AAA User Management

AAA is composed of three services: authentication, authorization, and accounting.

Authentication verifies the identity of a user before the user is allowed onto the network.

Authorization determines which services an authenticated user is permitted to use.

Accounting records how, and by whom, network resources are used.

AAA is applied on a per-service basis, so its configuration is flexible: different services can be bound to different authentication, authorization, and accounting schemes.

Security Policy

  • Remote authentication and authorization are supported. User information (user names, passwords, and user attributes) is held on an authentication server rather than on the device. Remote authentication and authorization are implemented using Remote Authentication Dial In User Service (RADIUS) or HWTACACS. HWTACACS is Huawei's enhanced implementation of the TACACS protocol.

  • Remote command authorization is supported (the device documentation calls this "command authentication"). For users assigned an authorization level, the permission to run each command is held on a remote server: each time a user enters a command, the device asks the server whether the user's authorization level permits that command, and the server's answer decides whether the command runs. Currently, only HWTACACS can be used for remote command authorization.

  • A maximum number of consecutive authentication failures and an unlocking period can be configured for local (AAA) users to prevent unauthorized logins. Once a local user reaches the configured number of consecutive failures, the account is locked for the configured period. This limits the rate at which passwords can be guessed online and so reduces the chance that a guessing attack succeeds.

  • Local user passwords and the passwords used to raise a user's authorization level are stored in the system using strong cryptographic algorithms rather than in cleartext.

  • The none authentication mode (no authentication at all) cannot be configured for administrator users.

Attack Methods

  • An attacker may guess or enumerate user names and passwords (an online brute-force or dictionary attack) to gain access to the system.

  • An attacker may compromise the remote authentication server to obtain user names, passwords, and other sensitive data stored there.

  • An attacker who can observe the network between a user and the device, or between the device and the server, may capture credential material such as entered passwords. Although user information is protected when it is transmitted to the server, captured material can still be attacked offline: an attacker can attempt collision attacks, dictionary attacks, or lookups in precomputed plaintext-to-ciphertext tables to recover the original credentials.

Configuration and Maintenance Methods

  • Configure remote user authentication and authorization. HWTACACS authentication and authorization are used as an example.

    # Create an HWTACACS template, and configure an authentication server, authorization server, and shared key. The shared key huawei below is only a placeholder; in production use a long, random key that is shared only between this device and the server.

    [~HUAWEI] hwtacacs-server template 1
    [*HUAWEI-hwtacacs-1] hwtacacs-server authentication 10.138.90.141 
    [*HUAWEI-hwtacacs-1] hwtacacs-server authorization 10.138.90.141
    [*HUAWEI-hwtacacs-1] hwtacacs-server shared-key huawei
    [*HUAWEI-hwtacacs-1] commit

    # Create an authentication scheme and set the authentication mode to HWTACACS in the authentication scheme.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] authentication-scheme 1
    [*HUAWEI-aaa-authen-1] authentication-mode hwtacacs 
    [*HUAWEI-aaa-authen-1] commit

    # Set the authorization mode to HWTACACS in the authorization scheme.

    [~HUAWEI-aaa] authorization-scheme 1
    [*HUAWEI-aaa-author-1] authorization-mode hwtacacs 
    [*HUAWEI-aaa-author-1] commit

    # Specify the authentication scheme, authorization scheme, and HWTACACS template for the domain named dom1.

    [~HUAWEI-aaa] domain dom1
    [*HUAWEI-aaa-domain-dom1] authentication-scheme 1
    [*HUAWEI-aaa-domain-dom1] authorization-scheme 1
    [*HUAWEI-aaa-domain-dom1] hwtacacs-server 1
    [*HUAWEI-aaa-domain-dom1] commit

    Users in domain dom1 are now authenticated and authorized remotely through HWTACACS.

    RADIUS authentication and authorization cannot be enabled separately: once the authentication mode is set to RADIUS, the system performs both RADIUS authentication and RADIUS authorization.

  • Set the command authorization mode to remote.

    # Set the command authorization mode to remote for level 3 users in the authorization scheme.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] authorization-scheme 1
    [*HUAWEI-aaa-author-1] authorization-cmd 3 hwtacacs
    [*HUAWEI-aaa-author-1] commit

    After the command authorization mode is set to remote, each time a level 3 user runs a command the device sends an authorization request to the remote server, which decides whether the user is allowed to run that command. The state of the network between the device and the server therefore affects how quickly commands respond, so the reachability of the server should be monitored.

  • Set the maximum number of allowed consecutive authentication failures for a local user.

    # Set the maximum number of allowed consecutive authentication failures in 1 minute to 3 for a local user.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] user-block failed-times 3 period 1 
    [*HUAWEI-aaa] commit

    If failed-times is set to 0, the number of consecutive authentication failures is not restricted.

    # Set the unlocking period for a locked user to 30 minutes. The system will automatically unlock the user 30 minutes after the user is locked out because the account has reached the maximum number of consecutive login failures.

    [~HUAWEI-aaa] user-block reactive 30
    [*HUAWEI-aaa] commit

    If this parameter is set to 0, only the administrator can unlock the locked user.

    # Unlock a locked user manually as the administrator. The user name root is an example.

    <HUAWEI> activate aaa local-user root

  • Enable the password strength policy so that local user passwords must meet the system's complexity rules.

    [~HUAWEI-aaa] user-security-policy enable
    [*HUAWEI-aaa] commit
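    The lock-out settings above have three edge cases worth understanding before deploying them: a success resets the run of consecutive failures, failed-times 0 disables locking entirely, and reactive 0 leaves the account locked until an administrator runs activate aaa local-user. The following is an added example, not Huawei code: a small Python model of that policy with the semantics assumed from the text above (a failure counts only if it falls within the configured period, the lock takes effect for the next attempt). The user names, passwords, and timestamps are constructed.

```python
"""Model of the local-user lock-out policy set with
`user-block failed-times N period P` and `user-block reactive M`.

Added example, not Huawei code. Assumed semantics (from the text above):
  * N consecutive failures within P minutes lock the account;
  * failed-times 0 means the account is never locked;
  * reactive 0 means only `activate aaa local-user <name>` unlocks it;
  * otherwise the lock is released M minutes after it was applied.
Times are minutes as floats; user names and passwords are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BlockPolicy:
    failed_times: int = 3    # N: failures that trigger a lock; 0 = unlimited
    period: float = 1.0      # P: window (minutes) in which the N failures must fall
    reactive: float = 30.0   # M: minutes until automatic unlock; 0 = admin only


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # times of recent failures
    locked_at: Optional[float] = None


class LocalUserDb:
    def __init__(self, users: Dict[str, str], policy: BlockPolicy):
        self._users = dict(users)   # constructed name -> password table (assumption)
        self._policy = policy
        self._state: Dict[str, AccountState] = {}

    def _state_for(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """Report the lock state, releasing an expired lock as a side effect."""
        st = self._state_for(user)
        if st.locked_at is None:
            return False
        p = self._policy
        if p.reactive > 0 and now - st.locked_at >= p.reactive:
            self._state[user] = AccountState()   # automatic unlock, counters reset
            return False
        return True

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'fail' or 'locked' for one login attempt at time `now`."""
        if self.is_locked(user, now):
            return "locked"      # even a correct password is rejected while locked
        st = self._state_for(user)
        # Unknown names are treated exactly like wrong passwords so that the
        # response does not reveal which user names exist (design choice here).
        if user in self._users and self._users[user] == password:
            st.failures.clear()  # a success breaks the run of consecutive failures
            return "ok"
        p = self._policy
        # Only failures inside the `period` window count towards the limit.
        st.failures = [t for t in st.failures if now - t < p.period]
        st.failures.append(now)
        if p.failed_times > 0 and len(st.failures) >= p.failed_times:
            st.locked_at = now   # lock takes effect for the next attempt
        return "fail"

    def admin_unlock(self, user: str) -> None:
        """Equivalent of `activate aaa local-user <user>` run by an administrator."""
        self._state[user] = AccountState()


def run_scenario(policy: BlockPolicy) -> List[str]:
    """Three wrong passwords in quick succession, then the correct one twice."""
    db = LocalUserDb({"alice": "S3cret!"}, policy)
    results = [db.login("alice", "wrong", t) for t in (0.0, 0.2, 0.4)]
    results.append(db.login("alice", "S3cret!", 0.5))     # still inside the lock
    results.append(db.login("alice", "S3cret!", 30.5))    # after `reactive` minutes
    return results


if __name__ == "__main__":
    print(run_scenario(BlockPolicy()))                 # default 3 / 1 / 30
    print(run_scenario(BlockPolicy(failed_times=0)))   # locking disabled
    print(run_scenario(BlockPolicy(reactive=0)))       # administrator unlock only
```

    Treating unknown user names the same as wrong passwords is a deliberate choice in this model: if the device answered differently for non-existent accounts, the lock-out mechanism itself would become a user-name enumeration oracle.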

Configuration and Maintenance Suggestions

If the system displays a message indicating that the password needs to be changed to reduce risks, change the password as prompted.
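Beyond reacting to prompts, it is worth checking periodically that the settings described on this page are actually in effect. The script below is an added example, not Huawei code: it audits a configuration excerpt for the weak states discussed above (a none authentication mode, failed-times 0, reactive 0, a missing user-security-policy, a short or default plaintext HWTACACS shared key, and an authorization scheme without authorization-cmd) and shows a hardened excerpt beside it. Both excerpts are constructed in a simplified display current-configuration layout (one space of indent per nesting level); the shared-key cipher form, the finding codes, and the 16-character key threshold are assumptions made for this example.

```python
"""Audit an AAA configuration excerpt for the settings discussed above.

Added example, not Huawei code. SAMPLE_CONFIG and HARDENED_CONFIG are
constructed excerpts in a simplified `display current-configuration`
layout (one space of indent per nesting level); the `shared-key cipher`
form and the finding codes are assumptions made for this example.
"""
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
#
hwtacacs-server template 1
 hwtacacs-server authentication 10.138.90.141
 hwtacacs-server shared-key huawei
#
aaa
 user-block failed-times 0 period 1
 user-block reactive 0
 authentication-scheme 1
  authentication-mode none
 authorization-scheme 1
  authorization-mode hwtacacs
 domain dom1
  authentication-scheme 1
  authorization-scheme 1
  hwtacacs-server 1
#
"""

HARDENED_CONFIG = """\
#
hwtacacs-server template 1
 hwtacacs-server authentication 10.138.90.141
 hwtacacs-server shared-key cipher %^%#constructed-ciphertext#%^%
#
aaa
 user-security-policy enable
 user-block failed-times 3 period 1
 user-block reactive 30
 authentication-scheme 1
  authentication-mode hwtacacs
 authorization-scheme 1
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs
#
"""

Finding = Tuple[str, str]   # (code, explanation)


def audit_aaa(config: str) -> List[Finding]:
    """Return findings in the order the offending lines appear, then the omissions."""
    findings: List[Finding] = []
    block = None                 # "aaa" or ("hwtacacs", template-name)
    scheme = None                # (kind, name) while inside a scheme definition
    authz_schemes, cmd_authz = set(), set()
    password_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                                   # new top-level view
            scheme = None
            m = re.match(r"hwtacacs-server template (\S+)$", line)
            block = ("hwtacacs", m.group(1)) if m else line
        elif block == "aaa" and indent == 1:              # directly under aaa
            scheme = None
            if m := re.match(r"user-block failed-times (\d+)", line):
                if int(m.group(1)) == 0:
                    findings.append(("LOCKOUT_DISABLED", "failed-times 0: unlimited consecutive login failures"))
            elif line == "user-block reactive 0":
                findings.append(("ADMIN_UNLOCK_ONLY", "reactive 0: locked users stay locked until an administrator intervenes"))
            elif line == "user-security-policy enable":
                password_policy = True
            elif m := re.match(r"(authentication|authorization)-scheme (\S+)$", line):
                scheme = (m.group(1), m.group(2))
                if scheme[0] == "authorization":
                    authz_schemes.add(scheme[1])
        elif block == "aaa" and scheme is not None:       # inside a scheme definition
            kind, name = scheme
            if kind == "authentication" and line == "authentication-mode none":
                findings.append(("NONE_AUTH", f"authentication-scheme {name} performs no authentication"))
            elif kind == "authorization" and line.startswith("authorization-cmd "):
                cmd_authz.add(name)
        elif isinstance(block, tuple):                    # inside an HWTACACS template
            m = re.match(r"hwtacacs-server shared-key (cipher )?(\S+)$", line)
            if m and not m.group(1):                      # plaintext key visible in config
                key = m.group(2)
                if len(key) < 16 or key.lower() in {"huawei", "admin", "password", "secret"}:
                    findings.append(("WEAK_SHARED_KEY", f"template {block[1]}: short or default shared key"))
    if not password_policy:
        findings.append(("NO_PASSWORD_POLICY", "user-security-policy enable is missing"))
    for name in sorted(authz_schemes - cmd_authz):
        findings.append(("NO_CMD_AUTHZ", f"authorization-scheme {name}: commands are not authorized remotely"))
    return findings


if __name__ == "__main__":
    for code, why in audit_aaa(SAMPLE_CONFIG):
        print(f"{code:20} {why}")
    print("hardened config findings:", audit_aaa(HARDENED_CONFIG))
```

A key shown in cipher form is opaque to the script, so it is skipped rather than judged; whether that key is long and random has to be verified where it was generated. ADMIN_UNLOCK_ONLY is reported as information, not as a weakness: reactive 0 is the stricter setting, but it means a locked-out operator cannot get back in without another administrator.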

Copyright © Huawei Technologies Co., Ltd.