Example for Configuring Authentication for Telnet Login Users (HWTACACS and Local Authentication)

HWTACACS and Local Authentication Overview

When an HWTACACS authentication server is deployed on a network, users can be authenticated through HWTACACS. User information is created and maintained by the HWTACACS authentication server. A user can successfully log in to the device only when the entered user name and password are the same as those configured on the HWTACACS server. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control. Generally, HWTACACS authentication is configured on the network requiring high security, for example, financial, government, and telecommunication carrier networks.

When both HWTACACS authentication and local authentication are configured on a device, the device performs local authentication if the HWTACACS server does not respond. If only HWTACACS authentication is configured, users fail authentication whenever the device cannot connect to the HWTACACS server.

Configuration Notes

This configuration example applies to all switches running all versions.

Networking Requirements

As shown in Figure 1, an HWTACACS server is deployed on a network, and the administrator Telnets to the device to remotely manage it. The specific requirements are as follows:

  1. The administrator must enter the correct user name and password to log in to the device through Telnet.
  2. The device performs HWTACACS authentication for the administrator first. If the HWTACACS server does not respond, the device performs local authentication.
  3. After logging in to the device through Telnet, the administrator can run the commands at levels 0-15.

Figure 1 Configuring authentication for Telnet login users (HWTACACS and local authentication)

Configuration Roadmap

  1. Enable the Telnet service.
  2. Set the authentication method for Telnet login users to AAA.
  3. Configure AAA local authentication, including creating a local user, setting the user access type to Telnet, and setting the user level to 15.
  4. Configure HWTACACS authentication, including creating an HWTACACS server template, an AAA authentication scheme, and a service scheme, and applying the schemes to a domain.

This example only provides the configurations on the device. Ensure that the required parameters have been set on the HWTACACS server, for example, the device's IP address, the shared key, and user information.

Procedure

  1. Configure interfaces and assign IP addresses.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10 20
    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 10.1.2.10 24
    [Switch-Vlanif10] quit
    [Switch] interface vlanif 20
    [Switch-Vlanif20] ip address 10.1.6.10 24
    [Switch-Vlanif20] quit
    [Switch] interface gigabitethernet0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type access
    [Switch-GigabitEthernet0/0/1] port default vlan 10
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet0/0/2
    [Switch-GigabitEthernet0/0/2] port link-type access
    [Switch-GigabitEthernet0/0/2] port default vlan 20
    [Switch-GigabitEthernet0/0/2] quit

  2. Enable the Telnet server.

    [Switch] telnet server enable

  3. Set the authentication method for the VTY user interface to AAA.

    [Switch] user-interface maximum-vty 15  //Set the maximum number of VTY login users to 15 (the value range varies according to product versions and models). By default, the maximum number of Telnet users is 5.
    [Switch] user-interface vty 0 14  //Enter the VTY 0-14 user view.
    [Switch-ui-vty0-14] authentication-mode aaa  //Set the authentication method for the VTY user view to AAA.
    [Switch-ui-vty0-14] protocol inbound telnet  //Configure the VTY user interface to support Telnet. By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
    [Switch-ui-vty0-14] quit

  4. Configure AAA local authentication.

    [Switch] aaa
    [Switch-aaa] local-user user1@huawei.com password irreversible-cipher Huawei@1234  //Create the local user user1@huawei.com and set its password. The password is displayed in cipher text in the configuration file, so remember the password. If you forget the password, run this command again to reconfigure it. The command is local-user user-name password cipher password in V200R002 and earlier versions.
    [Switch-aaa] local-user user1@huawei.com service-type telnet  //Set the access type of user1@huawei.com to Telnet. The user can log in through only Telnet (By default, users can log in through any method in versions earlier than V200R007 and cannot log in through any method in V200R007 and later versions).
    [Switch-aaa] local-user user1@huawei.com privilege level 15  //Set the user level of user1@huawei.com to 15. The user can use the commands of level 15 and lower levels.
    [Switch-aaa] quit

  5. Configure HWTACACS authentication.

    # Configure an HWTACACS server template to implement communication between the device and the HWTACACS server.

    [Switch] hwtacacs-server template 1
    [Switch-hwtacacs-1] hwtacacs-server authentication 10.1.6.6 49  //Specify the IP address and port number of the HWTACACS authentication server.
    [Switch-hwtacacs-1] hwtacacs-server shared-key cipher Hello@1234  //Specify the shared key of the HWTACACS authentication server, which must be the same as that configured on the HWTACACS server.
    [Switch-hwtacacs-1] quit

    # Configure an AAA authentication scheme and set the authentication methods to HWTACACS and local authentication.

    [Switch] aaa
    [Switch-aaa] authentication-scheme sch1
    [Switch-aaa-authen-sch1] authentication-mode hwtacacs local
    [Switch-aaa-authen-sch1] quit

    # Configure a service scheme and set the user level to 15.

    [Switch-aaa] service-scheme sch1
    [Switch-aaa-service-sch1] admin-user privilege level 15
    [Switch-aaa-service-sch1] quit

    # Apply the AAA authentication scheme, HWTACACS server template, and service scheme to the domain.

    [Switch-aaa] domain huawei.com
    [Switch-aaa-domain-huawei.com] authentication-scheme sch1
    [Switch-aaa-domain-huawei.com] hwtacacs-server 1
    [Switch-aaa-domain-huawei.com] service-scheme sch1
    [Switch-aaa-domain-huawei.com] quit
    [Switch-aaa] quit

  6. Verify the configuration.

    # Choose Start > Run on a computer running the Windows operating system and enter cmd to open the cmd window. Run the telnet command and enter the user name user1@huawei.com and password Huawei@1234 to log in to the device through Telnet.

    C:\Documents and Settings\Administrator> telnet 10.1.2.10
    Username:user1@huawei.com
    Password:***********
    <Switch>//The administrator successfully logs in.

    # Shut down the interface connected to the HWTACACS authentication server to disconnect the device from the HWTACACS server. Choose Start > Run on your computer and enter cmd to open the cmd window. Run the telnet command and enter the user name user1@huawei.com and password Huawei@1234 to log in to the device through Telnet. You can still log in to the device, indicating that the device performs local authentication when the HWTACACS server does not respond.

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 10 20
#
telnet server enable
#
hwtacacs-server template 1
 hwtacacs-server authentication 10.1.6.6
 hwtacacs-server shared-key cipher %^%#q(P3<qAXm=Pq).G8bgq@"sbFOf%0k%umgQJ3#MF3%^%#
#
aaa
 authentication-scheme sch1
  authentication-mode hwtacacs local
 service-scheme sch1
  admin-user privilege level 15
 domain huawei.com
  authentication-scheme sch1
  service-scheme sch1
  hwtacacs-server 1
 local-user user1@huawei.com password irreversible-cipher %^%#+bxGT|w}~J-FHdDG"R8"($BX%XF/R1uba0UwL0).&r"Z#zbz*2G1$%6)Rd/V%^%#
 local-user user1@huawei.com privilege level 15
 local-user user1@huawei.com service-type telnet
#
interface Vlanif10
 ip address 10.1.2.10 255.255.255.0
#
interface Vlanif20
 ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
user-interface maximum-vty 15
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
return
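As an added example (not from this Huawei page or the product), the Python below audits a VRP-style configuration file for the AAA points this example depends on: every VTY line hands authentication to AAA, the domain's scheme is "hwtacacs local" (server first, local only if it does not respond), the referenced HWTACACS template has a server and a shared key, and the local fallback user is restricted to one service type. It runs over a constructed copy of the Switch configuration file above with the ciphertext fields replaced by placeholders; the `under` and `audit` helpers are this example's own.

```python
SAMPLE_CONFIG = """hwtacacs-server template 1
 hwtacacs-server authentication 10.1.6.6
 hwtacacs-server shared-key cipher %^%#CONSTRUCTED-PLACEHOLDER%^%#
aaa
 authentication-scheme sch1
  authentication-mode hwtacacs local
 domain huawei.com
  authentication-scheme sch1
  hwtacacs-server 1
 local-user user1@huawei.com password irreversible-cipher %^%#CONSTRUCTED-PLACEHOLDER%^%#
 local-user user1@huawei.com service-type telnet
user-interface vty 0 14
 authentication-mode aaa
"""  # constructed sample: the Switch configuration file above, ciphertext replaced by placeholders

def under(lines, header, depth):
    """Lines indented one level below `header`, which sits at indent `depth`."""
    res, inside = [], False
    for line in lines:
        ind = len(line) - len(line.lstrip(" "))
        if ind <= depth:  # a peer or a parent line closes the block
            inside = ind == depth and line.strip() == header
        elif inside and ind == depth + 1:
            res.append(line.strip())
    return res

def audit(cfg):
    """Return findings; an empty list means the config matches this example's AAA intent."""
    lines = [l.rstrip() for l in cfg.splitlines() if l.strip()]
    f = []
    # Step 3: every VTY line must hand authentication to AAA.
    for vty in [l for l in lines if l.startswith("user-interface vty")]:
        if "authentication-mode aaa" not in under(lines, vty, 0):
            f.append(f"{vty}: authentication-mode is not aaa")
    aaa = under(lines, "aaa", 0)
    # Step 5: the domain's scheme tries HWTACACS first, local only if the server does not respond.
    for dom in [l for l in aaa if l.startswith("domain ")]:
        d = dict(l.split(" ", 1) for l in under(lines, dom, 1) if " " in l)
        scheme = under(lines, f"authentication-scheme {d.get('authentication-scheme')}", 1)
        if "authentication-mode hwtacacs local" not in scheme:
            f.append(f"{dom}: authentication scheme is not 'hwtacacs local'")
        tpl = under(lines, f"hwtacacs-server template {d.get('hwtacacs-server')}", 0)
        for key in ("authentication", "shared-key"):
            if not any(l.startswith(f"hwtacacs-server {key} ") for l in tpl):
                f.append(f"{dom}: HWTACACS template lacks '{key}'")
    # Step 4: the local fallback user must be limited to one service type.
    for user in {l.split()[1] for l in aaa if l.startswith("local-user ")}:
        if not any(l.startswith(f"local-user {user} service-type ") for l in aaa):
            f.append(f"local-user {user}: no service-type restriction")
    return f
```

Feeding the script the running configuration (for example, the output of display current-configuration saved to a file) turns the verification step above into a repeatable check.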
Copyright © Huawei Technologies Co., Ltd.