Privilege Level Switching Authentication Technology White Paper


Keywords: Privilege level switching authentication, RADIUS, HWTACACS

Abstract: This document briefly describes the background and implementation of the privilege level switching authentication technology, and provides a typical application scenario.

Acronyms:

  Acronym    Full spelling
  AAA        Authentication, Authorization, Accounting
  RADIUS     Remote Authentication Dial-In User Service
  HWTACACS   HW Terminal Access Controller Access Control System

Hangzhou H3C Technologies Co., Ltd.

Table of Contents

Overview
  Background
  Benefits
Implementation
  Relevant Concepts
    User Interface Login Authentication Mode
    Super Authentication Modes
  Implementation of Basic Super Authentication Modes
    Implementation of Local Super Authentication
    Implementation of Remote Super Authentication by a RADIUS Server
    Implementation of Remote Super Authentication by an HWTACACS Server
  Application of Super Authentication Modes
Application Scenario

Overview

Background

To restrict the access of different login users, the device supports assigning privilege levels to users. User privilege levels correspond to command levels: a user logged in to the device can use only commands at the user's own level and lower levels.

Users can also temporarily switch to a higher privilege level without logging out and disconnecting the current connection. For example, an administrator may log in to a device with an identity of a lower privilege level to check the running status of the device. To configure or maintain the device, however, the administrator needs to switch to a higher privilege level. This switching is implemented by the user privilege level switching function.

The user privilege level switching function allows login users to execute the super command to switch to a higher privilege level. During the switch, no connection teardown and re-establishment occur and the user does not need to log in again. After the switch, the user continues to use the original connection but can execute more commands. The switch is effective only for the current login; after the user logs in again, the user privilege level is restored to the original level.

Using the super command, a user can switch to a privilege level equal to or lower than the current one unconditionally. To switch to a higher privilege level, which gives access to more commands, the user must pass level switching authentication, which is also called super authentication, after the super command. Currently, two basic level switching authentication modes are supported:

  Local level switching authentication
  Remote level switching authentication

Additionally, two combinations of the two basic modes are supported for backup and flexibility:

  Local authentication if remote level switching authentication is not available
  Remote level switching authentication if no local level switching password is configured

Local level switching authentication

With local level switching authentication, the device uses locally configured passwords to authenticate users performing privilege level switching, and the same password is used by all users switching to the same privilege level. For example, if a login user wants to switch to privilege level 3, the user must enter the password predefined for switching to level 3, as shown below:

  <Device> super 3
  Password: <Enter the password predefined on the device for switching to level 3>
  User privilege level is 3, and only those commands can be used whose level is equal or less than this.
  Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

Remote level switching authentication

With remote level switching authentication, a remote RADIUS or HWTACACS server is deployed to authenticate user privilege level switching. Remote AAA authentication suits a scenario where, for example, all administrators must pass RADIUS authentication before logging in to the device and, after login, can access only level 0 (visit level) commands and perform basic diagnostic operations such as ping, while only super administrators can switch to a higher level for system configuration and maintenance. As shown below, a super administrator must enter the correct username and password for remote privilege level switching authentication when switching to privilege level 3:

  <Device> super 3
  Username: olive@abc
  Password: <Enter the password predefined on the server for switching to level 3>
  User privilege level is 3, and only those commands can be used whose level is equal or less than this.
  Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

Benefits

Local level switching authentication is easy to configure and use, but it has the following problems:

  Users are hard to distinguish. All users use the same level switching password to switch to a given higher level, so a switch cannot be attributed to an individual user.
  Passwords are stored and managed locally on the device, which has limitations.

Remote level switching authentication requires a remote server, so user information management and maintenance are more complex than with local level switching authentication. However, remote level switching authentication provides the following benefits:

  More secure user privilege level switching. To switch to a higher level, a user provides a username and password that are authenticated by a remote RADIUS or HWTACACS server, so different users can be given different level switching capabilities.
  Flexible device management. Combining remote level switching authentication with local level switching authentication provides reliable authentication and flexible device management.

Implementation

Relevant Concepts

User Interface Login Authentication Mode

The super authentication mode is closely associated with the user interface login authentication mode, and the usage and configuration of super authentication may vary with the login authentication mode used. Table 1 briefly describes the user interface login authentication modes. The authentication modes in the table are the keywords of the authentication-mode { none | password | scheme } command, which sets the user interface login authentication mode. The syntax of the command may vary with the system version.

Table 1 User interface login authentication modes

  Authentication mode   Description
  none                  No authentication is performed when users log in to the user interface.
  password              Password-based authentication is performed when users log in to the user interface.
  scheme                A username and password are required for authentication when users log in to the user interface.

Super Authentication Modes

Currently, the following level switching authentication modes are supported:

  Local level switching authentication
  Remote level switching authentication through an HWTACACS or RADIUS server
  Remote level switching authentication and, if remote super authentication is not available, local super authentication
  Local level switching authentication and, if no local level switching password is configured, remote super authentication

Table 2 describes the level switching authentication modes.

The authentication modes in the table are the keywords of the super authentication-mode { local | scheme }* command, which sets the privilege level switching authentication mode. The syntax of the command may vary with the system version.

Table 2 Description of the level switching authentication modes

  local
    Description: Local level switching authentication.
    Remarks: The device uses the locally configured privilege level switching passwords for authentication. In other words, the device compares the input password with the locally configured one for the corresponding privilege level.

  scheme
    Description: Remote level switching authentication through an HWTACACS or RADIUS server.
    Remarks: The device sends the username and password to the HWTACACS or RADIUS server for remote level switching authentication.

  scheme local
    Description: Remote level switching authentication + local level switching authentication (backup).
    Remarks: The device performs remote level switching authentication and, if the HWTACACS or RADIUS server is not available or the AAA configuration is ineffective, uses local super authentication instead.

  local scheme
    Description: Local level switching authentication + remote level switching authentication (backup).
    Remarks: The device performs local super authentication. If no level switching password is configured on the device for the target level, the device performs remote super authentication for users logging in through the AUX, TTY, or VTY user interfaces, while allowing users logging in from the console interface to switch to a higher level directly.

Two consequences of these fallbacks deserve attention when choosing a mode. With scheme local, a user who can make the AAA server unreachable from the device is authenticated against the shared local password alone, so that password must be set for every level that matters and guarded like the server credentials. With local scheme, a console user for whom no local password is configured for the target level is not authenticated at all, so either configure a local password for each level or prefer scheme local.

Implementation of Basic Super Authentication Modes

Implementation of Local Super Authentication

With local super authentication, the device prompts a user trying to switch to a higher privilege level to enter the corresponding password and compares the input password with the one configured locally for that level. If the two passwords match, the user passes the authentication; otherwise, the device prompts the user to enter the correct password and try again. After three unsuccessful attempts, the user sees an authentication failure prompt.

Implementation of Remote Super Authentication by a RADIUS Server

By default, the device uses the username entered by the user at login, if any, for super authentication and prompts the user only for the password. If no login username was used, the device prompts the user for the username and then the password.

Because RADIUS cannot identify the privilege level a user is applying for, the RADIUS client generates an authentication request with a username of the form $enab+level, where level is the privilege level the user wants to switch to. For example, if a user wants to switch to privilege level 3, the system uses $enab3 for authentication. When a domain name is required, $enab3@domain is used, where domain is the domain name. Accordingly, a user $enab3 must be added to the RADIUS server.

Upon receiving the authentication request, the RADIUS server authenticates the username and password for level switching. If the authentication succeeds, it sends back an Access-Accept message; if it fails, it returns an Access-Reject message. Users have three attempts to enter a correct username and password. On an incorrect username or password, the system prompts the user to enter the correct ones and try again. After three unsuccessful attempts, the user sees an authentication failure prompt.

Implementation of Remote Super Authentication by an HWTACACS Server

By default, the device uses the login username of the user, if any, for super authentication and therefore prompts the user only for the password. If no login username was used, the device prompts the user for the username and then the password. Unlike RADIUS, HWTACACS can carry a privilege level switching request, so the username entered by the user and the password are used directly for super authentication by the HWTACACS server.

Upon receiving the authentication request, the HWTACACS server authenticates the username and password for level switching. If the authentication succeeds, it sends back an authentication success message; if it fails, it returns an authentication failure message. Users have three attempts to enter a correct username and password. On an incorrect username or password, the system prompts the user to enter the correct ones and try again. After three unsuccessful attempts, the user sees an authentication failure prompt.

Application of Super Authentication Modes

The sections above have described three user interface login authentication modes and four super authentication modes. This section summarizes the information users must enter when the different login authentication modes and super authentication modes are combined, as shown in Table 3. Note that:

  The third column shows the information a user must enter for level switching in the first authentication mode, which is specified in the second column.
  The fourth column shows the information a user must enter for level switching in the second super authentication mode, which is used when the first authentication mode is not available. If no backup authentication mode is configured, a dash (-) is shown in the fourth column.

Table 3 Information needed for user privilege level switching

  User interface login authentication mode: none or password

    local          First: password for switching to the level (configured on the device). Second: -
    local scheme   First: password for switching to the level (configured on the device). Second: username and password for switching to the level (configured on the AAA server).
    scheme         First: username and password for switching to the level (configured on the AAA server). Second: -
    scheme local   First: username and password for switching to the level (configured on the AAA server). Second: password for switching to the level (configured on the device).

  User interface login authentication mode: scheme

    local          First: password for switching to the level (configured on the device). Second: -
    local scheme   First: password for switching to the level (configured on the device). Second: password for switching to the level (configured on the AAA server); the system uses the username used at login as the username for privilege level switching authentication.
    scheme         First: password for switching to the level (configured on the AAA server); the system uses the username used at login as the username for privilege level switching authentication. Second: -
    scheme local   First: password for switching to the level (configured on the AAA server); the system uses the username used at login as the username for privilege level switching authentication. Second: password for switching to the level (configured on the device).
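The following Python model is an added example, not H3C device or server code. It puts the RADIUS exchange from "Implementation of Remote Super Authentication by a RADIUS Server" and the scheme local fallback from Table 2 into running code: for super 3 by a user who logged in as test@bbb, the client sends an Access-Request whose User-Name is $enab3@bbb and whose User-Password is hidden with the RFC 2865 MD5/XOR scheme, the server answers Access-Accept or Access-Reject, the user gets three attempts, and when the server does not respond the device falls back to the local level password. The shared secret, the server user database, the local password (654321, as in the Application Scenario) and the packet identifiers are constructed for the example; the function names are the example's own.

```python
"""Model of privilege level switching (super) authentication over RADIUS.

Added example; not H3C code. Secret, user database, local password and
identifiers are constructed values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types
SECRET = b"example-shared-secret"                        # constructed shared secret
RADIUS_USERS = {"$enab3@bbb": "pass3"}                   # constructed server user database
LOCAL_SUPER_PASSWORDS = {3: "654321"}                    # constructed local level-3 password
MAX_ATTEMPTS = 3


def super_username(level, login_name=None):
    """User-Name the RADIUS client sends for `super <level>`.

    RADIUS carries no requested privilege level, so the client asks for the
    fixed user $enab<level>, keeping the login user's domain if there was one.
    """
    name = "$enab%d" % level
    if login_name and "@" in login_name:
        name += "@" + login_name.split("@", 1)[1]
    return name


def _xor_chain(data, secret, authenticator, encrypt):
    """RFC 2865 5.2 User-Password hiding; blocks are chained on the ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = res if encrypt else block
    return out


def hide_password(password, secret, authenticator):
    pw = password.encode()
    pw = pw.ljust(max(16, (len(pw) + 15) // 16 * 16), b"\x00")  # pad to 16n, min 16
    return _xor_chain(pw, secret, authenticator, encrypt=True)


def reveal_password(hidden, secret, authenticator):
    plain = _xor_chain(hidden, secret, authenticator, encrypt=False)
    # A wrong secret yields garbage; decode leniently so the server rejects instead of crashing.
    return plain.rstrip(b"\x00").decode("utf-8", "replace")


def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_avps(data):
    attrs = {}
    while data:
        attr_type, attr_len = data[0], data[1]
        attrs[attr_type] = data[2:attr_len]
        data = data[attr_len:]
    return attrs


def build_access_request(ident, username, password, secret):
    """Client side: Code 1, Identifier, Length, random Request Authenticator, AVPs."""
    req_auth = os.urandom(16)
    attrs = _avp(USER_NAME, username.encode()) + _avp(
        USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def radius_server(packet, secret, users):
    """Server side: recover User-Password, answer Access-Accept or Access-Reject."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_avps(packet[20:length])
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    resp_code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", resp_code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def super_switch(level, login_name, typed_passwords, server_up=True):
    """Model of `super <level>` under `super authentication-mode scheme local`.

    typed_passwords are the passwords the user types, in order. Returns
    (granted, attempts_used, method) with method "radius", "local" or None.
    """
    attempts = 0
    for ident, password in enumerate(typed_passwords[:MAX_ATTEMPTS]):
        attempts += 1
        if server_up:
            request = build_access_request(ident, super_username(level, login_name), password, SECRET)
            if radius_server(request, SECRET, RADIUS_USERS)[0] == ACCESS_ACCEPT:
                return True, attempts, "radius"
        elif password == LOCAL_SUPER_PASSWORDS.get(level):  # "Change authentication mode to local"
            return True, attempts, "local"
    return False, attempts, None


if __name__ == "__main__":
    print(super_username(3, "test@bbb"))                             # $enab3@bbb
    print(super_switch(3, "test@bbb", ["pass3"]))                     # (True, 1, 'radius')
    print(super_switch(3, "test@bbb", ["654321"], server_up=False))   # (True, 1, 'local')
```

Two points the model makes visible. The server never sees test@bbb during the switch: it sees $enab3@bbb, so the level-3 password is a per-level secret on the server, not a per-user one, and whether the domain suffix is kept depends on the device's RADIUS settings (the text only says $enab3@domain is used when the domain name is required). And the RADIUS password (pass3) and the local fallback password (654321) are independent secrets: typing the server password while the server is unreachable fails, exactly as the two sessions in the Application Scenario show.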

Application Scenario

Network requirements

As shown in Figure 1, Device performs local authentication of the Telnet user test@bbb, who can access only commands of level 0 after successful login. When the Telnet user switches to privilege level 3, Device must use the RADIUS server for level switching authentication and, if RADIUS authentication is not available or the AAA configuration is ineffective, use local authentication instead.

Figure 1 Network diagram for privilege level switching authentication

  Telnet user (192.168.1.58/24) --- Eth1/1 (192.168.1.70/24) [Device] Eth1/2 (10.1.1.2/24) --- Internet --- RADIUS server (10.1.1.1/24)

Login and level switching processes

1) Telnetting to Device

On the user PC, launch Telnet and enter the username test@bbb and the password to log in to the user interface of Device. Only commands of level 0 can be accessed.

  <Device> telnet 192.168.1.70
  Trying 192.168.1.70...
  Press CTRL+K to abort
  Connected to 192.168.1.70...
  **************************************************************************
  * Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
  * Without the owner's prior written consent,                             *
  * no decompiling or reverse-engineering shall be allowed.                *
  **************************************************************************
  Login authentication
  Username:test@bbb
  Password:
  <Device> ?
  User view commands:
    cluster  Run cluster command

    display  Display current system information
    ping     Ping function
    quit     Exit from current command view
    ssh2     Establish a secure shell client connection
    super    Set the current user priority level
    telnet   Establish one TELNET connection
    tracert  Trace route function

2) Switching the user privilege level

# Execute the command for switching to level 3 in the user interface and enter the level switching password pass3 as prompted. After successful authentication, the privilege level changes to 3.

  <Device> super 3
  Password: <Enter the password for RADIUS level switching authentication>
  User privilege level is 3, and only those commands can be used whose level is equal or less than this.
  Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

# If RADIUS authentication is not available, the system prompts an error and the level switching authentication mode changes to local authentication. The password 654321 is needed for local authentication.

  <Device> super 3
  Password:
  Error: Invalid configuration or no response from the authentication server.
  Info: Change authentication mode to local.
  Password: <Enter the password for switching to level 3 to pass local privilege level switching authentication>
  User privilege level is 3, and only those commands can be used whose level is equal or less than this.
  Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

Copyright 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.