hwtacacs-server user-name

Function

The hwtacacs-server user-name domain-included command appends the domain name to a user name while sending HWTACACS request packets.

The undo hwtacacs-server user-name domain-included command excludes the domain name from a user name while sending HWTACACS request packets.

The hwtacacs-server user-name original command sends the user name in the same format as entered by the user while sending HWTACACS access request packets.

By default, the user name contains the domain name.

Format

hwtacacs-server user-name domain-included

hwtacacs-server user-name original

undo hwtacacs-server user-name domain-included

Parameters

None

Views

HWTACACS server template view

Default Level

3: Management level

Task Name and Operations

Task Name    Operations
hwtacacs     write

Usage Guidelines

Usage Scenario

The format of a user name is "user name@domain name".

If the HWTACACS server does not accept the user name that contains the domain name, you can remove the domain name and then send it to the HWTACACS server.

After the undo hwtacacs-server user-name domain-included command is configured, the user names contained in authentication request packets and authorization request packets do not contain domain names. By contrast, the user names contained in accounting request packets still contain domain names, so that the server can differentiate users.
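As an added illustration, not part of the Huawei documentation, the following Python models the user name that each mode places in authentication, authorization and accounting requests, including the accounting exception described above. The Mode names, the split at the first "@", and the fallback to a default domain for a bare user name are assumptions of this example, not device behaviour documented on this page.

```python
# Added example (not Huawei code): model of how the three modes of
# "hwtacacs-server user-name" shape the user name carried in HWTACACS
# request packets, per packet type.
from enum import Enum

PACKET_TYPES = ("authentication", "authorization", "accounting")


class Mode(Enum):
    DOMAIN_INCLUDED = "hwtacacs-server user-name domain-included"        # device default
    DOMAIN_EXCLUDED = "undo hwtacacs-server user-name domain-included"
    ORIGINAL = "hwtacacs-server user-name original"


def packet_user_name(login, mode, packet, default_domain="default"):
    """Return the user name carried in one HWTACACS request of type
    'packet' for the string 'login' that the user typed, under 'mode'.

    Assumptions of this example: the login is split at its first '@',
    and a login without '@' belongs to 'default_domain'.
    """
    if packet not in PACKET_TYPES:
        raise ValueError(f"unknown packet type: {packet}")
    if mode is Mode.ORIGINAL:
        # Sent exactly as entered, whether or not it carries a domain.
        return login
    user, _, domain = login.partition("@")
    domain = domain or default_domain
    if mode is Mode.DOMAIN_INCLUDED:
        return f"{user}@{domain}"
    # DOMAIN_EXCLUDED: authentication and authorization requests drop the
    # domain; accounting requests keep it so that users can be told apart.
    if packet == "accounting":
        return f"{user}@{domain}"
    return user


def request_names(login, mode, default_domain="default"):
    """Map every packet type to the user name it would carry."""
    return {p: packet_user_name(login, mode, p, default_domain) for p in PACKET_TYPES}


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value)
        for packet, name in request_names("user001@dom1", mode).items():
            print(f"  {packet:15s} -> {name}")
```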

Precautions

The undo hwtacacs-server user-name domain-included command configuration brings system security risks. Running the hwtacacs-server user-name original command is recommended.

An HWTACACS template having the undo hwtacacs-server user-name domain-included configuration cannot be bound to the default admin domain or a domain having the adminuser-priority configuration (configuration restoration is not affected).

The default admin domain is a domain configured using the default-domain admin command. An admin domain is the default admin domain or a domain having the adminuser-priority configuration. By default, the default admin domain name is default_admin.
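Because the binding restriction above is not enforced when a configuration is restored, it is useful to check an exported configuration offline. The following Python is an added example, not Huawei code: it parses a constructed display-style configuration (stanzas separated by "#", with the default-domain admin line assumed to appear in the aaa stanza) and lists every HWTACACS template that excludes domain names yet is bound to the default admin domain or to a domain that has adminuser-priority configured. The sample configuration, the server address and the stanza layout are constructed for this example.

```python
# Added example (not Huawei code): offline audit of an AAA configuration for
# HWTACACS templates that drop the domain name while bound to an admin domain.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: "tac" excludes domain names and is bound to both the
# default admin domain and to dom1 (adminuser-priority); "tacnew" uses the
# recommended original mode and is bound to the common domain dom2.
SAMPLE_CONFIG = """\
#
hwtacacs-server template tac
 hwtacacs-server 192.0.2.10
 undo hwtacacs-server user-name domain-included
#
hwtacacs-server template tacnew
 hwtacacs-server 192.0.2.10
 hwtacacs-server user-name original
#
aaa
 default-domain admin default_admin
#
 domain default_admin
  hwtacacs-server tac
#
 domain dom1
  adminuser-priority 3
  hwtacacs-server tac
#
 domain dom2
  hwtacacs-server tacnew
#
"""


@dataclass
class Template:
    name: str
    user_name_mode: str = "domain-included"  # device default per this reference


@dataclass
class Domain:
    name: str
    template: Optional[str] = None
    admin_priority: Optional[int] = None


def parse_config(text: str) -> Tuple[Dict[str, Template], Dict[str, Domain], str]:
    """Split the text into '#'-delimited stanzas; the first line of a stanza is
    its header. Assumed stanza headers: 'hwtacacs-server template X',
    'domain X' and 'aaa' (which may carry 'default-domain admin X')."""
    templates: Dict[str, Template] = {}
    domains: Dict[str, Domain] = {}
    default_admin_domain = "default_admin"  # default name per this reference
    header: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            header = None
            continue
        if header is None:
            header = line
            name = header.split()[-1]
            if header.startswith("hwtacacs-server template "):
                templates[name] = Template(name)
            elif header.startswith("domain "):
                domains[name] = Domain(name)
            continue
        name = header.split()[-1]
        if header.startswith("hwtacacs-server template "):
            if line == "undo hwtacacs-server user-name domain-included":
                templates[name].user_name_mode = "domain-excluded"
            elif line == "hwtacacs-server user-name original":
                templates[name].user_name_mode = "original"
        elif header.startswith("domain "):
            m = re.fullmatch(r"hwtacacs-server (\S+)", line)
            if m:
                domains[name].template = m.group(1)
            m = re.fullmatch(r"adminuser-priority (\d+)", line)
            if m:
                domains[name].admin_priority = int(m.group(1))
        elif header == "aaa":
            m = re.fullmatch(r"default-domain admin (\S+)", line)
            if m:
                default_admin_domain = m.group(1)
    return templates, domains, default_admin_domain


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (template, domain, reason) for each risky binding: a template in
    domain-excluded mode bound to the default admin domain or to a domain
    with adminuser-priority. The fix is 'hwtacacs-server user-name original'."""
    templates, domains, default_admin = parse_config(text)
    findings = []
    for d in domains.values():
        t = templates.get(d.template or "")
        if t is None or t.user_name_mode != "domain-excluded":
            continue
        if d.name == default_admin:
            findings.append((t.name, d.name, "default admin domain"))
        elif d.admin_priority is not None:
            findings.append((t.name, d.name, f"adminuser-priority {d.admin_priority}"))
    return findings


if __name__ == "__main__":
    for template, domain, reason in audit(SAMPLE_CONFIG):
        print(f"template {template} excludes domain names but is bound to {domain} ({reason})")
```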

Scenario 1:

  • Scenario Description:

If an HWTACACS template (for example, tac) is bound to only the default admin domain, an error message is displayed when the undo hwtacacs-server user-name domain-included command is run in the view of the HWTACACS template.

[~HUAWEI-aaa-domain-dom1] hwtacacs-server tac
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.

The current AAA configuration is as follows:

[~HUAWEI-aaa] display this
#
aaa
local-user root123 password irreversible-cipher $1c$S0'sK$EOY&$1X;cDL"w6*Cb\]X5gPx&%gt{8,GO@V/MHM3Qhz$O$
local-user root123 service-type telnet ssh
local-user root123 level 3
local-user root123 state block fail-times 3 interval 5
#
authentication-scheme default0
#
authentication-scheme default1
#
authentication-scheme default
authentication-mode hwtacacs
#
authorization-scheme default
#
accounting-scheme default0
#
accounting-scheme default1
#
domain default0
#
domain default1
#
domain default_admin
hwtacacs-server tac
#
domain default
#

  • Solution:

Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.

[~HUAWEI] hwtacacs-server template tac
[*HUAWEI-hwtacacs-tac] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tac] commit

  • Impact:

After the configurations are changed, user names that carry domain names are not supported. A login failure occurs if a user name carrying a domain name, such as tacacs@default_admin, is used for login.

Scenario 2:

  • Scenario Description:

If an HWTACACS template is bound to both the default admin domain and a common domain, an error message is displayed when the undo hwtacacs-server user-name domain-included command is run in the view of the HWTACACS template.

[*HUAWEI-aaa-domain-dom1] hwtacacs-server tac
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.

The current AAA configuration is as follows:

[~HUAWEI-aaa] display this
#
aaa
local-user root123 password irreversible-cipher $1c$S0'sK$EOY&$1X;cDL"w6*Cb\]X5gPx&%gt{8,GO@V/MHM3Qhz$O$
local-user root123 service-type telnet ssh
local-user root123 level 3
local-user root123 state block fail-times 3 interval 5
#
authentication-scheme default0
#
authentication-scheme default1
#
authentication-scheme default
authentication-mode hwtacacs
#
authorization-scheme default
#
accounting-scheme default0
#
accounting-scheme default1
#
domain default0
#
domain default1
#
domain default_admin
hwtacacs-server tac
#
domain dom2
hwtacacs-server tac
#
domain default
#

  • Solution:
    1. Create another HWTACACS template that has the same configurations as the HWTACACS template bound to the non-admin domain.

[~HUAWEI] hwtacacs-server template tacnew
Info: Create a new HWTACACS-server template.
Warning: To improve the service security, please run the hwtacacs-server shared-key command to configure a shared key.
[~HUAWEI-hwtacacs-tacnew] hwtacacs-server 192.168.0.2
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#

2. Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.

[*HUAWEI-hwtacacs-tacnew] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tacnew] commit
[~HUAWEI-hwtacacs-tacnew] display this
#
hwtacacs-server template tacnew
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
hwtacacs-server user-name original
#

3. Bind the new HWTACACS template to the default admin domain.

[~HUAWEI-aaa-domain-default_admin] hwtacacs-server tacnew
[*HUAWEI-aaa-domain-default_admin] commit

  • Impact:

After the configurations are changed, user names that carry domain names are not supported. A login failure occurs if a user name carrying a domain name, such as tacacs@default_admin, is used for login.

Scenario 3:

  • Scenario Description:

If an HWTACACS template is bound to only a non-default admin domain, an error message is displayed when the undo hwtacacs-server user-name domain-included command is run in the view of the HWTACACS template.

[~HUAWEI-hwtacacs-tac] undo hwtacacs-server user-name domain-included
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.

The current AAA configuration is as follows:

[~HUAWEI-aaa] display this
#
aaa
local-user root123 password irreversible-cipher $1c$S0'sK$EOY&$1X;cDL"w6*Cb\]X5gPx&%gt{8,GO@V/MHM3Qhz$O$
local-user root123 service-type telnet ssh
local-user root123 level 3
local-user root123 state block fail-times 3 interval 5
#
authentication-scheme default0
#
authentication-scheme default1
#
authentication-scheme default
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme default0
#
accounting-scheme default1
#
domain default0
#
domain default1
#
domain default_admin
#
domain dom1
adminuser-priority 3
hwtacacs-server tac
#
domain default
#

  • Solution:
    1. Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.

[*HUAWEI-hwtacacs-tacnew] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tacnew] commit
[~HUAWEI-hwtacacs-tacnew] display this
#
hwtacacs-server template tacnew
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
hwtacacs-server user-name original
#

2. Add user names that carry domain names on the HWTACACS server.

For example, add the user name user001@dom1 for an existing user name user001.

  • Impact: None.

Scenario 4:

  • Scenario Description:

If an HWTACACS template is bound to both a non-default admin domain and a common domain, an error message is displayed when the undo hwtacacs-server user-name domain-included command is run in the view of the HWTACACS template.

[~HUAWEI-hwtacacs-tac] undo hwtacacs-server user-name domain-included
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.

The current AAA configuration is as follows:

[~HUAWEI-aaa] display this
#
aaa
local-user root123 password irreversible-cipher $1c$S0'sK$EOY&$1X;cDL"w6*Cb\]X5gPx&%gt{8,GO@V/MHM3Qhz$O$
local-user root123 service-type telnet ssh
local-user root123 level 3
local-user root123 state block fail-times 3 interval 5
#
authentication-scheme default0
#
authentication-scheme default1
#
authentication-scheme default
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme default0
#
accounting-scheme default1
#
domain default0
#
domain default1
#
domain default_admin
#
domain dom1
adminuser-priority 3
hwtacacs-server tac
#
domain dom2
hwtacacs-server tac
#
domain default
#

  • Solution:
    1. Create another HWTACACS template that has the same configurations as the HWTACACS template bound to the non-admin domain.

[~HUAWEI] hwtacacs-server template tacnew
Info: Create a new HWTACACS-server template.
Warning: To improve the service security, please run the hwtacacs-server shared-key command to configure a shared key.
[~HUAWEI-hwtacacs-tacnew] hwtacacs-server 192.168.0.2
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#

2. Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.

[*HUAWEI-hwtacacs-tacnew] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tacnew] commit
[~HUAWEI-hwtacacs-tacnew] display this
#
hwtacacs-server template tacnew
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
hwtacacs-server user-name original
#

3. Bind the new HWTACACS template to the common admin domain.

[~HUAWEI-aaa-domain-dom1] hwtacacs-server tacnew
[*HUAWEI-aaa-domain-dom1] commit

4. Add user names that carry domain names on the HWTACACS server.

For example, add the user name user001@dom1 for an existing user name user001.

  • Impact: None.

Example

# To configure the user name format for template htipl so that the domain name is included in the user name while sending HWTACACS packets to the server.
<HUAWEI> system-view
[~HUAWEI] hwtacacs-server template htipl
[*HUAWEI-hwtacacs-htipl] hwtacacs-server user-name domain-included
Copyright © Huawei Technologies Co., Ltd.