HWTACACS Configuration Guide
HWTACACS AAA
Overview of HWTACACS
HWTACACS is a protocol that serves as an enhancement to TACACS (RFC 1492).
HWTACACS is used to perform authentication, authorization, and accounting for users accessing the Internet through Point-to-Point Protocol (PPP) or Virtual Private Dial-up Network (VPDN) and management users.
Both HWTACACS and RADIUS protocols can implement authentication, authorization, and accounting. They are similar in that they both have the following characteristics:
- Client/Server model
- Share key used for encrypting user information
- Good flexibility and extensibility
HWTACACS is more reliable in transmission and encryption than RADIUS, and is more suitable for security control. Table 1-1 lists the differences between HWTACACS and RADIUS.
| Item | HWTACACS | RADIUS |
|---|---|---|
| Data transmission | Uses TCP, which is more reliable. | Uses UDP, which is more efficient. |
| Encryption | Encrypts the entire packet, except the standard HWTACACS header. | Encrypts only the password field in the packet. |
| Authentication and authorization | Separates authentication from authorization so that they can be implemented on different security servers. | Combines authentication and authorization. |
| Command line authorization | Supported. The command line use is restricted by both the command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server. | Not supported. The commands that a user can use depend on their user level. A user can only use the commands of the same level as or lower level than their user level. |
| Application | Security control. | Accounting. |
HWTACACS Packets
Unlike RADIUS packets, which all use the same format, HWTACACS packets (including HWTACACS Authentication Packet Format, HWTACACS Authorization Packet Format, and HWTACACS Accounting Packet Format) use different formats. Despite this, HWTACACS packets all share the same HWTACACS Packet Header.
HWTACACS Packet Header
The length of the HWTACACS packet header is 12 bytes, as shown in Figure 1-1.
| Field | Description |
|---|---|
| major version | Major version of the HWTACACS protocol. The current version is 0xc. |
| minor version | Minor version of the HWTACACS protocol. The current version is 0x0. |
| type | HWTACACS protocol packet type, including authentication (0x01), authorization (0x02), and accounting (0x03). |
| seq_no | Packet sequence number in a session, ranging from 1 to 254. |
| flags | Encryption flag on the packet body. This field contains 8 bits, of which only the first bit has a valid value. The value 0 indicates that the packet body is encrypted, and the value 1 indicates that the packet body is not encrypted. |
| session_id | Session ID, which is the unique identifier of a session. |
| length | Length of the HWTACACS packet body, excluding the packet header. |
HWTACACS Authentication Packet Format
There are three types of HWTACACS authentication packets:
- Authentication Start: When an authentication starts, the client sends this packet carrying the authentication type, user name, and authentication data to the server.
- Authentication Continue: When receiving the Authentication Reply packet from the server, the client returns this packet if the authentication process has not ended.
- Authentication Reply: When the server receives the Authentication Start or Authentication Continue packet from the client, the server sends this packet to the client to notify the client of the current authentication status.
HWTACACS Authentication Start packets.
| Field | Description |
|---|---|
| action | Authentication action. Only the login authentication (0x01) action is supported. |
| priv_lvl | User privilege level. |
| authen_type | Authentication type, including: |
| service | Type of the service requesting authentication, which varies depending on the user type: |
| user len | Length of the user name entered by a login user. |
| port len | Length of the port field. |
| rem_addr len | Length of the rem_addr field. |
| data len | Authentication data length. |
| user | Name of the user requesting authentication. The maximum length is 129. |
| port | Name of the user interface requesting authentication. The maximum length is 47. |
| rem_addr | IP address of the login user. |
| data | Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is the PAP plain-text password. |
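The 12-byte header and the Authentication Start body described above, as an added Python example that is not part of this guide: it packs the header, applies body obfuscation with the shared key, and shows that a packet whose flags bit announces an unencrypted body carries the PAP password in the clear, which is the check a defender would run over captured traffic. The pseudo-pad algorithm (chained MD5 over session_id, key, version and seq_no) and the PAP authen_type and login service codes are taken from the TACACS+ specification (RFC 8907), with which this guide says HWTACACS is compatible; they are assumptions, not values stated on this page.

```python
import hashlib
import struct

# 12-byte header from the guide: version, type, seq_no, flags, session_id, length
HDR_FMT = "!BBBBII"
HDR_LEN = struct.calcsize(HDR_FMT)          # 12
MAJOR_VERSION, MINOR_VERSION = 0xC, 0x0     # current versions per the guide
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 0x01, 0x02, 0x03
FLAG_UNENCRYPTED = 0x01                     # flags bit: 1 = body in clear, 0 = body obfuscated

# Authentication Start body values. action 0x01 (login) is stated on the page;
# the PAP authen_type and login service codes are TACACS+ values (assumption).
ACTION_LOGIN = 0x01
AUTHEN_TYPE_PAP = 0x02
SERVICE_LOGIN = 0x01


def build_header(pkt_type, seq_no, session_id, body_len, encrypted=True):
    """Pack the header; the version byte holds major (high nibble) and minor (low nibble)."""
    if not 1 <= seq_no <= 254:              # range given in the guide
        raise ValueError("seq_no out of range")
    version = (MAJOR_VERSION << 4) | MINOR_VERSION
    flags = 0 if encrypted else FLAG_UNENCRYPTED
    return struct.pack(HDR_FMT, version, pkt_type, seq_no, flags, session_id, body_len)


def parse_header(pkt):
    """Decode the header and check that the length field matches the body that follows."""
    if len(pkt) < HDR_LEN:
        raise ValueError("truncated header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        HDR_FMT, pkt[:HDR_LEN])
    if len(pkt) != HDR_LEN + length:        # length excludes the header
        raise ValueError("length field does not match body size")
    return {
        "major": version >> 4, "minor": version & 0x0F, "type": pkt_type,
        "seq_no": seq_no, "encrypted": not (flags & FLAG_UNENCRYPTED),
        "session_id": session_id, "length": length,
    }


def pseudo_pad(session_id, key, version, seq_no, length):
    """TACACS+ pseudo-pad (assumption): chained MD5 of session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(header, key, body):
    """Obfuscate or recover a body: XOR with the pad is its own inverse."""
    session_id = struct.unpack("!I", header[4:8])[0]
    pad = pseudo_pad(session_id, key, header[0], header[2], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, data, priv_lvl=15):
    """Authentication Start body in the field order the guide lists."""
    if len(user) > 129 or len(port) > 47:   # maximum lengths from the guide
        raise ValueError("user or port too long")
    fixed = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, SERVICE_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body, session_id, seq_no, key=None):
    """Wrap a body in a header; without a shared key the body goes out in the clear."""
    hdr = build_header(TYPE_AUTHEN, seq_no, session_id, len(body), encrypted=key is not None)
    return hdr + (xor_body(hdr, key, body) if key is not None else body)


def audit_packet(pkt):
    """Defender check on a captured packet: does its header announce a cleartext body?"""
    return "cleartext body" if not parse_header(pkt)["encrypted"] else "obfuscated body"


if __name__ == "__main__":
    # Constructed sample values; nothing here comes from a real deployment.
    body = build_authen_start(b"admin", b"vty0", b"192.0.2.10", b"constructed-password")
    clear = build_packet(body, 0x12345678, 1)
    obf = build_packet(body, 0x12345678, 1, key=b"constructed-shared-key")
    print(audit_packet(clear), b"constructed-password" in clear)   # cleartext body True
    print(audit_packet(obf), b"constructed-password" in obf)       # obfuscated body False
```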
HWTACACS Authentication Continue packets.
| Field | Description |
|---|---|
| user_msg len | Length of the character string entered by a login user. |
| data len | Authentication data length. |
| flags | Authentication continue flag. |
| user_msg | Character string entered by the login user. This field carries the user login password to respond to the server_msg field in the Authentication Reply packet. |
| data | Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is the PAP plain-text password. |
HWTACACS Authentication Reply packets.
| Field | Description |
|---|---|
| status | Authentication status, including: |
| flags | Indicates whether the client displays the password entered by the user in plain text. The value 1 indicates that the password is not displayed in plain text. |
| server_msg len | Length of the server_msg field. |
| data len | Authentication data length. |
| server_msg | Optional field. This field is sent by the server to the user to provide additional information. |
| data | Authentication data, providing information to the client. |
HWTACACS Authorization Packet Format
There are two types of HWTACACS authorization packets:
- Authorization Request: HWTACACS separates authentication from authorization. Therefore, a user can be authenticated by HWTACACS, and authorized using another protocol. If a user is authorized by HWTACACS, the client sends an Authorization Request packet carrying authorization information to the server.
- Authorization Response: After receiving the Authorization Request packet, the server sends this packet carrying the authorization result to the client.
HWTACACS Authorization Request packets.
The meanings of the following fields in the Authorization Request packet are the same as those in the Authentication Start packet, and are therefore not described here: priv_lvl, authen_type, authen_service, user len, port len, rem_addr len, port, and rem_addr.
| Field | Description |
|---|---|
| authen_method | Authentication method, including: |
| authen_service | Type of the service requesting authentication, which varies depending on the user type: |
| arg_cnt | Number of attributes carried in the Authorization Request packet. |
| argN | Attribute of the Authorization Request packet. |
HWTACACS Authorization Response packets.
The meanings of the following fields are the same as those in the HWTACACS Authentication Reply packet, and are therefore not described here: server_msg len, data len, and server_msg.
| Field | Description |
|---|---|
| status | Authorization status, including: |
| arg_cnt | Number of attributes carried in the Authorization Response packet. |
| argN | Authorization attribute delivered by the HWTACACS authorization server. |
HWTACACS Accounting Packet Format
There are two types of HWTACACS accounting packets:
- Accounting Request: Contains authorization information.
- Accounting Response: After receiving and recording an Accounting Request packet, the server returns this packet.
HWTACACS Accounting Request packets.
The meanings of the following fields in the Accounting Request packet are the same as those in the Authorization Request packet, and are therefore not described here: authen_method, priv_lvl, authen_type, user len, port len, rem_addr len, port, and rem_addr.
| Field | Description |
|---|---|
| flags | Accounting type: |
| authen_service | Type of the service requesting authentication, which varies depending on the user type: |
| arg_cnt | Number of attributes carried in the Accounting Request packet. |
| argN | Attribute of the Accounting Request packet. |
HWTACACS Accounting Response packets.
| Field | Description |
|---|---|
| server_msg len | Length of the server_msg field. |
| data len | Length of the data field. |
| status | Accounting status: |
| server_msg | Information sent by the accounting server to the client. |
| data | Information sent by the accounting server to the administrator. |
HWTACACS Authentication, Authorization, and Accounting Process
This section describes how HWTACACS performs authentication, authorization, and accounting for Telnet users. Figure 1-9 shows the message exchange process.
The following describes the HWTACACS message exchange process shown in Figure 1-9:
- A Telnet user sends a request packet.
- After receiving the request packet, the HWTACACS client sends an Authentication Start packet to the HWTACACS server.
- The HWTACACS server sends an Authentication Response packet to request the user name.
- After receiving the Authentication Response packet, the HWTACACS client sends a packet to query the user name.
- The user enters the user name.
- The HWTACACS client sends an Authentication Continue packet containing the user name to the HWTACACS server.
- The HWTACACS server sends an Authentication Response packet to request the password.
- After receiving the Authentication Response packet, the HWTACACS client queries the password.
- The user enters the password.
- The HWTACACS client sends an Authentication Continue packet containing the password to the HWTACACS server.
- The HWTACACS server sends an Authentication Response packet, indicating that the user has been authenticated.
- The HWTACACS client sends an Authorization Request packet to the HWTACACS server.
- The HWTACACS server sends an Authorization Response packet, indicating that the user has been authorized.
- The HWTACACS client receives the Authorization Response packet and displays the login page.
- The HWTACACS client sends an Accounting Request (start) packet to the HWTACACS server.
- The HWTACACS server sends an Accounting Response packet.
- The user requests to go offline.
- The HWTACACS client sends an Accounting Request (stop) packet to the HWTACACS server.
- The HWTACACS server sends an Accounting Response packet.
HWTACACS and the TACACS+ protocols of other vendors can all implement authentication, authorization, and accounting. HWTACACS is compatible with other TACACS+ implementations because their authentication procedures and implementations are the same.
HWTACACS Attributes
In HWTACACS authorization and accounting packets, the argN field carries the information exchanged between a server and a client in the form of HWTACACS attributes. This section describes the HWTACACS attributes in detail.
Overview of HWTACACS Attributes
Table 1-10 describes the HWTACACS attributes supported by the device. The device can only parse the attributes included in the table.
| Attribute Name | Description |
|---|---|
| acl | Authorization ACL ID. |
| addr | User IP address. |
| autocmd | Commands the system automatically executes after a user logs in. |
| bytes_in | Traffic received by the device. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if byte is used. |
| bytes_out | Traffic sent by the device. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if byte is used. |
| callback-line | Information sent from the authentication server and to be displayed to a user, such as a mobile number. |
| cmd | Commands executed by the system shell. The maximum length is 251 characters. The complete command is encapsulated when the command is recorded, and the first keyword is encapsulated when the command is authorized. |
| cmd-arg | Parameter in the command line to be authorized. cmd-arg=<cr> is added at the end of the command line. |
| disc_cause | Reason for disconnection. Only accounting stop packets carry this attribute. The reasons for disconnection include: |
| disc_cause_ext | Extended reason for disconnection. Only accounting stop packets carry this attribute. The extended reasons for disconnection include: |
| dnaverage | Downstream average rate, in bit/s. |
| dnpeak | Downstream peak rate, in bit/s. |
| dns-servers | IP address of the primary DNS server. |
| elapsed_time | Online duration, in seconds. |
| ftpdir | Initial directory of an FTP user. |
| gw-password | Tunnel password. The value is a string of 1 to 248 characters. If the value contains more than 248 characters, only the first 248 characters are valid. |
| idletime | Idle session timeout period. If a user does not perform any operation within this period, the system disconnects the user. |
| l2tp-hello-interval | Interval for sending L2TP Hello packets. The device does not support this attribute. |
| l2tp-hidden-avp | The attribute value pair (AVP) of L2TP. The device does not support this attribute. |
| l2tp-nosession-timeout | If no session exists within this period, the L2TP tunnel is torn down. The device does not support this attribute. |
| l2tp-group-num | L2TP group number. Other L2TP attributes take effect only if this attribute is delivered. Otherwise, other L2TP attributes are ignored. |
| l2tp-tos-reflect | TOS of L2TP. The device does not support this attribute. |
| l2tp-tunnel-authen | Indicates whether the L2TP tunnel is authenticated: |
| l2tp-udp-checksum | UDP packet checksum. |
| nocallback-verify | No authentication is required for callback. |
| nohangup | Indicates whether the device automatically disconnects a user. This attribute is valid only after the autocmd attribute is configured. It decides whether to disconnect a user who has executed the autocmd command. The value can be true or false: |
| paks_in | Number of packets received by the device. |
| paks_out | Number of packets sent by the device. |
| priv-lvl | User level. |
| protocol | Protocol type. It belongs to the service type, and is only valid for PPP and connection services. The device supports four protocol types: pad, telnet, ip, and vpdn. The protocol used depends on the service type: |
| task_id | Task ID. The task IDs recorded when a task starts and ends must be the same. |
| timezone | Local time zone. |
| tunnel-id | Local user name of the tunnel. The value is a string of 1 to 29 characters. If the value contains more than 29 characters, only the first 29 characters are valid. |
| tunnel-type | Tunnel type. The device only supports the L2TP tunnel. The value of tunnel-type is 3. |
| service | Service type, which can be accounting or authorization. |
| source-ip | Local IP address of the tunnel. |
| upaverage | Upstream average rate, in bit/s. |
| uppeak | Upstream peak rate, in bit/s. |
HWTACACS Attributes Available in Packets
There are two types of HWTACACS authorization packets: Authorization Request packets and Authorization Response packets. However, HWTACACS authorization packets can also be classified into EXEC authorization packets, command line authorization packets, and access user authorization packets, depending on the usage scenario. Different authorization packets carry different attributes. For details, see Table 1-11. The following describes the use of HWTACACS authorization packets for different usage scenarios:
- EXEC authorization packets: Used by the HWTACACS server to control rights of the management users logging in through Telnet, console port, SSH, and FTP.
- Command line authorization packets: Used by the device to authorize each command line executed by the user. Only authorized command lines can be executed.
- Access user authorization packets: Used by the HWTACACS server to control the rights of NAC users such as 802.1X and Portal users.
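The command-line authorization exchange described above, together with the Authorization Request and Response bodies from the HWTACACS Authorization Packet Format section, as an added Python example that is not part of this guide: it builds the argN attributes for one command line (cmd carries the first keyword, each parameter is a cmd-arg, and cmd-arg=<cr> closes the line, as the attribute table states), packs the request body in the guide's field order, parses the response and fails closed on anything other than an explicit pass. The service=shell attribute, the authen_method, authen_type and authen_service codes, the status values and the attr=value / attr*value separator convention are TACACS+ conventions (RFC 8907) assumed here, not values given on this page.

```python
import struct

# Authorization Request body, in the field order the guide lists. The code points for
# authen_method, authen_type and authen_service are TACACS+ values (assumption).
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01

# Authorization Response status codes, again TACACS+ values (assumption).
STATUS_PASS_ADD, STATUS_PASS_REPL = 0x01, 0x02
STATUS_FAIL, STATUS_ERROR = 0x10, 0x11
MAX_CMD_LEN = 251   # maximum cmd attribute length stated in the guide


def command_authz_args(cmd_line):
    """argN attributes for one command line: cmd carries the first keyword, every
    remaining word becomes a cmd-arg, and cmd-arg=<cr> terminates the line (per the guide)."""
    words = cmd_line.split()
    if not words:
        raise ValueError("empty command line")
    if len(words[0]) > MAX_CMD_LEN:
        raise ValueError("cmd keyword too long")
    args = [b"service=shell", b"cmd=" + words[0].encode()]   # service=shell: assumption
    args += [b"cmd-arg=" + w.encode() for w in words[1:]]
    args.append(b"cmd-arg=<cr>")
    return args


def build_author_request_body(user, port, rem_addr, args, priv_lvl):
    """Fixed fields, one length byte per attribute, then the variable-length fields."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("too many or too long attributes")
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def build_author_response_body(status, args=(), server_msg=b"", data=b""):
    """Server-side body: status, arg_cnt, server_msg len, data len, arg lens, payloads.
    Included only so this example can construct a reply; a real server produces it."""
    fixed = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return fixed + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def parse_author_response_body(body):
    """Decode a response, refusing bodies whose declared lengths do not add up."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    attrs = []
    for n in arg_lens:
        raw = body[off:off + n]
        off += n
        # attr=value is mandatory, attr*value optional (TACACS+ convention, assumption)
        sep = min((raw.find(s) for s in (b"=", b"*") if s in raw), default=-1)
        if sep < 0:
            raise ValueError("attribute without separator")
        attrs.append((raw[:sep].decode(), raw[sep + 1:].decode(), raw[sep:sep + 1] == b"="))
    if off != len(body):
        raise ValueError("trailing or missing bytes in response body")
    return {"status": status, "server_msg": server_msg, "data": data, "attrs": attrs}


def command_permitted(response_body):
    """Fail closed: execute only on an explicit pass; FAIL, ERROR or a malformed body deny."""
    try:
        status = parse_author_response_body(response_body)["status"]
    except (ValueError, struct.error):
        return False
    return status in (STATUS_PASS_ADD, STATUS_PASS_REPL)


if __name__ == "__main__":
    # Constructed sample exchange; no real server or device values are used.
    args = command_authz_args("display current-configuration")
    request = build_author_request_body(b"admin", b"vty0", b"192.0.2.10", args, 15)
    reply = build_author_response_body(STATUS_FAIL, server_msg=b"command not permitted")
    print(len(request), command_permitted(reply))   # 96 False
```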
Just as with HWTACACS authorization packets, there are two types of HWTACACS accounting packets: Accounting Request packets and Accounting Response packets. HWTACACS accounting packets can also be classified into network accounting packets, connection accounting packets, EXEC accounting packets, system accounting packets, and command accounting packets, depending on the connection type. Different accounting packets carry different attributes. For details, see Table 1-12. The following describes the use of HWTACACS accounting packets for different connection types:
- Network accounting packets: Used when networks are accessed by PPP users. For example, when a PPP user connects to a network, the server sends an accounting start packet; when the user is using network services, the server periodically sends interim accounting packets; when the user goes offline, the server sends an accounting stop packet.
- Connection accounting packets: Used when users log in to the server through Telnet or FTP clients. When a user connects to the device, the user can run commands to access a remote server and obtain files from the server. The device sends an accounting start packet when the user connects to the remote server and an accounting stop packet when the user disconnects from the remote server.
- EXEC accounting packets: Used when users log in to the device through Telnet or FTP. When a user connects to a network, the server sends an accounting start packet; when the user is using network services, the server periodically sends interim accounting packets; when the user goes offline, the server sends an accounting stop packet.
- System accounting packets: Used during fault diagnosis. The server records the system-level events to help administrators monitor the device and locate network faults.
- Command accounting packets: When an administrator runs any command on the device, the device sends the command to the HWTACACS server through a command accounting stop packet so that the server can record the operations performed by the administrator.
- Y: The packet supports this attribute.
- N: The packet does not support this attribute.
| Attribute | Command Line Authorization Packet | EXEC Authorization Response Packet | Access User Authorization Response Packet |
|---|---|---|---|
| acl | N | Y | N |
| addr | N | N | Y |
| addr-pool | N | N | Y |
| autocmd | N | Y | N |
| callback-line | N | Y | Y |
| cmd | Y | N | N |
| cmd-arg | Y | N | N |
| dnaverage | N | N | Y |
| dnpeak | N | N | Y |
| dns-servers | N | N | Y |
| ftpdir | N | Y | N |
| gw-password | N | N | Y |
| idletime | N | Y | N |
| ip-addresses | N | N | Y |
| l2tp-group-num | N | N | Y |
| l2tp-tunnel-authen | N | N | Y |
| nocallback-verify | N | Y | N |
| nohangup | N | Y | N |
| priv-lvl | N | Y | N |
| source-ip | N | N | Y |
| tunnel-type | N | N | Y |
| tunnel-id | N | N | Y |
| upaverage | N | N | Y |
| Attribute | Network Accounting Start Packet | Network Accounting Stop Packet | Network Interim Accounting Packet | Connection Accounting Start Packet | Connection Accounting Stop Packet | EXEC Accounting Start Packet | EXEC Accounting Stop Packet | EXEC Interim Accounting Packet | System Accounting Stop Packet | Command Line Accounting Stop Packet |
|---|---|---|---|---|---|---|---|---|---|---|
| addr | Y | Y | Y | Y | Y | N | N | N | N | N |
| bytes_in | N | Y | Y | N | Y | N | Y | Y | N | N |
| bytes_out | N | Y | Y | N | Y | N | Y | Y | N | N |
| cmd | N | N | N | Y | Y | N | N | N | N | Y |
| disc_cause | N | Y | N | N | N | N | Y | Y | N | N |
| disc_cause_ext | N | Y | N | N | N | N | Y | Y | N | N |
| elapsed_time | N | Y | Y | N | Y | N | Y | Y | Y | N |
| paks_in | N | Y | Y | N | Y | N | Y | Y | N | N |
| paks_out | N | Y | Y | N | Y | N | Y | Y | N | N |
| priv-lvl | N | N | N | N | N | N | N | N | N | Y |
| protocol | Y | Y | Y | Y | Y | N | N | N | N | N |
| service | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| task_id | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| timezone | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| tunnel-id | N | N | N | N | N | N | N | N | N | N |
| tunnel-type | Y | N | N | N | N | N | N | N | N | N |
Using HWTACACS to Perform Authentication, Authorization, and Accounting
HWTACACS Authentication, Authorization, and Accounting
Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access users by communicating with the HWTACACS server.
HWTACACS protects a network from unauthorized access and supports command-line authorization. HWTACACS is more reliable in transmission and encryption than RADIUS, and is more suitable for security control.
Configuring an HWTACACS Server
If HWTACACS authentication and authorization are used, users' authentication, authorization, and accounting information needs to be configured on the HWTACACS server.
If a user wants to establish a connection with the access device through a network to obtain rights to access other networks and network resources, the access device transparently transmits the user's authentication, authorization, and accounting information to the HWTACACS server. The HWTACACS server determines whether the user can pass authentication based on the configured information. If the user passes authentication, the HWTACACS server returns the user's authorization information to the access device. The access device then allows the user to access the network and grants rights to the user based on that authorization information.
Configuring AAA Schemes
Context
To use HWTACACS authentication, authorization, and accounting, set the authentication mode in the authentication scheme, authorization mode in the authorization scheme, and accounting mode in the accounting scheme to HWTACACS.
When configuring HWTACACS authentication, you can configure local authentication or non-authentication as the backup. This allows local authentication to be implemented if HWTACACS authentication fails. When configuring HWTACACS authorization, you can configure local authorization or non-authorization as the backup.
If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.
Procedure
- Configure an authentication scheme.
  - Run system-view
    The system view is displayed.
  - Run aaa
    The AAA view is displayed.
  - Run authentication-scheme scheme-name
    An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.
    By default, two authentication schemes named default and radius are available on the device. These two authentication schemes can be modified but not deleted.
  - Run authentication-mode hwtacacs
    The HWTACACS authentication mode is specified.
    By default, local authentication is used. The names of local users are case-insensitive.
    To use local authentication as the backup, run the authentication-mode hwtacacs [ local | local-case ] command.
  - (Optional) Run authentication-super { hwtacacs | radius | super } * [ none ]
    The authentication mode for upgrading user levels is specified.
    The default mode is super (local authentication).
  - Run quit
    The AAA view is displayed.
  - (Optional) Configure the account locking function.
    - Run remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time
      The remote AAA authentication account locking function is enabled, and the authentication retry interval, maximum number of consecutive authentication failures, and account locking period are configured.
      By default, the remote AAA account locking function is enabled, the authentication retry interval is 50 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 5 minutes.
    - Run aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>
      A user is configured to access the network using a specified IP address if the user account is locked.
      By default, a user cannot access the network if the user account is locked.
      You can run the display aaa-quiet administrator except-list command to query the specified IP addresses.
    - Run remote-user authen-fail unblock { all | username username }
      A remote AAA authentication account that has failed authentication is unlocked.
  - (Optional) Run security-name enable
    The security string function is enabled.
    By default, the security string function is enabled.
  - (Optional) Run security-name-delimiter delimiter
    A security string delimiter is set.
    The default security string delimiter is * (asterisk).
  - (Optional) Run domainname-parse-direction { left-to-right | right-to-left }
    The direction in which the user name and domain name are parsed is specified.
    By default, a domain name is parsed from left to right.
  - Run quit
    The system view is displayed.
  - (Optional) Run aaa-authen-bypass enable time time-value
    The bypass authentication duration is set.
    By default, the bypass authentication function is disabled.
- Configure an authorization scheme.
  - Run system-view
    The system view is displayed.
  - Run aaa
    The AAA view is displayed.
  - Run authorization-scheme authorization-scheme-name
    An authorization scheme is created and the authorization scheme view is displayed, or the view of an existing authorization scheme is displayed.
    By default, an authorization scheme named default is available on the device. The default authorization scheme can be modified but not deleted.
  - Run authorization-mode hwtacacs [ local | local-case ] [ none ]
    The authorization mode is specified.
    By default, local authorization is used. The names of local users are case-insensitive.
    If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.
  - (Optional) Run authorization-cmd privilege-level hwtacacs [ local ] [ none ]
    Command-line authorization is enabled for users at a certain level.
    By default, command-line authorization is disabled for users at a certain level.
    If command-line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.
  - Run quit
    The AAA view is displayed.
  - Run quit
    The system view is displayed.
  - (Optional) Run aaa-author-bypass enable time time-value
    The bypass authorization duration is set.
    By default, bypass authorization is disabled.
  - (Optional) Run aaa-author-cmd-bypass enable time time-value
    The bypass command-line authorization duration is set.
    By default, bypass command-line authorization is disabled.
- Configure an accounting scheme.
  - Run system-view
    The system view is displayed.
  - Run aaa
    The AAA view is displayed.
  - Run accounting-scheme accounting-scheme-name
    An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.
    By default, the accounting scheme named default is available on the device. The default accounting scheme can be modified but not deleted.
  - Run accounting-mode hwtacacs
    The HWTACACS accounting mode is specified.
    The default accounting mode is none.
  - (Optional) Run accounting start-fail { offline | online }
    A policy for accounting-start failures is configured.
    By default, users cannot go online if accounting-start fails.
  - (Optional) Run accounting realtime interval
    Real-time accounting is enabled and the accounting interval is set.
    By default, real-time accounting is disabled. The device performs accounting for users based on their online duration.
  - (Optional) Run accounting interim-fail [ max-times times ] { offline | online }
    The maximum number of real-time accounting failures is set, and a policy is specified for the device if the maximum number of real-time accounting attempts fail.
    The default maximum number of real-time accounting failures is 3. The device will keep the users online if three real-time accounting attempts fail.
----End
Configuring an HWTACACS Server Template
Context
When configuring an HWTACACS server template, you must specify the IP address, port number, and shared key of a specified HWTACACS server. Other settings, such as the HWTACACS user name format and traffic unit, have default values and can be modified based on network requirements.
The HWTACACS server template settings such as the HWTACACS user name format and shared key must be the same as those on the HWTACACS server.
Procedure
- Run system-view
The system view is displayed.
- Run hwtacacs enable
HWTACACS is enabled.
By default, HWTACACS is enabled.
- Run hwtacacs-server template template-name
An HWTACACS server template is created and the HWTACACS server template view is displayed.
By default, no HWTACACS server template is configured on the device.
- Configure HWTACACS authentication, authorization, and accounting servers.
  - Configure an HWTACACS authentication server: hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ]
    By default, no HWTACACS authentication server is configured.
  - Configure an HWTACACS authorization server: hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ]
    By default, no HWTACACS authorization server is configured.
  - Configure an HWTACACS accounting server: hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ]
    By default, no HWTACACS accounting server is configured.
- Set parameters for interconnection between the device and an HWTACACS server.
  - Set the shared key for the HWTACACS server: hwtacacs-server shared-key cipher key-string
    By default, no shared key is set for an HWTACACS server.
  - (Optional) Configure the format of the user name in the packet sent by the device to the HWTACACS server:
    - Configure the user name to contain the domain name: hwtacacs-server user-name domain-included
    - Configure the original user name: hwtacacs-server user-name original
    - Configure the user name not to contain the domain name: undo hwtacacs-server user-name domain-included
    By default, the device does not change the user name entered by the user when sending packets to the HWTACACS server.
  - (Optional) Set the HWTACACS traffic unit: hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
    The default HWTACACS traffic unit on the device is bytes.
  - (Optional) Set the source IP address for communication between the device and the HWTACACS server: hwtacacs-server source-ip { ip-address | source-loopback interface-number }
    By default, the device uses the IP address of the actual outbound interface as the source IP address encapsulated in HWTACACS packets.
- (Optional) Set the response timeout interval and activation interval for the HWTACACS server.
  - Set the response timeout interval for the HWTACACS server: hwtacacs-server timer response-timeout interval
    The default response timeout interval for an HWTACACS server is 5 seconds.
    If the device does not receive a response packet from an HWTACACS server within the response timeout interval, it considers that the HWTACACS server is unreachable and then tries other authentication and authorization methods.
  - Set the interval for the primary HWTACACS server to restore to the active state: hwtacacs-server timer quiet interval
    The default interval for the primary HWTACACS server to restore to the active state is 5 minutes.
- Run quit
The system view is displayed.
- (Optional) Run hwtacacs-server accounting-stop-packet resend { disable | enable number }
Retransmission of accounting-stop packets is enabled and the number of packets that can be retransmitted each time is specified.
By default, retransmission of accounting-stop packets is enabled, and 100 accounting-stop packets can be retransmitted each time.
- Run return
The user view is displayed.
- (Optional) Run hwtacacs-user change-password hwtacacs-server template-name
The password saved on the HWTACACS server is changed.
NOTE:
To ensure device security, you are advised to frequently change the password.
(Optional) Configuring a Service Scheme
Context
Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.
When the device runs in NAC common mode, only the administrator level (admin-user privilege level), the limit on users sharing one user name (access-limit user-name max-num), and the redirection ACL (redirect-acl) can be configured in a service scheme; the other commands in this procedure are not available in that mode.
Procedure
- Run system-view
The system view is displayed.
- Run aaa
The AAA view is displayed.
- Run service-scheme service-scheme-name
A service scheme is created and the service scheme view is displayed.
By default, no service scheme is configured on the device.
- Run admin-user privilege level level
The user is configured as the administrator and the administrator level for login is specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
- Configure server information.
Step | Command | Remarks
---|---|---
Configure a DHCP server group. | dhcp-server group group-name | By default, no DHCP server group is configured in a service scheme.
Configure the IP address of the primary DNS server. | dns ip-address | By default, no primary DNS server is configured in a service scheme.
Configure the IP address of the secondary DNS server. | dns ip-address secondary | By default, no secondary DNS server is configured in a service scheme.
Configure the primary WINS server. | wins ip-address | By default, no primary WINS server is configured in a service scheme.
Configure the secondary WINS server. | wins ip-address secondary | By default, no secondary WINS server is configured in a service scheme.
- Run ip-pool pool-name [ move-to new-position ]
An IP address pool is bound to the service scheme or an existing IP address pool is moved.
By default, no IP address pool is bound to a service scheme.
NOTE:
Ensure that the IP address pool has been configured before running this command.
- Run policy-route next-hop-ip-address [ vlan-id ]
Policy-based routing (PBR) is configured in the service scheme.
By default, PBR is not configured in a service scheme.
- Run redirect-acl { acl-number | name acl-name }
The ACL used for redirection is configured in the service scheme.
By default, no ACL used for redirection is configured in a service scheme.
- Run idle-cut idle-time flow-value [ inbound | outbound ]
The idle-cut function is enabled for domain users and the idle-cut parameters are set.
By default, the idle-cut function is disabled for domain users.
NOTE:
The idle-cut command in the service scheme view applies only to common (wireless) users. To apply idle-cut to administrators, run the local-user idle-timeout command in the AAA view for local authentication, or use RADIUS attribute 28 (Idle-Timeout) for RADIUS authentication.
- Run access-limit user-name max-num number
The maximum number of users who are allowed to access the network using the same user name is configured.
By default, the number of users who are allowed to access the network using the same user name is not limited, and is determined by the maximum number of access users supported by the device.
NOTE:
Only users who are successfully authenticated support the configurations for limiting the number of access users based on the same user name, and pre-connection users do not support such configurations.
- Run priority priority-value
The user priority is configured in the service scheme.
By default, the user priority is 0.
NOTE:
This function takes effect only for wireless users.
- Configure network access control parameters in the service scheme.
- Run acl-id acl-number
An ACL is bound to the service scheme.
By default, no ACL is bound to a service scheme.
NOTE:
Before running this command, ensure that an ACL has been created using the acl or acl name command and ACL rules have been configured using the rule command.
When several access policies apply to the same user, they take effect in the following order, from highest to lowest priority:
- ACL number delivered by the RADIUS server
- ACL number configured on the local device
- ACL rule delivered by the RADIUS server through the attribute HW-Data-Filter (26-82)
- User group delivered by the RADIUS server
- User group configured on the local device
- UCL group delivered by the RADIUS server
- UCL group configured on the local device
The RADIUS server delivers the ACL number, user group, and UCL group through the standard attribute Filter-Id (11).
- Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the user category has been created and configured.
- Run user-vlan vlan-id
A user VLAN is configured in the service scheme.
By default, no user VLAN is configured in a service scheme.
Before running this command, ensure that a VLAN has been created using the vlan command.
- Run voice-vlan
The voice VLAN function is enabled in the service scheme.
By default, the voice VLAN function is disabled in a service scheme.
To make this configuration take effect, ensure that a VLAN has been specified as the voice VLAN using the link command and the voice VLAN function has been enabled on the interface.
- Run qos-profile profile-name
A QoS profile is bound to the service scheme.
By default, no QoS profile is bound to a service scheme.
Before running this command, ensure that a QoS profile has been configured. The procedure for configuring a QoS profile is as follows:
NOTE:
Among all parameters in the QoS profile bound to the service scheme, only the parameters configured using the following commands take effect.
- In the system view, run qos-profile name profile-name
A QoS profile is created and the QoS profile view is displayed.
- Configure traffic policing and packet processing priority in the QoS profile view.
- Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.
- Run remark dscp dscp-value { inbound | outbound }
The action of re-marking DSCP priorities of IP packets is configured in the QoS profile.
By default, the action of re-marking DSCP priorities of IP packets is not configured in a QoS profile.
- Run remark 8021p 8021p-value
The action of re-marking 802.1p priorities of VLAN packets is configured in the QoS profile.
By default, the action of re-marking 802.1p priorities of VLAN packets is not configured in a QoS profile.
- Run user-queue pir pir-value [ flow-queue-profile flow-queue-profile-name ] [ flow-mapping-profile flow-mapping-profile-name ]
A user queue is created in the QoS profile to implement HQoS scheduling.
By default, no user queue is configured in a QoS profile.
- Run acl-id acl-number
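Two service schemes built from the steps above, one for administrators and one for common access users. This is an added example, not configuration from the original guide: the scheme names admin-svc and guest-svc, the QoS profile guest-qos, the DNS addresses, ACL 3001 and VLAN 100 are assumed, and the ACL and VLAN are taken to exist already (the acl, rule and vlan commands are not shown). Lines starting with # are annotations, not commands.

```text
<HUAWEI> system-view
# QoS profile for the access-user scheme. Of everything a QoS profile can hold, only car,
# remark dscp, remark 8021p and user-queue take effect when the profile is bound to a service scheme.
[HUAWEI] qos-profile name guest-qos
[HUAWEI-qos-guest-qos] car cir 2000 pir 4000 inbound
[HUAWEI-qos-guest-qos] remark dscp 8 outbound
[HUAWEI-qos-guest-qos] quit
[HUAWEI] aaa
# Administrator scheme: the login level is the only item that matters for management users.
[HUAWEI-aaa] service-scheme admin-svc
[HUAWEI-aaa-service-admin-svc] admin-user privilege level 15
[HUAWEI-aaa-service-admin-svc] quit
# Access-user scheme: name resolution, traffic filter, VLAN, QoS and session limits.
[HUAWEI-aaa] service-scheme guest-svc
[HUAWEI-aaa-service-guest-svc] dns 10.0.0.53
[HUAWEI-aaa-service-guest-svc] dns 10.0.0.54 secondary
# ACL 3001 (assumed to exist with rules) restricts what these users may reach; a RADIUS-delivered
# ACL number would override it.
[HUAWEI-aaa-service-guest-svc] acl-id 3001
[HUAWEI-aaa-service-guest-svc] user-vlan 100
[HUAWEI-aaa-service-guest-svc] qos-profile guest-qos
# Drop a wireless user after 15 minutes with under 1024 bytes of inbound traffic.
[HUAWEI-aaa-service-guest-svc] idle-cut 15 1024 inbound
# At most two simultaneous sessions per user name; blocks one shared credential fanning out.
[HUAWEI-aaa-service-guest-svc] access-limit user-name max-num 2
[HUAWEI-aaa-service-guest-svc] quit
[HUAWEI-aaa] quit
[HUAWEI] display service-scheme name guest-svc
```

Level 15 is the top of the 0 to 15 range; grant the lowest level the operator's job needs and rely on HWTACACS command-line authorization for the rest. Neither scheme does anything until a domain applies it, which the next procedure covers.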
Applying AAA Schemes to a Domain
Context
The created authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template are in effect only when they are applied to a domain.
Procedure
- Run system-view
The system view is displayed.
- Run aaa
The AAA view is displayed.
- Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing domain is displayed.
The device has two default domains:
- default: Used by common access users
- default_admin: Used by administrators
NOTE:
- If a user enters a user name without a domain name, the user is authenticated in the global default domain. To make a domain you created the default, run the domain domain-name [ admin ] command in the AAA view with domain-name set to that domain; with the admin keyword the command sets the default domain for administrators, without it the default domain for common access users.
- If a user enters a user name that contains a domain name, the domain name must match an existing domain-name exactly.
- Apply AAA schemes to the domain.
Procedure | Command | Description
---|---|---
Apply an authentication scheme to the domain. | authentication-scheme scheme-name | By default, the authentication scheme default is applied to the default_admin domain, and the authentication scheme named radius is applied to the default domain and all other domains. A domain for HWTACACS users therefore needs an authentication scheme whose mode is hwtacacs applied explicitly.
Apply an authorization scheme to the domain. | authorization-scheme authorization-scheme-name | By default, no authorization scheme is applied to a domain.
Apply an accounting scheme to the domain. | accounting-scheme accounting-scheme-name | By default, the accounting scheme default is applied to a domain; it uses non-accounting and has real-time accounting disabled.
- Apply a service scheme and an HWTACACS server template to the domain.
Procedure | Command | Description
---|---|---
(Optional) Apply a service scheme to the domain. | service-scheme service-scheme-name | By default, no service scheme is applied to a domain.
Apply an HWTACACS server template to the domain. | hwtacacs-server template-name | By default, no HWTACACS server template is applied to a domain.
- (Optional) Configure other functions for the domain.
Procedure | Command | Description
---|---|---
Specify the domain state. | state { active \| block [ time-range time-name &<1–4> ] } | When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.
Apply a user group to the domain. | user-group group-name | By default, no user group is applied to a domain.
- (Optional) Run statistic enable
Traffic statistics collection is enabled for users in the domain.
By default, traffic statistics collection is disabled for users in a domain.
- (Optional) Configure a domain name parsing scheme. Parsing can be configured in the AAA view and in the authentication profile view. If both are configured, the device uses the configuration in the authentication profile, which applies only to wireless users.

AAA view

Procedure | Command | Description
---|---|---
Exit from the domain view. | quit | -
Specify the domain name parsing direction. | domainname-parse-direction { left-to-right \| right-to-left } | The domain name can be parsed from left to right or from right to left. By default, the domain name is parsed from left to right.
Set the domain name delimiter. | domain-name-delimiter delimiter | A domain name delimiter can be any of the following: \ / : < > \| @ ' %. The default domain name delimiter is @.
Specify the domain name location. | domain-location { after-delimiter \| before-delimiter } | The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.
Set the security string delimiter. | security-name-delimiter delimiter | The default security string delimiter is * (asterisk).

Authentication profile view

Procedure | Command | Description
---|---|---
Exit from the AAA view. | quit | -
Create an authentication profile and enter the authentication profile view. | authentication-profile name authentication-profile-name | By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
Specify the domain name parsing direction. | domainname-parse-direction { left-to-right \| right-to-left } | The domain name can be parsed from left to right or from right to left. By default, the domain name parsing direction is not specified.
Set the domain name delimiter. | domain-name-delimiter delimiter | A domain name delimiter can be any of the following: \ / : < > \| @ ' %. By default, no domain name delimiter is set.
Specify the domain name location. | domain-location { after-delimiter \| before-delimiter } | The domain name can be placed before or after the delimiter. By default, the domain name location is not specified.
Set the security string delimiter. | security-name-delimiter delimiter | By default, no security string delimiter is set.
- (Optional) Specify a permitted domain for wireless users. (This step applies only to wireless users.)
Procedure | Command | Description
---|---|---
Return to the system view. | quit | -
Create an authentication profile and enter the authentication profile view. | authentication-profile name authentication-profile-name | By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
Specify a permitted domain for wireless users. | permit-domain name domain-name &<1-4> | By default, no permitted domain is specified for wireless users. Once a permitted domain is specified in an authentication profile, only users in a permitted domain can be authenticated, authorized, and accounted through that profile.
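The domain procedure above carried through for an administrator domain, ending with the display commands from the verification section. This is an added example, not configuration from the original guide: the scheme names tacacs-authen, tacacs-author and tacacs-acct and the domain name mgmt are assumed, and the HWTACACS template tacacs-tpl and service scheme admin-svc are assumed to have been created in the earlier procedures. Lines starting with # are annotations, not commands.

```text
<HUAWEI> system-view
[HUAWEI] aaa
# Schemes that send authentication, authorization and accounting to HWTACACS. Append "local" to
# authentication-mode only if an on-box break-glass account should work while every server is unreachable.
[HUAWEI-aaa] authentication-scheme tacacs-authen
[HUAWEI-aaa-authen-tacacs-authen] authentication-mode hwtacacs
[HUAWEI-aaa-authen-tacacs-authen] quit
[HUAWEI-aaa] authorization-scheme tacacs-author
[HUAWEI-aaa-author-tacacs-author] authorization-mode hwtacacs
[HUAWEI-aaa-author-tacacs-author] quit
[HUAWEI-aaa] accounting-scheme tacacs-acct
[HUAWEI-aaa-accounting-tacacs-acct] accounting-mode hwtacacs
[HUAWEI-aaa-accounting-tacacs-acct] quit
# The domain ties the schemes, the server template and the service scheme together;
# none of them does anything until this step.
[HUAWEI-aaa] domain mgmt
[HUAWEI-aaa-domain-mgmt] authentication-scheme tacacs-authen
[HUAWEI-aaa-domain-mgmt] authorization-scheme tacacs-author
[HUAWEI-aaa-domain-mgmt] accounting-scheme tacacs-acct
[HUAWEI-aaa-domain-mgmt] hwtacacs-server tacacs-tpl
[HUAWEI-aaa-domain-mgmt] service-scheme admin-svc
[HUAWEI-aaa-domain-mgmt] quit
# Administrators who type a bare user name now land in mgmt instead of default_admin,
# whose default authentication scheme does not use HWTACACS.
[HUAWEI-aaa] domain mgmt admin
# Parsing rules spelled out explicitly (these are the defaults): "alice@mgmt" yields
# user "alice" in domain "mgmt"; a name without "@" falls back to the default domain above.
[HUAWEI-aaa] domain-name-delimiter @
[HUAWEI-aaa] domain-location after-delimiter
[HUAWEI-aaa] domainname-parse-direction left-to-right
[HUAWEI-aaa] quit
[HUAWEI] display domain name mgmt
[HUAWEI] display hwtacacs-server template tacacs-tpl verbose
```

After a test login, the verbose template display is the check that matters: its authentication and authorization counters should have moved, which confirms that the login was handled by the HWTACACS schemes in mgmt rather than silently by the default domain.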
Verifying the HWTACACS AAA Configuration
Procedure
- Run the display aaa configuration command to check the AAA summary.
- Run the display authentication-scheme [ authentication-scheme-name ] command to verify the authentication scheme configuration.
- Run the display authorization-scheme [ authorization-scheme-name ] command to verify the authorization scheme configuration.
- Run the display accounting-scheme [ accounting-scheme-name ] command to verify the accounting scheme configuration.
- Run the display recording-scheme [ recording-scheme-name ] command to verify the recording scheme configuration.
- Run the display service-scheme [ name name ] command to verify the service scheme configuration.
- Run the display hwtacacs-server template [ template-name ] command to verify the HWTACACS server template configuration.
- Run the display hwtacacs-server template template-name verbose command to check statistics about HWTACACS authentication, accounting, and authorization.
- Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address } command to verify information about accounting-stop packets of the HWTACACS server.
- Run the display domain [ name domain-name ] command to verify the domain configuration.
- Run the display aaa statistics access-type-authenreq command to display the number of authentication requests.
- Run the display access-user user-name-table statistics { all | username username } command to check statistics on users who are allowed to access the network using the user name.