H3C S3610 Series Operation Manual

AAA & RADIUS & HWTACACS
Table of Contents

Operation Manual - AAA & RADIUS & HWTACACS
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 AAA & RADIUS & HWTACACS Configuration .......................................................... 1-1
1.1 Overview ............................................................................................................................ 1-1
1.1.1 Introduction to AAA ................................................................................................. 1-1
1.1.2 Introduction to ISP Domain ..................................................................................... 1-2
1.1.3 Introduction to RADIUS........................................................................................... 1-2
1.1.4 Introduction to HWTACACS.................................................................................... 1-8
1.2 Configuration Tasks ......................................................................................................... 1-12
1.3 AAA Configuration ........................................................................................................... 1-14
1.3.1 Configuration Prerequisites................................................................................... 1-15
1.3.2 Creating an ISP Domain ....................................................................................... 1-15
1.3.3 Configuring the Attributes of an ISP Domain ........................................................ 1-16
1.3.4 Configuring AAA Authentication of an ISP Domain .............................................. 1-16
1.3.5 Configuring AAA Authorization of an ISP Domain ................................................ 1-18
1.3.6 Configuring AAA Accounting of an ISP Domain ................................................... 1-20
1.3.7 Configuring the Attributes of a Local User ............................................................ 1-22
1.3.8 Cutting Down User Connections Forcibly ............................................................. 1-24
1.4 RADIUS Configuration..................................................................................................... 1-25
1.4.1 Creating a RADIUS Scheme................................................................................. 1-25
1.4.4 Configuring Shared Keys for RADIUS Packets .................................................... 1-28
1.4.6 Configuring the Supported RADIUS Server Type................................................. 1-30
1.4.7 Configuring the Status of RADIUS Servers .......................................................... 1-30
1.4.9 Configuring a Local RADIUS Server ..................................................................... 1-32
1.4.10 Configuring the Timers of RADIUS Servers........................................................ 1-33
1.5 HWTACACS Configuration.............................................................................................. 1-34
1.5.1 Creating a HWTACACS Scheme.......................................................................... 1-34
1.5.2 Configuring HWTACACS Authentication Servers................................................. 1-35
1.5.3 Configuring HWTACACS Authorization Servers................................................... 1-36
1.5.4 Configuring HWTACACS Accounting Servers...................................................... 1-36
1.5.5 Configuring Shared Keys for RADIUS Packets .................................................... 1-37
1.5.7 Configuring the Timers of TACACS Servers......................................................... 1-39
1.7 AAA & RADIUS & HWTACACS Configuration Examples ............................................... 1-42
1.7.1 Remote RADIUS Authentication of Telnet/SSH Users ......................................... 1-42

Summary of Contents for H3C S3610 Series

  • Page 1: Table of Contents

  • Page 2 1.7.2 Local Authentication, Authorization and Accounting for FTP/Telnet Users 1-44; 1.7.3 TACACS Authentication/Authorization and Accounting of Telnet Users 1-46; 1.7.4 Local Authentication, HWTACACS Authorization and RADIUS Accounting of Telnet Users...
  • Page 3: Chapter 1 AAA & RADIUS & HWTACACS Configuration

    Remote authentication: Users are authenticated remotely through the RADIUS protocol or HWTACACS protocol. This device (for example, an H3C series switch) acts as the client to communicate with the RADIUS server or TACACS server. For the RADIUS protocol, both standard and extended RADIUS protocols can be used.
  • Page 4: Introduction to ISP Domain

    bound together, and you cannot perform RADIUS authorization alone without RADIUS authentication. HWTACACS authorization: Users are authorized by the TACACS server.
  • Page 5 Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the frame format and message transfer mechanism of RADIUS, and define 1812 as the authentication port and 1813 as the accounting port.
  • Page 6 Figure 1-2 Basic message exchange procedure of RADIUS. The basic message exchange procedure of RADIUS is as follows: The user enters the user name and password.
  • Page 7 III. RADIUS packet structure. RADIUS uses UDP to transmit messages. It ensures correct message exchange between the RADIUS server and client through the following mechanisms: timer management, retransmission, and backup server.
  • Page 8 Table (columns: Code, Packet type, Packet description). Direction: server->client. The server transmits this packet to the client to notify Accounting-Res...
  • Page 9 Table (columns: Value of the Type field, Attribute type; two column pairs side by side). Attribute types include Framed-IP-Address, Called-Station-Id, Framed-IP-Netmask, Calling-Station-Id...
  • Page 10: Introduction to HWTACACS

