8/12/2019 CloudEngine 6800&5800 V100R001C00 Configuration Guide - Security 04.pdf
CloudEngine 6800&5800 Series Switches
V100R001C00
Configuration Guide - Security
Issue 04
Date 2013-07-10
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://enterprise.huawei.com
Issue 04 (2013-07-10) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
i
About This Document
Intended Audience
This document describes the concepts and configuration procedures of the security features on the CE series switches and provides configuration examples for them.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description
DANGER    Indicates a hazard with a high or medium level of risk which, if not avoided, could result in death or serious injury.
WARNING   Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation that, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.
TIP       Provides a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points in the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention        Description
Boldface          The keywords of a command line are in boldface.
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   Alternative items are grouped in braces and separated by vertical bars. Exactly one item must be selected.
[ x | y | ... ]   Optional alternative items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*  Alternative items are grouped in braces and separated by vertical bars. A minimum of one item and a maximum of all items can be selected.
[ x | y | ... ]*  Optional alternative items are grouped in brackets and separated by vertical bars. You can select one or several items, or no item.
&                 The parameter before the & sign can be repeated 1 to n times.
#                 A line starting with the # sign is a comment.
Interface Numbering Conventions
Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
Changes in Issue 04 (2013-07-10)
This version has the following updates:
The following information is modified:
- 2 ACL Configuration
- 2.1 ACL Overview
- 2.5.3 Configuring an Advanced ACL Rule
- 7.3 Default Configuration
- 7.4.4 Configuring Rate Limit on ARP Packets (Globally or in a VLAN)
- 4.1 Local Attack Defense Overview
- 9 Traffic Suppression and Storm Control Configuration
- 8.1 MFF Overview
- 5.2 Configuration Notes
- 5.4.4 Checking the Configuration
- 6.3.1 Configuring the URPF Check Mode on an Interface
Changes in Issue 03 (2013-05-10)
This version has the following updates:
The following information is modified:
- 1.5.2 Configuring an HWTACACS Server Template
Changes in Issue 02 (2013-03-15)
This version has the following updates:
The following information is modified:
- 1.3.2 Configuring a Local User
- 9.4.1 Configuring Traffic Suppression on an Interface
- 9.4.2 Configuring Traffic Suppression in a VLAN
Changes in Issue 01 (2012-12-31)
Initial commercial release.
Contents

About This Document ........ ii
1 AAA Configuration ........ 1
1.1 AAA Overview ........ 2
1.2 AAA Features Supported by the Device ........ 3
1.3 Configuring Local Authentication and Authorization ........ 4
1.3.1 Configuring AAA Schemes ........ 4
1.3.2 Configuring a Local User ........ 6
1.3.3 Configuring a Domain ........ 7
1.3.4 Checking the Configuration ........ 8
1.4 Configuring RADIUS AAA ........ 9
1.4.1 Configuring AAA Schemes ........ 9
1.4.2 Configuring a RADIUS Server Template ........ 11
1.4.3 Configuring a Domain ........ 12
1.4.4 Checking the Configuration ........ 14
1.5 Configuring HWTACACS AAA ........ 14
1.5.1 Configuring AAA Schemes ........ 14
1.5.2 Configuring an HWTACACS Server Template ........ 17
1.5.3 Configuring a Domain ........ 19
1.5.4 Checking the Configuration ........ 21
1.6 Maintaining AAA ........ 21
1.6.1 Clearing AAA Statistics ........ 21
1.7 Configuration Examples ........ 22
1.7.1 Example for Configuring RADIUS Authentication and Accounting ........ 22
1.7.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization ........ 25
2 ACL Configuration ........ 29
2.1 ACL Overview ........ 30
2.2 ACL Features Supported by the Device ........ 30
2.3 Default Configuration ........ 32
2.4 Configuring a Basic ACL ........ 32
2.4.1 (Optional) Configuring the Validity Time Range of a Rule ........ 32
2.4.2 Creating a Basic ACL ........ 33
2.4.3 Configuring a Basic ACL Rule ........ 34
2.4.4 Applying the ACL to the Switch ........ 35
2.4.5 Checking the Configuration ........ 35
2.5 Configuring an Advanced ACL ........ 35
2.5.1 (Optional) Configuring the Validity Time Range of a Rule ........ 36
2.5.2 Creating an Advanced ACL ........ 37
2.5.3 Configuring an Advanced ACL Rule ........ 37
2.5.4 Applying the ACL to the Switch ........ 39
2.5.5 Checking the Configuration ........ 39
2.6 Configuring a Layer 2 ACL ........ 39
2.6.1 (Optional) Configuring the Validity Time Range of a Rule ........ 40
2.6.2 Creating a Layer 2 ACL ........ 41
2.6.3 Configuring a Layer 2 ACL Rule ........ 41
2.6.4 Applying the ACL to the Switch ........ 42
2.6.5 Checking the Configuration ........ 43
2.7 Configuring a User-defined ACL ........ 43
2.7.1 (Optional) Configuring the Validity Time Range of a Rule ........ 43
2.7.2 Creating a User-defined ACL ........ 44
2.7.3 Configuring a User-defined ACL Rule ........ 45
2.7.4 Applying the ACL to the Switch ........ 46
2.7.5 Checking the Configuration ........ 46
2.8 Maintaining an ACL ........ 46
2.8.1 Clearing ACL Statistics ........ 46
2.9 Configuration Examples ........ 47
2.9.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server ........ 47
2.9.2 Example for Using an Advanced ACL to Configure Traffic Classifiers ........ 49
2.9.3 Example for Using a Layer 2 ACL to Configure a Traffic Classifier ........ 53
3 DHCP Snooping Configuration ........ 56
3.1 DHCP Snooping Overview ........ 57
3.2 DHCP Snooping Features Supported by the Device ........ 57
3.3 Default Configuration ........ 58
3.4 Configuring Basic Functions of DHCP Snooping ........ 59
3.4.1 Enabling DHCP Snooping ........ 59
3.4.2 Configuring an Interface as the Trusted Interface ........ 60
3.4.3 (Optional) Disabling Location Fixation for a DHCP Snooping User ........ 61
3.4.4 (Optional) Configuring Association Between ARP and DHCP Snooping ........ 62
3.4.5 (Optional) Configuring the Device to Clear the MAC Address Entry Immediately When the User Is Disconnected ........ 62
3.4.6 Checking the Configuration ........ 63
3.5 Configuring DHCP Snooping Attack Defense ........ 63
3.5.1 Configuring Defense Against Bogus DHCP Server Attacks ........ 63
3.5.2 Configuring Defense Against Attacks from Non-DHCP Users ........ 64
3.5.3 Configuring Defense Against DHCP Flood Attacks ........ 65
3.5.4 Configuring Defense Against Bogus DHCP Message Attacks ........ 66
3.5.5 Configuring Defense Against DHCP Server DoS Attacks ........ 69
3.5.6 Checking the Configuration ........ 71
3.6 Inserting the Option 82 Field into a DHCP Message ........ 71
3.7 Maintaining DHCP Snooping ........ 73
3.7.1 Clearing DHCP Snooping Statistics ........ 73
3.7.2 Clearing Dynamic DHCP Snooping Binding Entries ........ 73
3.7.3 Backing Up DHCP Snooping Binding Entries ........ 74
3.8 Configuration Examples ........ 74
3.8.1 Example for Configuring DHCP Snooping Attack Defense ........ 74
4 Local Attack Defense Configuration ........ 79
4.1 Local Attack Defense Overview ........ 80
4.2 Local Attack Defense Features Supported by the Switch ........ 82
4.3 Default Configuration ........ 83
4.4 Configuring Attack Source Tracing ........ 84
4.4.1 Creating an Attack Defense Policy ........ 84
4.4.2 Configuring the Threshold for Attack Source Tracing ........ 85
4.4.3 Setting the Packet Sampling Ratio for Attack Source Tracing ........ 86
4.4.4 Configuring an Attack Source Tracing Mode ........ 86
4.4.5 Configuring the Types of Traced Packets ........ 87
4.4.6 Configuring a Whitelist for Attack Source Tracing ........ 88
4.4.7 Configuring the Alarm Function for Attack Source Tracing ........ 89
4.4.8 Configuring Attack Source Punishment ........ 90
4.4.9 Applying an Attack Defense Policy ........ 91
4.4.10 Checking the Configuration ........ 91
4.5 Configuring CPU Attack Defense ........ 91
4.5.1 Creating an Attack Defense Policy ........ 92
4.5.2 Configuring a Blacklist ........ 92
4.5.3 Configuring a Rule for Sending Packets to the CPU ........ 93
4.5.4 Applying an Attack Defense Policy ........ 94
4.5.5 Checking the Configuration ........ 95
4.6 Maintaining Local Attack Defense ........ 95
4.6.1 Clearing Attack Source Information ........ 95
4.6.2 Clearing Statistics About Packets Sent to the CPU ........ 96
4.7 Configuration Examples ........ 96
4.7.1 Example for Configuring Local Attack Defense ........ 96
4.8 Common Configuration Errors ........ 99
4.8.1 Attack Source Tracing Does Not Take Effect ........ 99
4.8.2 Protocol Packets Are Not Sent to the CPU ........ 100
4.8.3 The Blacklist Does Not Take Effect ........ 100
5 IPSG Configuration ........ 102
5.1 IPSG Overview ........ 103
5.2 Configuration Notes ........ 103
5.3 Default Configuration ........ 104
5.4 Configuring IPSG ........ 104
5.4.1 Configuring a Binding Table ........ 105
5.4.2 Configuring IP Packet Check ........ 106
5.4.3 (Optional) Configuring the Alarm Function of IP Packet Check ........ 107
5.4.4 Checking the Configuration ........ 108
5.5 Configuration Examples ........ 108
5.5.1 Example for Configuring IPSG ........ 108
6 URPF Configuration ........ 111
6.1 URPF Overview ........ 112
6.2 Default Configuration ........ 112
6.3 Configuring URPF ........ 112
6.3.1 Configuring the URPF Check Mode on an Interface ........ 113
6.3.2 Enabling URPF on an Interface ........ 114
6.3.3 (Optional) Disabling URPF for Specified Traffic ........ 114
6.3.4 Checking the Configuration ........ 115
6.4 Configuration Examples ........ 115
6.4.1 Example for Configuring URPF ........ 115
7 ARP Security Configuration ........ 117
7.1 ARP Security Overview ........ 118
7.2 ARP Security Features Supported by the Device ........ 118
7.3 Default Configuration ........ 121
7.4 Configuring Defense Against ARP Flood Attacks ........ 122
7.4.1 Configuring Rate Limit on ARP Packets Based on the Source MAC Address ........ 122
7.4.2 Configuring Rate Limit on ARP Packets Based on the Source IP Address ........ 123
7.4.3 Configuring Rate Limit on ARP Packets Based on the Destination IP Address ........ 124
7.4.4 Configuring Rate Limit on ARP Packets (Globally or in a VLAN) ........ 125
7.4.5 Configuring Rate Limit on ARP Miss Messages Based on the Source IP Address ........ 125
7.4.6 Configuring Rate Limit on ARP Miss Messages Globally or in a VLAN ........ 126
7.4.7 Setting the Aging Time of Temporary ARP Entries ........ 127
7.4.8 Configuring Gratuitous ARP Packet Discarding ........ 128
7.4.9 Configuring Strict ARP Learning ........ 129
7.4.10 Configuring Interface-based ARP Entry Limit ........ 131
7.4.11 Checking the Configuration ........ 131
7.5 Configuring Defense Against ARP Spoofing Attacks ........ 132
7.5.1 Configuring ARP Entry Fixing ........ 132
7.5.2 Configuring DAI ........ 133
7.5.3 Configuring Gratuitous ARP Packet Discarding ........ 134
7.5.4 Configuring MAC Address Consistency Check in an ARP Packet ........ 135
7.5.5 Configuring Strict ARP Learning ........ 136
7.5.6 Checking the Configuration ........ 138
7.6 ARP Security Maintenance........................................................................................................................................138
7.6.1 Monitoring ARP Running Status.............................................................................................................................138
7.6.2 Clearing ARP Security Statistics.............................................................................................................................138
7.6.3 Configuring the Alarm Function for Potential ARP Attacks..................................................................................139
7.7 Configuration Examples.............................................................................................................................................139
7.7.1 Example for Configuring ARP Security Functions.................................................................................................140
7.7.2 Example for Configuring Defense Against ARP MITM Attacks...........................................................................144
8 MFF Configuration....................................................................................................................148
8.1 MFF Overview...........................................................................................................................................................149
8.2 MFF Features Supported by the Switch.....................................................................................................................149
8.3 Default Configuration.................................................................................................................................................151
8.4 Configuring MFF........................................................................................................................................................151
8.4.1 Enabling Global MFF..............................................................................................................................................151
8.4.2 Configuring a Network Interface.............................................................................................................................152
8.4.3 Enabling MFF in a VLAN.......................................................................................................................................152
8.4.4 (Optional) Configuring a Static Gateway Address..................................................................................................153
8.4.5 (Optional) Enabling Timed Gateway Detection......................................................................................................154
8.4.6 (Optional) Configuring the Application Server IP Address....................................................................................154
8.4.7 (Optional) Configuring the Switch to Transparently Transmit ARP Request Packets...........................................155
8.4.8 (Optional) Configuring an Isolated Interface..........................................................................................................156
8.4.9 (Optional) Configuring MFF Security.....................................................................................................................156
8.4.10 Checking the Configuration...................................................................................................................................157
8.5 Configuration Examples.............................................................................................................................................158
8.5.1 Example for Configuring MFF................................................................................................................................158
8.6 Common Configuration Errors...................................................................................................................................163
8.6.1 Users Fail to Access the Internet After MFF Is Configured....................................................................................163
9 Traffic Suppression and Storm Control Configuration.....................................................166
9.1 Traffic Suppression and Storm Control Overview.....................................................................................................167
9.2 Traffic Suppression and Storm Control Features Supported by the Device...............................................................167
9.3 Default Configuration.................................................................................................................................................168
9.4 Configuring Traffic Suppression................................................................................................................................168
9.4.1 Configuring Traffic Suppression on an Interface....................................................................................................168
9.4.2 Configuring Traffic Suppression in a VLAN..........................................................................................................169
9.4.3 Configuring Traffic Suppression for ICMP Packets...............................................................................................170
9.4.4 Checking the Configuration.....................................................................................................................................171
9.5 Configuring Storm Control.........................................................................................................................................171
9.6 Example for Configuring Traffic Suppression and Storm Control............................................................................173
9.6.1 Example for Configuring Traffic Suppression........................................................................................................173
9.6.2 Example for Configuring Storm Control.................................................................................................................174
10 Keychain Configuration.........................................................................................................176
10.1 Keychain Overview..................................................................................................................................177
10.2 Keychain Features Supported by the Device.............................................................................................................177
10.3 Configuring a Keychain............................................................................................................................................177
10.3.1 Creating a Keychain..............................................................................................................................................178
10.3.2 Configuring a Key.................................................................................................................................................179
10.3.3 Applying the Keychain..........................................................................................................................................181
10.3.4 Checking the Configuration...................................................................................................................................182
10.4 Example for Configuring a Keychain.......................................................................................................................182
10.4.1 Example for Applying the Keychain to RIP..........................................................................................................182
10.4.2 Example for Applying the Keychain to BGP........................................................................................................185
1 AAA Configuration
About This Chapter
The AAA-capable device checks validity of users and assigns rights to authorized users to ensure
network security.
1.1 AAA Overview
Authentication, Authorization, and Accounting (AAA) is a security technology.
1.2 AAA Features Supported by the Device
The device supports RADIUS or HWTACACS authentication, authorization, and accounting,
and local authentication and authorization.
1.3 Configuring Local Authentication and Authorization
After local authentication and authorization are configured, the device authenticates and
authorizes access users based on the local user information.
1.4 Configuring RADIUS AAA
RADIUS is often used to implement authentication, authorization, and accounting (AAA).
1.5 Configuring HWTACACS AAA
Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is
more suitable for security control.
1.6 Maintaining AAA
AAA maintenance includes clearing AAA statistics.
1.7 Configuration Examples
This section provides several AAA configuration examples, including networking requirements,
configuration notes, and configuration roadmap.
1.1 AAA Overview
Authentication, Authorization, and Accounting (AAA) is a security technology.
Security Functions Provided by AAA
- Authentication: verifies whether users are authorized for network access.
- Authorization: authorizes users to use particular services.
- Accounting: records the network resources used by users.
You can use only one or two of the three services, as needed. For example, if a company only
wants to authenticate employees who access certain network resources, the network administrator
only needs to configure an authentication server. If the company also wants to record the
operations performed by employees on the network, an accounting server is also needed.
AAA Architecture
AAA uses the client/server model, as shown in Figure 1-1. AAA architecture features good
scalability and facilitates centralized user information management.
Figure 1-1 AAA architecture
(Figure: access user -> AAA client -> AAA server)
The AAA client authenticates a user who requests network access through it, and sends the user's
authentication, authorization, and accounting information to the AAA server.
Domain-based User Management
The device uses domains to manage users. You can apply the authentication, authorization, and
accounting schemes to a domain so that the device can authenticate, authorize, or charge users
in the domain using the schemes.
Each user of the device belongs to a domain. The domain to which a user belongs is determined
by the character string that follows the domain name delimiter, which can be @, |, or %. For example,
if the user name is user@huawei, the user belongs to the huawei domain. If the user name does
not contain a delimiter, the user belongs to the default domain, named default, in the system.
Authorization information configured in a domain has a lower priority than authorization
information delivered by an AAA server: the server-delivered authorization information is used
preferentially. When the AAA server does not deliver authorization information or does not
support authorization, the authorization attributes configured in the domain take effect. Domain
management therefore lets you add services flexibly, independently of the authorization attributes
provided by the AAA server.
1.2 AAA Features Supported by the Device
The device supports RADIUS or HWTACACS authentication, authorization, and accounting,
and local authentication and authorization.
The device supports combinations of local, RADIUS, and HWTACACS authentication,
authorization, and accounting. For example, the device can perform local authentication, local
authorization, and RADIUS accounting. In practice, the following schemes are commonly used:
- Local authentication and authorization
If users need to be authenticated or authorized but no RADIUS server or HWTACACS
server is deployed on the network, use local authentication and authorization. Local
authentication and authorization feature fast processing and low operation cost, whereas
the amount of information that can be stored is limited by the device hardware capacity.
Local authentication and authorization are often used for administrators.
- RADIUS authentication and accounting
RADIUS protects a network from unauthorized access and is often used on networks that
demand high security and remote user access control.
- HWTACACS authentication, authorization, and accounting
HWTACACS protects a network from unauthorized access and supports command-line
authorization. Compared with RADIUS, HWTACACS is more reliable in transmission and
encryption, and is more suitable for security control.
Multiple authentication or authorization modes can be used in a scheme. For example, local
authentication is used as a backup of RADIUS authentication and HWTACACS authentication,
and local authorization is used as a backup of HWTACACS authorization.
Configuration Process
Figure 1-2 shows the three AAA configuration processes.
Figure 1-2 AAA configuration process
(Flowchart; the extracted text preserves only the step names. Each process runs top to bottom, and
the figure marks each step as mandatory or optional.)
- Configuring local authentication and authorization: Configure AAA schemes -> Configure a local
user -> Configure a service scheme (optional) -> Apply AAA schemes for a domain
- Configuring RADIUS authentication and accounting: Configure AAA schemes -> Configure the
RADIUS server template -> Configure a service scheme (optional) -> Apply AAA schemes for a domain
- Configuring HWTACACS authentication, authorization, and accounting: Configure AAA schemes ->
Configure the HWTACACS server template -> Configure a service scheme (optional) -> Apply AAA
schemes for a domain
1.3 Configuring Local Authentication and Authorization
After local authentication and authorization are configured, the device authenticates and
authorizes access users based on the local user information.
Local Authentication and Authorization
In local authentication and authorization, user information including the local user name,
password, and attributes is configured on the device. Local authentication and authorization
feature fast processing and low operation cost, whereas the amount of information that can be
stored is limited by the device hardware capacity.
Pre-configuration Tasks
Before configuring local authentication and authorization, complete the following task:
- Configuring physical attributes for interfaces to ensure that the physical layer status of the
interfaces is Up
1.3.1 Configuring AAA Schemes
Context
To use local authentication and authorization, set the authentication mode in an authentication
scheme to local authentication and the authorization mode in an authorization scheme to local
authorization.
By default, the device performs local authentication and authorization for access users.
Procedure
- Configuring an authentication scheme
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
authentication-scheme authentication-scheme-name
An authentication scheme is created, and the corresponding authentication scheme
view or an existing authentication scheme view is displayed.
By default, there is an authentication scheme named default on the device. This default
scheme can be modified but cannot be deleted.
4. Run:
authentication-mode local
The authentication mode is set to local authentication.
5. Run:
commit
The configuration is committed.
- Configuring an authorization scheme
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
authorization-scheme authorization-scheme-name
An authorization scheme is created, and the corresponding authorization scheme view
or an existing authorization scheme view is displayed.
By default, there is a default authorization scheme named default on the device. This
default authorization scheme can be modified but cannot be deleted.
4. Run:
authorization-mode local [ none ]
The authorization mode is configured.
5. Run:
quit
The AAA view is displayed.
6. (Optional) Run:
task-group task-group-name
A task group is created and the task group view is displayed.
7. (Optional) Run:
task task-name { debug | execute | read | write } *
The task group right is configured.
8. (Optional) Run:
quit
The AAA view is displayed.
9. (Optional) Run:
user-group user-group-name
A user group is created and the user group view is displayed.
10. (Optional) Run:
task-group task-group-name
The task group is bound to the user group.
11. Run:
commit
The configuration is committed.
----End
1.3.2 Configuring a Local User
Context
When local authentication and authorization are configured, configure authentication and
authorization information on the device, including the user name, password, and user level.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
local-user user-name password [ irreversible-cipher irreversible-cipher-password ]
A local user is created and the user password is configured.
NOTE
If the user name contains a domain name delimiter such as @, |, or %, the character string before the
delimiter is the user name and the character string after the delimiter is the domain name. If the user
name does not contain a domain name delimiter, the entire character string is the user name and the domain
name is default.
Step 4 (Optional) Configure the level of the local user or the group to which the local user belongs.
- Run the local-user user-name level level command to configure the level of the local user.
- Run the local-user user-name user-group group-name command to add the local user to the
specified user group.
Step 5 (Optional) Run:
local-user user-name service-type { [ terminal | telnet | ftp | ssh ] * | all }
The access type is configured for the local user.
By default, a local user can use any access type. Restrict the access type to the services the user
actually needs; for example, an administrator who only uses SSH should not also be permitted to
log in through Telnet or FTP.
Step 6 (Optional) Run:
local-user user-name ftp-directory directory
The FTP directory right of the local user is configured.
By default, the FTP directory of the local user is empty.
NOTE
If the access type of the local user is set to FTP, the FTP directory of the local user must be configured and
the level of the local user cannot be lower than the management level. Otherwise, FTP user login will fail.
Step 7 (Optional) Run:
local-user user-name state { active | block }
The state of the local user is configured.
By default, a local user is in active state.
The device processes requests from users in different states as follows:
- If a local user is in active state, the device accepts and processes the authentication request
from the user.
- If a local user is in blocking state, the device rejects the authentication request from the user.
Step 8 (Optional) Run:
local-user user-name access-limit max-number
The maximum number of connections that can be established by the local user is configured.
By default, the number of connections established by a user is not limited.
Step 9 (Optional) Run:
local-user authentication lock times
The maximum number of consecutive authentication failures allowed for a local user is configured.
A user that exceeds this number is locked, which limits password-guessing attempts.
NOTE
If a local user is in the locked state, you need to unlock it. Two ways are available:
- In the AAA view, run the local-user authentication lock duration command to configure the interval
after which a locked user is automatically unlocked. If the time for which a user has been locked exceeds
the configured interval, the user is automatically unlocked.
- In the user view, run the activate aaa local-user command to manually unlock the specified local user.
Step 10 Run:
commit
The configuration is committed.
Step 11 Run the return command to return to the user view.
Step 12 (Optional) Run:
local-user change-password
The password of the local user is changed.
----End
1.3.3 Configuring a Domain
Context
The created authentication and authorization schemes take effect only after being applied to a
domain. When local authentication and authorization are used, non-accounting is used by default.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
A domain is created, and the corresponding domain view or an existing domain view is displayed.
The system has one default domain named default. This default domain can be modified but
cannot be deleted.
Step 4 Run:
authentication-scheme authentication-scheme-name
An authentication scheme is applied to the domain.
By default, the authentication scheme named default is applied to a domain.
Step 5 Run:
authorization-scheme authorization-scheme-name
An authorization scheme is applied to the domain.
By default, the authorization scheme named default is applied to a domain, and the default
authorization mode is local authorization.
Step 6 (Optional) Run:
block
The domain state is configured.
When a domain is in blocking state, users in this domain cannot log in. By default, a domain is
in active state after being created.
Step 7 (Optional) Run:
access-limit max-number
The maximum number of access users for the domain is set.
By default, the number of access users is not limited.
Step 8 Run:
commit
The configuration is committed.
----End
1.3.4 Checking the Configuration
Procedure
- Run the display aaa configuration command to check the AAA summary.
- Run the display aaa authentication-scheme [ authentication-scheme-name ] command to
check the authentication scheme configuration.
- Run the display aaa authorization-scheme [ authorization-scheme-name ] command to
check the authorization scheme configuration.
- Run the display aaa access-user [ domain domain-name | user-id userid | username user-name ]
command to check the summary of all online wired users.
- Run the display aaa domain [ domain-name ] command to check the domain configuration.
- Run the display aaa local-user command to check the brief information about local users.
----End
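The steps of 1.3.1 to 1.3.4 carried through as one worked configuration. This is an added example, not a configuration taken from this guide or from Huawei. The scheme names auth-local and author-local, the account admin01@admins, the domain admins, user level 3, and the connection, user and lock limits are assumed values chosen for illustration, and the password placeholder must be replaced. The numeric argument to local-user authentication lock times is also an assumption, because the guide shows only the keyword. Lines beginning with # are annotations, not CLI input.

```text
# Local authentication and authorization (added example; assumed names and values)
system-view
aaa
# 1.3.1: schemes that resolve users against the local user database
authentication-scheme auth-local
authentication-mode local
quit
authorization-scheme author-local
authorization-mode local
quit
commit
# 1.3.2: one administrator account. The @admins suffix places it in the admins
# domain (see the NOTE in 1.3.2). The access type is restricted to SSH, so a
# Telnet or FTP login with the same credentials is refused.
local-user admin01@admins password irreversible-cipher <replace-with-strong-password>
local-user admin01@admins level 3
local-user admin01@admins service-type ssh
local-user admin01@admins access-limit 2
local-user admin01@admins state active
# Lock the account after three consecutive failures (argument assumed)
local-user authentication lock times 3
commit
# 1.3.3: the domain the account belongs to; the user logs in as admin01@admins
domain admins
authentication-scheme auth-local
authorization-scheme author-local
access-limit 5
quit
commit
return
# 1.3.4: confirm what was applied
display aaa authentication-scheme auth-local
display aaa authorization-scheme author-local
display aaa domain admins
display aaa local-user
```

If the account must be taken out of service without deleting it, set its state to block (Step 7 in 1.3.2); a user locked by repeated failures is a separate condition and is released with the lock duration timer or the activate aaa local-user command described in Step 9.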
1.4 Configuring RADIUS AAA
RADIUS is often used to implement authentication, authorization, and accounting (AAA).
RADIUS Authentication, Authorization, and Accounting
RADIUS uses the client/server model and protects a network from unauthorized access. It is
often used in network environments that require high security and control remote user access.
Pre-configuration Tasks
Before configuring RADIUS AAA, complete the following task:
- Configuring physical attributes for interfaces to ensure that the physical layer status of the
interfaces is Up
1.4.1 Configuring AAA Schemes
Context
To use RADIUS AAA, set the authentication mode in an authentication scheme to RADIUS and
the accounting mode in an accounting scheme to RADIUS.
If RADIUS authentication is configured, you can also configure local authentication or non-
authentication as the backup. This allows local authentication or non-authentication to be
implemented if RADIUS authentication fails. Similarly, if RADIUS accounting is configured,
you can also configure non-accounting as the backup.
Procedure
- Configuring an authentication scheme
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
authentication-scheme authentication-scheme-name
An authentication scheme is created and its view is displayed, or the view of an existing
authentication scheme is displayed.
By default, there is an authentication scheme named default on the device. The default
authentication scheme can only be modified, but cannot be deleted.
4. Run:
authentication-mode radius
RADIUS authentication is configured.
By default, local authentication is used.
To use local authentication as the backup authentication mode, run the
authentication-mode radius local command.
NOTE
If multiple authentication modes are configured in an authentication scheme, they are tried in
the order in which they were configured. The device falls back to the next configured mode
only when it receives no response from the current one (for example, because the RADIUS
server is unreachable). If the current mode returns an authentication failure, the device stops
authentication and rejects the user; the backup mode is not consulted.
5. Run:
commit
The configuration is committed.
- Configuring an accounting scheme
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
accounting-scheme accounting-scheme-name
An accounting scheme is created and the accounting scheme view is displayed.
There is a default accounting scheme named default on the device. The default
accounting scheme can only be modified, but cannot be deleted.
4. Run:
accounting-mode radius
The accounting mode is configured.
By default, non-accounting is used.
5. Run:
commit
The configuration is committed.
----End
1.4.2 Configuring a RADIUS Server Template
Context
In a RADIUS server template, you must specify the IP address, port number, and shared key of
a specified RADIUS server. Other settings such as the RADIUS user name format, traffic unit,
and number of times RADIUS request packets are retransmitted have default values and can be
changed based on network requirements.
The RADIUS server template settings such as the RADIUS user name format and shared key
must be the same as those on the RADIUS server.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
radius server authorization ip-address [ vpn-instance vpn-instance-name ] { { shared-key key-string | shared-key-cipher key-string } | ack-reserved-interval interval }
A RADIUS authorization server is configured.
By default, no RADIUS authorization server is configured.
Step 3 Run:
radius server group group-name
The RADIUS server template view is displayed.
Step 4 Run:
radius server authentication ip-address port [ vpn-instance vpn-instance-name | source interface-type interface-number | shared-key key-string | shared-key-cipher cipher-string ] *
The primary RADIUS authentication server is configured.
By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port
number is 0.
Step 5 (Optional) Run:
radius server authentication ip-address port [ vpn-instance vpn-instance-name | source interface-type interface-number | shared-key key-string | shared-key-cipher cipher-string ] * secondary
The secondary RADIUS authentication server is configured.
By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port
number is 0.
Step 6 Run:
radius server accounting ip-address port [ vpn-instance vpn-instance-name | source interface-type interface-number | shared-key key-string | shared-key-cipher cipher-string ] *
The primary RADIUS accounting server is configured.
The primary RADIUS accounting server is configured.
By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port
number is 0.
Step 7 (Optional) Run:
radius server accounting ip-address port [ vpn-instance vpn-instance-name | source interface-type interface-number | shared-key key-string | shared-key-cipher cipher-string ] * secondary
The secondary RADIUS accounting server is configured.
By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port
number is 0.
Step 8 (Optional) Run:
radius server shared-key
The RADIUS shared key is set.
By default, the RADIUS shared key is huawei and it is stored in plain text. A default key that is
published in the documentation provides no protection: always set a key that is unique to this
template and identical to the key configured on the RADIUS server.
Step 9 (Optional) Run:
radius server user-name domain-excluded
The RADIUS user name format is set.
By default, the device sends the user name containing the domain name and delimiter to a
RADIUS server for authentication.
If the RADIUS server does not accept user names that contain a domain name, run the radius
server user-name domain-excluded command so that the domain name is removed from the user
name before it is sent to the server.
Step 10 (Optional) Run:
radius server { retransmit retry-times | timeout time-value } *
The number of times that RADIUS request packets are retransmitted and timeout interval are
set.
By default, the number of retransmission times is 3 and the timeout interval is 5 seconds.
Step 11 (Optional) Run:
mode load-balance
The server mode is changed from the primary/secondary mode to the load balancing mode.
Step 12 Run:
commit
The configuration is committed.
----End
1.4.3 Configuring a Domain
Context
The created authentication scheme, accounting scheme, and RADIUS server template take effect
only after being applied to a domain.
Procedure
Step 1 Run:system-view
The system view is displayed.
Step 2 Run:aaa
The AAA view is displayed.
Step 3 Run:domain domain-name
A domain is created and the domain view is displayed.
The system has one default domain named default. This default domain can be modified but
cannot be deleted.
Step 4 Run:authentication-scheme authentication-scheme-name
An authentication scheme is applied to the domain.
By default, the authentication scheme named default is applied to a domain.
Step 5 (Optional) Run:accounting-scheme accounting-scheme-name
An accounting scheme is applied to the domain.
By default, the accounting scheme named default is applied to a domain. In this default
accounting scheme, non-accounting is used and the real-time accounting function is disabled.
Step 6 Run:radius server group template-name
A RADIUS server template is configured for the domain.
By default, no RADIUS server template is applied to a domain.
Step 7 (Optional) Run:block
The domain state is configured.
When a domain is in blocking state, users in this domain cannot log in. By default, a domain is
in active state after being created.
Step 8 (Optional) Run:access-limit max-number
The maximum number of access users for the domain is set.
By default, the number of access users is not limited.
Step 9 Run:commit
The configuration is committed.
----End
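The following is an added worked example, not taken from the guide, that carries the RADIUS procedure of 1.4.1 through 1.4.4 end to end: scheme, server template, and domain. The template name rad-tpl, scheme names, domain corp, the 192.0.2.x addresses and KEY_PLACEHOLDER are constructed; replace KEY_PLACEHOLDER with the key configured on the RADIUS server.

```text
# Added example, not from the guide. Names, addresses and KEY_PLACEHOLDER
# are constructed placeholders. Lines starting with # are commentary.
system-view
#
# Schemes (1.4.1): RADIUS first; local authentication is used only when
# no RADIUS server answers.
aaa
 authentication-scheme auth-rad
  authentication-mode radius local
  quit
 accounting-scheme acct-rad
  accounting-mode radius
  quit
 quit
#
# Server template (1.4.2): primary and secondary servers, each with an
# encrypted per-server key so the default plaintext key "huawei" is never
# used. 1812/1813 are the standard RADIUS authentication/accounting ports.
radius server template rad-tpl
 radius server authentication 192.0.2.10 1812 shared-key-cipher KEY_PLACEHOLDER
 radius server authentication 192.0.2.11 1812 shared-key-cipher KEY_PLACEHOLDER secondary
 radius server accounting 192.0.2.10 1813 shared-key-cipher KEY_PLACEHOLDER
 radius server accounting 192.0.2.11 1813 shared-key-cipher KEY_PLACEHOLDER secondary
 # Shorter wait before a request counts as unanswered (default: 3 x 5 s).
 radius server retransmit 2 timeout 3
 quit
#
# Domain (1.4.3): bind the schemes and the template; cap concurrent users.
aaa
 domain corp
  authentication-scheme auth-rad
  accounting-scheme acct-rad
  radius server group rad-tpl
  access-limit 100
  quit
 quit
commit
#
# Check (1.4.4)
display radius server configuration group rad-tpl
display aaa domain corp
```

Users of this domain log in as user@corp; if the RADIUS server rejects names carrying the domain, add radius server user-name domain-excluded in the template view.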
1.4.4 Checking the Configuration
Procedure
l Run the display aaa configuration command to check the AAA summary.
l Run the display aaa authentication-scheme [ authentication-scheme-name ] command to
check the authentication scheme configuration.
l Run the display aaa accounting-scheme [ accounting-scheme-name ] command to check
the accounting scheme configuration.
l Run the display radius server configuration [ group group-name ] command to check
the RADIUS server template configuration.
l Run the display aaa domain [ domain-name ] command to check the domain configuration.
----End
1.5 Configuring HWTACACS AAA
Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is
more suitable for security control.
HWTACACS Authentication, Authorization, and Accounting
Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access
users by communicating with the HWTACACS server.
HWTACACS protects a network from unauthorized access and supports command-line
authorization. Compared with RADIUS, HWTACACS is more suitable for security control.
Pre-configuration Tasks
Before configuring HWTACACS AAA, complete the following task:
l Configuring physical attributes for interfaces to ensure that the physical layer status of the
interfaces is Up
1.5.1 Configuring AAA Schemes
Context
To use HWTACACS authentication, authorization, and accounting, set the authentication mode
in an authentication scheme to HWTACACS, the authorization mode in an authorization scheme
to HWTACACS, and the accounting mode in an accounting scheme to HWTACACS.
When HWTACACS authentication is used, you can configure local authentication or non-
authentication as a backup. This allows local authentication or non-authentication to be
implemented if HWTACACS authentication fails. When HWTACACS authorization is used,
you can configure local authorization or non-authorization as a backup.
Procedure
l Configuring an authentication scheme
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
authentication-scheme authentication-scheme-name
An authentication scheme is created, and the corresponding authentication scheme
view or an existing authentication scheme view is displayed.
By default, there is an authentication scheme named default on the device. This default
scheme can be modified but cannot be deleted.
4. Run:
authentication-mode hwtacacs
HWTACACS authentication is configured.
By default, local authentication is used.
To use local authentication as the backup authentication mode, run the
authentication-mode hwtacacs local command to configure local authentication.
NOTE
If multiple authentication modes are configured in an authentication scheme, these
authentication modes are used according to the sequence in which they were configured. The
device uses the authentication mode that was configured later only when it does not receive
any response in the current authentication. The device stops the authentication if the current
authentication fails.
5. Run:
commit
The configuration is committed.
l Configuring an authorization scheme
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
authorization-scheme authorization-scheme-name
An authorization scheme is created, and the corresponding authorization scheme view or an existing authorization scheme view is displayed.
By default, there is a default authorization scheme named default on the device. This
default authorization scheme can be modified but cannot be deleted.
4. Run:
authorization-mode { hwtacacs | if-authenticated | local } * [ none ]
The authorization mode is configured.
By default, local authorization is used.
If HWTACACS authorization is configured, you must configure an HWTACACS
server template and apply the template to the corresponding user domain.
NOTE
If multiple authorization modes are configured in an authorization scheme, authorization modes
are used in the sequence in which they were configured. The device uses the authorization
mode that was configured later only after the current authorization fails.
5. (Optional) Run:
authorization-cmd [ privilege-level ] { local | hwtacacs } *
Command-line authorization is enabled for users at a certain level.
By default, command-line authorization is disabled for users of levels 0 to 15.
If command line authorization is enabled, you must configure an HWTACACS server
template and apply the template to the corresponding user domain.
6. Run:
quit
The AAA view is displayed.
7. (Optional) Run:task-group task-group-name
A task group is created and the task group view is displayed.
8. (Optional) Run:
task task-name { debug | execute | read | write }
The task group right is configured.
9. (Optional) Run:
quit
The AAA view is displayed.
10. (Optional) Run:
user-group user-group-name
A user group is created and the user group view is displayed.
11. (Optional) Run:
task-group task-group-name
The task group is bound to the user group.
12. Run:
commit
The configuration is committed.
l Configuring an accounting scheme
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
accounting-scheme accounting-scheme-name
An accounting scheme is created, and the corresponding accounting scheme view or
an existing accounting scheme view is displayed.
There is a default accounting scheme named default on the device. This default
accounting scheme can be modified but cannot be deleted.
4. Run:accounting-mode hwtacacs
The accounting mode is configured.
By default, non-accounting is used.
5. Run:
commit
The configuration is committed.
----End
1.5.2 Configuring an HWTACACS Server Template
Context
In an HWTACACS server template, you must specify the IP address, port number, and shared
key of a specified HWTACACS server. Other settings such as the HWTACACS user name
format and traffic unit have default values and can be changed based on network requirements.
The HWTACACS server template settings such as the HWTACACS user name format and
shared key must be the same as those on the HWTACACS server.
Procedure
Step 1 Run:system-view
The system view is displayed.
Step 2 Run:hwtacacs enable
HWTACACS is enabled.
Step 3 Run:hwtacacs server template template-name
An HWTACACS server template is created and the HWTACACS server template view is
displayed.
Step 4 Run:hwtacacs server authentication ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] *
The IP address of the primary HWTACACS authentication server is set.
By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and its
port number is 0, and the server is not bound to any VPN instance.
Step 5 (Optional) Run:hwtacacs server authentication ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary
The IP address of the secondary HWTACACS authentication server is set.
By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and
its port number is 0, and the server is not bound to any VPN instance.
Step 6 Run:hwtacacs server authorization ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] *
The IP address of the primary HWTACACS authorization server is set.
By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and its
port number is 0, and the server is not bound to any VPN instance.
Step 7 (Optional) Run:hwtacacs server authorization ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary
The IP address of the secondary HWTACACS authorization server is set.
By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and its
port number is 0, and the server is not bound to any VPN instance.
Step 8 Run:hwtacacs server accounting ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] *
The primary HWTACACS accounting server is configured.
By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and its port
number is 0, and the server is not bound to any VPN instance.
Step 9 (Optional) Run:hwtacacs server accounting ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary
The secondary HWTACACS accounting server is configured.
By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and its
port number is 0, and the server is not bound to any VPN instance.
Step 10 (Optional) Run:hwtacacs server source-ip ip-address
The HWTACACS source IP address is set.
By default, the HWTACACS source IP address is 0.0.0.0. The device uses the IP address of the
actual outbound interface as the source IP address in HWTACACS packets.
After you set the source IP address of HWTACACS packets on the device, this IP address is
used by the device to communicate with the HWTACACS server. The HWTACACS server also
uses a specified IP address to communicate with the device.
Step 11 (Optional) Run:hwtacacs server shared-key [ cipher ] key-string
The HWTACACS shared key is configured.
By default, no HWTACACS shared key is configured.
Step 12 (Optional) Run:hwtacacs server user-name domain-excluded
The HWTACACS user name format is configured.
By default, the device sends the user name containing the domain name and delimiter to an
HWTACACS server for authentication.
Step 13 (Optional) Run:hwtacacs server timer response-timeout interval
The response timeout interval for the HWTACACS server is set.
By default, the response timeout interval for an HWTACACS server is 5 seconds.
If the device does not receive a response from the HWTACACS server within the timeout
period, it considers the HWTACACS server faulty and falls back to the other authentication and
authorization methods configured in the scheme.
Step 14 (Optional) Run:hwtacacs server timer quiet interval
The interval for the primary HWTACACS server to return to the active state is set.
By default, the interval for the primary HWTACACS server to return to the active state is 5
minutes.
Step 15 Run:commit
The configuration is committed.
Step 16 Run:return
The user view is displayed.
Step 17 (Optional) Run:hwtacacs-user change-password hwtacacs server template-name
The password saved on the HWTACACS server is changed.
----End
1.5.3 Configuring a Domain
Context
The created authentication scheme, authorization scheme, accounting scheme, and
HWTACACS server template take effect only after being applied to a domain.
Procedure
Step 1 Run:system-view
The system view is displayed.
Step 2 Run:aaa
The AAA view is displayed.
Step 3 Run:domain domain-name
A domain is created, and the corresponding domain view or an existing domain view is displayed.
The system has one default domain named default. This default domain can be modified but
cannot be deleted.
Step 4 Run:authentication-scheme authentication-scheme-name
An authentication scheme is applied to the domain.
By default, the authentication scheme named default is applied to a domain.
Step 5 (Optional) Run:authorization-scheme authorization-scheme-name
An authorization scheme is applied to the domain.
By default, the authorization scheme named default is applied to a domain and the default
authorization mode is local authorization.
Step 6 (Optional) Run:accounting-scheme accounting-scheme-name
An accounting scheme is applied to the domain.
By default, the accounting scheme named default is applied to a domain. In this default
accounting scheme, non-accounting is used and the real-time accounting function is disabled.
Step 7 Run:hwtacacs server template-name
An HWTACACS server template is applied to the domain.
By default, no HWTACACS server template is applied to a domain.
Step 8 (Optional) Run:block
The domain state is configured.
When a domain is in blocking state, users in this domain cannot log in. By default, a domain is
in active state after being created.
Step 9 (Optional) Run:access-limit max-number
The maximum number of access users for the domain is set.
By default, the number of access users is not limited.
Step 10 Run:commit
The configuration is committed.
----End
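The following is an added worked example, not taken from the guide, that carries the HWTACACS procedure of 1.5.1 through 1.5.3 end to end, including command-line authorization for level-3 users. The scheme and template names, domain corp, the 192.0.2.x addresses and KEY_PLACEHOLDER are constructed; the key must match the one configured on the HWTACACS server.

```text
# Added example, not from the guide. Names, addresses and KEY_PLACEHOLDER
# are constructed placeholders. Lines starting with # are commentary.
system-view
hwtacacs enable
#
# Schemes (1.5.1). Authentication: local is tried only when the server
# gives no response. Authorization: local is tried only after HWTACACS
# authorization fails. Every command a level-3 user enters is checked by
# the server before it runs.
aaa
 authentication-scheme auth-tac
  authentication-mode hwtacacs local
  quit
 authorization-scheme author-tac
  authorization-mode hwtacacs local
  authorization-cmd 3 hwtacacs local
  quit
 accounting-scheme acct-tac
  accounting-mode hwtacacs
  quit
 quit
#
# Server template (1.5.2): primary and secondary servers for each
# function, keys stored encrypted (cipher), a fixed source address so the
# server can restrict which device addresses it accepts.
hwtacacs server template tac-tpl
 hwtacacs server authentication 192.0.2.20 49 shared-key cipher KEY_PLACEHOLDER
 hwtacacs server authentication 192.0.2.21 49 shared-key cipher KEY_PLACEHOLDER secondary
 hwtacacs server authorization 192.0.2.20 49 shared-key cipher KEY_PLACEHOLDER
 hwtacacs server authorization 192.0.2.21 49 shared-key cipher KEY_PLACEHOLDER secondary
 hwtacacs server accounting 192.0.2.20 49 shared-key cipher KEY_PLACEHOLDER
 hwtacacs server accounting 192.0.2.21 49 shared-key cipher KEY_PLACEHOLDER secondary
 hwtacacs server source-ip 192.0.2.1
 quit
#
# Domain (1.5.3): bind all three schemes and the template.
aaa
 domain corp
  authentication-scheme auth-tac
  authorization-scheme author-tac
  accounting-scheme acct-tac
  hwtacacs server tac-tpl
  access-limit 50
  quit
 quit
commit
#
# Check (1.5.4)
display hwtacacs server template tac-tpl verbose
display aaa authorization-scheme author-tac
display aaa domain corp
```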
1.5.4 Checking the Configuration
Procedure
l Run the display aaa configuration command to check the AAA summary.
l Run the display aaa authentication-scheme [ authentication-scheme-name ] command to
check the authentication scheme configuration.
l Run the display aaa authorization-scheme [ authorization-scheme-name ] command to
check the authorization scheme configuration.
l Run the display aaa accounting-scheme [ accounting-scheme-name ] command to check
the accounting scheme configuration.
l Run the display hwtacacs server template [ template-name [ verbose ] ] command to
check the HWTACACS server template configuration.
l Run the display aaa domain [ domain-name ] command to check the domain configuration.
----End
1.6 Maintaining AAA
AAA maintenance includes clearing AAA statistics.
1.6.1 Clearing AAA Statistics
Context
CAUTION
The AAA statistics cannot be restored after being cleared. Confirm your operation before
clearing the AAA statistics.
Run the following commands to clear the statistics.
Procedure
l Run the reset aaa { offline-record | online-fail-record } command to clear the offline
records and login failure statistics.
l Run the reset hwtacacs server statistics { accounting | all | authentication |
authorization } command to clear the HWTACACS statistics.
----End