Configuring RADIUS and HWTACACS

Introduction

Huawei campus switches support RADIUS- and HWTACACS-based authentication, authorization, and accounting (AAA). This document describes how to configure these functions.

Prerequisites

This document uses Huawei S5700 series switches as an example to describe how to configure RADIUS and HWTACACS AAA. There may be differences in the implementation of different switch models and versions. Please refer to the product documentation of a specific version.

Configuring RADIUS AAA

The following describes how to configure RADIUS AAA. RADIUS accounting is not mandatory, and is configured only when users have accounting requirements or accounting packets are used for user information statistics collection.

  1. Configure an AAA scheme.

    In the authentication scheme, set the authentication mode to RADIUS authentication. In the accounting scheme, set the accounting mode to RADIUS accounting.

    RADIUS authentication and authorization functions cannot be separated. Once a user passes authentication, the user is successfully authorized. Therefore, you do not need to configure an authorization scheme.

    NOTE:
    • You are advised to set the local authentication mode as the backup authentication mode so that users can still be authenticated and go online if the RADIUS server is faulty. In this case, you need to configure a local user on the switch. For details, see step 3.
    • The switch does not support local accounting. If local authentication is specified in the authentication scheme, the policy for accounting-start failures must be set to "allowing users to go online if accounting-start fails".
    #
    aaa
     authentication-scheme rad1
      authentication-mode radius local  
     accounting-scheme rad1 
      accounting-mode radius
      accounting start-fail online 
    #          

  2. Configure a RADIUS server template.

    In the server template, specify the IP address, port number, and shared key of the RADIUS server connected to the switch. The configuration on the switch must be the same as that on the RADIUS server.

    # 
    radius-server template t1 
     radius-server shared-key cipher %^%#wPPdHk[4q=4%I@XG|VE-:vg+I'-QC6-LlAE~Q&k;%^%#
     radius-server authentication 10.1.1.1 1812 weight 80
     radius-server accounting 10.1.1.1 1813 weight 80
    # 
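The shared key in the template is what ties the switch to the server: RFC 2865 uses it to hide the User-Password attribute in the Access-Request and to compute the Response Authenticator that the client checks on every reply, and a reply that fails that check is silently discarded, so a key mismatch shows up as a timeout rather than an explicit error. The following Python simulation is an added example, not Huawei code or configuration; it carries one Access-Request/Access-Accept exchange through both sides with constructed keys, user name and password, and shows that with mismatched keys the server recovers an unusable password and the switch rejects the reply. Both operations rest on MD5 and a static secret, which is why RADIUS traffic belongs on a management network that untrusted hosts cannot observe.

```python
"""RFC 2865 shared-key operations between a RADIUS client (the switch) and a server.

Added example, not Huawei code. Keys, user name and password below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute (RFC 2865 section 5)."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(body: bytes) -> dict:
    """Inverse of attribute(); rejects a length field that would loop forever."""
    attrs, i = {}, 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and XOR
    each block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password(); a wrong secret yields garbage."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(c ^ k for c, k in zip(block, keystream)), block
    return plain.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client check: recompute the Response Authenticator with the local key and
    compare in constant time. A failure means the reply is silently discarded."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def exchange(switch_key: bytes, server_key: bytes, password: bytes = b"Password1") -> bool:
    """One Access-Request/Access-Accept round trip with each side using its own key.
    Returns True only when the switch accepts the reply, i.e. the keys match."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, b"user1") + attribute(
        ATTR_USER_PASSWORD, hide_password(password, switch_key, request_auth))
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)

    # Server side: parse the request, recover the password, decide, sign the reply.
    identifier, req_auth = request[1], request[4:20]
    recovered = reveal_password(parse_attributes(request[20:])[ATTR_USER_PASSWORD],
                                server_key, req_auth)
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    reply = build_packet(code, identifier,
                         response_authenticator(code, identifier, b"", req_auth, server_key), b"")

    # Switch side: accept only a verified Access-Accept.
    return code == ACCESS_ACCEPT and verify_response(reply, request_auth, switch_key)


if __name__ == "__main__":
    print("matching keys  :", exchange(b"s3cret", b"s3cret"))     # True
    print("mismatched keys:", exchange(b"s3cret", b"different"))  # False
```

The Request Authenticator is fresh per request, so the same password hides to different bytes each time; the Response Authenticator covers the whole reply, so any attribute the server adds (or anyone alters in transit) invalidates it under the switch's key.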

  3. Configure a local user. (This step is required when the local authentication mode is set to backup authentication.)

    Configure the user name, password, level, and service type of the local user.

    The local user password is displayed in cipher text in the configuration file. The default local user level is 0. The local user level is in the range from 0 to 15.

    By default, the local user named admin exists in the system. The password, level, and service type of the user are admin@huawei.com, 15, and http and terminal, respectively.
    #
    local-user user1 password irreversible-cipher $1a$~p]oP2VS:9$[._-/`)oN$5*l\2~IqR=g}g0%kay+H~vlLF/g<^A$ 
    local-user user1 privilege level 15
    local-user user1 service-type telnet 
    #

  4. Configure a domain.

    Configure the domain to which the user belongs and bind the AAA scheme and RADIUS server template to the domain.

    #
    domain huawei 
     authentication-scheme rad1
     accounting-scheme rad1
     radius-server t1
    # 

Configuring HWTACACS AAA

HWTACACS is compatible with Cisco TACACS+. When functioning as HWTACACS clients, Huawei switches can interconnect with TACACS+ servers to implement AAA. For example, an HWTACACS-enabled Huawei device can interconnect with a Cisco server (such as the ACS), but HWTACACS may not be compatible with some Cisco proprietary attributes, because different vendors may define proprietary attributes differently.

The following describes how to configure HWTACACS AAA. HWTACACS accounting is optional and needs to be configured only when users have accounting requirements or accounting packets are used for user information statistics collection.

  1. Configure an AAA scheme.

    In the AAA scheme, set the authentication mode, authorization mode, and accounting mode to HWTACACS.

    HWTACACS authentication, authorization, and accounting functions are independent of each other, and can be configured on different servers. Typically, these functions are configured on the same server.

    NOTE:
    • You are advised to set the local authentication mode and local authorization mode as the backup authentication and backup authorization modes respectively, so that users can still be authenticated and go online if the HWTACACS server is faulty. In this case, you need to configure a local user on the switch. For details, see step 3.
    • The switch does not support local accounting. If local authentication is specified in the authentication scheme, the policy for accounting-start failures must be set to "allowing users to go online if accounting-start fails".
    #
    aaa
     authentication-scheme tac1
      authentication-mode hwtacacs local  
     authorization-scheme tac1 
      authorization-mode hwtacacs local
     accounting-scheme tac1 
      accounting-mode hwtacacs
      accounting start-fail online 
    #  

  2. Configure an HWTACACS server template.

    In the server template, specify the IP address, port number, and shared key of the HWTACACS server connected to the switch. The configuration on the switch must be the same as that on the HWTACACS server. The default port number is 49.

    #
    hwtacacs-server template t1 
     hwtacacs-server authentication 10.1.1.2 
     hwtacacs-server authorization 10.1.1.2 
     hwtacacs-server accounting 10.1.1.2 
     hwtacacs-server shared-key cipher %^%#!~;V,L$O!#P7jD#k]wgL)ChiX74XR-)jn.:m={!<%^%#
    # 

  3. Configure a local user. This step is required when the local authentication mode is set to backup authentication.

    Configure the user name, password, level, and service type of the local user.

    The local user password is displayed in cipher text in the configuration file. The default local user level is 0. The local user level is in the range from 0 to 15.

    By default, the local user named admin exists in the system. The password, level, and service type of the user are admin@huawei.com, 15, and http and terminal, respectively.
    #
    local-user user1 password irreversible-cipher $1a$~p]oP2VS:9$[._-/`)oN$5*l\2~IqR=g}g0%kay+H~vlLF/g<^A$ 
    local-user user1 privilege level 15
    local-user user1 service-type telnet 
    #

  4. Configure CLI-based authorization.

    HWTACACS can provide CLI-based authorization for administrators. Typically, an administrator of a certain level can run commands of this level or lower. After the CLI-based authorization function is configured for an administrator of a level, each command executed by the administrator needs to be authorized by the HWTACACS server.
    NOTE:

    If the undo authorization-cmd command is run after the CLI-based authorization function is applied, the administrator will fail to run any command except the quit command. The administrator needs to log in again.

    #
    aaa
     authorization-scheme tac1
      authorization-mode hwtacacs local
      authorization-cmd 15 hwtacacs local
    #

  5. Configure a domain.

    Configure the domain to which the user belongs and bind the AAA scheme and HWTACACS server template to the domain.

    #
    domain huawei
     authentication-scheme tac1
     authorization-scheme tac1
     accounting-scheme tac1
     hwtacacs-server t1
    #
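Both domain steps (RADIUS step 4 and HWTACACS step 5) tie together objects whose names are independent: schemes under `aaa`, server templates, and the domain that binds them. A RADIUS and an HWTACACS template can both be called t1, so a domain whose schemes use HWTACACS but whose binding line says `radius-server` is accepted as syntax and only fails at login time. The Python checker below is an added example, not a Huawei tool; it parses configuration text in the `#`-separated, indentation-nested form shown in this document and applies the rules stated in the steps above: a local backup authentication mode together with RADIUS or HWTACACS accounting needs `accounting start-fail online`, shared keys should be stored as cipher text, and a domain must bind a server template of the kind its schemes use. SAMPLE_CONFIG is constructed with deliberate faults; its key values are placeholders, and the `simple` keyword for a plaintext key is assumed here rather than taken from this document.

```python
"""Consistency checks over Huawei-style AAA configuration text (added example, not Huawei code)."""
import re

# Constructed sample with deliberate faults; key values are placeholders, not real ciphertext.
SAMPLE_CONFIG = """\
#
aaa
 authentication-scheme rad1
  authentication-mode radius local
 accounting-scheme rad1
  accounting-mode radius
 authentication-scheme tac1
  authentication-mode hwtacacs local
 accounting-scheme tac1
  accounting-mode hwtacacs
  accounting start-fail online
#
radius-server template t1
 radius-server shared-key cipher %^%#CONSTRUCTED-CIPHERTEXT%^%#
#
hwtacacs-server template t1
 hwtacacs-server authentication 10.1.1.2
 hwtacacs-server shared-key simple ConstructedPlainKey
#
domain huawei
 authentication-scheme rad1
 accounting-scheme rad1
 radius-server t1
#
domain mgmt
 authentication-scheme tac1
 accounting-scheme tac1
 radius-server t1
#
"""
SCHEME_RE = re.compile(r"(authentication|authorization|accounting)-scheme (\S+)$")

def parse_blocks(text):
    """Split on '#' lines into blocks of (indent, command); indentation is the hierarchy."""
    blocks, current = [], []
    for raw in text.splitlines():
        if raw.strip() == "#":
            blocks, current = blocks + ([current] if current else []), []
        elif raw.strip():
            current.append((len(raw) - len(raw.lstrip(" ")), raw.strip()))
    return blocks + ([current] if current else [])

def children_of(block, index):
    # Commands nested directly under block[index] (one indentation level deeper).
    parent, nested = block[index][0], []
    for indent, cmd in block[index + 1:]:
        if indent <= parent:
            break
        nested.append((indent, cmd))
    level = min((i for i, _ in nested), default=None)
    return [cmd for i, cmd in nested if i == level]

def extract(text):
    """Schemes keyed by (type, name), templates by (kind, name), domains by name."""
    schemes, templates, domains = {}, {}, {}
    for block in parse_blocks(text):
        head = block[0][1]
        if head == "aaa":
            for i, (_, cmd) in enumerate(block):
                if m := SCHEME_RE.match(cmd):
                    schemes[m.groups()] = children_of(block, i)
        elif m := re.match(r"(radius|hwtacacs)-server template (\S+)$", head):
            templates[m.groups()] = children_of(block, 0)
        elif m := re.match(r"domain (\S+)$", head):
            domains[m.group(1)] = children_of(block, 0)
    return schemes, templates, domains

def modes_of(schemes, stype, name):
    """Words after '<type>-mode' in a scheme, e.g. ['radius', 'local']."""
    for cmd in schemes.get((stype, name), []):
        if m := re.match(rf"{stype}-mode (.+)$", cmd):
            return m.group(1).split()
    return []

def audit(text):
    findings, (schemes, templates, domains) = [], extract(text)
    for (kind, name), cmds in templates.items():
        if any("shared-key" in c and " cipher " not in f" {c} " for c in cmds):
            findings.append(f"{kind} template {name}: shared key is not stored as cipher text")
    for dname, cmds in domains.items():
        bound = dict(m.groups() for c in cmds if (m := SCHEME_RE.match(c)))
        bound_kinds = {m.group(1) for c in cmds if (m := re.match(r"(radius|hwtacacs)-server \S+$", c))}
        used = {mode for stype, sname in bound.items() for mode in modes_of(schemes, stype, sname)}
        for proto in ("radius", "hwtacacs"):
            if proto in used and proto not in bound_kinds:
                findings.append(f"domain {dname}: schemes use {proto} but no {proto} server template is bound")
        # Rule from the NOTE: local backup authentication plus remote accounting needs start-fail online.
        acct = bound.get("accounting")
        if ("local" in modes_of(schemes, "authentication", bound.get("authentication")) and acct
                and set(modes_of(schemes, "accounting", acct)) & {"radius", "hwtacacs"}
                and "accounting start-fail online" not in schemes.get(("accounting", acct), [])):
            findings.append(f"domain {dname}: accounting-scheme {acct} lacks 'accounting start-fail online'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run against the output of `display current-configuration` saved to a file, the same `audit()` call reports the three faults planted in the sample: the plaintext HWTACACS key, the RADIUS domain without the start-fail policy, and the HWTACACS domain that binds a RADIUS template. The parser keys templates by (kind, name) precisely because the two t1 templates in this document live in separate namespaces.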

Updated: 2019-07-23

Document ID: EDOC1100095727