
Example for Configuring HWTACACS+Local Authentication and User Level Authorization for Administrators

Network Requirements

As shown in Figure 1, an HWTACACS server is deployed on an enterprise network. The enterprise requires that the administrator log in to the device through STelnet.
  1. The administrator can log in to the device through STelnet only after entering a correct user name and password.
  2. After the administrator logs in to the device through STelnet, the privilege level 15 is authorized to the administrator.
  3. If the link between the device and server is disconnected, the administrator will be authenticated locally during a login to the device.

Figure 1 Network diagram

Configuration Roadmap

  1. Configure STelnet login on the switch: Set the authentication mode for VTY user interfaces to AAA, enable the STelnet service, and configure the authentication mode and service type for SSH users.
  2. Configure HWTACACS authentication on the switch: Create an HWTACACS server template, configure an AAA scheme, and configure a global default administrative domain.
  3. (Optional) Configure the mode in which the user privilege level is raised on the switch.
  4. Configure a local user on the switch.
  5. Configure an HWTACACS server.

Precautions

  • Ensure that there are reachable routes between devices.
  • Ensure that the shared key in the HWTACACS server template is the same as that configured on the HWTACACS server.

  • If the login account is created on the switch but not on the HWTACACS server, HWTACACS authentication will fail and local authentication will not be performed. Local authentication will be performed only when the HWTACACS server is Down or does not respond.
  • If the accounting mode is set to HWTACACS in an accounting scheme, the administrator will pass local authentication but fail to log in to the device because starting accounting will fail after the link between the device and server is disconnected. To prevent this problem, run the accounting start-fail online command in the accounting scheme view to allow users to go online after initial accounting fails.
  • When you run the super command to change a user privilege level to a lower level or the same level, no authentication is required. When you run the super command to change a user privilege level to a higher level, authentication is required. A user's privilege level can be raised only when the user is authenticated successfully.
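The first two precautions describe the order that authentication-mode hwtacacs local and accounting-mode hwtacacs impose: local authentication is consulted only when the server is Down or silent, never after an explicit reject, and a session survives a failed accounting start only with accounting start-fail online. The following Python model is added here to walk through those cases; it is not part of the Huawei documentation, and the user table, password and ServerResult states are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ServerResult(Enum):
    """What the HWTACACS server did with the authentication request."""
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no_response"  # server Down or request timed out


@dataclass
class Session:
    online: bool
    auth_method: str          # "HWTACACS" or "Local"
    privilege: Optional[int]  # level granted on login, None if refused
    reason: str


# Constructed stand-in for 'local-user user1 ... privilege level 15'.
LOCAL_USERS = {"user1": {"password": "Huawei@123", "privilege": 15}}


def login(user, password, server, *, server_privilege=10,
          local_users=LOCAL_USERS, start_fail_online=True):
    """Model 'authentication-mode hwtacacs local' + 'accounting-mode hwtacacs'."""
    # 1. HWTACACS is always tried first while the server answers.
    if server is ServerResult.ACCEPT:
        method, priv = "HWTACACS", server_privilege
    elif server is ServerResult.REJECT:
        # An explicit reject ends authentication: no local fallback,
        # even if the same account exists locally.
        return Session(False, "HWTACACS", None, "rejected by server")
    else:
        # Local fallback happens only when the server is Down/unresponsive.
        acct = local_users.get(user)
        if acct is None or acct["password"] != password:
            return Session(False, "Local", None, "local authentication failed")
        method, priv = "Local", acct["privilege"]
    # 2. Accounting start still goes to the HWTACACS server; when it is
    #    unreachable the user stays online only with 'accounting start-fail online'.
    if server is ServerResult.NO_RESPONSE and not start_fail_online:
        return Session(False, method, priv, "accounting start failed")
    return Session(True, method, priv, "ok")
```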

Procedure

  1. Configure STelnet login.

    # Generate a local DSA key pair on the switch, which acts as the SSH server.

    <HUAWEI> system-view 
    [HUAWEI] sysname Switch 
    [Switch] dsa local-key-pair create 
    Info: The key name will be: Switch_Host_DSA. 
    Info: The key modulus can be any one of the following : 1024, 2048. 
    Info: If the key modulus is greater than 512, it may take a few minutes. 
    Please input the modulus [default=2048]: 
    Info: Generating keys... 
    Info: Succeeded in creating the DSA host keys.

    # Set the authentication mode and protocol for accessing VTY user interfaces 0 to 14 to AAA and SSH, respectively.

    [Switch] user-interface vty 0 14 
    [Switch-ui-vty0-14] authentication-mode aaa 
    [Switch-ui-vty0-14] protocol inbound ssh
    [Switch-ui-vty0-14] quit

    # Enable the SSH server function on the device.

    [Switch] stelnet server enable 

    # Set the authentication mode of all SSH users to password authentication and the service type to STelnet.

    [Switch] ssh authentication-type default password

    If only some SSH users use password authentication and STelnet, specify the SSH user name to set the authentication mode and service type for that single user. For example, set the authentication mode and service type of the SSH user admin to password authentication and STelnet, respectively.

    [Switch] ssh user admin authentication-type password
    [Switch] ssh user admin service-type stelnet

  2. Configure HWTACACS authentication.

    # Configure an HWTACACS server template template1 on the device to enable the device to communicate with the HWTACACS server.

    [Switch] hwtacacs enable 
    [Switch] hwtacacs-server template template1 
    [Switch-hwtacacs-template1] hwtacacs-server authentication 10.1.6.6 49 
    [Switch-hwtacacs-template1] hwtacacs-server authorization 10.1.6.6 49 
    [Switch-hwtacacs-template1] hwtacacs-server accounting 10.1.6.6 49 
    [Switch-hwtacacs-template1] hwtacacs-server shared-key cipher Hello@1234 
    [Switch-hwtacacs-template1] quit

    # Configure an authentication scheme named sch1 and set the authentication mode to HWTACACS+local.

    [Switch] aaa 
    [Switch-aaa] authentication-scheme sch1
    [Switch-aaa-authen-sch1] authentication-mode hwtacacs local 
    [Switch-aaa-authen-sch1] quit

    # (Optional) Set the mode in which a user privilege level is raised to HWTACACS Super (HWTACACS authentication first, then the super password). Re-enter the authentication scheme view, since it was exited above.

    [Switch-aaa] authentication-scheme sch1
    [Switch-aaa-authen-sch1] authentication-super hwtacacs super
    [Switch-aaa-authen-sch1] quit

    # Configure an authorization scheme sch2 and set the authorization mode to HWTACACS+local.

    [Switch-aaa] authorization-scheme sch2 
    [Switch-aaa-author-sch2] authorization-mode hwtacacs local
    [Switch-aaa-author-sch2] quit

    # Configure an accounting scheme named sch3 and set the accounting mode to HWTACACS accounting.

    [Switch-aaa] accounting-scheme sch3 
    [Switch-aaa-accounting-sch3] accounting-mode hwtacacs 
    [Switch-aaa-accounting-sch3] accounting start-fail online 
    [Switch-aaa-accounting-sch3] quit

    # Reference the HWTACACS server template and AAA schemes to the domain huawei.com.

    [Switch-aaa] domain huawei.com 
    [Switch-aaa-domain-huawei.com] hwtacacs-server template1 
    [Switch-aaa-domain-huawei.com] authentication-scheme sch1 
    [Switch-aaa-domain-huawei.com] authorization-scheme sch2 
    [Switch-aaa-domain-huawei.com] accounting-scheme sch3 
    [Switch-aaa-domain-huawei.com] quit 
    [Switch-aaa] quit

    # Specify the domain huawei.com as a global default administrative domain.

    [Switch] domain huawei.com admin 

  3. Configure local authentication.

    # Set the local account to user1, password to Huawei@123, and privilege level to 15.

    [Switch] aaa
    [Switch-aaa] local-user user1 password irreversible-cipher Huawei@123
    [Switch-aaa] local-user user1 service-type ssh
    [Switch-aaa] local-user user1 privilege level 15
    [Switch-aaa] return

  4. Configure an HWTACACS server.

    The configuration includes adding a device, adding an administrator account, and setting the administrator level to 15.

    To allow raising the administrator's privilege level, you need to set the maximum privilege level to 15 on the server and enable the server to deliver the initial privilege level 10.

  5. Verify the configuration.

    • Check whether the administrator can successfully log in to the switch through STelnet.

      Enter the user name user1 and password Huawei@123 configured on the HWTACACS server. After the authentication succeeds, the user can log in to the switch through STelnet.

    • When the link between the switch and HWTACACS server is working properly, run the display access-user username user-name detail command on the switch to check information about the user user1.
      In the command output, the values of User access type, User Privilege, User authentication type, Current authentication method, Current authorization method, and Current accounting method indicate that the login mode is SSH, the privilege level is 10, the authentication type is administrator authentication, and the authentication, authorization, as well as accounting modes are HWTACACS.
      <Switch> display access-user username user1 detail
        ------------------------------------------------------------------------------  
                                                                                        
       Basic:                                                                           
         User ID                         : 11                                           
         User name                       : user1                                        
         Domain-name                     : huawei.com                                   
         User MAC                        : -                                            
         User IP address                 : 10.1.1.10                                
         User IPv6 address               : -                                            
         User access time                : 2019/07/10 09:15:02                          
         User accounting session ID      : huawei255255000000000f****2016009        
         Option82 information            : -                                            
         User access type                : SSH
         User Privilege                  : 10                                           
                                                                                        
       AAA:                                                                             
         User authentication type        : Administrator authentication
         Current authentication method   : HWTACACS
         Current authorization method    : HWTACACS
         Current accounting method       : HWTACACS
                                                                                        
        ------------------------------------------------------------------------------
    • Raise the administrator level from 10 to 15.
      <Switch> super 15
      Password:
      Now user privilege is 15 level, and only those commands whose level is equal to or less than this level can be used. 
      Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
    • When the link between the switch and HWTACACS server is disconnected, run the display access-user username user-name detail command on the switch to check information about the user user1.
      In the command output, the values of User access type, User Privilege, User authentication type, Current authentication method, Current authorization method, and Current accounting method indicate that the login mode is SSH, the privilege level is 15, the authentication type is administrator authentication, the authentication and authorization modes are local, and the accounting mode is HWTACACS.
      <Switch> display access-user username user1 detail
        ------------------------------------------------------------------------------  
                                                                                        
       Basic:                                                                           
         User ID                         : 11                                           
         User name                       : user1                                        
         Domain-name                     : huawei.com                                   
         User MAC                        : -                                            
         User IP address                 : 10.1.1.10                                
         User IPv6 address               : -                                            
         User access time                : 2019/07/10 09:20:02                          
         User accounting session ID      : huawei255255000000000f****2016009        
         Option82 information            : -                                            
         User access type                : SSH
         User Privilege                  : 15                                           
                                                                                        
       AAA:                                                                             
         User authentication type        : Administrator authentication
         Current authentication method   : Local
         Current authorization method    : Local
         Current accounting method       : HWTACACS
                                                                                        
        ------------------------------------------------------------------------------

Configuration Files

Switch configuration file

# 
sysname Switch 
# 
hwtacacs-server template template1                                           
 hwtacacs-server authentication 10.1.6.6                                    
 hwtacacs-server authorization 10.1.6.6                                   
 hwtacacs-server accounting 10.1.6.6  
 hwtacacs-server shared-key cipher %^%#)@1e81]jJP9}9O9|W>MT|TWbI,\rL4[.BT&@);rU%^%#  
# 
aaa 
 authentication-scheme sch1     
  authentication-mode hwtacacs local
  authentication-super hwtacacs super 
 authorization-scheme sch2                                                       
  authorization-mode hwtacacs local                                                  
 accounting-scheme sch3                                                          
  accounting-mode hwtacacs 
  accounting start-fail online 

 domain huawei.com                                                               
  authentication-scheme sch1                                                     
  accounting-scheme sch3                                                         
  authorization-scheme sch2                                    
  hwtacacs-server template1 
local-user user1 password irreversible-cipher $1a$&YTv-xg$H<$Rj=5*sUqT+0i<B<0lAELMMraNPQAp'cD1!N~mjNI$
 local-user user1 privilege level 15
 local-user user1 service-type ssh
#  
user-interface vty 0 14           
 authentication-mode aaa           
# 
stelnet server enable 
# 
return
Copyright © Huawei Technologies Co., Ltd.