process

Overview of HWTACACS

HWTACACS is a protocol that serves as an enhancement to TACACS+. HWTACACS is an information exchange protocol that uses the client/server model to provide centralized validation of users who attempt to access your switch. It uses Transmission Control Protocol (TCP) and TCP port number 49 to transmit data. HWTACACS provides independent authentication, authorization, and accounting for users accessing the Internet, it can be implemented on different servers. HWTACACS is compatible with a third-party vendor's TACACS+. Huawei switches can function as HWTACACS clients to interwork with TACACS+ servers to implement AAA. For example, a switch running HWTACACS can communicate with a third-party vendor server (such as ACS). However, HWTACACS may not be compatible with a third-party vendor's proprietary attributes because different vendors define different fields and meanings for proprietary attributes.

Similar to RADIUS, HWTACACS uses the client/server model to implement communication between NAS and HWTACACS servers.

HWTACACS is used to perform authentication, authorization, and accounting for the users accessing the Internet through Point-to-Point Protocol (PPP) or Virtual Private Dial-up Network (VPDN) and the management users. For example, an HWTACACS server can be configured to perform authentication, authorization, and accounting for the management users logging in to the device. The device functions as the HWTACACS client by sending the user names and passwords to the HWTACACS server. Authorized users can then log in to the device and perform operations.

Both HWTACACS and RADIUS protocols can implement authentication, authorization, and accounting. They are similar in that they both have the following characteristics:

Client/Server model
Public key used for encrypting user information
Good flexibility and extensibility

HWTACACS is more reliable in transmission and encryption than RADIUS, and is more suitable for security control. Table 1-10 lists the differences between HWTACACS and RADIUS.

Table 1-10 Comparisons between HWTACACS and RADIUS

Item	HWTACACS	RADIUS
Data transmission	Uses TCP, which is more reliable.	Uses UDP, which is more efficient.
Encryption	Encrypts the entire packet, except for the standard HWTACACS header.	Encrypts only the password field in the packet.
Authentication and authorization	Separates authentication from authorization so that they can be implemented on different security servers.	Combines authentication and authorization.
Command line authorization	Supported. The command line use is restricted by both the command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server.	Not supported. The commands that a user can use depend on their user level. A user can only use the commands of the same level as or lower level than their user level.
Application	Security control.	Accounting.

HWTACACS Packets

Unlike RADIUS packets, which all use the same format, HWTACACS packets (including the HWTACACS Authentication Packet, HWTACACS Authorization Packet, and HWTACACS Accounting Packet) use different formats. Despite this, HWTACACS packets share the same HWTACACS Packet Header.

HWTACACS Packet Header

All HWTACACS packets have a 12-byte packet header, as shown in Figure 1-7.

Figure 1-7 HWTACACS packet header

Table 1-11 Fields in HWTACACS packet header

Field	Description
major version	Major version of the HWTACACS protocol. The current version is 0xc.
minor version	Minor version of the HWTACACS protocol. The current version is 0x0.
type	HWTACACS protocol packet type, including authentication (0x01), authorization (0x02), and accounting (0x03).
seq_no	Packet sequence number in a session, ranging from 1 to 254.
flags	Encryption flag on the packet body. This field contains 8 bits, of which only the first bit has a valid value. The value 0 indicates that the packet body is encrypted, and the value 1 indicates that the packet body is not encrypted.
session_id	Session ID, which is the unique identifier of a session.
length	Length of the HWTACACS packet body, excluding the packet header.

HWTACACS Authentication Packet Format

There are three types of HWTACACS authentication packets:

Authentication Start: When an authentication starts, the client sends this packet carrying the authentication type, user name, and authentication data to the server.
Authentication Response: When the server receives the Authentication Start or Authentication Continue packet from the client, the server sends this packet to the client to notify the client of the current authentication status.
Authentication Continue: When receiving the Authentication Response packet from the server, the client returns this packet if the authentication process is not ended.

The HWTACACS authentication packets have different formats.

Figure 1-8 shows the format of HWTACACS Authentication Start packets.

