HUAWEI NetEngine5000E Core Router V300R007C00
Configuration Guide - Security

Issue 02
Date 2009-12-10

HUAWEI TECHNOLOGIES CO., LTD.



Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 02 (2009-12-10)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.



About This Document

Purpose
This document introduces the AAA and user management, ARP security, URPF, local attack defense, and mirroring functions supported by the NE5000E; describes the principles, configurations, and applications of these functions; and introduces the security defense policies supported by the NE5000E.

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

Related Versions
The following table lists the product versions related to this document.

Product Name: HUAWEI NetEngine5000E Core Router
Version: V300R007C00

Intended Audience
This document is intended for:
- Commissioning engineers
- Data configuration engineers
- Network monitoring engineers
- System maintenance engineers


Organization
This document is organized as follows.

Chapter 1 AAA and User Management Configurations
    This chapter introduces Authentication, Authorization and Accounting (AAA) security services, including RADIUS, HWTACACS, domain-based user management, and local user management, and their configuration steps, along with typical examples.

Chapter 2 ARP Security Configuration
    This chapter describes the types of ARP security that the NE5000E supports, and the configuration and applications of ARP security, along with typical examples.

Chapter 3 URPF Configuration
    This chapter describes the concepts and configuration steps of URPF.

Chapter 4 Configuration of Local Attack Defense
    This chapter describes the principle, configuration, and application of Local Attack Defense.

Chapter 5 Mirroring Configuration
    This chapter describes the mirroring configuration based on port and traffic classifier, along with typical examples.

Appendix A Attributes List of RADIUS and HWTACACS
    This appendix covers the attributes of RADIUS and HWTACACS.

Appendix B Glossary
    This appendix collates the glossary terms frequently used in this document.

Appendix C Acronyms and Abbreviations
    This appendix collates the acronyms and abbreviations frequently used in this document.

Conventions

Symbol Conventions
The symbols that may be found in this document are defined as follows. Each symbol is a graphic; its meaning is given by its description.

- Indicates a hazard with a high level of risk, which, if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk, which, if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation, which, if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.

Times New Roman: Normal paragraphs are in Times New Roman.
Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic: Book titles are in italics.
Courier New: Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a certain position.


Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 02 (2009-12-10)
Second commercial release.

Updates in Issue 01 (2009-09-05)
Initial field trial release.


Contents

About This Document ..... iii

1 AAA and User Management Configurations ..... 1-1
1.1 Overview to AAA and User Management ..... 1-2
1.1.1 Introduction to AAA and User Management ..... 1-2
1.1.2 AAA and User Management Supported by the NE5000E ..... 1-3
1.2 Configuring Local User Management ..... 1-3
1.2.1 Establishing the Configuration Task ..... 1-4
1.2.2 Creating a Local User Account ..... 1-4
1.2.3 Configuring the Type of the Service That the Local User Accesses ..... 1-5
1.2.4 Configuring the Local User Authority of Accessing the FTP Directory ..... 1-5
1.2.5 Configuring Local User Status ..... 1-6
1.2.6 Configuring the Local User Level ..... 1-7
1.2.7 Setting the Maximum Number of Access Users with the Same User Name ..... 1-7
1.2.8 Local Users Changing the Passwords ..... 1-8
1.2.9 Cutting Off Online Users Forcibly ..... 1-8
1.2.10 Checking the Configuration ..... 1-9
1.3 Configuring AAA Schemes ..... 1-9
1.3.1 Establishing the Configuration Task ..... 1-10
1.3.2 (Optional) Enabling RADIUS/HWTACACS Functions ..... 1-11
1.3.3 Configuring the Authentication Scheme ..... 1-11
1.3.4 (Optional) Configuring the Authorization Scheme ..... 1-12
1.3.5 Configuring the Accounting Scheme ..... 1-13
1.3.6 (Optional) Configuring the Recording Scheme ..... 1-15
1.3.7 Allocating IP Addresses to Users ..... 1-15
1.3.8 Checking the Configuration ..... 1-17
1.4 Configuring Server Templates ..... 1-19
1.4.1 Establishing the Configuration Task ..... 1-19
1.4.2 Configuring the RADIUS Server Template ..... 1-20
1.4.3 Configuring the HWTACACS Server Template ..... 1-23
1.4.4 Checking the Configuration ..... 1-28
1.5 Configuring Domains ..... 1-29
1.5.1 Establishing the Configuration Task ..... 1-30
1.5.2 Creating a Domain ..... 1-30
1.5.3 Configuring the Authentication, Authorization and Accounting Schemes of the Domain ..... 1-31
1.5.4 Configuring the RADIUS Server Template ..... 1-32
1.5.5 Configuring the HWTACACS Server Template ..... 1-32
1.5.6 Configuring the Address-related Attributes of the Domain ..... 1-33
1.5.7 Configuring the Domain State ..... 1-34
1.5.8 Configuring the Maximum Number of Access Users Allowed by the Domain ..... 1-34
1.5.9 Configuring the Idle-Cut Parameters for a Domain ..... 1-35
1.5.10 Checking the Configuration ..... 1-36
1.6 Maintaining AAA and User Management ..... 1-36
1.6.1 Clearing the Statistics of AAA and User Management ..... 1-36
1.6.2 Debugging AAA and User Management ..... 1-37
1.7 Configuration Examples ..... 1-37
1.7.1 Example for Configuring the RADIUS Authentication and Accounting for Local Users ..... 1-38
1.7.2 Example for Configuring the HWTACACS Authentication, Authorization, and Accounting Mode ..... 1-41
1.7.3 Example of Configuring the HWTACACS Authentication and Authorization in the MPLS VPN Network ..... 1-45

2 ARP Security Configuration ..... 2-1
2.1 Overview to ARP Security ..... 2-2
2.1.1 Introduction to ARP Security ..... 2-2
2.1.2 ARP Security Supported by the NE5000E ..... 2-2
2.2 Preventing Attacks on ARP Entries ..... 2-3
2.2.1 Establishing the Configuration Task ..... 2-3
2.2.2 Configuring Global Strict ARP Entry Learning ..... 2-4
2.2.3 Configuring Strict ARP Entry Learning on Interfaces ..... 2-4
2.2.4 Checking the Destination IP Addresses of ARP Packets ..... 2-5
2.2.5 Configuring Speed Limit for ARP Packets ..... 2-6
2.2.6 Configuring Interface-based ARP Entry Restriction ..... 2-6
2.2.7 Checking the Configuration ..... 2-7
2.3 Maintaining the ARP Security ..... 2-8
2.3.1 Displaying Statistics About ARP Packets ..... 2-8
2.3.2 Clearing Statistics About ARP Packets ..... 2-8
2.3.3 Debugging ARP Packets ..... 2-9
2.4 Configuration Examples ..... 2-9
2.4.1 Example for Preventing Attacks on ARP Entries ..... 2-9

3 URPF Configuration ..... 3-1
3.1 Overview to URPF ..... 3-2
3.1.1 Introduction to URPF ..... 3-2
3.1.2 URPF Supported by the NE5000E ..... 3-4
3.2 Configuring URPF ..... 3-4
3.2.1 Establishing the Configuration Task ..... 3-4
3.2.2 Configuring LPU-based URPF ..... 3-5
3.2.3 Configuring URPF on an Interface ..... 3-5
3.2.4 Configuring Flow-based URPF ..... 3-6
3.2.5 Checking the Configuration ..... 3-7
3.3 Maintaining the URPF ..... 3-8
3.3.1 Resetting the Statistics of URPF ..... 3-8
3.4 Configuration Example ..... 3-8
3.4.1 Example for Configuring URPF ..... 3-9

4 Configuration of Local Attack Defense ..... 4-1
4.1 Overview to Local Attack Defense ..... 4-2
4.1.1 Introduction to Local Attack Defense ..... 4-2
4.1.2 Local Attack Defense Supported by the NE5000E ..... 4-2
4.1.3 Applications of Local Attack Defense ..... 4-3
4.2 Configuring Attack Defense Tracing and Enabling Alarming for Packet Discarding ..... 4-4
4.2.1 Establishing the Configuration Task ..... 4-5
4.2.2 Creating the Attack Defense Policy ..... 4-5
4.2.3 Enabling Attack Source Tracing ..... 4-6
4.2.4 Configuring Attack Source Tracing ..... 4-6
4.2.5 Configuring the Alarm on Rate for Discarding Packets ..... 4-7
4.2.6 Applying the Attack Defense Policy ..... 4-8
4.2.7 Checking the Configuration ..... 4-8
4.3 Configuring Local URPF ..... 4-10
4.3.1 Establishing the Configuration Task ..... 4-11
4.3.2 Creating the Attack Defense Policy ..... 4-11
4.3.3 Configuring Local URPF ..... 4-11
4.3.4 Applying the Attack Defense Policy ..... 4-12
4.3.5 Checking the Configuration ..... 4-12
4.4 Configuring TCP/IP Attack Defense ..... 4-13
4.4.1 Establishing the Configuration Task ..... 4-13
4.4.2 Creating the Attack Defense Policy ..... 4-13
4.4.3 Enabling Defense Against UDP Packet Attacks ..... 4-14
4.4.4 Enabling Defense Against Malformed Packet Attacks ..... 4-14
4.4.5 Applying the Attack Defense Policy ..... 4-15
4.4.6 Checking the Configuration ..... 4-15
4.5 Configuring CAR ..... 4-16
4.5.1 Establishing the Configuration Task ..... 4-16
4.5.2 Creating the Attack Defense Policy ..... 4-17
4.5.3 Creating the Whitelist ..... 4-17
4.5.4 Creating the Blacklist ..... 4-18
4.5.5 Configuring the User-Defined Flow ..... 4-18
4.5.6 Configuring Packet Matching Order ..... 4-19
4.5.7 Configuring CAR ..... 4-20
4.5.8 Configuring Packet Sending Priority ..... 4-20
4.5.9 Applying the Attack Defense Policy ..... 4-21
4.5.10 Checking the Configuration ..... 4-21
4.6 Configuring Application Layer Association ..... 4-23
4.6.1 Establishing the Configuration Task ..... 4-24
4.6.2 Creating the Attack Defense Policy ..... 4-24
4.6.3 Disabling Application Layer Association ..... 4-24
4.6.4 Configuring the Packet Processing Mode ..... 4-25
4.6.5 Applying the Attack Defense Policy ..... 4-25
4.6.6 Checking the Configuration ..... 4-26
4.7 Configuring Management/Control Plane Protection ..... 4-28
4.7.1 Establishing the Configuration Task ..... 4-28
4.7.2 Configuring Global Policy for Management/Control Plane Protection ..... 4-29
4.7.3 Configuring a Slot-based Policy for Management/Control Plane Protection ..... 4-29
4.7.4 Configuring Interface-level Policy for Management/Control Plane Protection ..... 4-30
4.7.5 Checking the Configuration ..... 4-31
4.8 Maintaining Local Attack Defense ..... 4-32
4.8.1 Resetting the Statistics of Attack Defense ..... 4-33
4.9 Configuration Example ..... 4-33
4.9.1 Example for Local Attack Defense ..... 4-33

5 Mirroring Configuration ..... 5-1
5.1 Overview to Mirroring ..... 5-2
5.1.1 Introduction to Mirroring ..... 5-2
5.1.2 Mirroring Features Supported by the NE5000E ..... 5-2
5.2 Configuring Local Port Mirroring ..... 5-2
5.2.1 Establishing the Configuration Task ..... 5-3
5.2.2 Configuring the Observing Port ..... 5-3
5.2.3 Configuring the Observing Port for the Entire LPU ..... 5-4
5.2.4 Configuring Local Port Mirroring ..... 5-4
5.2.5 Checking the Configuration ..... 5-5
5.3 Configuring Local Traffic Mirroring ..... 5-6
5.3.1 Establishing the Configuration Task ..... 5-6
5.3.2 Configuring the Observing Port ..... 5-7
5.3.3 Configuring the Observing Port for the Entire LPU ..... 5-8
5.3.4 Defining the Traffic Class ..... 5-8
5.3.5 Defining the Traffic Behavior and Enabling Local Traffic Mirroring ..... 5-9
5.3.6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior ..... 5-9
5.3.7 Applying the Traffic Policy to the Mirrored Port ..... 5-10
5.3.8 Checking the Configuration ..... 5-11
5.4 Configuration Examples ..... 5-12
5.4.1 Example for Configuring Local Port Mirroring ..... 5-12
5.4.2 Example for Configuring Local Flow Mirroring ..... 5-14

A Attributes List of RADIUS and HWTACACS ..... A-1
A.1 RADIUS Attribute ..... A-2
A.1.1 Standard RADIUS Attribute ..... A-2
A.1.2 Huawei RADIUS Attribute ..... A-5
A.2 HWTACACS Attribute ..... A-9

B Glossary ..... B-1

C Acronyms and Abbreviations ..... C-1

Figures

Figure 1-1 Networking diagram of RADIUS authentication and accounting ... 1-38
Figure 1-2 Networking diagram of local authentication and HWTACACS authentication, authorization, and accounting ... 1-42
Figure 1-3 Diagram of configuring HWTACACS authentication and authorization of administrators ... 1-45
Figure 2-1 Networking diagram of preventing attacks on ARP entries ... 2-10
Figure 3-1 Schematic diagram of the source address spoofing attack ... 3-2
Figure 3-2 URPF applied on a single-homed client ... 3-2
Figure 3-3 Application environment of the URPF multi-homed client ... 3-3
Figure 3-4 Applicable environment of multi-homed client and multi-ISPs ... 3-3
Figure 3-5 Networking diagram of configuring URPF ... 3-9
Figure 4-1 Networking diagram of configuring the local attack defense ... 4-33
Figure 5-1 Networking diagram of port mirroring ... 5-12
Figure 5-2 Networking diagram of flow mirroring ... 5-15

1 AAA and User Management Configurations

About This Chapter

This chapter describes the Authentication, Authorization and Accounting (AAA) security services, including RADIUS, HWTACACS, domain-based user management and local user management, their configuration steps, and typical examples.

1.1 Overview to AAA and User Management
This section describes the principle and concepts of AAA and user management.
1.2 Configuring Local User Management
This section describes how to manage local users.
1.3 Configuring AAA Schemes
This section describes how to configure various attributes of AAA.
1.4 Configuring Server Templates
This section describes how to configure a server template.
1.5 Configuring Domains
This section describes how to configure a domain.
1.6 Maintaining AAA and User Management
This section describes how to reset statistics and debug RADIUS or HWTACACS.
1.7 Configuration Examples
This section provides two configuration examples of AAA and user management.


1.1 Overview to AAA and User Management

This section describes the principle and concepts of AAA and user management.
1.1.1 Introduction to AAA and User Management
1.1.2 AAA and User Management Supported by the NE5000E

1.1.1 Introduction to AAA and User Management

Authentication, Authorization and Accounting (AAA) are three types of security services.
- Authentication: determines which users can access the network.
- Authorization: authorizes the user to use some services.
- Accounting: records the network resource utilization of the user.

AAA adopts the server/client model. In this model, the client runs on the side of the administrated resource and the server stores the user information. This model has good extensibility and is convenient for centralized management of user information.

AAA supports three types of authentication modes: non-authentication, local authentication, and remote authentication. The remote authentication mode supports two protocols: Remote Authentication Dial In User Service (RADIUS) and Huawei Terminal Access Controller Access Control System (HWTACACS).

AAA supports four types of authorization modes: direct authorization, local authorization, HWTACACS authorization, and if-authenticated authorization.

NOTE
- RADIUS integrates authentication and authorization. Therefore, RADIUS authorization cannot be performed separately.
- Users that have passed HWTACACS authentication can actively modify the passwords saved on the TACACS server.

AAA supports four types of accounting modes: non-accounting, remote accounting. User authentication, authorization, and accounting should all be performed in the domain view.

Domain-based User Management

The NAS can manage users in two ways:
- Managing users based on domains: configurations such as the default authorization, the RADIUS or HWTACACS template, and the authentication and accounting can be performed in a domain.
- Managing users based on user accounts.

In current AAA implementations, users are categorized into different domains. The domain to which a user belongs is determined by the character string that follows the "@" in the user name. For example, the user "user@hua" belongs to the domain "hua". If there is no "@" in the user name, the user belongs to the domain "default". Besides the default domain, AAA users can create up to 254 domains.

All the AAA users are configured in the domain view through the application of authentication scheme, authorization scheme, and accounting scheme. The corresponding modes are preconfigured respectively in the AAA view. AAA, by default, adopts local authentication, local authorization, and no accounting schemes respectively. If a domain is created but no scheme is specified for the domain, AAA adopts the default schemes for this domain. The authorization precedence configured within a domain is lower than that configured on an AAA server. In other words, the authorization attribute of the AAA server is used first. The domain authorization attribute is valid only when the AAA server does not have this authorization or does not support this authorization. In this way, you can add services flexibly when using domains regardless of the attribute limitations of the AAA server.
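The domain rule, the default schemes and the server-over-domain authorization precedence described above, as an added Python model (example code written for this page, not Huawei code or the router's implementation). The attribute names "level" and "ftp-directory" and the directory value are placeholders chosen for the example, not the router's attribute identifiers:

```python
"""Domain-based AAA resolution as described in the text above.

Added illustration, not Huawei code. Three statements are modelled: the
domain is the string after '@' in the user name ("default" when there is no
'@'), a domain created without explicit schemes inherits local
authentication, local authorization and no accounting, and an authorization
attribute delivered by the AAA server takes precedence over the same
attribute configured in the domain. Attribute names such as "level" and
"ftp-directory" are placeholders for the example only.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_DOMAIN = "default"
MAX_USER_DOMAINS = 254  # domains that may be created besides "default"
DEFAULT_SCHEMES = {"authentication": "local",
                   "authorization": "local",
                   "accounting": "none"}


def split_user_name(user_name: str) -> Tuple[str, str]:
    """Return (user, domain) following the '@' rule of the text."""
    if "@" not in user_name:
        return user_name, DEFAULT_DOMAIN
    user, _, domain = user_name.partition("@")
    if not user or not domain:
        # Assumption: an empty half ("@hua", "user@") is rejected here; the
        # text does not say how the router treats such a name.
        raise ValueError(f"malformed user name: {user_name!r}")
    return user, domain


@dataclass
class Domain:
    name: str
    schemes: Dict[str, str] = field(default_factory=dict)        # type -> mode
    authorization: Dict[str, str] = field(default_factory=dict)  # attribute -> value


class DomainTable:
    """The set of domains known to the NAS; "default" always exists."""

    def __init__(self) -> None:
        self.domains: Dict[str, Domain] = {DEFAULT_DOMAIN: Domain(DEFAULT_DOMAIN)}

    def create(self, name: str, **kwargs) -> Domain:
        if name in self.domains:
            return self.domains[name]
        if len(self.domains) - 1 >= MAX_USER_DOMAINS:
            raise ValueError("domain limit (254) reached")
        domain = Domain(name, **kwargs)
        self.domains[name] = domain
        return domain

    def lookup(self, user_name: str) -> Tuple[str, Optional[Domain]]:
        """Resolve a login name to (user, domain); domain is None if unknown."""
        user, domain_name = split_user_name(user_name)
        return user, self.domains.get(domain_name)


def effective_schemes(domain: Domain) -> Dict[str, str]:
    """Scheme modes that apply to the domain, with the AAA defaults filled in."""
    return {kind: domain.schemes.get(kind, default)
            for kind, default in DEFAULT_SCHEMES.items()}


def effective_authorization(domain: Domain,
                            server_attrs: Dict[str, str]) -> Dict[str, str]:
    """Merge domain and server authorization: the server value wins, the
    domain value is used only for attributes the server did not return."""
    merged = dict(domain.authorization)
    merged.update(server_attrs)
    return merged


def resolve(table: DomainTable, user_name: str,
            server_attrs: Dict[str, str]) -> Dict[str, object]:
    """Everything the NAS applies to one login, in one place."""
    user, domain = table.lookup(user_name)
    if domain is None:
        raise LookupError(f"unknown domain for {user_name!r}")
    return {"user": user,
            "domain": domain.name,
            "schemes": effective_schemes(domain),
            "authorization": effective_authorization(domain, server_attrs)}


if __name__ == "__main__":
    nas = DomainTable()
    nas.create("hua", schemes={"authentication": "radius"},
               authorization={"level": "3", "ftp-directory": "cfcard:/hua"})
    # Constructed server reply: the server returned a level, nothing about FTP.
    print(resolve(nas, "user@hua", {"level": "15"}))
```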

Local User Management

Local user management refers to setting up a local user database on the router to maintain user information.

1.1.2 AAA and User Management Supported by the NE5000E

The NE5000E supports all the preceding authentication, authorization, and accounting schemes. In addition, it supports management of users based on domains and management of local users.

The NE5000E allows a user that passes local authentication to change the password. The NE5000E supports two methods of modifying the passwords of users after they pass HWTACACS authentication:
- The TACACS server enables users to modify passwords.
- Users actively modify their passwords through command lines.

HWTACACS supports VPN instance-based forwarding. When the TACACS server of an operator is deployed in a private network and the routers are deployed in the public network, HWTACACS implements authentication, authorization, and accounting for users through the interaction of VPN instances with the TACACS server.

1.2 Configuring Local User Management

This section describes how to manage local users.
1.2.1 Establishing the Configuration Task
1.2.2 Creating a Local User Account
1.2.3 Configuring the Type of the Service That the Local User Accesses
Through this configuration procedure, service-type-based user management is realized.
1.2.4 Configuring the Local User Authority of Accessing the FTP Directory
If the type of the service that the local user accesses is set to FTP, this configuration procedure is mandatory; otherwise, the FTP user cannot log in.
1.2.5 Configuring Local User Status
1.2.6 Configuring the Local User Level
After the local user level is configured, the login user can run a command only when its level is equal to or higher than the command level.
1.2.7 Setting the Maximum Number of Access Users with the Same User Name
1.2.8 Local Users Changing the Passwords
1.2.9 Cutting Off Online Users Forcibly
If cutting off online users based on domain names is configured, all online users in the specified domain are forcibly cut off. If cutting off online users based on user names or authentication modes is configured, the connections that match the condition are cut off simultaneously.
1.2.10 Checking the Configuration

1.2.1 Establishing the Configuration Task

Applicable Environment

You can create a single local user database on a Network Access Server (NAS) to manage access users. Generally, the router is used as the NAS.

Pre-configuration Task

Before configuring local user management, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
- Creating an Access Control List (ACL) and setting ACL rules if you need to apply the ACL to manage local users

Data Preparation

To configure local user management, you need the following data.
1. User name and password
2. Type of the service that the local user accesses
3. Name of the FTP directory that the local user can access
4. Local user status
5. Local user level
6. Limited number of local access users
7. Number of the ACL used to manage the local user

1.2.2 Creating a Local User Account

Context

Do as follows on the NAS:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    local-user user-name [ password { simple | cipher } password ]
A local user account is created. If the user name contains "@", the string before "@" is the user name and the string after "@" is the domain name. If the user name does not contain "@", the whole string is the user name and the domain name is "default".

----End

1.2.3 Configuring the Type of the Service That the Local User Accesses

Through this configuration procedure, service-type-based user management is realized.

Context

Do as follows on the NAS:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    local-user user-name service-type { ftp | ppp | ssh | telnet | terminal } *
The type of the service that the local user accesses is configured. By default, all access types are available for local users.

----End

1.2.4 Configuring the Local User Authority of Accessing the FTP Directory

If the type of the service that the local user accesses is set to FTP, this configuration procedure is mandatory; otherwise, the FTP user cannot log in.

Context

Do as follows on the NAS:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    local-user user-name ftp-directory directory
The local user authority of accessing the FTP directory is configured. By default, the FTP directory is null.

----End

1.2.5 Configuring Local User Status

Context

Do as follows on the NAS:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    local-user user-name state { active | block }
The local user status is configured. By default, the local user is in the active state.

----End

Postrequisite

The local user is processed according to its state:
- If the local user is in the active state, the authentication request from this user is allowed for further processing.
- If the local user is in the block state, the authentication request from this user is denied.

1.2.6 Configuring the Local User Level

After the local user level is configured, the login user can run a command only when its level is equal to or higher than the command level.

Context

Do as follows on the NAS:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    local-user user-name level level
The local user level is configured. By default, the level of the local user is determined by the management module.

----End

Postrequisite

Login users have the same 16 levels as commands: Visit, Monitoring, Configure, and Management, numbered from 0 to 15. The higher the level number, the higher the priority.

1.2.7 Setting the Maximum Number of Access Users with the Same User Name

Context

Do as follows on the NAS:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    local-user user-name access-limit access-limit-number
The local user access limit is configured. By default, the number of access users with the same user name is not restricted.

----End

1.2.8 Local Users Changing the Passwords

Context

Do as follows on the router:

Procedure

Step 1 Run:
    local-user change-password
The password of the local user is changed. Only a user that passes local authentication can change the password.

NOTE
Run the command in the user view.

----End

1.2.9 Cutting Off Online Users Forcibly

If cutting off online users based on domain names is configured, all online users in the specified domain are forcibly cut off. If cutting off online users based on user names or authentication modes is configured, the connections that match the condition are cut off simultaneously.

Context

Do as follows on the NAS:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Perform the following as required to cut off online users forcibly:
- To cut off online users based on domain names, run the cut access-user domain domain-name command.
- To cut off online users based on user names, run the cut access-user username { local | hwtacacs | radius | none | all } [ user-name ] command.
- To cut off online users based on user IDs, run the cut access-user user-id start-num [ end-num ] command.

----End

1.2.10 Checking the Configuration

Prerequisite

The configurations of the local user management are complete.

Procedure

Step 1 Run the display local-user [ domain domain-name | user-name user-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the attributes of the local user.

----End

Example

Run the display local-user command. If the attributes of the local user are displayed, the configuration succeeds. For example:

    display local-user
    ---------------------------------------------------------------------------
    Username    State     Type   CAR   Access-limit   Online
    ---------------------------------------------------------------------------
    bbb         Active    T      Dft   No             1
    ftp         Active    F      Dft   No             0
    ---------------------------------------------------------------------------
    Total 2,2 printed
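An added Python check (not part of the original guide) that parses the display local-user output shown above and flags local accounts with no access limit (the default of 1.2.7) and blocked accounts that still have sessions online. The two extra rows and the "Block" state string are constructed for the example; the page only shows the Active state:

```python
"""Audit of `display local-user` output (added example, not Huawei code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Rows bbb and ftp are the page's sample; ops1 and old-admin are constructed
# so that the checks below have something to report. The "Block" string for a
# blocked account is an assumption; the page shows only "Active".
SAMPLE_OUTPUT = """\
display local-user
---------------------------------------------------------------------------
Username    State     Type   CAR   Access-limit   Online
---------------------------------------------------------------------------
bbb         Active    T      Dft   No             1
ftp         Active    F      Dft   No             0
ops1        Active    T      Dft   2              1
old-admin   Block     T      Dft   No             1
---------------------------------------------------------------------------
Total 4,4 printed
"""


@dataclass
class LocalUser:
    username: str
    state: str
    type: str
    car: str
    access_limit: str  # "No" (unrestricted) or the configured number, as printed
    online: int


def parse_local_users(text: str) -> List[LocalUser]:
    """Turn the six-column table into records; stops at the Total line."""
    users: List[LocalUser] = []
    header_seen = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("display "):
            continue
        if line.startswith("Total "):
            break
        if line.startswith("Username"):
            header_seen = True
            continue
        if not header_seen:
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"unexpected row: {raw!r}")
        users.append(LocalUser(fields[0], fields[1], fields[2], fields[3],
                               fields[4], int(fields[5])))
    return users


def total_matches(text: str, users: List[LocalUser]) -> bool:
    """Cross-check the parsed row count against the 'Total n,m printed' line."""
    match = re.search(r"^Total (\d+),(\d+) printed", text, re.MULTILINE)
    return bool(match) and int(match.group(2)) == len(users)


def audit(users: List[LocalUser]) -> List[Tuple[str, str]]:
    """Findings a reviewer of the local user database would want to see."""
    findings: List[Tuple[str, str]] = []
    for user in users:
        if user.state == "Active" and user.access_limit == "No":
            findings.append((user.username,
                             "no access-limit: unlimited concurrent logins with this name"))
        if user.state == "Block" and user.online > 0:
            findings.append((user.username,
                             "blocked account still has online sessions"))
    return findings


if __name__ == "__main__":
    parsed = parse_local_users(SAMPLE_OUTPUT)
    print("row count consistent:", total_matches(SAMPLE_OUTPUT, parsed))
    for name, reason in audit(parsed):
        print(f"{name}: {reason}")
```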

1.3 Configuring AAA Schemes

This section describes how to configure various attributes of AAA.
1.3.1 Establishing the Configuration Task
1.3.2 (Optional) Enabling RADIUS/HWTACACS Functions
When the RADIUS/HWTACACS functions are disabled, the Authentication, Authorization, and Accounting (AAA) packets sent by the user are discarded.
1.3.3 Configuring the Authentication Scheme
The default authentication mode is local authentication. To allow the user to pass without being authenticated, you need to create an authentication scheme, configure the non-authentication mode in the scheme, and apply the authentication scheme to the specified domain.
1.3.4 (Optional) Configuring the Authorization Scheme
1.3.5 Configuring the Accounting Scheme
1.3.6 (Optional) Configuring the Recording Scheme
1.3.7 Allocating IP Addresses to Users
1.3.8 Checking the Configuration

1.3.1 Establishing the Configuration Task

Applicable Environment

To provide access services for legal users and protect sensitive network devices from unauthorized access, configure AAA.

NOTE
AAA is always enabled on the NAS.

Addresses such as the Class A addresses XXX.255.255.255 and XXX.0.0.0, the Class B addresses XXX.XXX.255.255 and XXX.XXX.0.0, and the Class C addresses XXX.XXX.XXX.255 and XXX.XXX.XXX.0 must not be configured as valid start or end addresses of the address pool. If the address pool contains these addresses, the addresses cannot be allocated.

NOTE
IP address negotiation needs to be configured on the client and the server respectively.

Pre-configuration Tasks

Before configuring AAA schemes, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up

Data Preparation

To configure AAA schemes, you need the following data.
1. Name of the authentication scheme and the authentication mode
2. (Optional) Name of the authorization scheme and the authorization mode, level of the HWTACACS user to be authorized through command lines, and timeout time of command-line-based authorization
3. Name of the accounting scheme, the accounting mode, the interval of real-time accounting, the accounting-start failure policy, the real-time accounting failure policy, and the number of real-time accounting failures
4. (Optional) Name of the recording scheme, name of the HWTACACS server template related to the recording mode, and events to be recorded
5. Interface type and interface number of the server and client, address pool ID and IP address range of the address pool, and the IP addresses to be allocated to users when no address pool is used

1.3.2 (Optional) Enabling RADIUS/HWTACACS Functions

When the RADIUS/HWTACACS functions are disabled, the Authentication, Authorization, and Accounting (AAA) packets sent by the user are discarded.

Context

Do as follows on the router:

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 (Optional) Enable RADIUS/HWTACACS functions as required:
- Run the radius enable command to enable RADIUS functions.
- Run the hwtacacs enable command to enable HWTACACS functions.
The RADIUS/HWTACACS functions are enabled by default.

----End

1.3.3 Configuring the Authentication Scheme

The default authentication mode is local authentication. To allow the user to pass without being authenticated, you need to create an authentication scheme, configure the non-authentication mode in the scheme, and apply the authentication scheme to the specified domain.

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    authentication-scheme authentication-scheme-name
An authentication scheme is created and the authentication scheme view is displayed.

Step 4 Run:
    authentication-mode { hwtacacs | radius | local } * [ none ]
or
    authentication-mode none
The authentication mode is configured. By default, the authentication mode is local. If one authentication scheme is configured with several authentication modes, the modes are executed in the order in which they were configured. If the authentication mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS template and apply the template in the view of the domain to which the user belongs.

Step 5 Run:
    authentication-super { hwtacacs | super } * [ none ]
or
    authentication-super none
The authentication scheme for upgrading the user level is configured.

----End

1.3.4 (Optional) Configuring the Authorization Scheme

Context

Do as follows on the router:

NOTE
- You can configure command-line-based authorization for users at a certain level only when HWTACACS is adopted.
- For commands containing indications and values, such as interface ethernet2/2/0, you need to input the commands in configuration file format. Otherwise, HWTACACS authorization fails.
- Command-line authorization of HWTACACS has no relation with the authorization mode.

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    authorization-scheme authorization-scheme-name
The authorization scheme is created and the authorization scheme view is displayed. By default, an authorization scheme named default exists. This scheme cannot be deleted, but it can be modified.

Step 4 Run:
    authorization-mode { hwtacacs | if-authenticated | local } * [ none ]
or
    authorization-mode none
The authorization mode is configured. By default, the authorization mode is local. If the authorization mode is set to HWTACACS, you must configure the HWTACACS template and apply the template in the view of the domain to which the user belongs.

Step 5 Run:
    authorization-cmd privilege-level hwtacacs [ local ]
Command-line-based authorization is enabled. By default, command-line-based authorization is disabled. If command-line-based authorization is enabled, you must configure the HWTACACS template and apply the template in the view of the domain to which the user belongs.

Step 6 Run:
    authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }
The policy used when the HWTACACS server is unavailable or the local user sends no response is set.

Step 7 Run:
    quit
Back to the AAA view.

Step 8 Run:
    quit
Back to the system view.

Step 9 Run:
    hwtacacs-server template template-name
The HWTACACS server template view is displayed.

Step 10 Run:
    hwtacacs-server timer response-timeout timeout-value
The timeout time of the authorization response is set.

----End

1.3.5 Configuring the Accounting Scheme

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    accounting-scheme accounting-scheme-name
The accounting scheme is created and the accounting scheme view is displayed. By default, an accounting scheme named default exists. This scheme cannot be deleted, but it can be modified.

Step 4 Run:
    accounting-mode { hwtacacs | radius | none }
The accounting mode is configured. By default, the accounting mode is none. If the accounting mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS template and apply the template in the view of the domain to which the user belongs.

Step 5 Run:
    accounting realtime interval
Real-time accounting is enabled and the accounting interval is set. By default, real-time accounting is enabled and the accounting interval is five minutes. The accounting interval depends on the network situation. If the interval is too short, network traffic increases and the device that receives the real-time accounting packets is burdened. If the interval is too long, accounting may be inaccurate.

Step 6 (Optional) Run:
    accounting start-fail { online | offline }
The policy for failing to start accounting at the remote end is configured. By default, users' access to the network is denied when accounting fails to be started. The policy for failing to start accounting defines the operations on users' access when accounting fails to be started.

Step 7 (Optional) Run:
    accounting interim-fail [ max-times times ] { online | offline }
The policy for failing real-time accounting is configured. By default, the user is cut off if real-time accounting fails three times. The policy for failing real-time accounting defines the operations on users' access when real-time accounting fails.

----End
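The start-fail and interim-fail policies of Steps 6 and 7, as an added Python model (example code written for this page, not Huawei's implementation). It uses the defaults the text states (five-minute interval, access denied when Accounting-Start fails, cut-off after three real-time accounting failures) and assumes that the three failures are counted consecutively and that a successful update resets the count, which the text does not state:

```python
"""Accounting failure policies of the accounting scheme (added example, not
Huawei code).

Defaults follow the text: real-time accounting every 5 minutes, a failed
Accounting-Start denies access (start-fail offline) and three failed
real-time updates cut the user off (interim-fail offline, max-times 3).
Assumption: failures are counted consecutively and reset by a successful
update; the text does not specify this.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AccountingScheme:
    name: str
    mode: str = "none"             # accounting-mode { hwtacacs | radius | none }
    realtime_interval: int = 5     # accounting realtime <interval>, in minutes
    start_fail: str = "offline"    # accounting start-fail { online | offline }
    interim_fail: str = "offline"  # accounting interim-fail [ max-times ] { online | offline }
    interim_max_times: int = 3

    def __post_init__(self) -> None:
        for value in (self.start_fail, self.interim_fail):
            if value not in ("online", "offline"):
                raise ValueError(f"policy must be online or offline, got {value!r}")


@dataclass
class Session:
    user: str
    scheme: AccountingScheme
    online: bool = False
    consecutive_failures: int = 0
    events: List[str] = field(default_factory=list)

    def start(self, start_acknowledged: bool) -> bool:
        """Accounting-Start at login; returns whether the user is admitted."""
        if self.scheme.mode == "none" or start_acknowledged:
            self.online = True
            return True
        # The remote end did not acknowledge: the start-fail policy decides.
        self.online = self.scheme.start_fail == "online"
        self.events.append(f"start-fail {self.scheme.start_fail}: "
                           f"{'admitted' if self.online else 'denied'}")
        return self.online

    def realtime_update(self, acknowledged: bool) -> bool:
        """One real-time accounting update; returns whether the user stays online."""
        if not self.online or self.scheme.mode == "none":
            return self.online
        if acknowledged:
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        self.events.append(f"interim failure {self.consecutive_failures}")
        if (self.consecutive_failures >= self.scheme.interim_max_times
                and self.scheme.interim_fail == "offline"):
            self.online = False
            self.events.append("interim-fail offline: user cut off")
        return self.online


def simulate(scheme: AccountingScheme, start_ok: bool,
             updates: List[bool]) -> dict:
    """Run one login plus a series of real-time updates; report the outcome."""
    session = Session("user@hua", scheme)
    admitted = session.start(start_ok)
    cut_off_after_min: Optional[int] = None
    for i, ok in enumerate(updates, start=1):
        if not session.online:
            break
        if not session.realtime_update(ok):
            cut_off_after_min = i * scheme.realtime_interval
            break
    return {"admitted": admitted, "online": session.online,
            "cut_off_after_min": cut_off_after_min, "events": session.events}


if __name__ == "__main__":
    # Constructed run: two failures, one success, then three failures in a row.
    radius = AccountingScheme("scheme0", mode="radius")
    print(simulate(radius, True, [False, False, True, False, False, False]))
```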


1.3.6 (Optional) Configuring the Recording Scheme

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    recording-scheme recording-scheme-name
The recording scheme is created and the recording scheme view is displayed. By default, no recording scheme exists.

Step 4 Run:
    recording-mode hwtacacs template-name
The recording mode is configured. By default, the recording scheme is not associated with an HWTACACS template.

Step 5 Run:
    quit
Back to the AAA view.

Step 6 (Optional) Run:
    cmd recording-scheme recording-scheme-name
The commands run on the router are recorded.

Step 7 (Optional) Run:
    outbound recording-scheme recording-scheme-name
The connections are recorded.

Step 8 Run:
    system recording-scheme recording-scheme-name
The system events are recorded.

----End

1.3.7 Allocating IP Addresses to Users

Context

Do as follows on the router:

NOTE
It is not necessary to configure an address pool if there is only one user. Directly allocate a specific IP address to the user. In this case, Steps 2, 3, and 4 can be skipped.
The commands in Steps 6 and 7 should be run on a POS interface that supports PPP.
If both the local and remote interfaces are encapsulated with PPP, and the local interface has no IP address while the remote interface has one, you can configure IP address negotiation on the local interface. The local interface then obtains the IP address allocated by the peer through PPP negotiation. When configuring IP address negotiation, note the following:
- IP address negotiation can be set only when the interface supports PPP.
- When the PPP status is Down, the IP address generated through negotiation is deleted.
- No IP address needs to be configured on the local interface because the IP address can be obtained through negotiation. If the interface is already configured with an IP address, this IP address is deleted.
- The IP address obtained by an earlier negotiation is deleted when negotiation is reconfigured on the interface. The interface gets a new IP address through the negotiation. When the negotiated address is deleted, the interface has no address.

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    aaa
The AAA view is displayed.

Step 3 Run:
    ip pool pool-number first-address [ last-address ]
The IP address pool of the local system is configured.

Step 4 Run:
    quit
Back to the system view.

Step 5 Run:
    interface interface-type interface-number
The interface view is displayed.

Step 6 Run:
    remote address { ip-address | pool [ pool-number ] }
IP addresses are allocated to the remote users.

Step 7 Run:
    ip address ppp-negotiate
IP address negotiation is configured on the interface.

----End

1.3.8 Checking the Configuration

Prerequisite

The configurations of the AAA schemes are complete.

Procedure
- Run the display aaa configuration [ | count ] [ | { begin | include | exclude } regular-expression ] command to check brief information about AAA.
- Run the display accounting-scheme [ accounting-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the accounting scheme.
- Run the display authentication-scheme [ authentication-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the authorization scheme.
- Run the display recording-scheme [ recording-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the recording scheme.
- Run the display ip pool { global | domain domain-name } [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the usage of the address pool.
- Run the display access-user command to check information about all online users.

----End

Example

Run the display aaa configuration command. If brief information about AAA is displayed, the configuration succeeds. For example:

    display aaa configuration
    --------------------------------------------------------------------------
    AAA configuration information :
    --------------------------------------------------------------------------
    Domain                  : total: 255   used: 2
    Authentication-scheme   : total: 16    used: 2
    Authorization-scheme    : total: 16    used: 2
    Accounting-scheme       : total: 128   used: 2
    Recording-scheme        : total: 128   used: 0
    AAA-access-user         : total: 384   used: 0
    Access-user-state       : authen: 0  author: 0  accounting: 0
    --------------------------------------------------------------------------

Run the display authentication-scheme command. If information about the authentication scheme is displayed, the configuration succeeds. For example:

    display authentication-scheme scheme0
    --------------------------------------------------------------------------
    Authentication-scheme-name    : scheme0
    Authentication-method         : Local authentication
    Authentication-super method   : Super authentication-super
    --------------------------------------------------------------------------

Run the display authorization-scheme command. If information about the authorization scheme is displayed, the configuration succeeds. For example:

  display authorization-scheme scheme0
  --------------------------------------------------------------------------
  Authorization-scheme-name             : scheme0
  Authorization-method                  : Local authorization
  Authorization-cmd level 0             : disabled
  Authorization-cmd level 1             : disabled
  Authorization-cmd level 2             : enabled ( Hwtacacs )
  Authorization-cmd level 3             : disabled
  Authorization-cmd level 4             : disabled
  Authorization-cmd level 5             : disabled
  Authorization-cmd level 6             : disabled
  Authorization-cmd level 7             : disabled
  Authorization-cmd level 8             : disabled
  Authorization-cmd level 9             : disabled
  Authorization-cmd level 10            : disabled
  Authorization-cmd level 11            : disabled
  Authorization-cmd level 12            : disabled
  Authorization-cmd level 13            : disabled
  Authorization-cmd level 14            : disabled
  Authorization-cmd level 15            : disabled
  Authorization-cmd no-response-policy  : Online
  --------------------------------------------------------------------------

Run the display accounting-scheme command. If information about the accounting scheme is displayed, the configuration succeeds. For example:

  display accounting-scheme scheme0
  --------------------------------------------------------------------------
  Accounting-scheme-name               : scheme0
  Accounting-method                    : RADIUS accounting
  Realtime-accounting-switch           : Open
  Realtime-accounting-interval(min)    : 5
  Start-accounting-fail-policy         : Cut user
  Realtime-accounting-fail-policy      : Cut user
  Realtime-accounting-failure-retries  : 3
  --------------------------------------------------------------------------

Run the display recording-scheme command. If information about the recording scheme is displayed, the configuration succeeds. For example:

  display recording-scheme scheme0
  --------------------------------------------------------------------------
  Recording-scheme-name     : scheme0
  HWTACACAS-template-name   : template0
  --------------------------------------------------------------------------

Run the display ip pool global command. If brief information about the usage of all address pools is displayed, the configuration succeeds. For example:

  display ip pool global
  ---------------------------------------------------------------------------
  Pool-number  Pool-start-addr  Pool-end-addr  Pool-length  Used-addr-number
  ---------------------------------------------------------------------------
  2            10.1.1.1         10.1.1.10      10           0
  ---------------------------------------------------------------------------
  Total pool number: 1

Run the display access-user command. If brief information about all online users is displayed, the configuration succeeds. For example:

  display access-user
  ----------------------------------------------------------------------------
  Total users                : 2
  Wait authen-ack            : 0
  Authentication success     : 2
  Accounting ready           : 2
  Accounting state           : 0
  Wait leaving-flow-query    : 0
  Wait accounting-start      : 0
  Wait accounting-stop       : 0
  Wait authorization-client  : 0
  Wait authorization-server  : 0
  ------------------------------------------------------------------
  Domain-name                Online-user
  ------------------------------------------------------------------
  default                    : 2
  ------------------------------------------------------------------
  The used CID table are : 256 257
  ----------------------------------------------------------------------------

1.4 Configuring Server Templates

This section describes how to configure a server template.

1.4.1 Establishing the Configuration Task
1.4.2 Configuring the RADIUS Server Template
1.4.3 Configuring the HWTACACS Server Template
1.4.4 Checking the Configuration

1.4.1 Establishing the Configuration Task

Applicable Environment
When remote authentication is adopted, you need to configure a server template (RADIUS or HWTACACS) as required. The RADIUS server template needs to be configured when RADIUS is adopted. Similarly, the HWTACACS server template needs to be configured when HWTACACS is adopted.

NOTE
Most RADIUS configuration items adopt the default settings. You can also configure them based on the actual networking. The RADIUS configuration can be modified only when the RADIUS server template is not used by any user. Note the following differences from the configuration of the RADIUS server template when you configure the HWTACACS server template:
• Except for deleting the HWTACACS server, you can modify most attributes of the HWTACACS server template without checking whether the template is in use.
• By default, no authentication key is configured.

Pre-configuration Tasks
Before configuring the server template, complete the following task:
• Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up

Data Preparation
To configure the RADIUS server, you need the following data.

No.  Data
1    Name of the RADIUS server template; IP addresses and source port numbers of the primary RADIUS authentication and accounting servers; source interface number; IP addresses and source port numbers of the secondary RADIUS authentication and accounting servers; protocol version used by the RADIUS server; shared keys; user name format (with or without domain name) of the RADIUS server; traffic unit on the RADIUS server; response timeout period of the RADIUS server and retransmission times; and NAS port format of the RADIUS server and the corresponding port ID format
2    Name of the HWTACACS server template; IP addresses, source port numbers, and the VPN instances to be bound of the primary HWTACACS authentication, authorization, and accounting servers; IP addresses, source port numbers, and the VPN instances to be bound of the secondary HWTACACS authentication, authorization, and accounting servers; retransmission times of accounting-stop packets; source IP address of the HWTACACS server; key of the HWTACACS server; user name format (with or without domain name) of the HWTACACS server; traffic unit on the HWTACACS server; response timeout period of the HWTACACS server; and the time taken by the master HWTACACS server to restore the active state

1.4.2 Configuring the RADIUS Server Template

Context
Do as follows on the router:

Procedure
• Creating the RADIUS server template
  1. Run: system-view
     The system view is displayed.
  2. Run: radius-server template template-name
     The RADIUS server template is created and the RADIUS template view is displayed.
• Configuring the RADIUS authentication server
  1. Run: system-view
     The system view is displayed.
  2. Run: radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run: radius-server authentication ip-address port [ source loopback interface-number ]
     The primary RADIUS authentication server is configured. By default, the primary RADIUS authentication server has a null configuration.
  4. Run: radius-server authentication ip-address port [ source loopback interface-number ] secondary
     The secondary RADIUS authentication server is configured. By default, the secondary RADIUS authentication server has a null configuration.
• Configuring the RADIUS accounting function
  1. Run: system-view
     The system view is displayed.
  2. Run: radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run: radius-server accounting ip-address port [ source loopback interface-number ]
     The primary RADIUS accounting server is configured. By default, the primary RADIUS accounting server has a null configuration.
  4. Run: radius-server accounting ip-address port [ source loopback interface-number ] secondary
     The secondary RADIUS accounting server is configured. By default, the secondary RADIUS accounting server has a null configuration.
• Configuring the protocol version of the RADIUS server
  1. Run: system-view
     The system view is displayed.
  2. Run: radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run: radius-server type { standard | portal }
     The protocol version of the RADIUS server is configured. By default, the NE5000E adopts standard RADIUS. If portal is specified, the NE5000E adopts RADIUS+1.1.
• Configuring the shared key of the RADIUS server
  1. Run: system-view

     The system view is displayed.
  2. Run: radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run: radius-server shared-key key-string
     The shared key of the RADIUS server is configured. By default, the shared key of the RADIUS server is huawei.
• Configuring the user name format of the RADIUS server
  1. Run: system-view
     The system view is displayed.
  2. Run: radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run: radius-server user-name domain-included
     The user name format of the RADIUS server is configured. By default, the user name contains the domain name. If the RADIUS server does not recognize a user name that contains the domain name, you can remove the domain name before sending the user name to the RADIUS server.
     NOTE
     Commonly, a user name is in the format of "user name@domain name". The character string after @ indicates the domain name.
• Configuring the traffic unit of the RADIUS server
  1. Run: system-view
     The system view is displayed.
  2. Run: radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run: radius-server traffic-unit { byte | kbyte | mbyte | gbyte }
     The traffic unit of the RADIUS server is configured. By default, the traffic unit is set to byte.
     NOTE
     If the router adopts standard RADIUS, this configuration is invalid.
• (Optional) Configuring the retransmission parameters of the RADIUS server
  1. Run: system-view
     The system view is displayed.
  2. Run: radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run: radius-server timeout seconds
     The timeout period for the RADIUS server to send the response packet is configured. By default, the timeout period is set to 5 seconds. To check whether the RADIUS server is valid, the NE5000E periodically sends request packets to the RADIUS server. If the RADIUS server does not return a response within the timeout period, the NE5000E retransmits the request packets.
  4. Run: radius-server retransmit retry-times
     The retransmission times of the RADIUS server are configured. By default, the retransmission times are set to 3. If the NE5000E receives no response after retransmitting request packets the configured number of times, it considers the RADIUS server unavailable.
• (Optional) Configuring the NAS port of the RADIUS server
  1. Run: system-view
     The system view is displayed.
  2. Run: radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run: radius-server nas-port-format { new | old }
     The NAS port format is configured. By default, the NAS port format is set to new.
  4. Run: radius-server nas-port-id-format { new | old }
     The ID format of the NAS port of the RADIUS server is configured. By default, the ID format of the NAS port is set to new.

----End

1.4.3 Configuring the HWTACACS Server Template

Context
Do as follows on the router:

Procedure
• Creating the HWTACACS server template
  1. Run: system-view
     The system view is displayed.
  2. Run: hwtacacs-server template template-name
     The HWTACACS server template is created and the corresponding view is displayed.
• Configuring the HWTACACS authentication server
  1. Run: system-view
     The system view is displayed.
  2. Run: hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run: hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ]
     The primary HWTACACS authentication server is configured. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0, and the server is not bound to any VPN instance.
  4. Run: hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
     The secondary HWTACACS authentication server is configured. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0, and the server is not bound to any VPN instance.
• Configuring the HWTACACS authorization server
  1. Run: system-view
     The system view is displayed.
  2. Run: hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run: hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ]
     The primary HWTACACS authorization server is configured. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0, and the server is not bound to any VPN instance.
  4. Run: hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary

     The secondary HWTACACS authorization server is configured. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0, and the server is not bound to any VPN instance.
• Configuring the HWTACACS accounting server
  1. Run: system-view
     The system view is displayed.
  2. Run: hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run: hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ]
     The primary HWTACACS accounting server is configured. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0, and the server is not bound to any VPN instance.
  4. Run: hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
     The secondary HWTACACS accounting server is configured. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0, and the server is not bound to any VPN instance.
  5. Run: quit
     The system view is displayed again.
  6. Run: hwtacacs-server accounting-stop-packet resend { disable | enable number }
     Retransmission of accounting-stop packets is configured. By default, the NE5000E retransmits accounting-stop packets, and the number of retransmitted packets is 100. Accounting-stop packets inform the server to stop charging users. If the accounting server fails to receive the accounting-stop packets, it continues to charge users. Therefore, the NE5000E retransmits the accounting-stop packets until the server receives them or until the retransmission times reach the threshold.
• (Optional) Configuring the source IP address of the HWTACACS server
  1. Run: system-view
     The system view is displayed.
  2. Run: hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run: hwtacacs-server source-ip ip-address
     The source IP address of the packets is configured. By default, the source IP address is 0.0.0.0; that is, the NE5000E uses the IP address of the outgoing interface as the source IP address of HWTACACS packets. After the source IP address is specified, the HWTACACS template uses this IP address to communicate with the HWTACACS server.
• (Optional) Configuring the shared key of the HWTACACS server
  1. Run: system-view
     The system view is displayed.
  2. Run: hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run: hwtacacs-server shared-key key-string
     The shared key of the HWTACACS server is configured. By default, the shared key of the HWTACACS server is null. Setting the shared key ensures the security of communication between the NE5000E and the HWTACACS server.
     NOTE
     To ensure the identity validity of the two communicating ends, the shared keys configured on the router and the HWTACACS server must be the same.
• (Optional) Configuring the user name format of the HWTACACS server
  1. Run: system-view
     The system view is displayed.
  2. Run: hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run: hwtacacs-server user-name domain-included
     The user name format of the HWTACACS server is configured. By default, the user name contains the domain name. If the HWTACACS server rejects a user name containing the domain name, you can configure the device to remove the domain name from the user name before delivering the user name to the HWTACACS server.

     NOTE
     Commonly, the user name is in the format of "user name@domain name". The character string after @ indicates the domain name.
• (Optional) Configuring the traffic unit of the HWTACACS server
  1. Run: system-view
     The system view is displayed.
  2. Run: hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run: hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
     The traffic unit of the HWTACACS server is configured. By default, the traffic unit is set to byte.
• (Optional) Configuring the timer of the HWTACACS server
  1. Run: system-view
     The system view is displayed.
  2. Run: hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run: hwtacacs-server timer response-timeout value
     The timeout period for the HWTACACS server to send the response packets is configured. By default, the timeout period is set to five seconds. If the device receives no response from the HWTACACS server during this period, it considers the HWTACACS server unavailable. The device then tries to perform authentication, authorization, or accounting through other methods.
  4. Run: hwtacacs-server timer quiet value
     The time taken by the primary HWTACACS server to restore the active state is configured. By default, the primary HWTACACS server waits for five minutes before restoration.
• Configuring active password modification
  1. Run: hwtacacs-user change-password hwtacacs-server template-name
     Active password modification is configured.
     NOTE
     • The user can successfully log in to the device only after passing HWTACACS authentication and only when the HWTACACS server template has been configured.
     • Users are allowed to actively modify passwords before the user names and passwords saved on the TACACS server expire.
     • For users with expired passwords, when they log in to the device, the TACACS server returns an authentication-failure message and hence these users cannot actively modify their passwords.

----End

1.4.4 Checking the Configuration

Prerequisite
The configurations of the server templates are complete.

Procedure
• Run the display radius-server configuration [ template template-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check information about the RADIUS authentication/accounting server.
• Run the display hwtacacs-server template [ template-name [ verbose ] ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check information about the HWTACACS server template.
• Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address } [ | count ] [ | { begin | include | exclude } regular-expression ] command to check information about accounting-stop packets on the HWTACACS server.

----End

Example
Run the display radius-server configuration command. If information about the RADIUS server template is displayed, the configuration succeeds. For example:

  display radius-server configuration template test
  ------------------------------------------------------------------
  Server-template-name              : test
  Protocol-version                  : standard
  Traffic-unit                      : KB
  Shared-secret-key                 : abcdef
  Timeout-interval(in second)       : 6
  Primary-authentication-server     : 10.1.1.1:1812:LoopBack-1
  Primary-accounting-server         : 10.1.1.2:1813:LoopBack-1
  Secondary-authentication-server   : 10.1.1.2:1812:LoopBack-1
  Secondary-accounting-server       : 10.1.1.4:1813:LoopBack-1
  Retransmission                    : 2
  Domain-included                   : YES
  -------------------------------------------------------------------

Run the display hwtacacs-server template command. If information about the HWTACACS server template is displayed, the configuration succeeds. For example:

  display hwtacacs-server template
  ----------------------------------------------------------
  HWTACACS-server template name     : 123
  Primary-authentication-server     : 0.0.0.0:0:-
  Primary-authorization-server      : 0.0.0.0:0:-
  Primary-accounting-server         : 0.0.0.0:0:-
  Secondary-authentication-server   : 0.0.0.0:0:-
  Secondary-authorization-server    : 0.0.0.0:0:-
  Secondary-accounting-server       : 0.0.0.0:0:-
  Current-authentication-server     : 0.0.0.0:0:-
  Current-authorization-server      : 0.0.0.0:0:-
  Current-accounting-server         : 0.0.0.0:0:-
  Source-IP-address                 : 0.0.0.0
  Shared-key                        :
  Quiet-interval(min)               : 5
  Response-timeout-Interval(sec)    : 5
  Domain-included                   : Yes
  Traffic-unit                      : B
  ---------
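The two display outputs above are what an operator would review to confirm that a template is not still carrying the defaults the procedures name (RADIUS shared key huawei, HWTACACS shared key null, server addresses left at 0.0.0.0). The following script is an added example, not part of the guide: it parses that "Name : value" layout and reports such findings. The two sample outputs it contains are constructed to mirror the guide's format, not captured from a router.

```python
"""Audit NE5000E server-template display output for weak settings.
Added example (not from the guide): parses 'display radius-server
configuration' / 'display hwtacacs-server template' output and flags
defaults the guide names. Sample outputs below are constructed."""
import re

# A server slot that was never configured shows as 0.0.0.0:0 (guide default).
UNSET_SERVER = re.compile(r"^0\.0\.0\.0:0(:.*)?$")
# The guide states that the RADIUS shared key defaults to "huawei".
DEFAULT_KEYS = {"huawei"}

# Constructed sample: RADIUS template still on the default key, no secondary
# authentication server.
RADIUS_SAMPLE = """\
------------------------------------------------------------------
Server-template-name              : test
Protocol-version                  : standard
Traffic-unit                      : KB
Shared-secret-key                 : huawei
Timeout-interval(in second)       : 6
Primary-authentication-server     : 10.1.1.1:1812:LoopBack-1
Primary-accounting-server         : 10.1.1.2:1813:LoopBack-1
Secondary-authentication-server   : 0.0.0.0:0:-
Secondary-accounting-server       : 10.1.1.4:1813:LoopBack-1
Retransmission                    : 2
Domain-included                   : YES
------------------------------------------------------------------
"""

# Constructed sample: HWTACACS template left entirely at defaults.
HWTACACS_SAMPLE = """\
----------------------------------------------------------
HWTACACS-server template name     : 123
Primary-authentication-server     : 0.0.0.0:0:-
Primary-authorization-server      : 0.0.0.0:0:-
Primary-accounting-server         : 0.0.0.0:0:-
Secondary-authentication-server   : 0.0.0.0:0:-
Shared-key                        :
Quiet-interval(min)               : 5
Response-timeout-Interval(sec)    : 5
----------------------------------------------------------
"""


def parse_display(text):
    """Map field names to values; split on the first ':' only, because the
    server values themselves contain ':' (ip:port:source-interface)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("-"):
            continue  # separator rows and blank lines
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields


def audit_template(fields):
    """Return a list of findings for one parsed template, in display order."""
    findings = []
    key = fields.get("Shared-secret-key", fields.get("Shared-key"))
    if key == "":
        findings.append("no shared key configured")
    elif key is not None and key.lower() in DEFAULT_KEYS:
        findings.append("default shared key in use")
    for name, value in fields.items():
        # Current-* rows only mirror whichever server is active; skip them.
        if not name.endswith("-server") or name.startswith("Current"):
            continue
        role, kind = name.split("-")[:2]
        if UNSET_SERVER.match(value):
            if role == "Primary":
                findings.append(f"primary {kind} server not configured")
            else:
                findings.append(f"no secondary {kind} server (no failover)")
    return findings
```

Feed it the text of each template's display output; an empty list means none of the guide's defaults were detected.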