Example for Configuring the Primary and Secondary HWTACACS Servers

Networking Requirements

For the network shown in Figure 1, the customer requirements are as follows:

  • The HWTACACS server will authenticate access users for Switch. If HWTACACS authentication fails, local authentication is used.
  • The HWTACACS server will authorize access users for Switch. If HWTACACS authorization fails, local authorization is used.
  • HWTACACS accounting is used by Switch for access users.
  • Real-time accounting is performed every 3 minutes.
  • The IP addresses of primary and secondary HWTACACS servers are 10.7.66.66/24 and 10.7.66.67/24, respectively. The port number for authentication, accounting, and authorization is 49.
Figure 1 Networking diagram of HWTACACS authentication, accounting, and authorization

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an HWTACACS server template.
  2. Configure authentication, authorization, and accounting schemes.
  3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and accounting scheme to a domain.
  • Ensure that the devices are routable before the configuration.
  • Ensure that the shared key in the HWTACACS server template is the same as the one configured on the HWTACACS server.
  • If the HWTACACS server does not accept user names that contain the domain name, run the undo hwtacacs-server user-name domain-included command in the HWTACACS server template view to configure the device to send packets that do not contain the domain name to the HWTACACS server.
  • After a domain is set as the global default domain, a user whose user name carries the domain name, or carries no domain name at all, uses the AAA configuration of the global default domain.
  • After the undo hwtacacs-server user-name domain-included command is run, the device changes only the user name format in the sent packets; the domain to which the user belongs is not affected. For example, after this command is run, the user with the user name user@huawei.com still uses the AAA configuration of the domain named huawei.com.

Procedure

  1. Enable HWTACACS.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] hwtacacs enable

  2. Configure an HWTACACS server template.

    # Create an HWTACACS server template named ht.

    [Switch] hwtacacs-server template ht

    # Set the IP addresses and port numbers for the primary HWTACACS authentication, authorization, and accounting servers.

    [Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
    [Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
    [Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49

    # Set the IP addresses and port numbers for the secondary HWTACACS authentication, authorization, and accounting servers.

    [Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
    [Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
    [Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary

    # Set the shared key for the HWTACACS server.

    [Switch-hwtacacs-ht] hwtacacs-server shared-key cipher Huawei@2012
    [Switch-hwtacacs-ht] quit

  3. Configure authentication, authorization, and accounting schemes.

    # Create an authentication scheme named l-h. Configure the authentication scheme to use HWTACACS authentication as the active authentication mode and local authentication as the backup.

    [Switch] aaa
    [Switch-aaa] authentication-scheme l-h
    [Switch-aaa-authen-l-h] authentication-mode hwtacacs local
    [Switch-aaa-authen-l-h] quit

    # Create an authorization scheme named hwtacacs. Configure the authorization scheme to use HWTACACS authorization as the active authorization mode and local authorization as the backup.

    [Switch-aaa] authorization-scheme hwtacacs
    [Switch-aaa-author-hwtacacs] authorization-mode hwtacacs local
    [Switch-aaa-author-hwtacacs] quit

    # Create an accounting scheme named hwtacacs, and configure the accounting scheme to use the HWTACACS accounting mode. Configure a policy for the device to keep users online upon accounting-start failures.

    [Switch-aaa] accounting-scheme hwtacacs
    [Switch-aaa-accounting-hwtacacs] accounting-mode hwtacacs
    [Switch-aaa-accounting-hwtacacs] accounting start-fail online

    # Set the real-time accounting interval to 3 minutes.

    [Switch-aaa-accounting-hwtacacs] accounting realtime 3
    [Switch-aaa-accounting-hwtacacs] quit

  4. Create a domain named huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.

    [Switch-aaa] domain huawei
    [Switch-aaa-domain-huawei] authentication-scheme l-h
    [Switch-aaa-domain-huawei] authorization-scheme hwtacacs
    [Switch-aaa-domain-huawei] accounting-scheme hwtacacs
    [Switch-aaa-domain-huawei] hwtacacs-server ht
    [Switch-aaa-domain-huawei] quit
    [Switch-aaa] quit

  5. Configure local authentication.

    [Switch] aaa
    [Switch-aaa] local-user user1 password irreversible-cipher Huawei@123
    [Switch-aaa] local-user user1 service-type http
    [Switch-aaa] local-user user1 privilege level 15
    [Switch-aaa] quit

  6. Configure the global default domain for administrators.

    [Switch] domain huawei admin

  7. Verify the configuration.

    # Run the display hwtacacs-server template command on Switch to verify the HWTACACS server template configuration.

    [Switch] display hwtacacs-server template ht
      ---------------------------------------------------------------------------
      HWTACACS-server template name   : ht
      Primary-authentication-server   : 10.7.66.66:49 Vrf:- Status:UP
      Primary-authorization-server    : 10.7.66.66:49 Vrf:- Status:UP
      Primary-accounting-server       : 10.7.66.66:49 Vrf:- Status:UP
      Secondary-authentication-server : 10.7.66.67:49 Vrf:- Status:UP
      Secondary-authorization-server  : 10.7.66.67:49 Vrf:- Status:UP
      Secondary-accounting-server     : 10.7.66.67:49 Vrf:- Status:UP
      Third-authentication-server     : -:0 Vrf:- Status:-
      Third-authorization-server      : -:0 Vrf:- Status:-
      Third-accounting-server         : -:0 Vrf:- Status:-
      Current-authentication-server   : 10.7.66.66:49 Vrf:- Status:UP
      Current-authorization-server    : 10.7.66.66:49 Vrf:- Status:UP
      Current-accounting-server       : 10.7.66.66:49 Vrf:- Status:UP
      Source-IP-address               : -
      Source-LoopBack                 : -
      Shared-key                      : ****************
      Quiet-interval(min)             : 5
      Response-timeout-Interval(sec)  : 5
      Domain-included                 : Original
      Traffic-unit                    : B
      ---------------------------------------------------------------------------

    # Run the display domain command on Switch to verify the domain configuration.

    [Switch] display domain name huawei
    
      Domain-name                     : huawei
      Domain-state                    : Active
      Authentication-scheme-name      : l-h
      Accounting-scheme-name          : hwtacacs
      Authorization-scheme-name       : hwtacacs
      Service-scheme-name             : -
      RADIUS-server-template          : default
      HWTACACS-server-template        : ht
      User-group                      : -
      Push-url-address                : -
    

Configuration Files

Switch configuration file

#
sysname Switch
#
domain huawei admin
#
hwtacacs-server template ht
 hwtacacs-server authentication 10.7.66.66
 hwtacacs-server authentication 10.7.66.67 secondary
 hwtacacs-server authorization 10.7.66.66
 hwtacacs-server authorization 10.7.66.67 secondary
 hwtacacs-server accounting 10.7.66.66
 hwtacacs-server accounting 10.7.66.67 secondary
 hwtacacs-server shared-key cipher %^%#VznDEFI11##ZC>1@:=xUO^!OP~*<c1$FoD*zXPGJ%^%#
#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
  accounting start-fail online
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
 local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
 local-user user1 privilege level 15
 local-user user1 service-type http
#
return
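A saved configuration like the one above is what ends up in configuration backups, so it is also the natural place to verify that the HWTACACS template, the local fallback in the schemes, the 3-minute real-time accounting interval and the domain bindings are still in place. The following audit is an added example, not a Huawei tool: it parses the configuration file's indentation-based sections (one leading space per nesting level) and lists the required lines that are missing. SAMPLE_CONFIG is constructed from the configuration file shown above, with the shared-key ciphertext replaced by a placeholder.

```python
# Added example (not a Huawei tool); SAMPLE_CONFIG is constructed from this page's configuration file.
SAMPLE_CONFIG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 10.7.66.66
 hwtacacs-server authentication 10.7.66.67 secondary
 hwtacacs-server authorization 10.7.66.66
 hwtacacs-server authorization 10.7.66.67 secondary
 hwtacacs-server accounting 10.7.66.66
 hwtacacs-server accounting 10.7.66.67 secondary
 hwtacacs-server shared-key cipher %^%#REDACTED-CIPHERTEXT%^%#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting realtime 3
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
"""

def block(config_text, header):
    """Lines nested under the first line equal to `header`; VRP indents one space per level."""
    out, depth = [], None
    for line in filter(str.strip, config_text.splitlines()):
        indent = len(line) - len(line.lstrip(' '))
        if depth is None:
            depth = indent if line.strip() == header else None
        elif indent <= depth:
            break
        else:
            out.append(line.strip())
    return out

def audit(config_text):
    """Missing required settings (empty list means compliant); a wanted line ending in ' ' is a prefix."""
    checks = [('hwtacacs-server template ht', f'hwtacacs-server {svc} {ip}{role}')
              for svc in ('authentication', 'authorization', 'accounting')
              for ip, role in (('10.7.66.66', ''), ('10.7.66.67', ' secondary'))]
    checks += [('hwtacacs-server template ht', 'hwtacacs-server shared-key cipher '),  # ciphertext varies
               ('authentication-scheme l-h', 'authentication-mode hwtacacs local'),
               ('authorization-scheme hwtacacs', 'authorization-mode hwtacacs local'),
               ('accounting-scheme hwtacacs', 'accounting realtime 3')]
    checks += [('domain huawei', w) for w in ('authentication-scheme l-h',
               'authorization-scheme hwtacacs', 'accounting-scheme hwtacacs', 'hwtacacs-server ht')]
    return [f'{sec}: {w}' for sec, w in checks
            if not any(l == w or (w.endswith(' ') and l.startswith(w)) for l in block(config_text, sec))]
```

audit(SAMPLE_CONFIG) returns an empty list for the configuration above; removing the local fallback from the authentication scheme or dropping the secondary accounting server produces one finding per missing line.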
Copyright © Huawei Technologies Co., Ltd.