    1.1.4 Introduction to HWTACACS. I. What is HWTACACS: HUAWEI Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492).
  • Page 11 [Figure: HWTACACS networking, showing a terminal user, an HWTACACS client, and HWTACACS servers 129.7.66.66 and 129.7.66.67...]
  • Page 12 Figure 1-6 The AAA implementation procedure for a Telnet user. The basic message exchange procedure is as follows: A user requests access to the switch;...
  • Page 13 The TACACS server sends back an authentication response indicating that the user has passed the authentication. The TACACS client sends the user authorization request packet to the TACACS server.
  • Page 14: Configuration Tasks

    1.2 Configuration Tasks. Table 1-4 Configuration tasks: Operation: Create domain; Description: Required; Related section: Section 1.3.2 “Creating an ISP Domain”...
  • Page 15 Operation: Create a RADIUS scheme; Description: Required; Related section: Section 1.4.1 “Creating a RADIUS Scheme”. Operation: Configure RADIUS ...; Related section: Section 1.4.2 “Configuring RADIUS...
  • Page 16: AAA Configuration

    Operation: Create HWTACACS scheme; Description: Required; Related section: Section 1.5.1 “Creating HWTACACS Scheme”. Operation: Configure HWTACACS ...; Related section: Section 1.5.2 “Configuring HWTACACS...
  • Page 17: Configuration Prerequisites

    1.3.1 Configuration Prerequisites. If you want to adopt the remote AAA method, you must create a RADIUS or HWTACACS scheme.
  • Page 18: Configuring the Attributes of an ISP Domain

    1.3.3 Configuring the Attributes of an ISP Domain. Table 1-6 Configure the attributes of an ISP domain (columns: Operation...)
  • Page 19 accounting. In AAA, you can use only authentication rather than authorization or accounting. Without any configuration, the authentication of the domain is local by default.
  • Page 20: Configuring AAA Authorization of an ISP Domain

    Caution: The authentication configured by the authentication default command is applicable to all users. That is, the configuration takes effect for all users. But its priority is lower than that configured for the specified access mode.
  • Page 21 Table 1-8 Configure AAA authorization of an ISP domain: Operation: Enter system view; Command: system-view; Remarks: —. Operation: Create an ISP domain or...
  • Page 22: Configuring AAA Accounting of an ISP Domain

    Caution: The authorization configured by the authorization default command is applicable to all users. That is, the configuration takes effect for all users. But its priority is lower than that configured for the specified access mode.
  • Page 23 Table 1-9 Configure AAA accounting of an ISP domain: Operation: Enter system view; Command: system-view; Remarks: —. Operation: Create an ISP domain...
  • Page 24: Configuring the Attributes of a Local User

    Caution: When charging a user, if the system does not find any available accounting server or fails to communicate with any accounting server, it will not disconnect the user as long as the accounting optional command has been executed.
  • Page 25 Operation: Add a local user and enter local user view; Command: local-user user-name; Description: Required. By default, there is no local user in the system.
  • Page 26: Cutting Down User Connections Forcibly

    Caution: After the local-user password-display-mode cipher-force command is executed, all passwords will be displayed in cipher mode even though you specify that user passwords are to be displayed in plain text by using the password command.
  • Page 27: RADIUS Configuration

    1.4 RADIUS Configuration. RADIUS protocol configuration is performed on a RADIUS scheme basis. In an actual network environment, you can use either a single RADIUS server or two RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme.
  • Page 28: Configuring RADIUS Authentication/Authorization Servers

    1.4.2 Configuring RADIUS Authentication/Authorization Servers. Table 1-13 Configure RADIUS authentication/authorization server: Operation: Enter system view; Command: system-view; Description: —...
  • Page 29: Configuring RADIUS Accounting Servers and Related Parameters

    1.4.3 Configuring RADIUS Accounting Servers and Related Parameters. Table 1-14 Configure RADIUS accounting server and related parameters (columns: Operation...)
  • Page 30: Configuring Shared Keys for RADIUS Packets

    Caution: In an actual network environment, you can either specify two RADIUS servers as the primary and secondary accounting servers respectively, or specify only one server as both the primary and secondary accounting server.
  • Page 31: Configuring the Maximum Number of Transmission Attempts of RADIUS Packets

    Operation: Set a shared key for RADIUS accounting; Command: key accounting string; Description: Required. By default, no key is set for any RADIUS server.
  • Page 32: Configuring the Supported RADIUS Server Type

