
S Series Switches
HWTACACS Technology White Paper

Issue 1.0
Date 2015-08-08

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 1.0 (2015-08-08)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

About This Document


Abstract:
HWTACACS is a security protocol to implement the AAA function through communications
between the HWTACACS client and server.

Keywords:
HWTACACS, TACACS, RADIUS, AAA, device management, command-line authorization

Acronyms and Abbreviations

Acronym/Abbreviation   Full Name
HWTACACS               HUAWEI Terminal Access Controller Access Control System
TACACS                 Terminal Access Controller Access Control System
TACACS+                Terminal Access Controller Access Control System plus
RADIUS                 Remote Authentication Dial-In User Service
AAA                    Authentication, Authorization, Accounting
NAS                    Network Access Server
ACS                    Access Control Server
BRAS                   Broadband Remote Access Server
EXEC                   Executable

Contents
About This Document .... ii
1 Introduction to HWTACACS .... 4
1.1 HWTACACS .... 4
1.1.1 Overview .... 4
1.1.2 Technology Advantages .... 4
2 Principle Description .... 6
2.1 Basic Concepts .... 6
2.1.1 Network Components .... 6
2.1.2 HWTACACS Packets .... 7
2.2 Working Principle .... 7
2.2.1 HWTACACS Workflow .... 7
2.2.2 HWTACACS Authentication .... 8
2.2.3 HWTACACS Authorization .... 10
2.2.4 HWTACACS Accounting .... 11
3 Application Scenario .... 14
3.1 HWTACACS Authentication, Authorization, and Accounting .... 14
3.2 Command-Line Authorization .... 16
3.3 Changing Passwords and Setting Aging Time for Administrator Accounts on the HWTACACS Server .... 23
3.4 Administrator User Level Improvement .... 29
4 Reference Standards and Protocols .... 33
5 Appendix .... 34

1 Introduction to HWTACACS

1.1 HWTACACS
1.1.1 Overview
AAA is short for authentication, authorization, and accounting and is a management
mechanism for network security. HWTACACS is a security protocol to implement the AAA
function. Similar to RADIUS, the HWTACACS client uses the client/server model to
communicate with the HWTACACS server, implementing AAA for users. HWTACACS is an
enhancement to TACACS (RFC 1492) and uses a public key to encrypt user information to be
transmitted. HWTACACS provides good flexibility and scalability. It uses the Transmission
Control Protocol (TCP) (port number 49) for transmission, which is more reliable than
RADIUS transmission over the User Datagram Protocol (UDP).
HWTACACS can be used to authenticate common users logging in through 802.1x, Portal,
and PPP as well as administrator users logging in through the serial port, Telnet, SSH, and
FTP. Similarly, HWTACACS can be used to authorize common access users and login
administrator users. Each command entered by the administrator can also be authorized by
HWTACACS. HWTACACS can charge common users based on their online duration, and
record the stay time of administrator users after login, user operations, and the executed
commands. HWTACACS is compatible with Cisco's TACACS+. A Huawei switch can work as an HWTACACS client to communicate with a TACACS+ server to implement the AAA function.

1.1.2 Technology Advantages

Compared with RADIUS, HWTACACS has the following advantages:

- Flexible deployment of the AAA function
  The authentication, authorization, and accounting functions are independent of each other. That is, the device can implement only one of the functions for users.

- Secure and flexible device management
  HWTACACS can be used to authorize command lines entered by administrator users logging in to the device. When a user enters a command, the command is executed only after being authorized by HWTACACS. Command line use is restricted by command level and AAA. HWTACACS implements refined command-line authorization on administrator users of different privilege levels, making device management more secure and flexible.

- Reliable network transmission
  HWTACACS uses the connection-oriented TCP protocol for packet transmission, which is more reliable than RADIUS packet transmission over the UDP protocol.

- More secure transmission
  HWTACACS encrypts the entire packet except for the standard HWTACACS header. This ensures high packet transmission security.

In summary, HWTACACS is better suited to device control and management, and RADIUS to user management. Table 1-1 compares the two.

Table 1-1 Comparisons between HWTACACS and RADIUS

Transport
  HWTACACS: Transmits data through TCP, which is more reliable.
  RADIUS: Transmits data through UDP, which is more efficient.

Packet encryption
  HWTACACS: Encrypts the entire packet except for the standard HWTACACS header.
  RADIUS: Encrypts only the password field in the packet.

Authentication and authorization
  HWTACACS: Separates authentication from authorization so that they can be implemented on different security servers. For example, one HWTACACS server can perform authentication and another can perform authorization.
  RADIUS: Combines authentication and authorization.

Command-line authorization
  HWTACACS: Supports command-line authorization. Command line use is restricted by command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server.
  RADIUS: Does not support command-line authorization. The commands that a user can use depend on the user level: a user can only use commands at the same or a lower level than the user level.

Standardization
  HWTACACS: HWTACACS is a Huawei proprietary protocol and is compatible with TACACS+.
  RADIUS: RADIUS is a standard protocol supported by devices from all mainstream vendors. RADIUS attributes include standard RADIUS attributes and proprietary RADIUS attributes; device vendors can extend the proprietary attributes to implement new functions.

Applicability
  HWTACACS: HWTACACS has competitive advantages in device control, such as command-line authorization and administrator password modification on the servers, and is therefore more suitable for device and user management.
  RADIUS: RADIUS has good extensibility and high transmission efficiency and performance. It is supported by servers from most vendors and is the most widely used in actual network planning.

2 Principle Description

2.1 Basic Concepts

2.1.1 Network Components
HWTACACS is used to perform authentication, authorization, and accounting for access
users, such as the 802.1x, Portal, and PPP users, as well as administrator users logging in
through Telnet, SSH, and FTP to operate the device. As shown in Figure 2-1, the AAA
network is composed of the user, HWTACACS client, and HWTACACS server. The
HWTACACS client is also called the NAS. A switch can serve as a NAS to control user
access to network resources. The NAS and HWTACACS server implement AAA based on
HWTACACS. Active and standby HWTACACS servers can be deployed. When the active
server fails, the NAS switches to the standby server for authentication, authorization, and
accounting, ensuring nonstop user services.
Figure 2-1 HWTACACS-based AAA networking

2.1.2 HWTACACS Packets

- HWTACACS authentication packets are available in three types:
  Authentication Start packet: When authentication starts, the client sends an Authentication Start packet to the server. The packet carries the authentication type and may carry the user name and some authentication data.
  Authentication Continue packet: Upon receiving an authentication reply from the server, the client replies with an Authentication Continue packet if the authentication process is not finished yet.
  Authentication Reply packet: After receiving an Authentication Start or Authentication Continue packet from the client, the server responds with an Authentication Reply packet to notify the client of the current authentication status.

- HWTACACS authorization packets are available in two types:
  Authorization Request packet: HWTACACS authentication and authorization are separated. Users can use the HWTACACS protocol for authentication and a different protocol for authorization. If HWTACACS is needed for authorization, the client sends an Authorization Request packet to the server. The packet contains all information required for authorization.
  Authorization Response packet: After receiving the Authorization Request packet, the server replies with an Authorization Response packet which contains the authorization result.

- HWTACACS accounting packets are available in two types:
  Accounting Request packet: The packet contains information required for accounting.
  Accounting Response packet: After the server receives and records the Accounting Request packet, it replies with an Accounting Response packet.

2.2 Working Principle

2.2.1 HWTACACS Workflow
The following example uses a Telnet administrator user to illustrate how HWTACACS is used
to implement authentication, authorization, and accounting on users. Figure 2-2 shows the
message exchanges.

Figure 2-2 HWTACACS message exchanges

2.2.2 HWTACACS Authentication

- Authentication on access users and administrator users


HWTACACS user authentication methods are available in three types: non-authentication, local authentication, and remote authentication. Non-authentication completely trusts users and does not check their validity; generally, this method is not recommended. Local authentication stores user information such as the user name and password on the NAS without deploying extra HWTACACS servers, reducing costs. Since the NAS can store only limited user information, this method suits scenarios with a small number of users. Remote authentication stores user information such as the user name and password on the remote HWTACACS server for centralized management. This method suits scenarios with a large number of users.

HWTACACS authentication supports the use of one or more authentication methods at the same time. The network may experience server failures or link failures between the NAS and the authentication server. If the authentication server does not respond during authentication, users cannot be authenticated or access the network. To prevent this, HWTACACS authentication supports the mixed use of multiple authentication methods. The methods are tried in the configured order. The next authentication method is used only when no response is received from the authentication server for the current method. If the current authentication method fails (rather than not responding), the user fails authentication and no further method is tried. If multiple authentication methods are configured, non-authentication can only be the last one.
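The method order described above, modeled as an added example (not code from the white paper or from Huawei): a silent server hands over to the next configured method, an explicit rejection ends the attempt, and non-authentication is accepted only as the last method. The backends, user databases and passwords are constructed for the example; the same ordering rule is what the paper later describes for combined authorization modes.

```python
"""Added example: order of configured HWTACACS authentication methods.
Only a missing server response moves on to the next method; an explicit
rejection ends authentication as a failure; "none" must be last."""
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # server or link failure, no answer at all


def validate_method_order(methods):
    """Reject configurations the text forbids: 'none' anywhere but last."""
    if "none" in methods[:-1]:
        raise ValueError("non-authentication can only be the last method")
    return methods


def authenticate(methods, backends, user, password):
    """Walk the configured methods in order and return (granted, trail),
    where trail lists each method consulted together with its outcome."""
    validate_method_order(methods)
    trail = []
    for method in methods:
        if method == "none":
            trail.append((method, Outcome.ACCEPT))   # trusts the user unconditionally
            return True, trail
        outcome = backends[method](user, password)
        trail.append((method, outcome))
        if outcome is Outcome.ACCEPT:
            return True, trail
        if outcome is Outcome.REJECT:
            return False, trail                      # a reject is final: no fallback
        # NO_RESPONSE: try the next configured method
    return False, trail                              # every configured method was silent


# Constructed sample backends and credentials (not real servers or accounts).
LOCAL_USERS = {"admin": "LocalPw#1"}      # user database held on the NAS
REMOTE_USERS = {"admin": "RemotePw#1"}    # user database held on the HWTACACS server


def local_backend(user, password):
    return Outcome.ACCEPT if LOCAL_USERS.get(user) == password else Outcome.REJECT


def make_hwtacacs_backend(server_up):
    """Remote backend whose reachability is a constructed parameter."""
    def backend(user, password):
        if not server_up:
            return Outcome.NO_RESPONSE
        return Outcome.ACCEPT if REMOTE_USERS.get(user) == password else Outcome.REJECT
    return backend


def login(methods, server_up, user, password):
    """Authenticate against the configured method list, e.g. ["hwtacacs", "local"]."""
    backends = {"hwtacacs": make_hwtacacs_backend(server_up), "local": local_backend}
    return authenticate(methods, backends, user, password)
```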
- Authentication on administrator level improvement


The system grants users different privilege levels to restrict their access rights. Users'
privilege levels correspond to command levels. Users can use only the commands at the
same or lower level than their privilege levels. However, under some circumstances,
users need to improve their privilege levels to obtain higher command operation rights
without logging out or terminating the current connection. Authentication is required for
user level improvement. Users can be granted new rights only after being authenticated.
No authentication is required when a user switches to a lower privilege level. If the
maintenance personnel log in to the device with a low privilege level to check its
operating status, they may wish to switch to a higher level temporarily for configuration
and maintenance operations. Such level switching takes effect only for the current login.
The user level will be restored on the next login. Authentication modes for user level
improvement are also available in three types, namely, non-authentication, local
authentication, and remote authentication. Mixed use of multiple authentication methods
is also supported, with the working principle similar to that of user authentication.
As shown in the following, all maintenance personnel in a network management
department log in to the device using HWTACACS authentication with a zero user level
(VISIT level). They can only run some basic commands for network diagnosis, such as
ping and tracert. The maintenance personnel can upgrade their user levels using the
super command. The core maintenance personnel in the department have the highest
operation rights for the device. After the correct password is entered, the user level will
be raised to level 3 (MANAGE level). In this way, the maintenance personnel have the
rights to run all commands on the device.
<HUAWEI>super 3
Password: <Enter the password for user level switching.
Now user privilege is 3 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

- Administrator password modification on the HWTACACS server
  To improve the security of device management, the HWTACACS server allows users to change administrator passwords. Additionally, the password validity period and the alarm period for password aging can be set. Users can change their passwords only while the user names and passwords have not expired. When a user whose password has expired logs in to the device, the HWTACACS server does not allow the user to change the password and displays a message indicating that authentication fails. When a user password is within the validity period but has reached the final alarm period, the device notifies the administrator user that the password is about to expire and asks the user to change it promptly every time they log in to the device.
  After the password change function is enabled on the HWTACACS server, the administrator can change the password on the device after logging in using Telnet or Secure Shell (SSH), without logging in to the HWTACACS server. In this way, not all device administrators need the rights to log in to the HWTACACS server. As shown in the following information, users passing HWTACACS authentication can change the password.
<HUAWEI> hwtacacs-user change-password hwtacacs-server huawei
Info: EXEC is in an interactive process, please wait...
Username:test@huawei
Old Password: <Enter the old password.
New Password: <Enter the new password.
Re-enter New password: <Confirm the password.
Info: The password has been changed successfully.

2.2.3 HWTACACS Authorization

- Authorization on access users and EXEC authorization on administrator users


Access user authorization means that the HWTACACS server controls the rights of 802.1X and Portal access users. Administrator EXEC authorization means that the HWTACACS server controls the rights of administrator users logging in through Telnet, SSH, and FTP. User authorization is implemented by exchanging authorization packets carrying HWTACACS attributes between the NAS and the HWTACACS server. For detailed HWTACACS attributes, see the appendix.
Through access user authorization, the server can deliver the upstream/downstream
committed information rate (CIR) and peak information rate (PIR), IP address, and DNS
address to users. Through administrator EXEC authorization, the server can deliver
attributes such as idle-time, privilege-level, ftp-directory, and auto-cmd to the
administrator users. The idle-time attribute specifies how long an administrator user is
disconnected if the user does not perform any operation after logging in to the device.
The privilege-level attribute authorizes the level of a login administrator. The
ftp-directory attribute authorizes the local directory for an FTP user. The auto-cmd
attribute automatically runs specified command lines after an authorized administrator
logs in to the device.
HWTACACS supports non-authorization, local authorization, remote authorization, and
a combination of these authorization modes. The working principle of the combined
authorization modes is similar to that of the combination of authentication modes. If
HWTACACS remote authorization fails because the remote server does not respond,
local authorization starts.

- Command-line authorization for administrator users


HWTACACS can authorize privilege levels and command lines for administrator users. Administrator users logging in through Telnet, SSH, and FTP are classified into four user levels: visit (0), monitoring (1), system (2), and management (3). Users of different levels have different rights. Users at the management level have the highest rights and can run all commands. Users with a lower level can enter fewer views and run fewer command lines, and higher-level users also have all the command-line rights of lower-level users.
Users at the visit level only have the rights to run diagnostic commands such as ping and
tracert commands and access external devices with Telnet and SSH. Users at the
monitoring level have the system maintenance rights, for example, running the display
commands. Users at the system level have the rights for running service configuration
commands. Users at the management level have the highest rights. In addition to the
rights for running service configuration commands, they have the rights for running
system management commands (such as file system, FTP, and TFTP download), user
management commands, command level configuration commands, and debugging
commands for service fault diagnosis.


Although administrator users are divided into four user levels, all administrator users at the same level have the same command operation rights, which is still inflexible. Command-line authorization provides administrator users at the same level with different command-line operation rights. It authorizes each command line based on the user level: users at a given level can see all command lines of that level but can execute only those that are authorized.
As shown in the following figure, command-line authorization is enabled on the NAS device. An authorized command line set is created on the HWTACACS server and bound to the users requiring authorization. The administrator logs in to the NAS. If command-line authorization is not enabled for the administrator's user level, command lines are run immediately. If it is enabled, the NAS sends a command-line authorization request packet to the HWTACACS server for each command entered. The HWTACACS server checks whether the administrator is authorized to execute the command line. If so, the server responds with an authorization success message and the command is run on the NAS; if not, the server responds with an authorization failure message and the command is not run on the NAS.
Figure 2-3 Command-line authorization for administrator users
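Added example (not code from the white paper or from Huawei) covering the packet layout from section 2.1.2 and the per-command authorization request described above: it frames a TACACS+ authorization REQUEST for the command "ospf 1" using the RFC 8907 header and keyed-MD5 body obfuscation, with which the paper states HWTACACS is compatible, and shows the server-side lookup against an authorized command set. The shared key Huawei@2012 is taken from the configuration example in chapter 3; the session ID, user, port and remote address are constructed.

```python
"""Added example: TACACS+ (RFC 8907) framing for HWTACACS command-line
authorization. Only the 12-byte header travels in cleartext; the body is
XORed with a keyed-MD5 pseudo-pad derived from the shared key."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0                   # major version 0xC, minor version 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01          # set only when the body is sent in cleartext
HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
# Authorization REQUEST fixed fields (RFC 8907 section 6.1)
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
# Authorization REPLY status codes (RFC 8907 section 6.2)
AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_FAIL = 0x01, 0x10


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}.
    The digests are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; the same call with the same key reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(pkt_type, seq_no, session_id, body, key):
    """Cleartext header followed by the obfuscated body (cleartext if key is empty)."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, pkt_type, seq_no, flags,
                         session_id, len(body))
    return header + wire


def parse_packet(data, key):
    """Return (header fields, cleartext body); the body needs the shared key."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the TACACS+ header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if len(data) != HEADER_LEN + length:
        raise ValueError("length field does not match the packet size")
    header = {"version": version, "type": pkt_type, "seq_no": seq_no,
              "flags": flags, "session_id": session_id, "length": length}
    wire = data[HEADER_LEN:]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header, wire
    return header, obfuscate(wire, session_id, key, version, seq_no)


def shell_command_args(command_line):
    """Attribute-value pairs the NAS sends to authorize one entered command:
    service=shell, cmd=<first word>, then one cmd-arg per remaining word."""
    words = command_line.split()
    return ["service=shell", "cmd=" + words[0]] + ["cmd-arg=" + w for w in words[1:]]


def build_author_request(user, port, rem_addr, priv_lvl, args):
    """Authorization REQUEST body: fixed fields, arg lengths, then the strings."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    args_b = [a.encode() for a in args]
    fixed = struct.pack("!BBBBBBBB", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(args_b))
    return fixed + bytes(len(a) for a in args_b) + user_b + port_b + rem_b + b"".join(args_b)


def parse_author_request(body):
    """Inverse of build_author_request, as the server decodes it."""
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!BBBBBBBB", body[:8])
    pos, strings = 8 + argc, []
    for n in [ulen, plen, rlen] + list(body[8:8 + argc]):
        strings.append(body[pos:pos + n].decode())
        pos += n
    return {"priv_lvl": priv_lvl, "user": strings[0], "port": strings[1],
            "rem_addr": strings[2], "args": strings[3:]}


def authorize_command(request, allowed_cmds):
    """Server-side check against the authorized command set bound to the user:
    the command word must be in the set, otherwise the reply status is FAIL."""
    cmd = next((a[4:] for a in request["args"] if a.startswith("cmd=")), None)
    return AUTHOR_STATUS_PASS_ADD if cmd in allowed_cmds else AUTHOR_STATUS_FAIL
```

Because the header is never obfuscated, the packet type, sequence number and session ID are visible on the wire while the user name, command and arguments are not; anyone holding the shared key can recover the body, which is why the key configured in chapter 3 has to be treated as a secret.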

2.2.4 HWTACACS Accounting

- Access user accounting

HWTACACS can charge common users accessing the network through 802.1X, Portal,
and PPP. Accounting-start packets are sent when the user logs in. Real-time accounting
packets are sent periodically for online users. Accounting-stop packets are sent when the
user logs out. HWTACACS accounting has two modes, namely, time-based and
traffic-based accounting. In the time-based accounting mode, users are charged
according to online duration. In the traffic-based accounting mode, users are charged
according to traffic used after login.
- Administrator record auditing


As shown in the following figure, accounting-start packets are sent when the administrator user logs in, and accounting-stop packets are sent when the administrator user logs out. The HWTACACS server records user login information, namely the login and logout time. Generally, administrator users do not need to be charged; instead, their login information is recorded and audited. HWTACACS accounting packets can record two types of administrator login information on the HWTACACS server: information about users logging in to the NAS device through Telnet and FTP, and information about users logging in to a remote server using the NAS device as a Telnet or FTP client (after logging in to the NAS device, the user enters a command to set up a connection with the remote server and access files on the remote host). Login records of both types are called connection information records.

Figure 2-4 Administrator connection information records


As shown in the following figure, HWTACACS accounting packets can also carry any
command line configured by the administrator on the device, and the configured command
line will be recorded on the HWTACACS server. The information records, also called
command records, can be used to track historical commands for service interruptions caused
by configuration errors. Additionally, the device can record system events (such as card reset)
by sending HWTACACS accounting packets. Such information records, also called system
information records, can help the administrator locate faults.
Figure 2-5 Administrator command records and system information records

3 Application Scenario

3.1 HWTACACS Authentication, Authorization, and Accounting

- Networking requirements
As shown in Figure 3-1, the switch performs HWTACACS authentication and
authorization on the access users first. If the HWTACACS server does not respond, the
switch performs local authentication and authorization. The switch performs real-time
HWTACACS accounting on the access users every 3 minutes. The IP addresses of
primary and secondary HWTACACS servers are 10.7.66.66/24 and 10.7.66.67/24,
respectively. The port number for authentication, accounting, and authorization is 49.

Figure 3-1 HWTACACS authentication, authorization, and accounting on access users

- Procedure
1. Enable HWTACACS.
[Switch] hwtacacs enable

2. Configure the HWTACACS server template named ht and set the IP addresses and port numbers of the primary and secondary HWTACACS authentication, authorization, and accounting servers.
[Switch] hwtacacs-server template ht
[Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
[Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
[Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49
[Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
[Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
[Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary

3. Configure the shared key of the HWTACACS server.


[Switch-hwtacacs-ht] hwtacacs-server shared-key cipher Huawei@2012
[Switch-hwtacacs-ht] quit

4. Create an authentication scheme named l-h. In the authentication scheme, configure the system to perform HWTACACS authentication first, and then local authentication if HWTACACS authentication fails.
[Switch] aaa
[Switch-aaa] authentication-scheme l-h
[Switch-aaa-authen-l-h] authentication-mode hwtacacs local
[Switch-aaa-authen-l-h] quit

5. Create an authorization scheme named hwtacacs. In the authorization scheme, configure the system to perform HWTACACS authorization first, and then local authorization if HWTACACS authorization fails.
[Switch-aaa] authorization-scheme hwtacacs
[Switch-aaa-author-hwtacacs] authorization-mode hwtacacs local
[Switch-aaa-author-hwtacacs] quit

6. Create an accounting scheme named hwtacacs. In the accounting scheme, set the accounting mode to HWTACACS and allow users to still go online after an accounting-start failure.
[Switch-aaa] accounting-scheme hwtacacs
[Switch-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Switch-aaa-accounting-hwtacacs] accounting start-fail online

7. Set the interval of real-time accounting to 3 minutes.
[Switch-aaa-accounting-hwtacacs] accounting realtime 3
[Switch-aaa-accounting-hwtacacs] quit

8. Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme l-h
[Switch-aaa-domain-huawei] authorization-scheme hwtacacs
[Switch-aaa-domain-huawei] accounting-scheme hwtacacs
[Switch-aaa-domain-huawei] hwtacacs-server ht
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit
[Switch] quit

3.2 Command-Line Authorization

- Networking requirements
As shown in Figure 3-2, a Cisco Secure ACS server runs the TACACS+ protocol. A Huawei switch serves as the NAS and communicates with the TACACS+ server, which authorizes command lines. This example uses system view commands and OSPF commands. Authorized command lines can be executed successfully. When the administrator enters command lines that are not authorized, the command lines are visible but cannot be executed.

Figure 3-2 Remote HWTACACS server authorization

- Procedure
1. Server configuration:
(1) Add a user name and password using User Setup on the ACS server, as shown in Figure 3-3.

Figure 3-3 Adding a user name on the HWTACACS server

(2) Set the privilege level for users on the server, as shown in Figure 3-4.

Figure 3-4 Setting the privilege level on the HWTACACS server

(3) Configure the IP address for the NAS device and set the authentication mode to
TACACS+ authentication, as shown in Figure 3-5.

Figure 3-5 Setting the NAS address and authentication mode on the server

(4) Edit the authorized command line set. The commands to be authorized include
only system view commands and OSPF commands, as shown in Figure 3-6.


Figure 3-6 Editing the authorized command line set on the HWTACACS server

(5) Bind the command line set in Group Setup, and then submit and restart the
service. After that, all settings on the server are completed successfully, as
shown in Figure 3-7.


Figure 3-7 Binding the command line set in Group Setup on the HWTACACS server

2. Device configuration:
(1) Configure the authentication and authorization server and enable
command-line authorization for users at level 2.
#
hwtacacs-server template acs
hwtacacs-server authentication 10.137.222.179
hwtacacs-server authorization 10.137.222.179
hwtacacs-server shared-key Huawei
#
#
aaa
authentication-scheme huawei
authentication-mode hwtacacs
#
authorization-scheme huawei
authorization-cmd 2 hwtacacs <Enable command-line authorization for users at level 2.
authorization-mode hwtacacs
#
domain huawei
authentication-scheme huawei
authorization-scheme huawei
hwtacacs-server acs
#
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15 <When authorization is not enabled, the login administrator has the privilege level 15.
idle-timeout 0 0
#
[HUAWEI]dis authorization-scheme huawei
-------------------------------------------------------------------------
Authorization-scheme-name : huawei
Authorization-method : HWTACACS
Authorization-method : Local
Authorization-cmd level 0 : Disabled
Authorization-cmd level 1 : Disabled
Authorization-cmd level 2 : Enabled ( HWTACACS ) <Enable HWTACACS command-line authorization for users at level 2.
Authorization-cmd level 3 : Disabled
Authorization-cmd level 4 : Disabled
Authorization-cmd level 5 : Disabled
Authorization-cmd level 6 : Disabled
Authorization-cmd level 7 : Disabled
Authorization-cmd level 8 : Disabled
Authorization-cmd level 9 : Disabled
Authorization-cmd level 10 : Disabled
Authorization-cmd level 11 : Disabled
Authorization-cmd level 12 : Disabled
Authorization-cmd level 13 : Disabled
Authorization-cmd level 14 : Disabled
Authorization-cmd level 15 : Disabled
Authorization-cmd no-response-policy : Online
--------------------------------------------------------------------------

(2) The authorized commands can be executed successfully, and the unauthorized
commands fail to be executed.
Login authentication
Username:test@huawei
Password:
Note: The max number of VTY users is 5, and the current number
of VTY users on line is 4.
<S5328-123>display user-interface vty 3
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
+ 37   VTY 3                  15     2            A
+    : Current user-interface is active.
F    : Current user-interface is active and work in async mode.
Idx  : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi: The privilege of user-interface.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of user-interface.
Int  : The physical location of UIs.
A: Authenticate use AAA.
N: Current user-interface need not authentication.
P: Authenticate use current UI's password.

<HUAWEI> system-view <Authorized command
Enter system view, return user view with Ctrl+Z.
[HUAWEI]ospf 1 <Authorized command
[HUAWEI-ospf-1]dis this <Unauthorized command
Error: This command failed to pass the authorization.
[HUAWEI-ospf-1]q
[HUAWEI]isis 1 <Unauthorized command
Error: This command failed to pass the authorization.
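The decision the ACS server makes for each command in the session above, written out as an added Python model; this is not Huawei or Cisco ACS code. It models the command set of Figure 3-6 (only system view commands and OSPF commands are permitted, everything else is denied), builds the cmd and cmd-arg attributes described in Table 5-1 for each command line, and replays the session. CommandSet, build_av_pairs, authorize_command, scenario_command_set and replay_session are names chosen for this example, and it assumes the NAS sends commands in their full form ("display this" rather than "dis this").

```python
"""Model of the command-line authorization decision in section 3.2 (added example)."""
import re


class CommandSet:
    """Server-side command set: a permitted command keyword maps to an optional
    regular expression for its arguments. Anything not listed is denied."""

    def __init__(self):
        self.permitted = {}

    def permit(self, cmd, arg_pattern=None):
        self.permitted[cmd] = re.compile(arg_pattern) if arg_pattern else None
        return self


def build_av_pairs(command_line):
    """Attributes the NAS sends in a command-line authorization request:
    cmd carries the first keyword, cmd-arg the remaining parameters
    (Table 5-1). '=' marks the pair as mandatory."""
    words = command_line.split()
    if not words:
        raise ValueError("empty command line")
    pairs = ["service=shell", "cmd=" + words[0]]
    if len(words) > 1:
        pairs.append("cmd-arg=" + " ".join(words[1:]))
    return pairs


def authorize_command(command_set, av_pairs):
    """Server decision: PASS only when the cmd keyword is in the set and the
    arguments match its pattern (if any); otherwise FAIL. Deny by default."""
    attrs = dict(pair.split("=", 1) for pair in av_pairs)
    cmd = attrs.get("cmd")
    if cmd not in command_set.permitted:
        return "FAIL"
    pattern = command_set.permitted[cmd]
    if pattern is None or pattern.fullmatch(attrs.get("cmd-arg", "")):
        return "PASS"
    return "FAIL"


def scenario_command_set():
    """The command set of Figure 3-6 as modelled here: system view and
    OSPF commands only (the OSPF process id must be numeric)."""
    return CommandSet().permit("system-view").permit("ospf", r"\d+")


def replay_session(command_set, commands):
    """Authorize each command the administrator enters, in order, and return
    the (command, decision) pairs; mirrors the session log above."""
    return [(c, authorize_command(command_set, build_av_pairs(c))) for c in commands]


if __name__ == "__main__":
    acs = scenario_command_set()
    session = ["system-view", "ospf 1", "display this", "isis 1"]
    for cmd, decision in replay_session(acs, session):
        print(f"{cmd:<14} -> {decision}")
```

The point to take from the replay is that the set is a whitelist: "display this" fails not because it was listed as forbidden but because nothing on the server permits it, so a server-side command set that is later edited to add a keyword silently widens what every level-2 administrator can run.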

3.3 Changing Passwords and Setting Aging Time for Administrator Accounts on the HWTACACS Server

Networking requirements
As shown in the following figure, a Huawei switch works as a NAS to communicate with
the Cisco Secure ACS server. The password of administrator accounts stored on the
server can be changed directly from the NAS. Password aging can be configured on the
server by time or by login count; this example uses aging by login count. The system
generates an alarm when a password is used for login the first time and prompts the
user to change the password when it is used for login the second time. Administrators
can also change their password proactively.

Procedure
1. Server configuration:
(1) Configure the server to allow users to change the password through Telnet.
Click Local Password Management in System Configuration on the ACS
server, as shown in Figure 3-8.


Figure 3-8 Local Password Management on the HWTACACS server

On the Local Password Management page, deselect Disable TELNET
Change Password in Remote Change Password, as shown in Figure 3-9.


Figure 3-9 Enabling Telnet change password on the HWTACACS server

(2) On the Group Setup page, set password aging by time or by login count in
Password Aging Rules, as shown in Figure 3-10. In this example, password
aging by login count is configured.


Figure 3-10 Setting password aging on the HWTACACS server

(3) Add the user account test@huawei that requires password aging to the
preceding group, as shown in Figure 3-11.


Figure 3-11 Adding a user account to the preceding group on the HWTACACS server

2. Device configuration:
(1) Configure the authentication server.
#
hwtacacs-server template acs
hwtacacs-server authentication 10.137.222.179
hwtacacs-server authorization 10.137.222.179
hwtacacs-server shared-key Huawei
#

(2) Set the domain for the user that requires password aging, use the authentication
server that is configured in the preceding step, and set the authentication mode
to hwtacacs.
#
aaa
authentication-scheme default
authentication-scheme huawei
authentication-mode hwtacacs
#
authorization-scheme default
authorization-scheme huawei
authorization-mode hwtacacs
#
accounting-scheme default
#
domain huawei
authentication-scheme huawei
authorization-scheme huawei
hwtacacs-server acs
#
#

(3) Log in to the device using Telnet and set password aging or change the
password.
Login authentication <First login
Username: test@huawei <Enter the login user name.
Password:
Warning: Your password will expire in 1 more logins
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
<HUAWEI>
Login authentication <Exit from the login interface and perform the second login.
Username: test@huawei <Enter the login user name.
Password: <Enter the old password.
Your password has expired.
Enter a new one now.
New Password: <The password expires, and you need to enter a new password.
Re-enter New password: <Confirm the new password.
Warning: Password Changed
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
<HUAWEI>
<HUAWEI>hwtacacs-user change-password hwtacacs-server acs <Change the password.
Info: EXEC is in an interactive process, please wait...
Username: test@huawei <Enter the login user name.
Old Password: <Enter the old password.
New Password: <Enter a new password.
Re-enter New password: <Confirm the new password.
Info: The password has been changed successfully.

3.4 Administrator User Level Improvement

Networking requirements
As shown in the following figure, a Huawei switch works as the NAS to interconnect
with the Cisco Secure ACS server. An administrator logs in to the device and is
authenticated by the remote HWTACACS server. If the login administrator has a low user
level and needs a higher one, the super command raises the user level; the super
command itself can be authenticated in none, super (local), or hwtacacs mode.

Procedure
1. Improve the user level in none authentication mode.
#
aaa
authentication-scheme huawei
authentication-mode hwtacacs
authentication-super none <None authentication
#
user-interface con 0
idle-timeout 0 0
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
idle-timeout 0 0
#
Login authentication
Username:test@huawei
Password:
Note: The max number of VTY users is 5, and the current number
of VTY users on line is 4.
<HUAWEI>dis user-interface vty 4
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
+ 38   VTY 4                  15     2            N
<HUAWEI>super
Password: <Enter any password. The user level is improved to level 3.
Now user privilege is 3 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<HUAWEI>
<HUAWEI>super 15
Password: <Enter any password. The user level is improved to level 15.
Now user privilege is 15 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<HUAWEI>

2. Improve the user level in local authentication mode.
#
aaa
authentication-scheme huawei
authentication-mode hwtacacs
authentication-super super <Default authentication mode: super local authentication
#
super password level 5 simple test1 <The user level can only be improved to a configured local level.
super password level 10 simple test2
super password level 15 simple test3
#
Login authentication
Username: test@huawei
Password:
Note: The max number of VTY users is 5, and the current number
of VTY users on line is 4.
<HUAWEI>dis user-interface vty 1
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
+ 35   VTY 1                  15     2            A
<HUAWEI>super 5
Password:
Now user privilege is 5 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<HUAWEI>super 8 <The local user level 8 is not configured. User level improvement fails. The user level is still level 5.
Password:
Access Denied
Password:
Access Denied
Password:
Access Denied
<HUAWEI>super 10
Password:
Now user privilege is 10 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

3. Improve the user level using the HWTACACS server.
(1) On the server, enable user level improvement authentication and set the
maximum user level to 10, as shown in Figure 3-12 and Figure 3-13.


Figure 3-12 Enabling user level improvement authentication on the HWTACACS server

Figure 3-13 Setting user level improvement on the HWTACACS server

(2) Configure HWTACACS authentication on the device.
#
aaa
authentication-scheme huawei
authentication-mode hwtacacs
authentication-super hwtacacs <hwtacacs authentication

Login authentication
Username: test@huawei
Password:
Note: The max number of VTY users is 5, and the current number
of VTY users on line is 4.
<HUAWEI>dis user-interface vty 1
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
+ 35   VTY 1                  15     2            A
<HUAWEI>super 7 <Improve the user level to level 7 through HWTACACS authentication.
Password:
Now user privilege is 7 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<HUAWEI>super 11 <User level can only be improved to level 10 on the TACACS server.
Password:
Access Denied
Password:
<HUAWEI>super 6 <No authentication is required when the user level decreases.
Now user privilege is 6 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
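The three authentication-super modes of section 3.4 side by side, as an added Python model rather than Huawei code. It reproduces the decisions visible in the three session logs above (any password accepted in none mode, only locally configured levels reachable in super mode, the server's maximum level of 10 enforced in hwtacacs mode, and no prompt when the level is lowered) and adds a small audit that reads the authentication-super line out of a configuration dump so the weak none setting can be found. The local password table and the server's maximum level come from the scenario; super_request and audit_super_modes are names chosen here, and the HWTACACS server check is simulated in-process with a constructed password.

```python
"""Model of the `authentication-super` modes in section 3.4 (added example)."""
import re

DEFAULT_TARGET_LEVEL = 3   # `super` without an argument raises the level to 3
MAX_LEVEL = 15


def super_request(mode, current_level, target_level=None, password=None,
                  local_super_passwords=None, server=None):
    """Return (granted, resulting_level) for one `super` command.

    mode:   'none' | 'super' | 'hwtacacs'   (the authentication-super setting)
    local_super_passwords: {level: password} from `super password level N ...`
    server: {'max_level': int, 'password': str}, a simulated ACS setting
    """
    if target_level is None:
        target_level = DEFAULT_TARGET_LEVEL
    if not 0 <= target_level <= MAX_LEVEL:
        raise ValueError("user level must be 0-15")
    # Lowering the level (or staying at it) needs no authentication at all.
    if target_level <= current_level:
        return True, target_level
    if mode == "none":
        # Weak setting: whatever is typed at the Password: prompt is accepted.
        return True, target_level
    if mode == "super":
        expected = (local_super_passwords or {}).get(target_level)
        # Only a level with a configured local super password can be reached.
        if expected is None or password != expected:
            return False, current_level          # "Access Denied"
        return True, target_level
    if mode == "hwtacacs":
        # The server both authenticates and caps the reachable level.
        if server is None or target_level > server["max_level"]:
            return False, current_level
        if password != server["password"]:
            return False, current_level
        return True, target_level
    raise ValueError(f"unknown authentication-super mode: {mode}")


def audit_super_modes(config_text):
    """Map each authentication-scheme in a config dump to its authentication-super
    mode ('super', the default, when the line is absent) and list the schemes
    that use 'none'."""
    modes, scheme = {}, None
    for line in config_text.splitlines():
        line = line.split("<", 1)[0].strip()   # drop the annotations used on this page
        m = re.match(r"authentication-scheme (\S+)", line)
        if m:
            scheme = m.group(1)
            modes.setdefault(scheme, "super")
            continue
        m = re.match(r"authentication-super (\S+)", line)
        if m and scheme:
            modes[scheme] = m.group(1)
    weak = sorted(s for s, mode in modes.items() if mode == "none")
    return modes, weak


if __name__ == "__main__":
    local = {5: "test1", 10: "test2", 15: "test3"}      # super password level N ...
    acs = {"max_level": 10, "password": "example-pw"}   # constructed server values
    print("none    :", super_request("none", 2, None, "anything"))
    print("super 8 :", super_request("super", 5, 8, "test1", local))
    print("hwtacacs:", super_request("hwtacacs", 7, 11, "example-pw", server=acs))
```

The audit is what a reviewer of a running configuration wants: a scheme that reaches level 15 through `authentication-super none` turns every authenticated login into a full administrator, whichever priv-lvl the HWTACACS server returned.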

4 Reference Standards and Protocols

Table 4-1 HWTACACS standards

Standard Number: RFC 1492
Document Name: An Access Control Protocol, Sometimes Called TACACS
Remarks: TACACS protocol

Standard Number: draft-grant-tacacs-02
Document Name: The TACACS+ Protocol Version 1.78
Remarks: TACACS+ protocol. It is a draft Internet protocol and is often cited as a
Cisco proprietary protocol. HWTACACS is compatible with TACACS+ V1.78.
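The wire format of the draft-grant-tacacs-02 protocol that HWTACACS is compatible with, as an added Python example; it is not Huawei or Cisco code. It builds the 12-byte packet header, derives the MD5 pseudo-pad from the shared key the way the draft specifies, obfuscates an authorization REQUEST body carrying the cmd and cmd-arg attributes of the appendix, parses the packet back, and splits the attribute list into mandatory ('=') and optional ('*') pairs. The session id, port, remote address and user are constructed values; the shared key Huawei is the one shown in the configurations above; all function names are this example's own.

```python
"""TACACS+ (draft-grant-tacacs-02) header, body obfuscation and AV pairs (added example)."""
import hashlib
import re
import struct

VERSION = 0xC0             # major 0xC, minor 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 0x01, 0x02, 0x03
FLAG_UNENCRYPTED = 0x01    # body sent as-is, no pseudo-pad applied
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from the draft: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}); cut to `length`."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body, session_id, key, version=VERSION, seq_no=1):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def encode_author_request(user, port, rem_addr, args, priv_lvl=2,
                          authen_method=0x06, authen_type=0x01, authen_service=0x01):
    """Authorization REQUEST body. Defaults: authen_method 0x06 (TACACSPLUS),
    authen_type 0x01 (ASCII), authen_service 0x01 (LOGIN)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    head = bytes([authen_method, priv_lvl, authen_type, authen_service,
                  len(user_b), len(port_b), len(rem_b), len(arg_bs)])
    return head + bytes(len(a) for a in arg_bs) + user_b + port_b + rem_b + b"".join(arg_bs)


def decode_author_request(body):
    """Inverse of encode_author_request; rejects bodies with trailing bytes."""
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = body[:8]
    arg_lens = list(body[8:8 + arg_cnt])
    pos = 8 + arg_cnt
    fields = []
    for n in (user_len, port_len, rem_len, *arg_lens):
        fields.append(body[pos:pos + n].decode())
        pos += n
    if pos != len(body):
        raise ValueError("trailing bytes in authorization body")
    user, port, rem_addr, *args = fields
    return {"priv_lvl": priv_lvl, "user": user, "port": port,
            "rem_addr": rem_addr, "args": args}


def parse_av_pairs(args):
    """'name=value' is mandatory, 'name*value' optional: {name: (value, mandatory)}."""
    out = {}
    for a in args:
        m = re.fullmatch(r"([^=*]+)([=*])(.*)", a, re.S)
        if not m:
            raise ValueError(f"malformed attribute: {a!r}")
        name, sep, value = m.groups()
        out[name] = (value, sep == "=")
    return out


def build_packet(body, session_id, key, seq_no=1, packet_type=TYPE_AUTHOR):
    header = HEADER.pack(VERSION, packet_type, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_packet(packet, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def is_cleartext(packet):
    """True when the UNENCRYPTED flag is set; a NAS with a shared key configured
    should never send such packets, so this is worth alerting on."""
    return bool(HEADER.unpack(packet[:12])[3] & FLAG_UNENCRYPTED)


if __name__ == "__main__":
    args = ["service=shell", "cmd=ospf", "cmd-arg=1", "priv-lvl*2"]
    body = encode_author_request("test", "vty3", "192.0.2.10", args)   # constructed
    pkt = build_packet(body, 0x1A2B3C4D, b"Huawei")                    # constructed id
    print(parse_av_pairs(decode_author_request(parse_packet(pkt, b"Huawei")["body"])["args"]))
```

Two properties matter operationally. The body is XORed with an MD5 stream derived from the shared key, so anyone holding the key (or any NAS sharing it) can read every command-line authorization request on the wire; this is obfuscation, not authenticated encryption, which is why the draft recommends a dedicated management network. And a wrong key does not produce an error, only garbage: parse_packet returns a body that fails to decode, which is the symptom to expect when the server and the switch disagree on hwtacacs-server shared-key.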

5 Appendix

Table 5-1 Common HWTACACS attributes

Attribute Name: Description

acl: Authorized ACL ID.

addr: User IP address.

autocmd: Command automatically executed after user login.

bytes_in: Number of bytes received by the device. K, M, and G indicate KB, MB, and GB,
respectively. If no unit is specified, the unit of the attribute is byte.

bytes_out: Number of bytes sent by the device. K, M, and G indicate KB, MB, and GB,
respectively. If no unit is specified, the unit of the attribute is byte.

callback-line: Call number, that is, the information sent from the server to be
displayed to a user, such as the mobile number.

cmd: First keyword of the command encapsulated during command line authorization.

cmd-arg: Parameters of the command line requesting to be authorized.

disc_cause: Offline reason. The attribute is supported only by accounting-stop
packets. The reasons include:
- User requested termination of service (1).
- Data interruption (2).
- Service interruption (3).
- Idle timer expired (4).
- Session timeout (5).
- The administrator requested the user to go offline (7).
- NAS fault (9).
- NAS requested the user to go offline (10).
- The interface is disabled (12).
- Incorrect user information (17).
- Host requested to go offline (18).

disc_cause_ext: Extended offline reason. The attribute is supported only by
accounting-stop packets. The reasons include:
- Unknown reason (1022).
- EXEC terminal connection termination (1020).
- Other online Telnet users forced the user offline (1022).
- The remote end has no IP address, causing the user unable to switch to the
  SLIP/PPP client (1023).
- PPP PAP authentication failure (1042).
- PPP received termination packets from the remote end (1045).
- The upper-layer device required PPP disconnection (1046).
- PPP handshake failure (1063).
- Session timeout (1100).

dnaverage: Downlink average rate, in bit/s.

dnpeak: Downlink peak rate, in bit/s.

dns-servers: Primary DNS server address.

elapsed_time: How long a user has been online, in seconds.

ftpdir: Initial directory of an FTP user.

gw-password: Tunnel password, which is a character string.

idletime: Idle period. That is, the server automatically disconnects the user
if no operation is performed in the idle period.

l2tp-hello-interval: Interval for sending L2TP Hello packets. Currently, the device
does not support this attribute.

l2tp-hidden-avp: Hidden Attribute Value Pair (AVP) of L2TP. Currently, the
device does not support this attribute.

l2tp-nosession-timeout: Idle period of the L2TP session. When there is no L2TP session,
the L2TP tunnel will be torn down after the period. Currently, the
device does not support this attribute.

l2tp-group-num: L2TP group number. Only after this attribute is delivered can other
L2TP attributes take effect; if this attribute is not delivered,
other L2TP attributes are ignored.

l2tp-tos-reflect: TOS value of L2TP. Currently, the device does not support this
attribute.

l2tp-tunnel-authen: Whether L2TP tunnel authentication is implemented. The value 0
indicates that tunnel authentication is not implemented while the
value 1 indicates that tunnel authentication is implemented.

l2tp-udp-checksum: UDP packet checksum of L2TP.

nocallback-verify: No verification after the callback.

nohangup: Whether the device automatically cuts off the user connection.
The value is true or false. The attribute is attached to autocmd.
After autocmd is configured, this attribute determines whether
the user connection is cut off after the autocmd command runs.
true indicates that the user connection is not cut off while
false indicates that the user connection is cut off.

paks_in: Number of packets received by the device.

paks_out: Number of packets sent by the device.

priv-lvl: User level.

protocol: Protocol type. It is a subset of the service type and takes effect for
ppp and connection. Currently, the protocols pad, telnet, ip, and
vpdn are supported.
- When the service type is connection, the protocol type can be pad or telnet.
- When the service type is ppp, the protocol type can be ip or vpdn.
- For other service types, the attribute is not encapsulated.

task_id: Task ID. The task_id of the same task must be the same at the
start and end.

timezone: Local time zone.

tunnel-id: Tunnel ID, which is a string of characters.

tunnel-type: Indicates the type of the tunnel to be established.

service: Service type, which can be an accounting or authorization service.

source-ip: IP address of the tunnel's local end.

upaverage: Uplink average rate, in bit/s.

uppeak: Uplink peak rate, in bit/s.

Table 5-2 Support status of attributes in the HWTACACS authorization packets

Columns: Attribute | Command Line Authorization Request Packet | EXEC Authorization
Response Packet | Access User Authorization Response Packet

Attributes listed: acl, addr, addr-pool, autocmd, callback-line, cmd, cmd-arg,
dnaverage, dnpeak, dns-servers, ftpdir, gw-password, idletime, ip-addresses,
l2tp-group-num, l2tp-tunnel-authen, nocallback-verify, nohangup, priv-lvl,
source-ip, tunnel-type, tunnel-id, upaverage
Table 5-3 Support status of attributes in the HWTACACS accounting packets

Columns: Attribute | Network Accounting-Start Request Packet | Network
Accounting-Stop Request Packet | Network Accounting Real-Time Request |
Connection Accounting-Start Request Packet | Connection Accounting-Stop Request
Packet | EXEC Accounting-Start Request Packet | EXEC Accounting-Stop Request
Packet | EXEC Accounting Real-Time Request | System Accounting-Stop Request
Packet | Command Accounting-Stop Packet

Attributes listed: addr, bytes_in, bytes_out, cmd, disc_cause, disc_cause_ext,
elapsed_time, paks_in, paks_out, priv-lvl, protocol, service, task_id, timezone,
tunnel-id, tunnel-type
Y: Supported
N: Not supported
