
stack authentication

Function

The stack authentication command configures the authentication mode and authentication information used when a switch needs to join a stack.

The undo stack authentication command deletes the authentication mode and authentication information used when a switch needs to join a stack.

By default, a switch does not need to be authenticated when joining a stack.

Format

stack authentication slot slot-id { mac mac-address | esn esn-value | shared-key cipher shared-key }

undo stack authentication slot slot-id

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| slot slot-id | Specifies the stack ID of a switch. | The value is an integer that ranges from 0 to 8. |
| mac mac-address | Configures MAC-based authentication. | The value is in H-H-H format, where H is a hexadecimal number of 1 to 4 digits. |
| esn esn-value | Configures ESN-based authentication. | The value is a string of 10 to 32 characters. |
| shared-key cipher shared-key | Configures shared key-based authentication. | The value is a string of case-sensitive characters without spaces. A plain text key contains 1 to 64 characters, and a cipher text key contains 48 to 108 characters. |

NOTE:

It is recommended that a shared key contain at least seven characters and include at least two of the following character types: lowercase letters, uppercase letters, digits, and special characters.

The master switch and the specified slot must be configured with the same shared key.

If a shared key is used for authentication, the master switch and the member switch specified in this command must be configured with the same shared key.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A switch can join a stack without being authenticated. In this situation, an attacker can add any switch to a stack to obtain the configuration file of the stack master switch, resulting in an information leak. To solve this problem, configure authentication for switches that join a stack. This configuration ensures that a switch joins the stack only after it is authenticated successfully.

A switch will be authenticated only when its stack ID is the same as that specified in the stack authentication command. Otherwise, this switch can join a stack without being authenticated. Therefore, before adding a switch to a stack, you are advised to change the slot ID of the switch to an unused stack ID in the stack and then configure an authentication mode for this stack ID.

Precautions

  • This command can be executed only after the stacking function is enabled.
  • Only one authentication mode can be configured for a stack ID, and the latest configuration takes effect.
  • If a switch fails the authentication when joining a stack, it restarts repeatedly.
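
The rule above (only stack IDs named in a stack authentication command are authenticated, and the latest configuration for an ID takes effect) can be checked offline against a list of configured commands. The following Python script is an added example, not Huawei code; it assumes the audited text contains the commands exactly in the syntax shown under Format, and the function name audit and the sample values are constructed for illustration.

```python
import re

# Command syntax and value rules are taken from the Format and Parameters sections.
CMD = re.compile(r"^\s*(undo\s+)?stack authentication slot (\d+)\s*(.*)$")
MODE = re.compile(r"(mac|esn|shared-key cipher) (\S+)")
VALUE_OK = {
    "mac": lambda v: re.fullmatch(r"[0-9A-Fa-f]{1,4}(-[0-9A-Fa-f]{1,4}){2}", v) is not None,
    "esn": lambda v: 10 <= len(v) <= 32,
    # plain text key: 1-64 characters, cipher text key: 48-108 characters
    "shared-key cipher": lambda v: 1 <= len(v) <= 108,
}

def audit(config_text):
    """Return (slot -> mode, stack IDs without authentication, rejected lines)."""
    auth, errors = {}, []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = CMD.match(line)
        if not m:
            continue  # not a stack authentication command
        undo, slot, rest = m.group(1), int(m.group(2)), m.group(3).strip()
        mode = MODE.fullmatch(rest)
        if not 0 <= slot <= 8:
            errors.append((n, "slot-id out of range 0-8"))
        elif undo:
            auth.pop(slot, None)
        elif not mode:
            errors.append((n, "unrecognised authentication mode"))
        elif not VALUE_OK[mode.group(1)](mode.group(2)):
            errors.append((n, f"invalid {mode.group(1)} value"))
        else:
            auth[slot] = mode.group(1)  # latest configuration takes effect
    # A switch using any of these stack IDs joins without being authenticated.
    unprotected = [s for s in range(9) if s not in auth]
    return auth, unprotected, errors

# Constructed sample input (not taken from a real device).
SAMPLE = """\
stack authentication slot 1 mac 00e0-fc12-3456
stack authentication slot 2 esn CONSTRUCTEDESN0001
stack authentication slot 2 shared-key cipher Constructed-Key1
stack authentication slot 3 mac 00e0fc123456
stack authentication slot 4 esn CONSTRUCTEDESN0004
undo stack authentication slot 4
"""

if __name__ == "__main__":
    auth, unprotected, errors = audit(SAMPLE)
    print("authenticated stack IDs:", auth)
    print("stack IDs that join without authentication:", unprotected)
    print("rejected lines:", errors)
```

Every ID reported as unprotected should either be covered by a stack authentication command or be known to be unused before a new switch is cabled into the stack.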

Example

# Configure MAC-based authentication to be used when a switch with the stack ID 4 needs to join a stack.

<HUAWEI> system-view
[HUAWEI] stack authentication slot 4 mac 3-3-3
Copyright © Huawei Technologies Co., Ltd.