Issue: 1.0
Date: 2015-08-08
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Keywords: HWTACACS, TACACS, RADIUS, AAA, device management, command-line authorization
Abbreviation   Full Name
HWTACACS       Huawei Terminal Access Controller Access Control System
TACACS         Terminal Access Controller Access Control System
TACACS+        Terminal Access Controller Access Control System Plus
RADIUS         Remote Authentication Dial-In User Service
AAA            Authentication, Authorization, and Accounting
NAS            Network Access Server
ACS            Access Control Server
BRAS           Broadband Remote Access Server
EXEC           Executable
Contents
About This Document
1 Introduction to HWTACACS
1.1 HWTACACS
1.1.1 Overview
1.1.2 Technology Advantages
1 Introduction to HWTACACS
1.1 HWTACACS
1.1.1 Overview
AAA is short for authentication, authorization, and accounting, and is a management mechanism for network security. HWTACACS is a security protocol that implements the AAA function. Like RADIUS, HWTACACS uses the client/server model: the HWTACACS client on the device communicates with the HWTACACS server to implement AAA for users. HWTACACS is an enhancement of TACACS (RFC 1492) and encrypts the user information it transmits with a key shared between the device and the server. HWTACACS is flexible and scalable. It uses the Transmission Control Protocol (TCP), port 49, for transport, which is more reliable than the User Datagram Protocol (UDP) transport used by RADIUS.
HWTACACS can authenticate common users who log in through 802.1x, Portal, and PPP, as well as administrator users who log in through the serial port, Telnet, SSH, and FTP. Similarly, HWTACACS can authorize common access users and login administrators, and each command entered by an administrator can also be authorized by HWTACACS. HWTACACS can charge common users based on their online duration, and can record how long administrator users stay logged in, the operations they perform, and the commands they execute. HWTACACS is compatible with Cisco's TACACS+: a Huawei switch can work as an HWTACACS client and communicate with a TACACS+ server to implement the AAA function.
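As an added illustration that is not code from the white paper, the following Python shows the packet framing HWTACACS shares with TACACS+ (draft-grant-tacacs-02): a 12-byte header, and a body XORed with an MD5 keystream derived from the shared key, session ID, version and sequence number. The key, session ID and body bytes are constructed sample values; the keystream provides no integrity protection, so a wrong key yields garbage rather than a detectable error.

```python
import hashlib
import struct

# Added example, not code from the white paper: the packet framing HWTACACS
# shares with TACACS+ (draft-grant-tacacs-02). The body is XORed with an MD5
# keystream derived from the shared key; there is no integrity check, so a
# wrong key silently yields garbage. Key, session id and body are sample values.

TAC_PLUS_VERSION = 0xC0            # major version 12, minor version 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in cleartext; a hardened server rejects this
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}), truncated to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """Frame and obfuscate a body with the shared key (cleartext if key is empty)."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body)) if key else bytes(len(body))
    obfuscated = bytes(b ^ p for b, p in zip(body, pad))
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + obfuscated


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Parse the header and recover the body; checks the declared body length."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet: declared %d body bytes" % length)
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "cleartext": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG), "body": body}


if __name__ == "__main__":
    key = b"Huawei"                              # shared key configured on both sides (sample)
    body = b"\x01\x0f\x01\x01\x0btest@huawei"    # constructed body bytes, not a real request
    pkt = build_packet(TAC_PLUS_AUTHOR, 1, 0x1234ABCD, body, key)
    print(parse_packet(pkt, key))
```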
2 Principle Description
Administrator users have four user levels, but all administrator users at the same level have the same command operation rights, so this mode is still inflexible. Command-line authorization gives administrator users at the same level different command-line operation rights. It authorizes each command line individually on top of the user level: users at a given level can see all command lines of that level but can execute only the commands they are authorized to run.
As shown in the following figure, command-line authorization is enabled on the NAS device, and an authorized command line set is created on the HWTACACS server and bound to the users that require authorization. When the administrator logs in to the NAS and command-line authorization is not enabled for the administrator's user level, command lines run immediately. If command-line authorization is enabled, the NAS sends a command-line authorization request packet to the HWTACACS server for each command entered, and the server checks whether the administrator is authorized to execute that command line. If so, the server responds with an authorization success message and the command runs on the NAS; if not, the server responds with an authorization failure message and the command is not run.
Figure 2-3 Command-line authorization for administrator users
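The request/response exchange just described, as an added example that is not part of the white paper: the NAS builds the TACACS+ authorization request for one command line, the server matches it against the command set bound to the user's level and answers with a pass or fail status, and the NAS applies the result, falling back to its configured no-response policy when the server is silent. The wire layout follows draft-grant-tacacs-02; the user, port, address and command set are constructed assumptions.

```python
import struct

# Added example, not code from the white paper: one command-line authorization
# exchange (NAS -> server REQUEST, server -> NAS RESPONSE) in the TACACS+ body
# layout of draft-grant-tacacs-02. User, port, address and command set are
# constructed sample data; the set stands in for the ACS authorized command set.

AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
STATUS_PASS_ADD, STATUS_PASS_REPL, STATUS_FAIL = 0x01, 0x02, 0x10
# Constructed policy: prefixes a level-2 administrator may run; nothing is bound to other levels.
COMMAND_SET = {2: ["system-view", "ospf", "area", "network", "quit"]}

def build_author_request(user, port, rem_addr, priv_lvl, cmd, cmd_args):
    """NAS side: REQUEST body with service=shell, cmd=<first word>, cmd-arg=<rest>."""
    args = [b"service=shell", b"cmd=" + cmd.encode()]
    args += [b"cmd-arg=" + a.encode() for a in cmd_args]
    strings = [s.encode() for s in (user, port, rem_addr)]
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, *map(len, strings), len(args))
    return fixed + bytes(map(len, args)) + b"".join(strings) + b"".join(args)

def parse_author_request(body):
    """Server side: fixed fields, then the arg length table, then the strings."""
    _m, priv, _t, _s, ulen, plen, rlen, argc = struct.unpack_from("!8B", body)
    off, fields = 8 + argc, []
    for n in (ulen, plen, rlen, *body[8:8 + argc]):
        fields.append(body[off:off + n].decode())
        off += n
    # mandatory args use "=", optional ones "*"; this sample only emits "="
    return {"user": fields[0], "priv_lvl": priv,
            "args": [f.split("=", 1) for f in fields[3:]]}

def server_decide(req, command_set):
    """Permit a shell command only if its full line starts with an entry bound to the level."""
    if ["service", "shell"] not in req["args"]:
        return STATUS_FAIL
    line = " ".join(v for k, v in req["args"] if k in ("cmd", "cmd-arg"))
    for prefix in command_set.get(req["priv_lvl"], []):
        if line == prefix or line.startswith(prefix + " "):
            return STATUS_PASS_ADD
    return STATUS_FAIL

def build_author_response(status, server_msg=""):
    """RESPONSE body: status, arg_cnt, server_msg_len, data_len, then server_msg."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg

def nas_decision(response_body, no_response_policy="online"):
    """NAS side: run on PASS_ADD/PASS_REPL; with no reply, apply the no-response policy (Online runs it)."""
    if response_body is None:
        return no_response_policy == "online"
    return response_body[0] in (STATUS_PASS_ADD, STATUS_PASS_REPL)

def authorize_command(user, priv_lvl, cmd, cmd_args, command_set=COMMAND_SET):
    """Whole exchange for one command line; True means the NAS may run it."""
    req = build_author_request(user, "vty3", "10.0.0.5", priv_lvl, cmd, cmd_args)
    status = server_decide(parse_author_request(req), command_set)
    msg = "" if status == STATUS_PASS_ADD else "command not authorized"
    return nas_decision(build_author_response(status, msg))
```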
HWTACACS can charge common users accessing the network through 802.1X, Portal,
and PPP. Accounting-start packets are sent when the user logs in. Real-time accounting
packets are sent periodically for online users. Accounting-stop packets are sent when the
user logs out. HWTACACS accounting has two modes, namely, time-based and
traffic-based accounting. In the time-based accounting mode, users are charged
according to online duration. In the traffic-based accounting mode, users are charged
according to traffic used after login.
As shown in the following figure, HWTACACS accounting packets can also carry any command line that the administrator configures on the device, and the command line is recorded on the HWTACACS server. These information records, also called command records, can be used to trace the command history when a configuration error causes a service interruption. Additionally, the device can record system events (such as a card reset) by sending HWTACACS accounting packets. Such information records, also called system information records, help the administrator locate faults.
Figure 2-5 Administrator command records and system information records
3 Application Scenario
Networking requirements
As shown in Figure 3-1, the switch performs HWTACACS authentication and authorization on access users first; if the HWTACACS server does not respond, the switch performs local authentication and authorization. The switch performs real-time HWTACACS accounting on the access users every 3 minutes. The IP addresses of the primary and secondary HWTACACS servers are 10.7.66.66/24 and 10.7.66.67/24, respectively. The port number for authentication, accounting, and authorization is 49.
Procedure
1. Enable HWTACACS.
   [Switch] hwtacacs enable
2. Configure the HWTACACS server template named ht and set the IP addresses and port numbers of the primary and secondary HWTACACS authentication, authorization, and accounting servers.
   [Switch] hwtacacs-server template ht
   [Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
   [Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
   [Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49
   [Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
   [Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
   [Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary
3.
4.
5.
6. Create an accounting scheme named hwtacacs. In the accounting scheme, set the accounting mode to HWTACACS and allow users to stay online after an accounting-start failure.
   [Switch-aaa] accounting-scheme hwtacacs
   [Switch-aaa-accounting-hwtacacs] accounting-mode hwtacacs
   [Switch-aaa-accounting-hwtacacs] accounting start-fail online
7.
8. Configure a domain named huawei, and apply the authentication scheme l-h, the authorization scheme hwtacacs, the accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
   [Switch-aaa] domain huawei
   [Switch-aaa-domain-huawei] authentication-scheme l-h
   [Switch-aaa-domain-huawei] authorization-scheme hwtacacs
   [Switch-aaa-domain-huawei] accounting-scheme hwtacacs
   [Switch-aaa-domain-huawei] hwtacacs-server ht
   [Switch-aaa-domain-huawei] quit
   [Switch-aaa] quit
   [Switch] quit
Networking requirements
As shown in Figure 3-2, the Cisco Secure ACS server runs the TACACS+ protocol. The Huawei switch serves as the NAS and communicates with the TACACS+ server, and the ACS server authorizes command lines. This example uses system view commands and OSPF commands: authorized command lines execute successfully, while command lines that are not authorized remain visible to the administrator but cannot be executed.
Procedure
1. Server configuration:
(1) Add a user name and password using User Setup on the ACS server, as shown in Figure 3-3.
(2) Set the privilege level for users on the server, as shown in Figure 3-4.
(3) Configure the IP address for the NAS device and set the authentication mode to
TACACS+ authentication, as shown in Figure 3-5.
Figure 3-5 Setting the NAS address and authentication mode on the server
(4) Edit the authorized command line set. The commands to be authorized include
only system view commands and OSPF commands, as shown in Figure 3-6.
Figure 3-6 Editing the authorized command line set on the HWTACACS server
(5) Bind the command line set in Group Setup, and then submit and restart the
service. After that, all settings on the server are completed successfully, as
shown in Figure 3-7.
Figure 3-7 Binding the command line set in Group Setup on the HWTACACS server
2. Device configuration:
(1) Configure the authentication and authorization server and enable command-line authorization for users at level 2.
#
hwtacacs-server template acs
hwtacacs-server authentication 10.137.222.179
hwtacacs-server authorization 10.137.222.179
hwtacacs-server shared-key Huawei
#
#
aaa
authentication-scheme huawei
authentication-mode hwtacacs
#
authorization-scheme huawei
authorization-cmd 2 hwtacacs <Enable command-line authorization for users at level 2.
authorization-mode hwtacacs
#
domain huawei
authentication-scheme huawei
authorization-scheme huawei
hwtacacs-server acs
#
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15 <When command-line authorization is not enabled, the login administrator has privilege level 15.
idle-timeout 0 0
#
[HUAWEI]dis authorization-scheme huawei
-------------------------------------------------------------------------
Authorization-scheme-name            : huawei
Authorization-method                 : HWTACACS
Authorization-method                 : Local
Authorization-cmd level 0            : Disabled
Authorization-cmd level 1            : Disabled
Authorization-cmd level 2            : Enabled ( HWTACACS ) <HWTACACS command-line authorization is enabled for users at level 2.
Authorization-cmd level 3            : Disabled
Authorization-cmd level 4            : Disabled
Authorization-cmd level 5            : Disabled
Authorization-cmd level 6            : Disabled
Authorization-cmd level 7            : Disabled
Authorization-cmd level 8            : Disabled
Authorization-cmd level 9            : Disabled
Authorization-cmd level 10           : Disabled
Authorization-cmd level 11           : Disabled
Authorization-cmd level 12           : Disabled
Authorization-cmd level 13           : Disabled
Authorization-cmd level 14           : Disabled
Authorization-cmd level 15           : Disabled
Authorization-cmd no-response-policy : Online
--------------------------------------------------------------------------
(2) The authorized commands can be executed successfully, and the unauthorized
commands fail to be executed.
Login authentication
Username:test@huawei
Password:
Note: The max number of VTY users is 5, and the current number
of VTY users on line is 4.
<S5328-123>display user-interface vty 3
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 37   VTY 3                     15    2           A
  +    : Current user-interface is active.
  F    : Current user-interface is active and work in async mode.
  Idx  : Absolute index of user-interface.
  Type : Type and relative index of user-interface.
  Privi: The privilege of user-interface.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of user-interface.
  Int  : The physical location of UIs.
  A: Authenticate use AAA.
  N: Current user-interface need not authentication.
  P: Authenticate use current UI's password.
Networking requirements
As shown in the following figure, a Huawei switch works as the NAS and communicates with a Cisco Secure ACS server. The passwords of administrator accounts stored on the server can be changed directly from the NAS. Password aging can be configured on the server by time or by login count; in this example it is configured by login count. The system generates a warning when a password is used for login the first time, and prompts the user to change the password when it is used for login the second time. Users can also proactively change the administrator password.
Procedure
1. Server configuration:
(1) Configure the server to allow users to change the password through Telnet. Click Local Password Management in System Configuration on the ACS server, as shown in Figure 3-8.
(2) On the Group Setup page, set password aging by time or by login count in
Password Aging Rules, as shown in Figure 3-10. In this example, password
aging by login count is configured.
(3) Add the user account test@huawei that requires password aging to the
preceding group, as shown in Figure 3-11.
Figure 3-11 Adding a user account to the preceding group on the HWTACACS server
2. Device configuration:
(1) Configure the authentication server.
#
hwtacacs-server template acs
hwtacacs-server authentication 10.137.222.179
hwtacacs-server authorization 10.137.222.179
hwtacacs-server shared-key Huawei
#
(2) Set the domain for the user that requires password aging, use the authentication
server that is configured in the preceding step, and set the authentication mode
to hwtacacs.
#
aaa
authentication-scheme default
authentication-scheme huawei
authentication-mode hwtacacs
#
authorization-scheme default
authorization-scheme huawei
authorization-mode hwtacacs
#
accounting-scheme default
#
domain huawei
authentication-scheme huawei
authorization-scheme huawei
hwtacacs-server acs
#
#
(3) Log in to the device using Telnet and set password aging or change the
password.
Login authentication <First login.
Username: test@huawei <Enter the login user name.
Password:
Warning: Your password will expire in 1 more logins
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
<HUAWEI>
Login authentication <Exit from the login interface and perform the second login.
Username: test@huawei <Enter the login user name.
Password: <Enter the old password.
Your password has expired.
Enter a new one now.
New Password: <The password has expired; enter a new password.
Re-enter New password: <Confirm the new password.
Warning: Password Changed
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
<HUAWEI>
<HUAWEI>hwtacacs-user change-password hwtacacs-server acs <Change the password.
Info: EXEC is in an interactive process, please wait...
Username: test@huawei <Enter the login user name.
Old Password: <Enter the old password.
New Password: <Enter a new password.
Re-enter New password: <Confirm the new password.
Info: The password has been changed successfully.
Networking requirements
As shown in the following figure, a Huawei switch works as the NAS and interconnects with the Cisco Secure ACS server. An administrator user logs in to the device through the remote HWTACACS authentication server. If the administrator logs in at a low user level and needs a higher one, the super command changes the user level; the super authentication mode can be none, super, or hwtacacs.
Procedure
1.
2.
3.
Figure 3-12 Enabling user level improvement authentication on the HWTACACS server
<hwtacacs authentication
Login authentication
Username: test@huawei
Password:
Note: The max number of VTY users is 5, and the current number
of VTY users on line is 4.
<HUAWEI>dis user-interface vty 1
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 35   VTY 1                     15    2           A
<HUAWEI>super 7 <Raise the user level to level 7 through HWTACACS authentication.
Password:
Now user privilege is 7 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<HUAWEI>super 11 <The user level can only be raised to level 10 on the TACACS server.
Password:
Access Denied
Password:
<HUAWEI>super 6 <No authentication is required when the user level decreases.
Now user privilege is 6 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
Document Name            Remarks
RFC 1492                 TACACS protocol
draft-grant-tacacs-02
5 Appendix
Attribute Name           Description
acl
addr                     User IP address.
autocmd
bytes_in
bytes_out
callback-line            Call number, that is, the information sent from the server to be displayed to a user, such as the mobile number.
cmd
cmd-arg
disc_cause
disc_cause_ext
dnaverage
dnpeak
dns-servers
elapsed_time
ftpdir
gw-password
idletime                 Idle period. The server automatically disconnects the user if no operation is performed during the idle period.
l2tp-hello-interval
l2tp-hidden-avp
l2tp-nosession-timeout
l2tp-group-num
l2tp-tos-reflect         TOS value of L2TP. Currently, the device does not support this attribute.
l2tp-tunnel-authen
l2tp-udp-checksum
nocallback-verify
nohangup
paks_in
paks_out
priv-lvl                 User level.
protocol                 Protocol type. It is a subset of the service type and takes effect for ppp and connection. Currently, the protocols pad, telnet, ip, and vpdn are supported.
task_id                  Task ID. The task_id of the same task must be the same at the start and end.
timezone
tunnel-id
tunnel-type
service
source-ip
upaverage
uppeak
Attributes in authorization packets (columns: Command Line Authorization Request Packet, EXEC Authorization Response Packet, Access User Authorization Response Packet):
acl
addr
addr-pool
autocmd
callback-line
cmd
cmd-arg
dnaverage
dnpeak
dns-servers
ftpdir
gw-password
idletime
ip-addresses
l2tp-group-num
l2tp-tunnel-authen
nocallback-verify
nohangup
priv-lvl
source-ip
tunnel-type
tunnel-id
upaverage
S Series Switches
HWTACACS Technology White Paper
Attributes in accounting packets (columns: Network Accounting-Start Request Packet, Network Accounting-Stop Request Packet, Network Accounting Real-Time Request Packet, Connection Accounting-Start Request Packet, Connection Accounting-Stop Request Packet, EXEC Accounting-Start Request Packet, EXEC Accounting-Stop Request Packet, EXEC Accounting Real-Time Request Packet, System Accounting-Stop Request Packet, Command Accounting-Stop Packet):
addr
bytes_in
bytes_out
cmd
disc_cause
disc_cause_ext
elapsed_time
paks_in
paks_out
priv-lvl
protocol
service
task_id
timezone
tunnel-id
tunnel-type
Y: Supported
N: Not supported