
Configuring AAA Schemes

Context

To use HWTACACS authentication, authorization, and accounting, set the authentication mode in the authentication scheme, authorization mode in the authorization scheme, and accounting mode in the accounting scheme to HWTACACS.

When configuring HWTACACS authentication, you can configure local authentication or non-authentication as the backup. This allows local authentication to be implemented if HWTACACS authentication fails. When configuring HWTACACS authorization, you can configure local authorization or non-authorization as the backup.

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. These two authentication schemes can be modified but not deleted.

    4. Run authentication-mode hwtacacs

      The HWTACACS authentication mode is specified.

      By default, local authentication is used. The names of local users are case-insensitive.

      To use local authentication as the backup, run the authentication-mode hwtacacs [ local | local-case ] command.

    5. (Optional) Run undo server no-response accounting

      The device is configured not to send accounting packets when the server does not respond to a user's authentication request and the user is then authenticated using the local authentication mode.

      By default, when the accounting function is configured, the device does not send accounting packets when the server does not respond to a user's authentication request and the user is then authenticated using the local authentication mode.

    6. (Optional) Run authentication-super { hwtacacs | radius | super } * [ none ]

      The authentication mode for upgrading user levels is specified.

      The default mode is super (local authentication).

    7. Run quit

      The AAA view is displayed.

    8. (Optional) Configure the account locking function.

      1. Run the access-user remote authen-fail retry-interval retry-interval retry-time retry-time block-time block-time command to enable the account locking function for access users who fail remote authentication.

        Or: run the administrator remote authen-fail retry-interval retry-interval retry-time retry-time block-time block-time command to enable the account locking function for administrators who fail remote authentication.

        By default, the account locking function is disabled for access users who fail remote authentication, and the account locking function is enabled for administrators who fail remote authentication. The authentication retry interval is 5 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 5 minutes.

      2. Run aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>

        The specified IP addresses are exempted from account locking: a user whose account is locked can still access the device from these addresses.

        By default, a user cannot access the network if the user account is locked.

        You can run the display aaa-quiet administrator except-list command to query the specified IP addresses.

      3. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account that has failed authentication is unlocked.

    9. (Optional) Run security-name enable

      The security string function is enabled.

      By default, the security string function is enabled.

    10. (Optional) Run security-name-delimiter delimiter

      A security string delimiter is set.

      The default security string delimiter is * (asterisk).

    11. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the user name and domain name are parsed is specified.

      By default, a domain name is parsed from left to right.

    12. Run quit

      The system view is displayed.

    13. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication duration is set.

      By default, the bypass authentication function is disabled.

  • Configure an authorization scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      An authorization scheme is created and the authorization scheme view is displayed, or the view of an existing authorization scheme is displayed.

      By default, an authorization scheme named default is available on the device. The default authorization scheme can be modified but not deleted.

    4. Run authorization-mode hwtacacs [ local | local-case ] [ none ]

      The authorization mode is specified.

      By default, local authorization is used. The names of local users are case-insensitive.

      If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    5. (Optional) Run authorization-cmd privilege-level hwtacacs [ local ] [ none ]

      Command-line authorization is enabled for users at a certain level.

      By default, command-line authorization is disabled for users at a certain level.

      If command-line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    6. Run quit

      The AAA view is displayed.

    7. Run quit

      The system view is displayed.

    8. (Optional) Run aaa-author-bypass enable time time-value

      The bypass authorization duration is set.

      By default, the bypass authorization function is disabled.

    9. (Optional) Run aaa-author-cmd-bypass enable time time-value

      The bypass command-line authorization duration is set.

      By default, the bypass command-line authorization function is disabled.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      By default, the accounting scheme named default is available on the device. The default accounting scheme can be modified but not deleted.

    4. Run accounting-mode hwtacacs

      The HWTACACS accounting mode is specified.

      The default accounting mode is none.

    5. (Optional) Run accounting start-fail { offline | online }

      A policy for accounting-start failures is configured.

      By default, users cannot go online if accounting-start fails.

    6. (Optional) Run accounting realtime interval

      Real-time accounting is enabled and the accounting interval is set.

      By default, real-time accounting is disabled. The device performs accounting for users based on their online duration.

    7. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }

      The maximum number of consecutive real-time accounting failures is set, together with the policy the device applies (keep users online or take them offline) once that many attempts have failed.

      The default maximum number of real-time accounting failures is 3. The device will keep the users online if three real-time accounting attempts fail.
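The following is an added, end-to-end example that is not part of the original page: it strings the three procedures above into one configuration session and picks the settings a defender would choose. HWTACACS is the primary mode with local as the backup (not non-authentication, which the Context section notes would admit any user name or password), command-line authorization is enabled for level 15 users, accounting-start and interim-accounting failures take the user offline, and administrators who fail remote authentication are locked out. The scheme names (tac-authen, tac-author, tac-acct), the template name tac-tpl, the server address 10.0.0.5, the shared-key placeholder and the domain name admin are all assumed values. The hwtacacs-server template and domain commands that bind the schemes to a server are not described on this page; they are shown as they appear on Huawei devices so that the page's requirement "configure an HWTACACS server template and apply the template to the corresponding user domain" is visibly satisfied. Lines beginning with # are annotations, not commands.

```text
# --- Authentication scheme: HWTACACS first, local user database as backup ---
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme tac-authen
[HUAWEI-aaa-authen-tac-authen] authentication-mode hwtacacs local
[HUAWEI-aaa-authen-tac-authen] quit

# --- Authorization scheme: HWTACACS with local backup, no "none" fallback ---
[HUAWEI-aaa] authorization-scheme tac-author
[HUAWEI-aaa-author-tac-author] authorization-mode hwtacacs local
# Every command typed by a level-15 user is authorized by the server first
[HUAWEI-aaa-author-tac-author] authorization-cmd 15 hwtacacs local
[HUAWEI-aaa-author-tac-author] quit

# --- Accounting scheme: fail closed when the server cannot record the session ---
[HUAWEI-aaa] accounting-scheme tac-acct
[HUAWEI-aaa-accounting-tac-acct] accounting-mode hwtacacs
[HUAWEI-aaa-accounting-tac-acct] accounting start-fail offline
[HUAWEI-aaa-accounting-tac-acct] accounting realtime 15
[HUAWEI-aaa-accounting-tac-acct] accounting interim-fail max-times 3 offline
[HUAWEI-aaa-accounting-tac-acct] quit

# --- Lock administrators after 3 remote-authentication failures within 5 minutes,
#     for 10 minutes (assumed values; page defaults are 5 / 30 / 5) ---
[HUAWEI-aaa] administrator remote authen-fail retry-interval 5 retry-time 3 block-time 10
[HUAWEI-aaa] quit

# --- Server template and domain binding (commands not covered on this page) ---
[HUAWEI] hwtacacs-server template tac-tpl
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server authentication 10.0.0.5
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server authorization 10.0.0.5
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server accounting 10.0.0.5
[HUAWEI-hwtacacs-tac-tpl] hwtacacs-server shared-key cipher <SHARED-KEY-PLACEHOLDER>
[HUAWEI-hwtacacs-tac-tpl] quit
[HUAWEI] aaa
[HUAWEI-aaa] domain admin
[HUAWEI-aaa-domain-admin] authentication-scheme tac-authen
[HUAWEI-aaa-domain-admin] authorization-scheme tac-author
[HUAWEI-aaa-domain-admin] accounting-scheme tac-acct
[HUAWEI-aaa-domain-admin] hwtacacs-server tac-tpl
[HUAWEI-aaa-domain-admin] quit
[HUAWEI-aaa] quit
```

Two choices in this session deserve a word. First, the backup keyword in authentication-mode and authorization-mode is local rather than none, so that a server outage degrades to the local user database instead of to unauthenticated access. Second, accounting start-fail offline and accounting interim-fail max-times 3 offline reverse the page's defaults (users allowed online on start failure is not the default, but staying online after three interim failures is): sessions that cannot be recorded are terminated, which is the conservative choice when the accounting log is an audit trail. Verify the lockout exemptions afterwards with display aaa-quiet administrator except-list, as step 8 notes.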

Copyright © Huawei Technologies Co., Ltd.