Figure 1-8 HWTACACS Authentication Start packet format

Table 1-12 Fields in HWTACACS Authentication Start packet

Field	Description
action	Authentication action.
priv_lvl	User privilege level.
authen_type	Authentication type, including: CHAP(0x03) PAP(0x02) ASCII(0x01)
service	Type of the service requesting authentication, which varies depending on the user type: PPP users: PPP(0x03) Administrators: LOGIN(0x01) Other users: NONE(0x00)
user len	Length of the user name entered by a login user.
port len	Length of the port field.
rem_addr len	rem_addr field length.
data len	Authentication data length.
user	Name of the user requesting authentication. The maximum length is 129.
port	Name of the user interface requesting authentication. The maximum length is 47. For management users, this field indicates the user terminal interface, such as console0 and vty1. For example, the authen_type of Telnet users is ASCII, service is LOGIN, and port is vtyx. For other users, this field indicates the user access interface.
rem_addr	IP address of the login user.
data	Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is PAP plain-text password.

Figure 1-9 shows the format of HWTACACS Authentication Continue packets.

Figure 1-9 HWTACACS Authentication Continue packet format

Table 1-13 Fields in HWTACACS Authentication Continue packet

Field	Description
user_msg len	Length of the character string entered by a login user.
data len	Authentication data length.
flags	Authentication continue flag. 0: Indicates that the authentication continues. 1: Indicates that the authentication has ended.
user_msg	Character string entered by the login user. This field carries the user login password to respond to the server_msg field in the Authentication Response packet.
data	Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is PAP cipher-text password.

Figure 1-10 shows the format of HWTACACS Authentication Response packets.

Figure 1-10 HWTACACS Authentication Response packet format

Table 1-14 Fields in HWTACACS Authentication Response packet

Field	Description
status	Authentication status, including: PASS (0x01): Authentication is successful. FAIL (0x02): Authentication fails. GETDATA (0x03): Request user information. GETUSER (0x04): Request user name. GETPASS (0x05): Request password. RESTART (0x06): Request reauthentication. ERROR (0x07): The authentication packets received by the server have errors. FOLLOW (0x21): The server requests reauthentication.
flags	Indicates whether the client displays the password entered by user in plain text. The value 1 indicates that the password is not displayed in plain text.
server_msg len	Length of the server_msg field.
data len	Authentication data length.
server_msg	Optional field. This field is sent by the server to the user to provide additional information.
data	Authentication data, providing information to client.

HWTACACS Authorization Packet Format

There are two types of HWTACACS authorization packets:

Authorization Request: HWTACACS separates authentication from authorization. Therefore, a user can be authenticated by HWTACACS, and authorized using another protocol. If a user is authenticated by HWTACACS, the client sends an Authorization Request packet carrying authorization information to the server.
Authorization Response: After receiving the Authorization Request packet, the server sends this packet carrying the authorization result to the client.

The HWTACACS authorization packets have different formats.

Figure 1-11 shows the format of HWTACACS Authorization Request packets.

Figure 1-11 HWTACACS Authorization Request packet format

The meanings of the following fields in the Authorization Request packet are the same as those in the Authentication Start packet, and are therefore not described here: priv_lvl, authen_type, authen_service, user len, port len, rem_addr len, port, and rem_addr.

Table 1-15 Fields in HWTACACS Authorization Request packet

Field	Description
authen_method	Authentication method, including No authentication method configured (0x00) None authentication (0x01) Local authentication (0x05) HWTACACS authentication (0x06) RADIUS authentication (0x10)
authen_service	Type of the service requesting authentication, which varies depending on the user type: PPP users: PPP(0x03) Administrators: LOGIN(0x01) Other users: NONE(0x00)
arg_cnt	Number of attributes carried in Authorization Request packet.
argN	Attribute of the Authorization Request packet.

Figure 1-12 shows the format of HWTACACS Authentication Response packets.

Figure 1-12 HWTACACS Authorization Response packet format

The meanings of the following fields are the same as those in HWTACACS Authentication Response packet, and are therefore not described here: server_msg len, data len, and server_msg.