    1.4.6 Configuring the Supported RADIUS Server Type. Table 1-17 Configure the supported RADIUS server type (columns: Operation, Command, Description)...
  • Page 33: Configuring the Attributes for Data to Be Sent to RADIUS Servers

    Table 1-18 Set the status of RADIUS servers: Operation: Enter system view; Command: system-view; Description: —. Required ... default,...
  • Page 34: Configuring a Local RADIUS Server

    ... RADIUS scheme view. Operation: Set the source address used; Command: nas-ip ip-address; Description: Optional. By default, no source IP address is specified;...
  • Page 35: Configuring the Timers of RADIUS Servers

    Table 1-20 Configure local RADIUS authentication server: Operation: Enter system view; Command: system-view; Description: —. Operation: Enable local ...; Description: Optional...
  • Page 36: HWTACACS Configuration

    Table 1-21 Set the timers of RADIUS server: Operation: Enter system view; Command: system-view; Description: —. Operation: Create a RADIUS ...; Description: Required...
  • Page 37: Configuring HWTACACS Authentication Servers

    Caution: The system supports up to 16 HWTACACS schemes. You can only delete the schemes that are not being used.
  • Page 38: Configuring HWTACACS Authorization Servers

    1.5.3 Configuring HWTACACS Authorization Servers. Table 1-24 Configure TACACS authorization servers: Operation: Enter system view; Command: system-view; Description: —...
  • Page 39: Configuring Shared Keys for RADIUS Packets

    Operation: Set the IP address and port of the secondary accounting ...; Description: Required. By default, the IP address of ...
  • Page 40: Configuring the Attributes for Data to Be Sent to TACACS Servers

    Table 1-26 Configure shared keys for TACACS packets: Operation: Enter system view; Command: system-view; Description: —. Operation: Create a HWTACACS ...; Description: Required...
  • Page 41: Configuring the Timers of TACACS Servers

    Caution: Generally, access users are named in the userid@isp-name format, where the isp-name after the @ character represents the ISP domain name. If the TACACS...
  • Page 42: Displaying and Maintaining AAA & RADIUS & HWTACACS Information

    Caution: The setting of the real-time accounting interval is indispensable to real-time accounting. After an interval value is set, the device transmits the accounting information of online users to the TACACS accounting server at intervals of this value.
  • Page 43 Table 1-30 Display and maintain RADIUS protocol information: Operation: Display statistics about local RADIUS ...; Command: display local-server ...
  • Page 44: AAA & RADIUS & HWTACACS Configuration Examples

    Operation: Clear the statistics about the TACACS protocol; Command: reset hwtacacs statistics { accounting | authentication | authorization | all }...
  • Page 45 Add Telnet user names and login passwords. The Telnet user name added to the RADIUS server must be in the format userid@isp-name if you have configured the switch to include domain names in the user names sent to the RADIUS server.
  • Page 46: Local Authentication, Authorization and Accounting for FTP/Telnet Users

    # Configure a RADIUS scheme.
    [Sysname] radius scheme cams
    [Sysname-radius-cams] primary authentication 10.110.91.164 1812
    [Sysname-radius-cams] primary accounting 10.110.91.164 1813
    ...
  • Page 47 II. Networking diagram. Figure 1-8 Local authentication, authorization and accounting configuration for Telnet users. III. Configuration procedure. Method 1: Using local authentication, authorization and accounting.
  • Page 48: TACACS Authentication/Authorization and Accounting of Telnet Users

    This method is similar to the remote authentication method described in section 1.7.1. The differences are as follows: You need to change the server IP address in the configuration step "Configure a...
  • Page 49: Local Authentication, HWTACACS Authorization and RADIUS Accounting of Telnet Users

    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] authentication-mode scheme
    [Sysname-ui-vty0-4] quit
    # Configure HWTACACS scheme.
    [Sysname] hwtacacs scheme hwtac
    [Sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49
    ...
  • Page 50 Note: For the AAA applications of users of other access types, the AAA configuration on the domain is similar to that for Telnet users, except for the different access types.
  • Page 51: Troubleshooting AAA & RADIUS & HWTACACS Configuration

    # Create local user telnet.
    [Sysname] local-user telnet
    [Sysname-luser-telnet] service-type telnet
    [Sysname-luser-telnet] password simple telnet
    [Sysname-luser-telnet] quit
    # Enable Telnet.
  • Page 52: Troubleshooting the HWTACACS Protocol

    The switch cannot communicate with the RADIUS server (you can determine this by pinging the RADIUS server from the switch): Take measures to make the switch communicate with the RADIUS server normally.

This manual is also suitable for:

S5510 series
