Let’s look at a typical HWTACACS server configuration on a Huawei device:

```
#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.10.1
 hwtacacs-server authorization 172.16.10.1
 hwtacacs-server accounting 172.16.10.1
 hwtacacs-server source-ip 172.16.10.10
 hwtacacs-server shared-key cipher %$%$;XioR#N`7=~][vLDTr2S(2.#%$%$
 undo hwtacacs-server user-name domain-included
#
aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain default_admin
  authentication-scheme hwtacacs
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server labnario
 local-user labnario password cipher %$%$'3N&Y#>c>Ibb;f:!o4mW(7#h%$%$
 local-user labnario privilege level 15
 local-user labnario service-type telnet terminal ssh ftp
#
user-interface vty 0 4
 authentication-mode aaa
```
What do we have to do to configure HWTACACS AAA?
- Configure an HWTACACS server template.
- Configure authentication, authorization, and accounting schemes.
- Apply the HWTACACS server template, authentication scheme, authorization scheme, and accounting scheme to the domain.
To ensure redundancy, we can configure a secondary HWTACACS server:

```
#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.11.1 secondary
 hwtacacs-server authorization 172.16.11.1 secondary
 hwtacacs-server accounting 172.16.11.1 secondary
```

In this case, if the primary server is not available, the secondary server is used.
Let’s look at the AAA schemes. As you can see, there are backups for authentication and authorization: if HWTACACS authentication fails, local authentication is used, and the same applies to HWTACACS authorization.
But what happens if accounting fails?
It is not possible to configure a backup for accounting. There are three options: HWTACACS, local, or RADIUS, but only one of them can be selected.
Let’s assume that you use accounting as in the configuration above. After an accounting scheme is applied, when a user goes online, the device sends an accounting-start packet to the accounting server. When the network is working properly, the accounting server responds to the accounting-start packet. If a fault occurs in the network, the device may not receive the response from the accounting server, and as a result accounting fails. Finally, when you try to log in as the local user labnario, you are immediately disconnected with the message:
The connection was closed by the remote host.
Of course, there is a way out of this situation: the “accounting start-fail online” command, which lets the user stay online even when the device gets no response to the accounting-start packet.
The final AAA configuration with backups should look like this:

```
#
aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting start-fail online
```
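As an added example (not from the original post), here is a small Python audit that parses a Huawei-style configuration display and flags the two gaps discussed above: accounting schemes without “accounting start-fail online”, and HWTACACS templates with no secondary accounting server. The sample configuration and all names in it are constructed for the example.

```python
# Constructed sample modelled on the post's snippets (hypothetical, not a real device dump).
SAMPLE_CONFIG = """\
#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.10.1
 hwtacacs-server accounting 172.16.10.1
#
aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain default_admin
  accounting-scheme hwtacacs
#
"""

def parse_sections(config):
    """Split a config display into blocks: '#' lines separate them, the first line is the key."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.strip() == "#":
            current = None                       # next non-empty line opens a new block
        elif raw.strip() and current is None:
            current = raw.strip()
            sections[current] = []
        elif raw.strip():
            sections[current].append(raw.rstrip())   # keep indentation, it carries nesting

    return sections

def accounting_schemes_without_start_fail(sections):
    """Accounting schemes under 'aaa' that will drop users when the server does not answer."""
    risky, scheme = [], None
    for line in sections.get("aaa", []):
        depth, text = len(line) - len(line.lstrip()), line.strip()
        if depth == 1:                           # a new top-level scheme or domain inside aaa
            scheme = text.split()[1] if text.startswith("accounting-scheme ") else None
            if scheme:
                risky.append(scheme)
        elif scheme and text == "accounting start-fail online":
            risky.remove(scheme)                 # this scheme keeps users online on failure
    return risky

def templates_without_secondary_accounting(sections):
    """HWTACACS templates whose accounting has no 'secondary' server configured."""
    return [name.split()[-1] for name, body in sections.items()
            if name.startswith("hwtacacs-server template ")
            and not any(ln.strip().startswith("hwtacacs-server accounting ")
                        and ln.strip().endswith(" secondary") for ln in body)]
```

Run it over the output of a `display current-configuration` saved to a file to find devices where an unreachable accounting server would lock administrators out.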