Examples for Configuring Access User Authentication/Authorization/Accounting Based on the HWTACACS Protocol

These configuration examples show how HWTACACS authentication/authorization/accounting is applied on a live network. The access users in the huawei domain use HWTACACS for authentication, authorization, and accounting.

Networking Requirements

As shown in Figure 1:

  • Access users are authenticated in local mode first. If local authentication does not respond, the HWTACACS server authenticates the user.

  • When an access user raises its user level, the HWTACACS server authenticates the user first. If the HWTACACS server does not respond, local authentication is used.

  • The access users are authorized by using the HWTACACS server.

  • Accounting must be implemented for all users.

  • The primary HWTACACS server is 192.168.66.66/32 and the secondary HWTACACS server is 192.168.66.67/32. Both use port 49, the HWTACACS default, for authentication, authorization, and accounting.

Figure 1 Networking for local and HWTACACS authentication/authorization/accounting

Precautions

  • HWTACACS runs over TCP. The router needs reachability to TCP port 49 on both servers.

  • The key set with hwtacacs-server shared-key must be identical to the key that both servers hold for this router. Every packet body is obfuscated with it, so a mismatched key leaves the servers unable to process the router's requests.

  • The verification output shows Source IP Address 0.0.0.0, which means requests carry the address of the outgoing interface. That is the client address the servers must recognize.

Configuration Roadmap

Configure local and HWTACACS authentication/authorization/accounting as follows:

  1. Configure the HWTACACS server template.

  2. Configure the authentication scheme, the authorization scheme, and the accounting scheme.

  3. Apply the HWTACACS server template, the authentication scheme, the authorization scheme, and the accounting scheme to the domain.

Data Preparation

To complete the configuration, you need the following data:

  • IP address of the primary (secondary) HWTACACS authentication server

  • IP address of the primary (secondary) HWTACACS authorization server

  • IP address of the primary (secondary) HWTACACS accounting server

Procedure

  1. Enable HWTACACS and configure the HWTACACS server template.

    # Enable HWTACACS and create the HWTACACS server template ht.

    <HUAWEI> system-view
    [~HUAWEI] hwtacacs enable
    [*HUAWEI] hwtacacs-server template ht

    # Configure the IP address and port number of the primary HWTACACS authentication/authorization/accounting server.

    [*HUAWEI-hwtacacs-ht] hwtacacs-server authentication 192.168.66.66 49
    [*HUAWEI-hwtacacs-ht] hwtacacs-server authorization 192.168.66.66 49
    [*HUAWEI-hwtacacs-ht] hwtacacs-server accounting 192.168.66.66 49

    # Configure the IP address and port number of the secondary HWTACACS authentication/authorization/accounting server.

    [*HUAWEI-hwtacacs-ht] hwtacacs-server authentication 192.168.66.67 49 secondary
    [*HUAWEI-hwtacacs-ht] hwtacacs-server authorization 192.168.66.67 49 secondary
    [*HUAWEI-hwtacacs-ht] hwtacacs-server accounting 192.168.66.67 49 secondary

    # Configure the key of the HWTACACS server.

    [*HUAWEI-hwtacacs-ht] hwtacacs-server shared-key cipher it-is-my-secret123
    [*HUAWEI-hwtacacs-ht] commit
    [~HUAWEI-hwtacacs-ht] quit

  2. Configure the authentication scheme, the authorization scheme, and the accounting scheme.

    # Enter the AAA view.

    [~HUAWEI] aaa

    # Configure the authentication scheme l-h. Authentication is performed in local mode first and then in HWTACACS mode.

    [~HUAWEI-aaa] authentication-scheme l-h
    [*HUAWEI-aaa-authen-l-h] authentication-mode local hwtacacs
    [*HUAWEI-aaa-authen-l-h] commit
    [~HUAWEI-aaa-authen-l-h] quit

    # Configure the authorization scheme scheme2, with the authorization mode as HWTACACS.

    [~HUAWEI-aaa] authorization-scheme scheme2
    [*HUAWEI-aaa-author-scheme2] authorization-mode hwtacacs
    [*HUAWEI-aaa-author-scheme2] authorization-cmd hwtacacs
    [*HUAWEI-aaa-author-scheme2] commit
    [~HUAWEI-aaa-author-scheme2] quit

    # Configure the accounting scheme scheme3, with the accounting mode as HWTACACS.

    [~HUAWEI-aaa] accounting-scheme scheme3
    [*HUAWEI-aaa-accounting-scheme3] accounting-mode hwtacacs
    [*HUAWEI-aaa-accounting-scheme3] commit
    [~HUAWEI-aaa-accounting-scheme3] quit

  3. Configure the huawei domain. Apply the authentication scheme l-h, the authorization scheme scheme2, the accounting scheme scheme3, and the HWTACACS server template ht to the domain.

    [~HUAWEI-aaa] domain huawei
    [*HUAWEI-aaa-domain-huawei] authentication-scheme l-h
    [*HUAWEI-aaa-domain-huawei] authorization-scheme scheme2
    [*HUAWEI-aaa-domain-huawei] accounting-scheme scheme3
    [*HUAWEI-aaa-domain-huawei] hwtacacs-server ht
    [*HUAWEI-aaa-domain-huawei] commit
    [~HUAWEI-aaa-domain-huawei] quit
    [~HUAWEI-aaa] quit

  4. Verify the configuration.

    Run the display hwtacacs-server template command on the router to check that the HWTACACS server template matches the requirements.

    <HUAWEI> display hwtacacs-server template ht
    -------------------------------------------------
     Template Name                  :  ht
     Template ID                    :  0
     Primary Authentication Server  :  192.168.66.66-49:-
     Primary Authorization Server   :  192.168.66.66-49:-
     Primary Accounting Server      :  192.168.66.66-49:- 
     Primary Common Server          :  192.168.66.66-49:-
     Current Authentication Server  :  192.168.66.66-49:-
     Current Authorization Server   :  192.168.66.66-49:-
     Current Accounting Server      :  192.168.66.66-49:-
     Source IP Address              :  0.0.0.0
     Shared Key                     :  ****************
     Quiet-interval (min)           :  5
     Response-timeout-Interval (sec):  5
     Domain-included                :  Yes
     Secondary Authen Server Count  :  1
     Secondary Author Server Count  :  1
     Secondary Account Server Count :  1 
     Secondary Common Server Count  :  1
    -------------------------------------------------

    After running the display domain command on the router, you can check whether the configuration of the domain matches the requirements.

    <HUAWEI> display domain huawei
    ---------------------------------------------------------------
    Domain-name                 : huawei
    Domain-state                : Active
    Authentication-scheme-name  : l-h
    Authorization-scheme-name   : scheme2
    Accounting-scheme-name      : scheme3
    User-access-limit           : No
    Online-number               : 0
    HWTACACS-server-template    : ht
    RADIUS-server-template      : -
    ---------------------------------------------------------------            
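Why the shared key configured in step 1 has to match on both ends, as an added example that is not part of the original page: the script below builds the authentication START packet the router sends to the server after hwtacacs-server shared-key is set, obfuscates the body with the MD5 pseudo-pad that RFC 8907 section 4.5 specifies for TACACS+, and shows what the server sees when its copy of the key differs. It assumes HWTACACS is wire-compatible with TACACS+ (same header, same pseudo-pad, same TCP port 49); the session id, the user name alice, the port vty0 and the client address 10.0.0.5 are constructed values, and the key is the one from the procedure.

```python
"""Obfuscation of an HWTACACS/TACACS+ authentication START packet with the shared key
(RFC 8907, section 4.5). Added example, not Huawei's code. Assumption: HWTACACS uses the
TACACS+ packet format. The session id, user, port and client address are constructed."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length
VERSION = (0xC << 4) | 0            # major version 0xc, minor version 0
TYPE_AUTHEN = 0x01
ACTION_LOGIN, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x01, 0x01, 0x01
FLAG_UNENCRYPTED = 0x01             # set only when a body is sent in the clear; never set here


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: MD5_1 = MD5(sid|key|ver|seq), MD5_n = MD5(sid|key|ver|seq|MD5_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; XOR is its own inverse, so this also deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, priv_lvl=1):
    """12-byte cleartext header followed by the obfuscated START body (empty data field)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = bytes([ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                  len(u), len(p), len(r), 0]) + u + p + r
    seq_no = 1                                   # the client's first packet of a session
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet, key):
    """Deobfuscate with our copy of the key and parse the START body (the server's view)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths disagree with body length (shared key mismatch?)")
    fields, off = [], 8
    for n in (ulen, plen, rlen):
        fields.append(body[off:off + n].decode("utf-8", "replace"))
        off += n
    return {"action": action, "priv_lvl": priv_lvl, "user": fields[0],
            "port": fields[1], "rem_addr": fields[2]}


def key_mismatch_detected(packet, key, expected_user):
    """True when decoding with `key` does not yield a well-formed START for expected_user."""
    try:
        return parse_authen_start(packet, key)["user"] != expected_user
    except ValueError:
        return True


if __name__ == "__main__":
    sid, key = 0x1A2B3C4D, b"it-is-my-secret123"   # constructed session id; key from step 1
    pkt = build_authen_start(sid, key, "alice", "vty0", "10.0.0.5")
    print(pkt.hex())
    print(parse_authen_start(pkt, key))
    print("wrong key detected:", key_mismatch_detected(pkt, b"wrong-key", "alice"))
```

The header, including the session id, is never obfuscated, and the pad depends only on the session id, key, version and sequence number, so an observer who learns the shared key can strip the obfuscation from every captured packet; this is why RFC 8907 calls it obfuscation rather than encryption and why the shared key deserves the same handling as a password.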

Configuration Files

#
sysname HUAWEI
#
hwtacacs enable
#
hwtacacs-server template ht
 hwtacacs-server authentication 192.168.66.66
 hwtacacs-server authentication 192.168.66.67 secondary
 hwtacacs-server authorization 192.168.66.66
 hwtacacs-server authorization 192.168.66.67 secondary
 hwtacacs-server accounting 192.168.66.66
 hwtacacs-server accounting 192.168.66.67 secondary
 hwtacacs-server shared-key cipher %#%#pbft&Zu2$Z<,,g4=vX~7958dF@U%YGfREMUAQA{:%#%#
#
aaa
 #
 authentication-scheme default
 #
 authentication-scheme l-h
  authentication-mode local hwtacacs
 #
 authorization-scheme default
 #
 authorization-scheme scheme2
  authorization-mode hwtacacs
  authorization-cmd hwtacacs
 #
 accounting-scheme default
 #
 accounting-scheme scheme3
  accounting-mode hwtacacs
 #
 domain default
 #
 domain huawei
  authentication-scheme l-h
  authorization-scheme scheme2
  accounting-scheme scheme3
  hwtacacs-server ht
 #
return  
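A practitioner will want to check a saved configuration against the requirements above rather than read it by eye. The following Python script is an added example, not Huawei's code: it parses VRP's indentation-based configuration format, extracts the HWTACACS server template and the domain's scheme bindings, and reports every deviation from the requirements. SAMPLE_CONFIG is a trimmed copy of the configuration file shown above; WEAK_CONFIG is a constructed variant with three defects (HWTACACS tried before local authentication, the shared key stored in plaintext, no secondary accounting server). The audit() function, its messages, and the 'default' scheme fallback it assumes for an unbound domain are this example's own.

```python
"""Audit a Huawei VRP configuration against this example's HWTACACS requirements.
Added example, not Huawei's code; SAMPLE_CONFIG is a trimmed copy of the page's file."""

DEFAULT_PORT = 49      # HWTACACS, like TACACS+, uses TCP 49 unless a port is given
SERVICES = ("authentication", "authorization", "accounting")
EXPECTED_MODE = {      # the line each scheme bound to the domain must contain
    "authentication-scheme": "authentication-mode local hwtacacs",
    "authorization-scheme": "authorization-mode hwtacacs",
    "accounting-scheme": "accounting-mode hwtacacs"}

SAMPLE_CONFIG = """\
hwtacacs enable
#
hwtacacs-server template ht
 hwtacacs-server authentication 192.168.66.66
 hwtacacs-server authentication 192.168.66.67 secondary
 hwtacacs-server authorization 192.168.66.66
 hwtacacs-server authorization 192.168.66.67 secondary
 hwtacacs-server accounting 192.168.66.66
 hwtacacs-server accounting 192.168.66.67 secondary
 hwtacacs-server shared-key cipher %#%#pbft&Zu2$Z<,,g4=vX~7958dF@U%YGfREMUAQA{:%#%#
aaa
 authentication-scheme l-h
  authentication-mode local hwtacacs
 authorization-scheme scheme2
  authorization-mode hwtacacs
  authorization-cmd hwtacacs
 accounting-scheme scheme3
  accounting-mode hwtacacs
 domain huawei
  authentication-scheme l-h
  authorization-scheme scheme2
  accounting-scheme scheme3
  hwtacacs-server ht
"""

WEAK_CONFIG = (SAMPLE_CONFIG   # constructed: HWTACACS before local, plaintext key, no 2nd accounting server
    .replace("authentication-mode local hwtacacs", "authentication-mode hwtacacs local")
    .replace("shared-key cipher %#%#pbft&Zu2$Z<,,g4=vX~7958dF@U%YGfREMUAQA{:%#%#", "shared-key it-is-my-secret123")
    .replace(" hwtacacs-server accounting 192.168.66.67 secondary\n", ""))


def parse_vrp(text):
    """Turn VRP's one-space-per-level indentation into nested (command, children) nodes."""
    stack = [(-1, root := [])]
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "#":          # blank lines and '#' separators carry no configuration
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:      # leave every block that is at least this deep
            stack.pop()
        node = (cmd, [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def parse_template(children):
    """Primary/secondary (ip, port) per service, plus how the shared key is stored."""
    tpl = {**{svc: {} for svc in SERVICES}, "key": None}
    for cmd, _ in children:
        p = cmd.split()
        if len(p) >= 3 and p[0] == "hwtacacs-server" and p[1] in SERVICES:
            port = int(p[3]) if len(p) > 3 and p[3].isdigit() else DEFAULT_PORT
            tpl[p[1]]["secondary" if p[-1] == "secondary" else "primary"] = (p[2], port)
        elif p[:2] == ["hwtacacs-server", "shared-key"]:
            tpl["key"] = "cipher" if len(p) > 3 and p[2] == "cipher" else "plaintext"
    return tpl


def audit(text, domain, primary, secondary):
    """Return the deviations from the requirements; an empty list means compliant."""
    top = dict(tree := parse_vrp(text))
    findings = [] if "hwtacacs enable" in top else ["hwtacacs enable missing"]
    templates = {cmd.split()[-1]: parse_template(kids)
                 for cmd, kids in tree if cmd.startswith("hwtacacs-server template ")}
    schemes, domains = {}, {}
    for cmd, kids in top.get("aaa", []):
        p = cmd.split()
        if p[0].endswith("-scheme"):
            schemes[(p[0], p[1])] = [k for k, _ in kids]
        elif p[0] == "domain":
            domains[p[1]] = {k.split()[0]: k.split()[-1] for k, _ in kids}
    if (d := domains.get(domain)) is None:
        return findings + [f"domain {domain} not configured"]
    for kind, line in EXPECTED_MODE.items():
        name = d.get(kind, "default")      # an unbound domain falls back to the default scheme
        if line not in schemes.get((kind, name), []):
            findings.append(f"{kind} {name}: missing '{line}'")
    if (tpl := templates.get(d.get("hwtacacs-server", ""))) is None:
        return findings + [f"domain {domain}: no HWTACACS server template bound"]
    for svc in SERVICES:
        for role, ip in (("primary", primary), ("secondary", secondary)):
            if tpl[svc].get(role) != (ip, DEFAULT_PORT):
                findings.append(f"template: {role} {svc} server is not {ip}:{DEFAULT_PORT}")
    if tpl["key"] != "cipher":
        findings.append("template: shared key missing or stored in plaintext")
    return findings
```

Run audit(text, "huawei", "192.168.66.66", "192.168.66.67") on the output of display current-configuration saved to a file; an empty list means the domain, its three schemes and the template match the requirements, and each message names the scheme or template line to fix.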
Copyright © Huawei Technologies Co., Ltd.