HWTACACS Technology White Paper


S Series Switches
HWTACACS Technology White Paper
Issue 1.0
Date
HUAWEI TECHNOLOGIES CO., LTD.

© 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen, People's Republic of China
Website:
Email: support@huawei.com

About This Document

Abstract: HWTACACS is a security protocol that implements the AAA function through communications between the HWTACACS client and server.

Keywords: HWTACACS, TACACS, RADIUS, AAA, device management, command-line authorization

Acronyms and Abbreviations

HWTACACS: HUAWEI Terminal Access Controller Access Control System
TACACS: Terminal Access Controller Access Control System
TACACS+: Terminal Access Controller Access Control System plus
RADIUS: Remote Authentication Dial-In User Service
AAA: Authentication, Authorization, Accounting
NAS: Network Access Server
ACS: Access Control Server
BRAS: Broadband Remote Access Server
EXEC: Executable

Contents

About This Document
1 Introduction to HWTACACS
  1.1 HWTACACS Overview
  1.2 Technology Advantages
2 Principle Description
  2.1 Basic Concepts
    Network Components
    HWTACACS Packets
  2.2 Working Principle
    HWTACACS Workflow
    HWTACACS Authentication
    HWTACACS Authorization
    HWTACACS Accounting
3 Application Scenario
  3.1 HWTACACS Authentication, Authorization, and Accounting
  3.2 Command-Line Authorization
  3.3 Changing Passwords and Setting Aging Time for Administrator Accounts on the HWTACACS Server
  3.4 Administrator User Level Improvement
Reference Standards and Protocols
Appendix

1 Introduction to HWTACACS

1.1 HWTACACS Overview

AAA is short for authentication, authorization, and accounting and is a management mechanism for network security. HWTACACS is a security protocol that implements the AAA function. Similar to RADIUS, HWTACACS uses the client/server model: the HWTACACS client communicates with the HWTACACS server to implement AAA for users. HWTACACS is an enhancement to TACACS (RFC 1492) and uses a public key to encrypt the user information to be transmitted.

HWTACACS provides good flexibility and scalability. It uses the Transmission Control Protocol (TCP), port number 49, for transmission, which is more reliable than RADIUS transmission over the User Datagram Protocol (UDP).

HWTACACS can be used to authenticate common users logging in through 802.1x, Portal, and PPP, as well as administrator users logging in through the serial port, Telnet, SSH, and FTP. Similarly, HWTACACS can be used to authorize common access users and login administrator users. Each command entered by an administrator can also be authorized by HWTACACS. HWTACACS can charge common users based on their online duration, and can record the stay time of administrator users after login, their operations, and the commands they executed.

HWTACACS is compatible with Cisco's TACACS+. A Huawei switch can work as an HWTACACS client and communicate with a TACACS+ server to implement the AAA function.

1.2 Technology Advantages

Compared with RADIUS, HWTACACS has the following advantages:

Flexible deployment of the AAA function
The authentication, authorization, and accounting functions are independent of each other. That is, the device can implement only one of the functions for users.

Secure and flexible device management
HWTACACS can be used to authorize the command lines entered by administrator users logged in to the device. When a user enters a command, the command is executed only after being authorized by HWTACACS. Command line use is restricted by both command level and AAA. HWTACACS implements refined command-line authorization for administrator users of different privilege levels, making device management more secure and flexible.

Reliable network transmission
HWTACACS uses the connection-oriented TCP protocol for packet transmission, which is more reliable than RADIUS packet transmission over the UDP protocol.

More secure transmission
HWTACACS encrypts the entire packet except for the standard HWTACACS header. This ensures high packet transmission security.

In conclusion, HWTACACS is more applicable to device control and management, and RADIUS is more applicable to user management. Table 1-1 compares the two.

Table 1-1 Comparisons between HWTACACS and RADIUS

HWTACACS: Transmits data through TCP, which is more reliable.
RADIUS: Transmits data through UDP, which is more efficient.

HWTACACS: Encrypts the entire packet except for the standard HWTACACS header.
RADIUS: Encrypts only the password field in the packet.

HWTACACS: Separates authentication from authorization, so that authentication and authorization can be implemented on different security servers. For example, one HWTACACS server can perform authentication and another can perform authorization.
RADIUS: Combines authentication and authorization.

HWTACACS: Supports command line authorization. Command line use is restricted by command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server.
RADIUS: Does not support command line authorization. The commands that a user can use depend on the user level. A user can only use commands of the same level as or a lower level than the user level.

HWTACACS: HWTACACS is a Huawei proprietary protocol and is compatible with TACACS+.
RADIUS: RADIUS is a standard protocol and is supported by devices from all mainstream vendors.

HWTACACS: HWTACACS has competitive advantages in device control, such as command-line authorization and administrator password modification on the servers, and is therefore more suitable for device and user management.
RADIUS: RADIUS attributes include standard RADIUS attributes and proprietary RADIUS attributes. Device vendors can expand the proprietary attributes to implement new functions. RADIUS has good extensibility and high transmission efficiency and performance. It is supported by servers from most vendors and is the most widely used in actual network planning.

2 Principle Description

2.1 Basic Concepts

Network Components

HWTACACS is used to perform authentication, authorization, and accounting for access users, such as 802.1x, Portal, and PPP users, as well as for administrator users who log in through Telnet, SSH, and FTP to operate the device.

As shown in Figure 2-1, the AAA network is composed of the user, the HWTACACS client, and the HWTACACS server. The HWTACACS client is also called the NAS. A switch can serve as a NAS to control user access to network resources. The NAS and the HWTACACS server implement AAA based on HWTACACS. Active and standby HWTACACS servers can be deployed. When the active server fails, the NAS switches to the standby server for authentication, authorization, and accounting, ensuring nonstop user services.

Figure 2-1 HWTACACS-based AAA networking

HWTACACS Packets

HWTACACS authentication packets are available in three types:

Authentication Start packet: When authentication starts, the client sends an Authentication Start packet to the server. The packet carries the authentication type and may carry the user name and some authentication data.

Authentication Continue packet: Upon receiving an authentication reply from the server, the client replies with an Authentication Continue packet if the authentication process is not finished yet.

Authentication Reply packet: After receiving an Authentication Start or Authentication Continue packet from the client, the server responds with an Authentication Reply packet to notify the client of the current authentication status.

HWTACACS authorization packets are available in two types:

Authorization Request packet: HWTACACS authentication and authorization are separated. Users can use the HWTACACS protocol for authentication and a different protocol for authorization. If HWTACACS is needed for authorization, the client sends an Authorization Request packet to the server. The packet contains all the information required for authorization.

Authorization Response packet: After receiving the Authorization Request packet, the server replies with an Authorization Response packet, which contains the authorization result.

HWTACACS accounting packets are available in two types:

Accounting Request packet: The packet contains the information required for accounting.

Accounting Response packet: After the server receives and records the Accounting Request packet, it replies with an Accounting Response packet.

2.2 Working Principle

HWTACACS Workflow

The following example uses a Telnet administrator user to illustrate how HWTACACS implements authentication, authorization, and accounting for users. Figure 2-2 shows the message exchanges.
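The packet framing behind the packet types above (a cleartext header followed by a body that is hidden with the shared key) and the Authorization Request a NAS sends to have a command line authorized, as an added example that is not code from the white paper or from Huawei. It assumes HWTACACS follows the RFC 8907 TACACS+ layout the page says it is compatible with (12-byte header, MD5 pseudo-pad obfuscation of the body); the session id, shared key, user, port, address and command line are constructed sample values.

```python
"""Added example (not Huawei's code): the packet framing that HWTACACS shares
with TACACS+, taken from RFC 8907.  It assumes HWTACACS uses the RFC 8907
12-byte header and MD5 pseudo-pad body obfuscation; the session id, shared key,
user, port, address and command line below are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03  # header "type"
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes; always sent in the clear

# Authorization REPLY status values (RFC 8907 section 6.2).
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: MD5(session_id|key|version|seq_no|previous digest)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call both hides and recovers it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack_packet(ptype, seq_no, session_id, body, key, minor=0):
    """Cleartext header followed by the obfuscated body (the only part that is hidden)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def unpack_packet(raw, key):
    """Return (type, seq_no, session_id, body); refuse cleartext or truncated packets."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("unencrypted packet refused")  # neither side should accept these
    body = raw[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("length mismatch")
    return ptype, seq_no, session_id, obfuscate(body, session_id, key, version, seq_no)


def command_args(cmdline):
    """A command line as the cmd / cmd-arg attributes a NAS sends for command authorization."""
    words = cmdline.split()
    return ["cmd=" + words[0]] + ["cmd-arg=" + w for w in words[1:]] + ["cmd-arg=<cr>"]


def build_author_request(user, port, rem_addr, priv_lvl, args):
    """Authorization REQUEST body (RFC 8907 section 6.1): fixed fields, arg lengths, strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    enc = [a.encode() for a in args]
    # authen_method TACACSPLUS (0x06), priv_lvl, authen_type ASCII (0x01), authen_service LOGIN (0x01)
    fixed = struct.pack("!BBBBBBBB", 0x06, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), len(enc))
    return fixed + bytes(len(a) for a in enc) + u + p + r + b"".join(enc)


def parse_author_reply(body):
    """Authorization REPLY body (RFC 8907 section 6.2) -> (status, server_msg, args)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len].decode()
    pos += msg_len + data_len  # skip the free-form data field
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return status, server_msg, args


def demo(cmdline="ospf 1", key=b"Huawei", session_id=0x1234ABCD):
    """NAS side: frame a command authorization REQUEST and read it back as the server would."""
    body = build_author_request("test", "vty3", "192.0.2.10", 2, command_args(cmdline))
    wire = pack_packet(TAC_PLUS_AUTHOR, 1, session_id, body, key)  # client seq_no is odd
    ptype, seq_no, sid, plain = unpack_packet(wire, key)
    expected_header = struct.pack(HEADER_FMT, 0xC0, TAC_PLUS_AUTHOR, 1, 0, session_id, len(body))
    return {"header_clear": wire[:HEADER_LEN] == expected_header,
            "body_hidden": wire[HEADER_LEN:] != body,
            "roundtrip": plain == body}


if __name__ == "__main__":
    print(demo())
```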

Figure 2-2 HWTACACS message exchanges

HWTACACS Authentication

Authentication on access users and administrator users

HWTACACS user authentication methods are available in three types, namely non-authentication, local authentication, and remote authentication.

Non-authentication completely trusts users and does not check their validity. Generally, this method is not recommended.

Local authentication configures user information such as user names and passwords on the NAS without deploying extra HWTACACS servers, thereby reducing costs. Since the NAS can only store limited user information, this method is applied in scenarios with a small number of users.

Remote authentication configures user information such as user names and passwords on the remote HWTACACS server for centralized management. This method is applied in scenarios with a large number of users.

HWTACACS authentication supports the use of one or more authentication methods at the same time. The network may experience server failures or link failures between the NAS and the authentication server. If the authentication server does not respond during the authentication process, users cannot be successfully authenticated or access the network. To prevent this situation, HWTACACS authentication supports mixed use of multiple authentication methods. The authentication methods are tried in the configured order. A new authentication method is used only when no response is received from the authentication server in the current authentication. If the current authentication method fails, the user fails the authentication and no further authentication method is tried. If multiple authentication methods are configured, non-authentication can only be the last one.

Authentication on administrator level improvement

The system grants users different privilege levels to restrict their access rights. Users' privilege levels correspond to command levels. Users can use only the commands at the same or a lower level than their privilege levels. However, under some circumstances, users need to improve their privilege levels to obtain higher command operation rights without logging out or terminating the current connection. Authentication is required for user level improvement. Users are granted new rights only after being authenticated. No authentication is required when a user switches to a lower privilege level. If maintenance personnel log in to the device with a low privilege level to check its operating status, they may wish to switch to a higher level temporarily for configuration and maintenance operations. Such level switching takes effect only for the current login. The user level is restored on the next login.
Authentication modes for user level improvement are also available in three types, namely non-authentication, local authentication, and remote authentication. Mixed use of multiple authentication methods is also supported, with a working principle similar to that of user authentication.

As shown in the following example, all maintenance personnel in a network management department log in to the device using HWTACACS authentication with user level 0 (VISIT level). They can only run some basic commands for network diagnosis, such as ping and tracert. The maintenance personnel can upgrade their user levels using the super command. The core maintenance personnel in the department have the highest operation rights on the device. After the correct password is entered, the user level is raised to level 3 (MANAGE level). In this way, the maintenance personnel have the rights to run all commands on the device.

    <HUAWEI> super 3
    Password:                            < Enter the password for user level switching.
    Now user privilege is 3 level, and only those commands whose level is equal to or less than this level can be used.
    Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

Administrator password modification on the HWTACACS server

To improve the security of device management, the HWTACACS server allows users to change administrator passwords. Additionally, the password validity period and the alarm period for password aging can be set. Users can change their passwords only while the user names and passwords have not expired. When a user whose password has expired logs in to the device, the HWTACACS server does not allow the user to change the password and displays a message indicating that the authentication fails. When a user password is within the validity period but has reached the final alarm period, the device notifies the administrator user that the password is about to expire and asks the user to change the password promptly every time they log in to the device.
After the password change function is enabled on the HWTACACS server, the administrator can change the password on the device after logging in using Telnet or Secure Shell (SSH), without needing to log in to the HWTACACS server. In this way, there is no need for all device administrators to have the rights to log in to the HWTACACS server. As shown in the following information, users who pass HWTACACS authentication can change the password.

    <HUAWEI> hwtacacs-user change-password hwtacacs-server huawei
    Info: EXEC is in an interactive process, please wait...
    Old Password:                        < Enter the old password.
    New Password:                        < Enter the new password.
    Re-enter New password:               < Confirm the password.
    Info: The password has been changed successfully

HWTACACS Authorization

Authorization on access users and EXEC authorization on administrator users

Access user authorization means that the HWTACACS server controls the rights of 802.1X and Portal access users. Administrator EXEC authorization means that the HWTACACS server controls the rights of administrator users logging in through Telnet, SSH, and FTP. User authorization is implemented by exchanging authorization packets carrying HWTACACS attributes between the NAS and the HWTACACS server. For detailed HWTACACS attributes, see the appendix.

Through access user authorization, the server can deliver the upstream/downstream committed information rate (CIR) and peak information rate (PIR), IP address, and DNS address to users. Through administrator EXEC authorization, the server can deliver attributes such as idle-time, privilege-level, ftp-directory, and auto-cmd to administrator users. The idle-time attribute specifies how long an administrator user can stay idle after logging in to the device before being disconnected. The privilege-level attribute authorizes the level of a login administrator. The ftp-directory attribute authorizes the local directory for an FTP user. The auto-cmd attribute automatically runs specified command lines after an authorized administrator logs in to the device.

HWTACACS supports non-authorization, local authorization, remote authorization, and a combination of these authorization modes.
The working principle of the combined authorization modes is similar to that of the combined authentication modes. If HWTACACS remote authorization fails because the remote server does not respond, local authorization starts.

Command-line authorization for administrator users

HWTACACS can authorize privilege levels and command lines for administrator users. Administrator users logging in through Telnet, SSH, and FTP are classified into four user levels: visit (0), monitoring (1), system (2), and management (3). Users of different levels have different rights. Users at the management level have the highest rights and can run all commands. Users with a lower level can enter fewer views and run fewer command lines. High-level users also have the rights of low-level users to run command lines.

Users at the visit level only have the rights to run diagnostic commands such as ping and tracert and to access external devices with Telnet and SSH. Users at the monitoring level have system maintenance rights, for example, running the display commands. Users at the system level have the rights to run service configuration commands. Users at the management level have the highest rights. In addition to the rights to run service configuration commands, they have the rights to run system management commands (such as file system, FTP, and TFTP download), user management commands, command level configuration commands, and debugging commands for service fault diagnosis.
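The fallback rule for combined authentication methods (described under HWTACACS Authentication) and combined authorization modes (described just above) as an added example, not code from the white paper or from Huawei: a later method is consulted only when the current one gives no response, an explicit failure is final, and non-authentication may only be the last method. The method names, the responder callables, the local user table and the fail-closed default when every method stays silent are constructed assumptions.

```python
"""Added example (not Huawei's code): evaluator for a combined HWTACACS
method list such as "hwtacacs local" or "hwtacacs none".

Rules taken from the white paper:
  * methods are tried in the configured order;
  * the next method is used only when the current one gives NO response;
  * an explicit failure is final (no fallback);
  * "none" (non-authentication / non-authorization) may only be the last method.
Responders, user names and the fail-closed default are constructed assumptions.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"                # server or local database accepted the user
    FAIL = "fail"                # explicit reject: final, no fallback
    NO_RESPONSE = "no_response"  # server down or link failure: try the next method


def validate_method_list(methods):
    """Reject lists that are empty or that place "none" anywhere but last."""
    if not methods:
        raise ValueError("empty method list")
    if "none" in methods[:-1]:
        raise ValueError('"none" must be the last method in the list')
    return methods


def evaluate(methods, responders, user, trail=None):
    """Walk `methods` in order; `responders` maps a method name to a callable
    returning a Result.  `trail`, if given, collects (method, result) pairs so an
    auditor can see which server actually decided.  Returns the final Result."""
    validate_method_list(methods)
    for method in methods:
        if method == "none":
            result = Result.PASS  # non-authentication trusts the user without a check
        else:
            result = responders[method](user)
        if trail is not None:
            trail.append((method, result))
        if result is not Result.NO_RESPONSE:
            return result  # PASS or FAIL ends the walk; only silence falls through
    # Every configured method stayed silent: fail closed (assumption; the paper
    # only says such users "cannot be successfully authenticated").
    return Result.FAIL


# Constructed responders standing in for the servers in Figure 2-1.
def hwtacacs_server_down(user):
    return Result.NO_RESPONSE


def hwtacacs_server_rejects(user):
    return Result.FAIL


def local_database(user):
    # Constructed local user table on the NAS.
    return Result.PASS if user in {"admin"} else Result.FAIL


def scenarios():
    """Configurations from the paper, each run against a silent or rejecting server."""
    out = {}
    trail = []
    # authentication-mode hwtacacs local, server unreachable: local decides.
    out["hwtacacs local / server down"] = (
        evaluate(["hwtacacs", "local"],
                 {"hwtacacs": hwtacacs_server_down, "local": local_database}, "admin", trail),
        list(trail))
    trail.clear()
    # Same list, but the server answered with a reject: local is never consulted.
    out["hwtacacs local / server rejects"] = (
        evaluate(["hwtacacs", "local"],
                 {"hwtacacs": hwtacacs_server_rejects, "local": local_database}, "admin", trail),
        list(trail))
    trail.clear()
    # authentication-mode hwtacacs none: silence ends in a pass, which is why "none" is discouraged.
    out["hwtacacs none / server down"] = (
        evaluate(["hwtacacs", "none"], {"hwtacacs": hwtacacs_server_down}, "guest", trail),
        list(trail))
    return out


if __name__ == "__main__":
    for name, (result, trail) in scenarios().items():
        print(f"{name:34} -> {result.value:12} via {trail}")
```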

Despite the four user levels, the application mode is still inflexible, because different administrator users at the same level have the same command operation rights. Command-line authorization can be implemented to give administrator users at the same level different command-line operation rights. Command-line authorization authorizes each command line based on the user level. Users at a certain level can see all command lines at that level but can only execute the commands that are authorized.

As shown in the following figure, command-line authorization is enabled on the NAS device. An authorized command line set is created on the HWTACACS server and bound to the users requiring authorization. The administrator logs in to the NAS. If command-line authorization is not enabled for the user level of the administrator, command lines are run immediately and successfully. If command-line authorization is enabled, the NAS needs to send a command line authorization request packet to the HWTACACS server for each command entered. The HWTACACS server checks whether the administrator is authorized to execute the command line. If so, the server responds with an authorization success message, and the command is run on the NAS. If not, the server responds with an authorization failure message, and the command cannot be run on the NAS.

Figure 2-3 Command-line authorization for administrator users

HWTACACS Accounting

Access user accounting

HWTACACS can charge common users accessing the network through 802.1X, Portal, and PPP. Accounting-start packets are sent when the user logs in. Real-time accounting packets are sent periodically for online users. Accounting-stop packets are sent when the user logs out. HWTACACS accounting has two modes, namely time-based and traffic-based accounting. In the time-based accounting mode, users are charged according to their online duration. In the traffic-based accounting mode, users are charged according to the traffic used after login.

Administrator record auditing

As shown in the following figure, accounting-start packets are sent when the administrator user logs in, and accounting-stop packets are sent when the administrator user logs out. The HWTACACS server records user login information, namely the login and logout time. Generally, administrator users do not need to be charged. Instead, their login information is recorded and audited. HWTACACS accounting packets can record two types of administrator login information on the HWTACACS server. One type is information about users logging in to the NAS device through Telnet and FTP; the other is information about users logging in to a remote server using the NAS device as a Telnet or FTP client. After logging in to the NAS device, the user enters the command to set up a connection with the remote server and access files on the remote host. Login records of both types are called connection information records.

Figure 2-4 Administrator connection information records

As shown in the following figure, HWTACACS accounting packets can also carry any command line configured by the administrator on the device, and the configured command line is recorded on the HWTACACS server. These information records, also called command records, can be used to track historical commands when service interruptions are caused by configuration errors. Additionally, the device can record system events (such as a card reset) by sending HWTACACS accounting packets. Such information records, also called system information records, can help the administrator locate faults.

Figure 2-5 Administrator command records and system information records
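How the accounting records above (start, real-time, stop, and command records) turn into the audit view the server keeps, as an added example that is not code from the white paper or from Huawei. The records are constructed; the attribute names (task_id, start_time, stop_time, elapsed_time, bytes_in, bytes_out, cmd) are those of RFC 8907 section 8.3, which HWTACACS is assumed to share, and treating a record that carries cmd as a command record is also an assumption.

```python
"""Added example (not Huawei's code): rebuild per-session audit data
(login/logout time, online seconds, traffic, commands run) from accounting
requests.  Records are constructed; attribute names follow RFC 8907 section
8.3 and are assumed to apply to HWTACACS.  A record carrying "cmd" is treated
as a command record (assumption).  The edge cases handled are a session that
is still online (no STOP yet) and a STOP whose START was never received.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

TAC_PLUS_ACCT_FLAG_START = 0x02
TAC_PLUS_ACCT_FLAG_STOP = 0x04
TAC_PLUS_ACCT_FLAG_WATCHDOG = 0x08  # the periodic "real-time" accounting packet


@dataclass
class Session:
    user: str
    port: str
    rem_addr: str
    start_time: Optional[int] = None
    stop_time: Optional[int] = None
    elapsed_time: int = 0  # seconds, from the latest WATCHDOG or the STOP
    bytes_in: int = 0
    bytes_out: int = 0
    commands: list = field(default_factory=list)   # (timestamp, command line)
    anomalies: list = field(default_factory=list)

    @property
    def state(self):
        return "closed" if self.stop_time is not None else "online"

    @property
    def traffic(self):  # what traffic-based accounting would charge
        return self.bytes_in + self.bytes_out


def parse_args(args):
    """'attr=value' (mandatory) or 'attr*value' (optional) strings into a dict."""
    out = {}
    for a in args:
        m = re.match(r"([^=*]+)[=*](.*)", a)
        if not m:
            raise ValueError(f"malformed accounting argument: {a!r}")
        out[m.group(1)] = m.group(2)
    return out


def audit(records):
    """Fold accounting requests into one Session per (user, port); returns that dict."""
    sessions = {}
    for rec in records:
        attrs = parse_args(rec["args"])
        key = (rec["user"], rec["port"])
        s = sessions.setdefault(key, Session(rec["user"], rec["port"], rec["rem_addr"]))
        flags = rec["flags"]
        if "cmd" in attrs:                              # command record
            s.commands.append((int(attrs["start_time"]), attrs["cmd"]))
        elif flags & TAC_PLUS_ACCT_FLAG_START:          # connection record: login
            s.start_time = int(attrs["start_time"])
        elif flags & TAC_PLUS_ACCT_FLAG_WATCHDOG:       # still online; refresh counters
            s.elapsed_time = int(attrs["elapsed_time"])
            s.bytes_in = int(attrs.get("bytes_in", s.bytes_in))
            s.bytes_out = int(attrs.get("bytes_out", s.bytes_out))
        elif flags & TAC_PLUS_ACCT_FLAG_STOP:           # connection record: logout
            if s.start_time is None:
                s.anomalies.append("stop without start")  # lost or suppressed start
            s.stop_time = int(attrs["stop_time"])
            s.elapsed_time = int(attrs.get("elapsed_time", s.elapsed_time))
            s.bytes_in = int(attrs.get("bytes_in", s.bytes_in))
            s.bytes_out = int(attrs.get("bytes_out", s.bytes_out))
    return sessions


# Constructed records: one full Telnet session with two commands, one session
# still online, and one STOP whose START never arrived.
SAMPLE_RECORDS = [
    {"flags": TAC_PLUS_ACCT_FLAG_START, "user": "test", "port": "vty3", "rem_addr": "192.0.2.10",
     "args": ["task_id=11", "start_time=1000", "service=shell"]},
    {"flags": TAC_PLUS_ACCT_FLAG_STOP, "user": "test", "port": "vty3", "rem_addr": "192.0.2.10",
     "args": ["task_id=12", "start_time=1010", "service=shell", "cmd=system-view"]},
    {"flags": TAC_PLUS_ACCT_FLAG_STOP, "user": "test", "port": "vty3", "rem_addr": "192.0.2.10",
     "args": ["task_id=13", "start_time=1020", "service=shell", "cmd=ospf 1"]},
    {"flags": TAC_PLUS_ACCT_FLAG_WATCHDOG, "user": "test", "port": "vty3", "rem_addr": "192.0.2.10",
     "args": ["task_id=11", "elapsed_time=180", "bytes_in=400", "bytes_out=2600"]},
    {"flags": TAC_PLUS_ACCT_FLAG_STOP, "user": "test", "port": "vty3", "rem_addr": "192.0.2.10",
     "args": ["task_id=11", "stop_time=1300", "elapsed_time=300", "bytes_in=700", "bytes_out=4100"]},
    {"flags": TAC_PLUS_ACCT_FLAG_START, "user": "carol", "port": "vty1", "rem_addr": "192.0.2.11",
     "args": ["task_id=21", "start_time=1100", "service=shell"]},
    {"flags": TAC_PLUS_ACCT_FLAG_WATCHDOG, "user": "carol", "port": "vty1", "rem_addr": "192.0.2.11",
     "args": ["task_id=21", "elapsed_time=180"]},
    {"flags": TAC_PLUS_ACCT_FLAG_STOP, "user": "bob", "port": "vty2", "rem_addr": "192.0.2.12",
     "args": ["task_id=31", "stop_time=1400", "elapsed_time=50"]},
]


if __name__ == "__main__":
    for (user, port), s in audit(SAMPLE_RECORDS).items():
        print(f"{user}@{port}: {s.state}, {s.elapsed_time}s online, {s.traffic} bytes, "
              f"commands={[c for _, c in s.commands]}, anomalies={s.anomalies}")
```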

3 Application Scenario

3.1 HWTACACS Authentication, Authorization, and Accounting

Networking requirements

As shown in Figure 3-1, the switch performs HWTACACS authentication and authorization on the access users first. If the HWTACACS server does not respond, the switch performs local authentication and authorization. The switch performs real-time HWTACACS accounting on the access users every 3 minutes. The IP addresses of the primary and secondary HWTACACS servers are /24 and /24, respectively. The port number for authentication, accounting, and authorization is 49.

Figure 3-1 HWTACACS authentication, authorization, and accounting on access users

Procedure

1. Enable HWTACACS.

    [Switch] hwtacacs enable

2. Configure the HWTACACS server template named ht and set the IP addresses and port numbers of the primary and secondary HWTACACS authentication, authorization, and accounting servers.

    [Switch] hwtacacs-server template ht
    [Switch-hwtacacs-ht] hwtacacs-server authentication
    [Switch-hwtacacs-ht] hwtacacs-server authorization
    [Switch-hwtacacs-ht] hwtacacs-server accounting
    [Switch-hwtacacs-ht] hwtacacs-server authentication secondary
    [Switch-hwtacacs-ht] hwtacacs-server authorization secondary
    [Switch-hwtacacs-ht] hwtacacs-server accounting secondary

3. Configure the shared key of the HWTACACS server.

    [Switch-hwtacacs-ht] hwtacacs-server shared-key cipher
    [Switch-hwtacacs-ht] quit

4. Create an authentication scheme named l-h. In the authentication scheme, configure the system to perform HWTACACS authentication first, and then local authentication if HWTACACS authentication fails.

    [Switch] aaa
    [Switch-aaa] authentication-scheme l-h
    [Switch-aaa-authen-l-h] authentication-mode hwtacacs local
    [Switch-aaa-authen-l-h] quit

5. Create an authorization scheme named hwtacacs. In the authorization scheme, configure the system to perform HWTACACS authorization first, and then local authorization if HWTACACS authorization fails.

    [Switch-aaa] authorization-scheme hwtacacs
    [Switch-aaa-author-hwtacacs] authorization-mode hwtacacs local
    [Switch-aaa-author-hwtacacs] quit

6. Create an accounting scheme named hwtacacs. In the accounting scheme, set the accounting mode to HWTACACS and allow users to still go online after an accounting-start failure.

    [Switch-aa] accounting-scheme hwtacacs
    [Switch-aaa-accounting-hwtacacs] accounting-mode hwtacacs
    [Switch-aaa-accounting-hwtacacs] accounting start-fail online

7. Set the interval of real-time accounting to 3 minutes.

    [Switch-aaa-accounting-hwtacacs] accounting realtime 3
    [Switch-aaa-accounting-hwtacacs] quit

8. Configure a domain named huawei, and apply the authentication scheme l-h, the authorization scheme hwtacacs, the accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.

    [Switch-aaa] domain huawei
    [Switch-aaa-domain-huawei] authentication-scheme l-h
    [Switch-aaa-domain-huawei] authorization-scheme hwtacacs
    [Switch-aaa-domain-huawei] accounting-scheme hwtacacs
    [Switch-aaa-domain-huawei] hwtacacs-server ht
    [Switch-aaa-domain-huawei] quit
    [Switch-aaa] quit
    [Switch] quit

3.2 Command-Line Authorization

Networking requirements

As shown in Figure 3-2, a Cisco Secure ACS server runs the TACACS+ protocol. A Huawei switch serves as the NAS to communicate with the TACACS+ server, and the ACS server is used to authorize command lines. This example uses system view commands and OSPF commands. The authorized command lines can be executed successfully. When the administrator executes command lines that are not authorized, the command lines are visible but cannot be executed.

Figure 3-2 Remote HWTACACS server authorization

Procedure

1. Server configuration:

(1) Add a user name and password using User Setup on the ACS server, as shown in Figure 3-3.

Figure 3-3 Adding a user name on the HWTACACS server

(2) Set the privilege level for users on the server, as shown in Figure 3-4.

Figure 3-4 Setting the privilege level on the HWTACACS server

(3) Configure the IP address of the NAS device and set the authentication mode to TACACS+ authentication, as shown in Figure 3-5.

Figure 3-5 Setting the NAS address and authentication mode on the server

(4) Edit the authorized command line set. The commands to be authorized include only system view commands and OSPF commands, as shown in Figure 3-6.

Figure 3-6 Editing the authorized command line set on the HWTACACS server

(5) Bind the command line set in Group Setup, and then submit and restart the service. After that, all settings on the server are complete, as shown in Figure 3-7.

Figure 3-7 Binding the command line set in Group Setup on the HWTACACS server

2. Device configuration:

(1) Configure the authentication and authorization server and enable command-line authorization for users at level 2.

    hwtacacs-server template acs
     hwtacacs-server authentication
     hwtacacs-server authorization
     hwtacacs-server shared-key Huawei
    aaa
     authentication-scheme huawei
      authentication-mode hwtacacs
     authorization-scheme huawei
      authorization-cmd 2 hwtacacs       < Enable command-line authorization for users at level 2.
      authorization-mode hwtacacs
     domain huawei
      authentication-scheme huawei
      authorization-scheme huawei
      hwtacacs-server acs

    user-interface vty 0 4
     authentication-mode aaa
     user privilege level 15            < When authorization is not enabled, the login administrator has privilege level 15.
     idle-timeout 0 0

    [HUAWEI] dis authorization-scheme huawei
      Authorization-scheme-name            : huawei
      Authorization-method                 : HWTACACS
      Authorization-method                 : Local
      Authorization-cmd level 0            : Disabled
      Authorization-cmd level 1            : Disabled
      Authorization-cmd level 2            : Enabled ( HWTACACS )   < Enable HWTACACS command-line authorization for users at level 2.
      Authorization-cmd level 3            : Disabled
      Authorization-cmd level 4            : Disabled
      Authorization-cmd level 5            : Disabled
      Authorization-cmd level 6            : Disabled
      Authorization-cmd level 7            : Disabled
      Authorization-cmd level 8            : Disabled
      Authorization-cmd level 9            : Disabled
      Authorization-cmd level 10           : Disabled
      Authorization-cmd level 11           : Disabled
      Authorization-cmd level 12           : Disabled
      Authorization-cmd level 13           : Disabled
      Authorization-cmd level 14           : Disabled
      Authorization-cmd level 15           : Disabled
      Authorization-cmd no-response-policy : Online

(2) The authorized commands can be executed successfully, and the unauthorized commands fail to be executed.

    Login authentication
    Username:test@huawei
    Password:
    Note: The max number of VTY users is 5, and the current number of VTY users on line is 4.
    <S >display user-interface vty 3
      Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
    + 37   VTY                                          A     -
    + : Current user-interface is active.
    F : Current user-interface is active and work in async mode.
    Idx : Absolute index of user-interface.
    Type : Type and relative index of user-interface.
    Privi: The privilege of user-interface.
    ActualPrivi: The actual privilege of user-interface.
    Auth : The authentication mode of user-interface.
    Int : The physical location of UIs.

    A: Authenticate use AAA.
    N: Current user-interface need not authentication.
    P: Authenticate use current UI's password.
    <HUAWEI> system-view                 < Authorized command
    Enter system view, return user view with Ctrl+Z.
    [HUAWEI] ospf 1                      < Authorized command
    [HUAWEI-ospf-1] dis this             < Unauthorized command
    Error: This command failed to pass the authorization.
    [HUAWEI-ospf-1] q
    [HUAWEI] isis 1                      < Unauthorized command
    Error: This command failed to pass the authorization.

3.3 Changing Passwords and Setting Aging Time for Administrator Accounts on the HWTACACS Server

Networking requirements

As shown in the following figure, a Huawei switch works as the NAS to communicate with a Cisco Secure ACS server. You can change the password of administrator accounts saved on the server directly from the NAS. Users can configure password aging by time or by login count on the server. In this example, password aging by login count is configured. The system generates an alarm when a password is used for login the first time and prompts the user to change the password when the password is used for login the second time. Users can also proactively change the password for the administrators.

Procedure

1. Server configuration:

(1) Configure the server to allow users to change the password through Telnet. Click Local Password Management in System Configuration on the ACS server, as shown in Figure 3-8.

Figure 3-8 Local Password Management on the HWTACACS server

On the Local Password Management page, deselect Disable TELNET Change Password under Remote Change Password, as shown in Figure 3-9.

Figure 3-9 Enabling Telnet change password on the HWTACACS server

(2) On the Group Setup page, set password aging by time or by login count in Password Aging Rules, as shown in Figure 3-10. In this example, password aging by login count is configured.

Figure 3-10 Setting password aging on the HWTACACS server

(3) Add the user account that requires password aging to the preceding group, as shown in Figure 3-11.

Figure 3-11 Adding a user account to the preceding group on the HWTACACS server

2. Device configuration:

(1) Configure the authentication server.

    hwtacacs-server template acs
     hwtacacs-server authentication
     hwtacacs-server authorization
     hwtacacs-server shared-key Huawei

(2) Set the domain for the user that requires password aging, use the authentication server configured in the preceding step, and set the authentication mode to hwtacacs.

    aaa
     authentication-scheme default
     authentication-scheme huawei
      authentication-mode hwtacacs
     authorization-scheme default
     authorization-scheme huawei
      authorization-mode hwtacacs
     accounting-scheme default
     domain huawei
      authentication-scheme huawei
      authorization-scheme huawei
      hwtacacs-server acs

(3) Log in to the device using Telnet and set password aging or change the password.

    Login authentication                 < First login
    Username:                            < Enter the login user name.
    Password:
    Warning: Your password will expire in 1 more logins
    Info: The max number of VTY users is 5, and the number of current VTY users on line is 1.
    <HUAWEI>
    Login authentication                 < Exit from the login interface and perform the second login.
    Username: test@huawei                < Enter the login user name.
    Password:                            < Enter the old password.
    Your password has expired. Enter a new one now.
    New Password:                        < The password has expired, and you need to enter a new password.
    Re-enter New password:               < Confirm the new password.
    Warning: Password Changed
    Info: The max number of VTY users is 5, and the number of current VTY users on line is 1.
    <HUAWEI>
    <HUAWEI> hwtacacs-user change-password hwtacacs-server acs    < Change the password.
    Info: EXEC is in an interactive process, please wait...
    Username: test@huawei                < Enter the login user name.
    Old Password:                        < Enter the old password.
    New Password:                        < Enter a new password.
    Re-enter New password:               < Confirm the new password.
    Info: The password has been changed successfully.

3.4 Administrator User Level Improvement
Networking requirements
As shown in the following figure, a Huawei switch works as the NAS to interconnect with the Cisco Secure ACS server. An administrator user logs in to the device through the remote HWTACACS authentication server. If the login administrator has a low user level and needs to improve the user level, run the super command to change the user level in none, super, or hwtacacs mode.
Procedure
1. Improve the user level in none authentication mode.
aaa
 authentication-scheme huawei
  authentication-mode hwtacacs
  authentication-super none    < None authentication
user-interface con 0
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 idle-timeout 0 0

Login authentication
Username: test@huawei
Password:
Note: The max number of VTY users is 5, and the current number of VTY users on line is 4.
<HUAWEI> dis user-interface vty 4
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 38 VTY N -
<HUAWEI> super
Password:    < Enter any password. The user level is improved to level 3.
Now user privilege is 3 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<HUAWEI>
<HUAWEI> super 15
Password:    < Enter any password. The user level is improved to level 15.
Now user privilege is 15 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<HUAWEI>

2. Improve the user level in local authentication mode.
aaa
 authentication-scheme huawei
  authentication-mode hwtacacs
  authentication-super super    < Default authentication mode: super local authentication
super password level 5 simple test1    < The user level can only be improved to a configured local level.
super password level 10 simple test2
super password level 15 simple test3

Login authentication
Username: test@huawei
Password:
Note: The max number of VTY users is 5, and the current number of VTY users on line is 4.
<HUAWEI> dis user-interface vty 1
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 35 VTY A -
<HUAWEI> super 5
Password:
Now user privilege is 5 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<HUAWEI> super 8    < The local user level 8 is not configured. User level improvement fails. The user level is still level 5.
Password:
Access Denied
Password:
Access Denied
Password:
Access Denied
<HUAWEI> super 10
Password:
Now user privilege is 10 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
3. Improve the user level using the HWTACACS server.
(1) On the server, enable user level improvement authentication and set the maximum user level to 10, as shown in Figure 3-12 and Figure

Figure 3-12 Enabling user level improvement authentication on the HWTACACS server
Figure 3-13 Setting user level improvement on the HWTACACS server

(2) Configure HWTACACS authentication on the device.
aaa
 authentication-scheme huawei
  authentication-mode hwtacacs
  authentication-super hwtacacs    < hwtacacs authentication

Login authentication
Username:
Password:
Note: The max number of VTY users is 5, and the current number of VTY users on line is 4.
<HUAWEI> dis user-interface vty 1
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 35 VTY A -
<HUAWEI> super 7    < Improve the user level to level 7 through HWTACACS authentication.
Password:
Now user privilege is 7 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<HUAWEI> super 11    < The user level can only be improved up to level 10, the maximum set on the TACACS server.
Password:
Access Denied
Password:
<HUAWEI> super 6    < No authentication is required when the user level decreases.
Now user privilege is 6 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
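The three transcripts above differ only in who decides whether `super` succeeds. The following is an added illustration, not Huawei code: it models the decision logic of the none, super (local) and hwtacacs modes as the transcripts show them, so the three can be compared side by side. The server-side password and the server's maximum level (10) are constructed sample values.

```python
"""Decision logic behind the three authentication-super modes shown above.

Added illustration, not Huawei code. It models only what the transcripts show:
none accepts any password, super checks a local `super password level N` entry,
hwtacacs checks the server password and the server's maximum level, and
lowering the level is never authenticated. Server values are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_LEVEL = 15
DEFAULT_SUPER_TARGET = 3  # `super` with no level argument goes to level 3 (transcript 1)


@dataclass
class SuperPolicy:
    mode: str                                                   # "none", "super" or "hwtacacs"
    local_passwords: Dict[int, str] = field(default_factory=dict)  # mode "super"
    server_max_level: Optional[int] = None                      # mode "hwtacacs"
    server_password: str = ""                                   # mode "hwtacacs" (sample)


def super_request(policy: SuperPolicy, current: int, password: str,
                  target: int = DEFAULT_SUPER_TARGET) -> Tuple[bool, int]:
    """Outcome of `super [target]` for a user currently at level `current`.

    Returns (granted, level_after); on denial the level is unchanged, matching
    the "The user level is still level 5" note in transcript 2.
    """
    if not 0 <= current <= MAX_LEVEL or not 0 <= target <= MAX_LEVEL:
        raise ValueError("user levels are 0..15")

    # Transcript 3: `super 6` from level 7 succeeds without a password prompt.
    if target <= current:
        return True, target

    if policy.mode == "none":
        # Any password is accepted, so the switch itself imposes no control on
        # escalation; level 15 is reachable by anyone who can log in.
        return True, target

    if policy.mode == "super":
        # Only a level with a configured local password is reachable;
        # `super 8` is denied because no `super password level 8` exists.
        expected = policy.local_passwords.get(target)
        granted = expected is not None and expected == password
        return granted, target if granted else current

    if policy.mode == "hwtacacs":
        # The server authenticates the password and caps the level it grants;
        # `super 11` is denied when the server maximum is 10.
        within_cap = (policy.server_max_level is not None
                      and target <= policy.server_max_level)
        granted = within_cap and password == policy.server_password
        return granted, target if granted else current

    raise ValueError(f"unknown authentication-super mode: {policy.mode!r}")


def replay(policy: SuperPolicy, start_level: int,
           attempts: Tuple[Tuple[int, str], ...]) -> Tuple[int, ...]:
    """Apply a sequence of (target, password) attempts; return the level after each."""
    level, history = start_level, []
    for target, password in attempts:
        _, level = super_request(policy, level, password, target)
        history.append(level)
    return tuple(history)
```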

4 Reference Standards and Protocols
Table 4-1 HWTACACS standards
Standard Number | Document Name | Remarks
RFC 1492 | An Access Control Protocol, Sometimes Called TACACS | TACACS protocol
draft-grant-tacacs-02 | The TACACS+ Protocol Version 1.78 | TACACS+ protocol. It is a draft Internet protocol and is often cited as a Cisco proprietary protocol. HWTACACS is compatible with TACACS+ V

5 Appendix
Table 5-1 Common HWTACACS attributes
Attribute Name | Description
acl | Authorized ACL ID.
addr | User IP address.
autocmd | Command automatically executed after user login.
bytes_in | Number of bytes received by the device. K, M, and G indicate KB, MB, and GB, respectively. If no unit is specified, the unit of the attribute is byte.
bytes_out | Number of bytes sent by the device. K, M, and G indicate KB, MB, and GB, respectively. If no unit is specified, the unit of the attribute is byte.
callback-line | Call number, that is, the information sent from the server to be displayed to a user, such as the mobile number.
cmd | First keyword of the command encapsulated during command line authorization.
cmd-arg | Parameters of the command line requesting to be authorized.
disc_cause | Offline reason. The attribute is supported only by accounting-stop packets. The reasons include: User requested termination of service (1). Data interruption (2). Service interruption (3). Idle timer expired (4). Session timeout (5). The administrator requested the user to go offline (7). NAS fault (9). NAS requested the user to go offline (10). The interface is disabled (12). Incorrect user information (17). Host requested to go offline (18).
disc_cause_ext | Extended offline reason. The attribute is supported only by accounting-stop packets. The reasons include: Unknown reason (1022). EXEC terminal connection termination (1020). Other online Telnet users forced the user offline (1022). The remote end has no IP address, so the user cannot switch to the SLIP/PPP client (1023). PPP PAP authentication failure (1042). PPP received termination packets from the remote end (1045). The upper-layer device required PPP disconnection (1046). PPP handshake failure (1063). Session timeout (1100).
dnaverage | Downlink average rate, in bit/s.
dnpeak | Downlink peak rate, in bit/s.
dns-servers | Primary DNS server address.
elapsed_time | How long a user has been online, in seconds.
ftpdir | Initial directory of an FTP user.
gw-password | Tunnel password, which is a character string.
idletime | Idle period. The server automatically disconnects the user if no operation is performed within the idle period.
l2tp-hello-interval | Interval for sending L2TP Hello packets. Currently, the device does not support this attribute.
l2tp-hidden-avp | Hidden Attribute Value Pair (AVP) of L2TP. Currently, the device does not support this attribute.
l2tp-nosession-timeout | Idle period of the L2TP session. When there is no L2TP session, the L2TP tunnel is torn down after this period. Currently, the device does not support this attribute.
l2tp-group-num | L2TP group number. Other L2TP attributes take effect only after this attribute is delivered; if this attribute is not delivered, other L2TP attributes are ignored.
l2tp-tos-reflect | TOS value of L2TP. Currently, the device does not support this attribute.
l2tp-tunnel-authen | Whether L2TP tunnel authentication is implemented. The value 0 indicates that tunnel authentication is not implemented, and the value 1 indicates that it is implemented.
l2tp-udp-checksum | UDP packet checksum of L2TP.
nocallback-verify | No verification after the callback.

nohangup | Whether the device automatically cuts off the user connection. The value is true or false. The attribute is attached to autocmd: after autocmd is configured, this attribute determines whether the device cuts off the user connection after running the autocmd command. true indicates that the user connection is not cut off, and false indicates that it is cut off.
paks_in | Number of packets received by the device.
paks_out | Number of packets sent by the device.
priv-lvl | User level.
protocol | Protocol type. It is a subset of the service type and takes effect for ppp and connection. Currently, the protocols pad, telnet, ip, and vpdn are supported. When the service type is connection, the protocol type can be pad or telnet. When the service type is ppp, the protocol type can be ip or vpdn. For other service types, the attribute is not encapsulated.
task_id | Task ID. The task_id of the same task must be the same at the start and end.
timezone | Local time zone.
tunnel-id | Tunnel ID, which is a string of characters.
tunnel-type | Type of the tunnel to be established.
service | Service type, which can be an accounting or authorization service.
source-ip | IP address of the tunnel's local end.
upaverage | Uplink average rate, in bit/s.
uppeak | Uplink peak rate, in bit/s.

Table 5-2 Support status of attributes in the HWTACACS authorization packets
Attribute | Command Line Authorization Request Packet | EXEC Authorization Response Packet | Access User Authorization Response Packet
acl | N | Y | N
addr | N | N | Y
addr-pool | N | N | Y
autocmd | N | Y | N
callback-line | N | Y | Y
cmd | Y | N | N
cmd-arg | Y | N | N
dnaverage | N | N | Y
dnpeak | N | N | Y
dns-servers | N | N | Y
ftpdir | N | Y | N
gw-password | N | N | Y
idletime | N | Y | N
ip-addresses | N | N | Y
l2tp-group-num | N | N | Y
l2tp-tunnel-authen | N | N | Y
nocallback-verify | N | Y | N
nohangup | N | Y | N
priv-lvl | N | Y | N
source-ip | N | N | Y
tunnel-type | N | N | Y
tunnel-id | N | N | Y
upaverage | N | N | Y

Table 5-3 Support status of attributes in the HWTACACS accounting packets
Packet columns: (1) Network Accounting-Start Request Packet, (2) Network Accounting-Stop Request Packet, (3) Network Accounting Real-Time Request Packet, (4) Connection Accounting-Start Request Packet, (5) Connection Accounting-Stop Request Packet, (6) EXEC Accounting-Start Request Packet, (7) EXEC Accounting-Stop Request Packet, (8) EXEC Accounting Real-Time Request Packet, (9) System Accounting-Stop Request Packet, (10) Command Accounting-Stop Packet
Attribute | (1) | (2) | (3) | (4) | (5) | (6) | (7) | (8) | (9) | (10)
addr | Y | Y | Y | Y | Y | N | N | N | N | N
bytes_in | N | Y | Y | N | Y | N | Y | Y | N | N
bytes_out | N | Y | Y | N | Y | N | Y | Y | N | N
cmd | N | N | N | Y | Y | N | N | N | N | Y
disc_cause | N | Y | N | N | N | N | Y | Y | N | N
disc_cause_ext | N | Y | N | N | N | N | Y | Y | N | N
elapsed_time | N | Y | Y | N | Y | N | Y | Y | Y | N
paks_in | N | Y | Y | N | Y | N | Y | Y | N | N
paks_out | N | Y | Y | N | Y | N | Y | Y | N | N
priv-lvl | N | N | N | N | N | N | N | N | N | Y
protocol | Y | Y | Y | Y | Y | N | N | N | N | N
service | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
task_id | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
timezone | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
tunnel-id | N | N | N | N | N | N | N | N | N | N
tunnel-type | Y | N | N | N | N | N | N | N | N | N
Y: Supported
N: Not supported
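As an added example (not Huawei code), the following decodes the accounting attributes described in Table 5-1 and checks each against the packet-type support matrix of Table 5-3, so that a collector can tell a value it should trust from one the device would not have sent in that packet type. The short packet-type labels and the sample records are constructed here, and K/M/G on bytes_in and bytes_out are taken as 1024-based multipliers, which is an assumption the white paper does not state.

```python
"""Decode HWTACACS accounting attributes (Table 5-1) and validate them against
the per-packet-type support matrix (Table 5-3).

Added example, not Huawei code. Packet-type labels and sample records are
constructed; the K/M/G multipliers are an assumption (1024-based).
"""
import re
from typing import Dict, List

# Offline reasons carried in disc_cause (Table 5-1).
DISC_CAUSE: Dict[int, str] = {
    1: "User requested termination of service",
    2: "Data interruption",
    3: "Service interruption",
    4: "Idle timer expired",
    5: "Session timeout",
    7: "The administrator requested the user to go offline",
    9: "NAS fault",
    10: "NAS requested the user to go offline",
    12: "The interface is disabled",
    17: "Incorrect user information",
    18: "Host requested to go offline",
}

# Table 5-3 columns in order; these labels are this example's shorthand.
PACKET_TYPES: List[str] = [
    "network-start", "network-stop", "network-realtime",
    "connection-start", "connection-stop",
    "exec-start", "exec-stop", "exec-realtime",
    "system-stop", "command-stop",
]
# One Y/N per column, transcribed row by row from Table 5-3.
SUPPORT: Dict[str, str] = {
    "addr": "YYYYYNNNNN", "bytes_in": "NYYNYNYYNN", "bytes_out": "NYYNYNYYNN",
    "cmd": "NNNYYNNNNY", "disc_cause": "NYNNNNYYNN", "disc_cause_ext": "NYNNNNYYNN",
    "elapsed_time": "NYYNYNYYYN", "paks_in": "NYYNYNYYNN", "paks_out": "NYYNYNYYNN",
    "priv-lvl": "NNNNNNNNNY", "protocol": "YYYYYNNNNN", "service": "YYYYYYYYYY",
    "task_id": "YYYYYYYYYY", "timezone": "YYYYYYYYYY", "tunnel-id": "NNNNNNNNNN",
    "tunnel-type": "YNNNNNNNNN",
}
_UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumed multipliers


def is_supported(attr: str, packet_type: str) -> bool:
    """True if Table 5-3 marks `attr` with Y for this accounting packet type."""
    row = SUPPORT.get(attr)
    return row is not None and row[PACKET_TYPES.index(packet_type)] == "Y"


def parse_byte_count(text: str) -> int:
    """bytes_in/bytes_out value with optional K/M/G suffix; no suffix means bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text.strip())
    if m is None:
        raise ValueError(f"bad byte count: {text!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]


def decode_accounting(packet_type: str, pairs: Dict[str, str]) -> Dict[str, object]:
    """Typed view of one accounting record. Attributes that Table 5-3 does not
    support in this packet type are listed under "ignored" instead of decoded."""
    out: Dict[str, object] = {}
    ignored: List[str] = []
    for name, value in pairs.items():
        if not is_supported(name, packet_type):
            ignored.append(name)
        elif name in ("bytes_in", "bytes_out"):
            out[name] = parse_byte_count(value)
        elif name in ("paks_in", "paks_out", "elapsed_time", "priv-lvl"):
            out[name] = int(value)
        elif name == "disc_cause":
            code = int(value)
            out[name] = (code, DISC_CAUSE.get(code, "unlisted code"))
        else:
            out[name] = value
    out["ignored"] = ignored
    return out


def same_task(start: Dict[str, str], stop: Dict[str, str]) -> bool:
    """Table 5-1: task_id must be identical in the start and stop records of a task."""
    return "task_id" in start and start["task_id"] == stop.get("task_id")


# Constructed sample EXEC accounting records (not captured from a device).
SAMPLE_EXEC_START = {"service": "shell", "task_id": "17", "timezone": "UTC"}
SAMPLE_EXEC_STOP = {
    "service": "shell", "task_id": "17", "timezone": "UTC",
    "elapsed_time": "600", "bytes_in": "2M", "bytes_out": "350K",
    "paks_in": "1500", "paks_out": "1200", "disc_cause": "4",
    "addr": "192.0.2.10",  # not supported in EXEC Accounting-Stop (Table 5-3)
}
```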


More information

Contents. Configuring SSH 1

Contents. Configuring SSH 1 Contents Configuring SSH 1 Overview 1 How SSH works 1 SSH authentication methods 2 SSH support for Suite B 3 FIPS compliance 3 Configuring the device as an SSH server 4 SSH server configuration task list

More information

AAA Server Groups. Finding Feature Information. Information About AAA Server Groups. AAA Server Groups

AAA Server Groups. Finding Feature Information. Information About AAA Server Groups. AAA Server Groups Configuring a device to use authentication, authorization, and accounting (AAA) server groups provides a way to group existing server hosts. Grouping existing server hosts allows you to select a subset

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 9 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 2960 switch. IEEE 802.1x authentication prevents

More information

HP A5820X & A5800 Switch Series Security. Configuration Guide. Abstract

HP A5820X & A5800 Switch Series Security. Configuration Guide. Abstract HP A5820X & A5800 Switch Series Security Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures.

More information

H3C S5830V2 & S5820V2 Switch Series

H3C S5830V2 & S5820V2 Switch Series H3C S5830V2 & S5820V2 Switch Series Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release2108 Document version: 6W101-20120531 Copyright 2012, Hangzhou

More information

HUAWEI AR Series SEP Technical White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 1.0. Date

HUAWEI AR Series SEP Technical White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 1.0. Date HUAWEI AR Series SEP Technical White Paper Issue 1.0 Date 2015-01-19 HUAWEI TECHNOLOGIES CO., LTD. 2015. All rights reserved. No part of this document may be reproduced or transmitted in any form or by

More information

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1 Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3

More information

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ provides detailed accounting information and flexible

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,

More information

S Series Switch. Cisco HSRP Replacement. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

S Series Switch. Cisco HSRP Replacement. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD. Cisco HSRP Replacement Issue 01 Date 2013-08-05 HUAWEI TECHNOLOGIES CO., LTD. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series Fundamentals Command Reference Part number: 5998-2359 Software version: Release 2101 Document version: 6W101-20130930 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Virtual Private Cloud. User Guide. Issue 21 Date HUAWEI TECHNOLOGIES CO., LTD.

Virtual Private Cloud. User Guide. Issue 21 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 21 Date 2018-09-30 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Security Command Reference Part number: 5998-2887 Software version: Release2208 Document version: 6W100-20130228 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Anti-DDoS. User Guide (Paris) Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

Anti-DDoS. User Guide (Paris) Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 01 Date 2018-08-15 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

Cisco IOS Firewall Authentication Proxy

Cisco IOS Firewall Authentication Proxy Cisco IOS Firewall Authentication Proxy This feature module describes the Cisco IOS Firewall Authentication Proxy feature. It includes information on the benefits of the feature, supported platforms, configuration

More information

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall. This chapter describes how to configure the ASA for the. About the, page 1 Guidelines for the, page 7 Prerequisites for the, page 9 Configure the, page 10 Collect User Statistics, page 19 Examples for

More information

Configuring Security Features on an External AAA Server

Configuring Security Features on an External AAA Server CHAPTER 3 Configuring Security Features on an External AAA Server The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

Table of Contents X Configuration 1-1

Table of Contents X Configuration 1-1 Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-1 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-2 EAP over LAN 1-3 EAP over RADIUS 1-5 802.1X Authentication

More information

HP A3100 v2 Switch Series

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Fundamentals Command Reference HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B) HP A3100-16

More information

H3C WA Series WLAN Access Points. Fundamentals Command Reference

H3C WA Series WLAN Access Points. Fundamentals Command Reference H3C WA Series WLAN Access Points Fundamentals Command Reference Abstract This document details the commands for the WA series WLAN access points. Intended audience includes network planners, field technical

More information

Overview. RADIUS Protocol CHAPTER

Overview. RADIUS Protocol CHAPTER CHAPTER 1 The chapter provides an overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Access Registrar as a proxy server. Cisco Access Registrar is a RADIUS

More information

TACACS+ Configuration Mode Commands

TACACS+ Configuration Mode Commands Important TACACS Configuration Mode is available in releases 11.0 and later. This chapter describes all commands available in the TACACS+ Configuration Mode. TACACS+ (Terminal Access Controller Access-Control

More information

Managing GSS User Accounts Through a TACACS+ Server

Managing GSS User Accounts Through a TACACS+ Server CHAPTER 4 Managing GSS User Accounts Through a TACACS+ Server This chapter describes how to configure the GSS, primary GSSM, or standby GSSM as a client of a Terminal Access Controller Access Control System

More information

Configuring the Management Interface and Security

Configuring the Management Interface and Security CHAPTER 5 Configuring the Management Interface and Security Revised: February 15, 2011, Introduction This module describes how to configure the physical management interfaces (ports) as well as the various

More information

Table of Contents 1 SSH Configuration 1-1

Table of Contents 1 SSH Configuration 1-1 Table of Contents 1 SSH Configuration 1-1 SSH Overview 1-1 Introduction to SSH 1-1 Algorithm and Key 1-1 Asymmetric Key Algorithm 1-2 SSH Operating Process 1-2 Configuring the SSH Server 1-4 SSH Server

More information

User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14

User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14 Contents Logging in to the CLI 1 Login methods 1 Logging in through the console or AUX port 2 Logging in through Telnet 5 Telnetting to the switch 5 Telnetting from the switch to another device 7 Logging

More information

Web server Access Control Server

Web server Access Control Server 2 You can use access lists to control traffic based on the IP address and protocol. However, you must use authentication and authorization in order to control access and use for specific users or groups.

More information

JunosE Software for E Series Broadband Services Routers

JunosE Software for E Series Broadband Services Routers JunosE Software for E Series Broadband Services Routers TACACS+ Server Release 15.1.x Published: 2014-08-20 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Configuring Authentication Proxy

Configuring Authentication Proxy The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols.

More information

How to Configure Authentication and Access Control (AAA)

How to Configure Authentication and Access Control (AAA) How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual

More information