Table 1-16 Fields in HWTACACS Authorization Response packet

Field	Description
status	Authorization status, including: Authorization is successful (0x01) The attributes in Authorization Request packets are modified by the TACACS server (0x02) Authorization fails (0x10) An error occurs on the authorization server (0x11) An authorization server is respecified (0x21)
arg_cnt	Number of attributes carried in Authorization Response packet.
argN	Authorization attribute delivered by the HWTACACS authorization server.

Field

Description

status

Authorization status, including:

Authorization is successful (0x01)
The attributes in Authorization Request packets are modified by the TACACS server (0x02)
Authorization fails (0x10)
An error occurs on the authorization server (0x11)
An authorization server is respecified (0x21)

arg_cnt

Number of attributes carried in Authorization Response packet.

argN

Authorization attribute delivered by the HWTACACS authorization server.

HWTACACS Accounting Packet Format

There are two types of HWTACACS accounting packets:

Accounting Request: This packet contains authorization information.
Accounting Response: After receiving and recording an Accounting Request packet, the server returns this packet.

The HWTACACS accounting packets have different formats.

Figure 1-13 shows the format of HWTACACS Accounting Request packets.

Figure 1-13 HWTACACS Accounting Request packet format

The meanings of the following fields in the Accounting Request packet are the same as those in the Authorization Request packet, and are therefore not described here: authen_method, priv_lvl, authen_type, user len, port len, rem_addr len, port, and rem_addr.

Table 1-17 Fields in HWTACACS Accounting Request packet

Field	Description
flags	Accounting type: Start accounting (0x02) Stop accounting (0x04) Interim accounting (0x08)
authen_service	Type of the service requesting authentication, which varies depending on the user type: PPP users: PPP(0x03) Administrators: LOGIN(0x01) Other users: NONE(0x00)
arg_cnt	Number of attributes carried in Accounting Request packet.
argN	Attribute of the Accounting Request packet.

Figure 1-14 shows the format of HWTACACS Accounting Response packets.

Figure 1-14 HWTACACS Accounting Response packet format

Table 1-18 Fields in HWTACACS Accounting Request packet

Field	Description
server_msg len	Length of the server_msg field.
data len	Length of the data field.
status	Accounting status: Accounting is successful (0x01) Accounting fails (0x02)
server_msg	Information sent by the accounting server to the client.
data	Information sent by the accounting server to the administrator.

HWTACACS Interaction Process

This section describes how HWTACACS performs authentication, authorization, and accounting for Telnet users. Figure 1-15 shows the message exchange process.

Figure 1-15 HWTACACS message interaction

The following describes the HWTACACS message exchange process shown in Figure 1-15:

A Telnet user sends a request packet.
After receiving the request packet, the HWTACACS client sends an Authentication Start packet to the HWTACACS server.
The HWTACACS server sends an Authentication Response packet to request the user name.
After receiving the Authentication Response packet, the HWTACACS client sends a packet to query the user name.
The user enters the user name.
The HWTACACS client sends an Authentication Continue packet containing the user name to the HWTACACS server.
The HWTACACS server sends an Authentication Response packet to request the password.
After receiving the Authentication Response packet, the HWTACACS client queries the password.
The user enters the password.
The HWTACACS client sends an Authentication Continue packet containing the password to the HWTACACS server.
The HWTACACS server sends an Authentication Response packet, indicating that the user has been authenticated.
The HWTACACS client sends an Authorization Request packet to the HWTACACS server.
The HWTACACS server sends an Authorization Response packet, indicating that the user has been authorized.
The HWTACACS client receives the Authorization Response packet and displays the login page.
The HWTACACS client sends an Accounting Request (start) packet to the HWTACACS server.
The HWTACACS server sends an Accounting Response packet.
The user requests to go offline.
The HWTACACS client sends an Accounting Request (stop) packet to the HWTACACS server.
The HWTACACS server sends an Accounting Response packet.

HWTACACS and TACACS+ protocols of other vendors can implement authentication, authorization, and accounting. HWTACACS is compatible with other TACACS+ protocols because their authentication procedures and implementations are the same.

Overview of HWTACACS
HWTACACS Packets
HWTACACS Interaction Process

Translation

简体中文

Download

Updated: 2021-09-17

Document ID: EDOC1100075347

Downloads: 100

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate