CloudEngine 6800&5800 V100R001C00 Configuration Guide - Security 04.pdf



    CloudEngine 6800&5800 Series Switches

    V100R001C00

    Configuration Guide - Security

    Issue 04

    Date 2013-07-10

    HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

    Huawei Technologies Co., Ltd.

    Address: Huawei Industrial Base

    Bantian, Longgang

    Shenzhen 518129

    People's Republic of China

    Website: http://enterprise.huawei.com

    Issue 04 (2013-07-10) Huawei Proprietary and Confidential

    Copyright Huawei Technologies Co., Ltd.


    About This Document

    Intended Audience

This document describes the concepts and configuration procedures of the security features on the CE series switches, and provides configuration examples to guide you in configuring those features.

This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol    Description
DANGER    Indicates a hazard with a high level or medium level of risk which, if not avoided, could result in death or serious injury.
WARNING   Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation that, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.
TIP       Provides a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points in the main text.


Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention         Description
Boldface           The keywords of a command line are in boldface.
Italic             Command arguments are in italics.
[ ]                Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }    Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]    Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*   Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*   Optional items are grouped in brackets and separated by vertical bars. You can select one or several items, or select no item.
&                  The parameter before the & sign can be repeated 1 to n times.
#                  A line starting with the # sign is a comment.

Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on the devices.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 04 (2013-07-10)

This version has the following updates:

The following information is modified:

- 2 ACL Configuration
- 2.1 ACL Overview
- 2.5.3 Configuring an Advanced ACL Rule
- 7.3 Default Configuration


- 7.4.4 Configuring Rate Limit on ARP Packets (Globally or in a VLAN)
- 4.1 Local Attack Defense Overview
- 9 Traffic Suppression and Storm Control Configuration
- 8.1 MFF Overview
- 5.2 Configuration Notes
- 5.4.4 Checking the Configuration
- 6.3.1 Configuring the URPF Check Mode on an Interface

Changes in Issue 03 (2013-05-10)

This version has the following updates:

The following information is modified:

- 1.5.2 Configuring an HWTACACS Server Template

Changes in Issue 02 (2013-03-15)

This version has the following updates:

The following information is modified:

- 1.3.2 Configuring a Local User
- 9.4.1 Configuring Traffic Suppression on an Interface
- 9.4.2 Configuring Traffic Suppression in a VLAN

Changes in Issue 01 (2012-12-31)

Initial commercial release.


Contents

About This Document

1 AAA Configuration
  1.1 AAA Overview
  1.2 AAA Features Supported by the Device
  1.3 Configuring Local Authentication and Authorization
    1.3.1 Configuring AAA Schemes
    1.3.2 Configuring a Local User
    1.3.3 Configuring a Domain
    1.3.4 Checking the Configuration
  1.4 Configuring RADIUS AAA
    1.4.1 Configuring AAA Schemes
    1.4.2 Configuring a RADIUS Server Template
    1.4.3 Configuring a Domain
    1.4.4 Checking the Configuration
  1.5 Configuring HWTACACS AAA
    1.5.1 Configuring AAA Schemes
    1.5.2 Configuring an HWTACACS Server Template
    1.5.3 Configuring a Domain
    1.5.4 Checking the Configuration
  1.6 Maintaining AAA
    1.6.1 Clearing AAA Statistics
  1.7 Configuration Examples
    1.7.1 Example for Configuring RADIUS Authentication and Accounting
    1.7.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

2 ACL Configuration
  2.1 ACL Overview
  2.2 ACL Features Supported by the Device
  2.3 Default Configuration
  2.4 Configuring a Basic ACL
    2.4.1 (Optional) Configuring the Validity Time Range of a Rule
    2.4.2 Creating a Basic ACL
    2.4.3 Configuring a Basic ACL Rule


    2.4.4 Applying the ACL to the Switch
    2.4.5 Checking the Configuration
  2.5 Configuring an Advanced ACL
    2.5.1 (Optional) Configuring the Validity Time Range of a Rule
    2.5.2 Creating an Advanced ACL
    2.5.3 Configuring an Advanced ACL Rule
    2.5.4 Applying the ACL to the Switch
    2.5.5 Checking the Configuration
  2.6 Configuring a Layer 2 ACL
    2.6.1 (Optional) Configuring the Validity Time Range of a Rule
    2.6.2 Creating a Layer 2 ACL
    2.6.3 Configuring a Layer 2 ACL Rule
    2.6.4 Applying the ACL to the Switch
    2.6.5 Checking the Configuration
  2.7 Configuring a User-defined ACL
    2.7.1 (Optional) Configuring the Validity Time Range of a Rule
    2.7.2 Creating a User-defined ACL
    2.7.3 Configuring a User-defined ACL Rule
    2.7.4 Applying the ACL to the Switch
    2.7.5 Checking the Configuration
  2.8 Maintaining an ACL
    2.8.1 Clearing ACL Statistics
  2.9 Configuration Examples
    2.9.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server
    2.9.2 Example for Using an Advanced ACL to Configure Traffic Classifiers
    2.9.3 Example for Using a Layer 2 ACL to Configure a Traffic Classifier

3 DHCP Snooping Configuration
  3.1 DHCP Snooping Overview
  3.2 DHCP Snooping Features Supported by the Device
  3.3 Default Configuration
  3.4 Configuring Basic Functions of DHCP Snooping
    3.4.1 Enabling DHCP Snooping
    3.4.2 Configuring an Interface as the Trusted Interface
    3.4.3 (Optional) Disabling Location Fixation for a DHCP Snooping User
    3.4.4 (Optional) Configuring Association Between ARP and DHCP Snooping
    3.4.5 (Optional) Configuring the Device to Clear the MAC Address Entry Immediately When the User Is Disconnected
    3.4.6 Checking the Configuration
  3.5 Configuring DHCP Snooping Attack Defense
    3.5.1 Configuring Defense Against Bogus DHCP Server Attacks
    3.5.2 Configuring Defense Against Attacks from Non-DHCP Users
    3.5.3 Configuring Defense Against DHCP Flood Attacks


    3.5.4 Configuring Defense Against Bogus DHCP Message Attacks
    3.5.5 Configuring Defense Against DHCP Server DoS Attacks
    3.5.6 Checking the Configuration
  3.6 Inserting the Option 82 Field to a DHCP Message
  3.7 Maintaining DHCP Snooping
    3.7.1 Clearing DHCP Snooping Statistics
    3.7.2 Clearing Dynamic DHCP Snooping Binding Entries
    3.7.3 Backing Up DHCP Snooping Binding Entries
  3.8 Configuration Examples
    3.8.1 Example for Configuring DHCP Snooping Attack Defense

4 Local Attack Defense Configuration
  4.1 Local Attack Defense Overview
  4.2 Local Attack Defense Features Supported by the Switch
  4.3 Default Configuration
  4.4 Configuring Attack Source Tracing
    4.4.1 Creating an Attack Defense Policy
    4.4.2 Configuring the Threshold for Attack Source Tracing
    4.4.3 Setting the Packet Sampling Ratio for Attack Source Tracing
    4.4.4 Configuring an Attack Source Tracing Mode
    4.4.5 Configuring the Types of Traced Packets
    4.4.6 Configuring a Whitelist for Attack Source Tracing
    4.4.7 Configuring the Alarm Function for Attack Source Tracing
    4.4.8 Configuring Attack Source Punishment
    4.4.9 Applying an Attack Defense Policy
    4.4.10 Checking the Configuration
  4.5 Configuring CPU Attack Defense
    4.5.1 Creating an Attack Defense Policy
    4.5.2 Configuring a Blacklist
    4.5.3 Configuring a Rule for Sending Packets to the CPU
    4.5.4 Applying an Attack Defense Policy
    4.5.5 Checking the Configuration
  4.6 Maintaining Local Attack Defense
    4.6.1 Clearing Attack Source Information
    4.6.2 Clearing Statistics About Packets Sent to the CPU
  4.7 Configuration Examples
    4.7.1 Example for Configuring Local Attack Defense
  4.8 Common Configuration Errors
    4.8.1 Attack Source Tracing Does Not Take Effect
    4.8.2 Protocol Packets Are Not Sent to the CPU
    4.8.3 The Blacklist Does Not Take Effect

5 IPSG Configuration
  5.1 IPSG Overview


  5.2 Configuration Notes
  5.3 Default Configuration
  5.4 Configuring IPSG
    5.4.1 Configuring a Binding Table
    5.4.2 Configuring IP Packet Check
    5.4.3 (Optional) Configuring the Alarm Function of IP Packet Check
    5.4.4 Checking the Configuration
  5.5 Configuration Examples
    5.5.1 Example for Configuring IPSG

6 URPF Configuration
  6.1 URPF Overview
  6.2 Default Configuration
  6.3 Configuring URPF
    6.3.1 Configuring the URPF Check Mode on an Interface
    6.3.2 Enabling URPF on an Interface
    6.3.3 (Optional) Disabling URPF for Specified Traffic
    6.3.4 Checking the Configuration
  6.4 Configuration Examples
    6.4.1 Example for Configuring URPF

7 ARP Security Configuration
  7.1 ARP Security Overview
  7.2 ARP Security Features Supported by the Device
  7.3 Default Configuration
  7.4 Configuring Defense Against ARP Flood Attacks
    7.4.1 Configuring Rate Limit on ARP Packets Based on the Source MAC Address
    7.4.2 Configuring Rate Limit on ARP Packets Based on the Source IP Address
    7.4.3 Configuring Rate Limit on ARP Packets Based on the Destination IP Address
    7.4.4 Configuring Rate Limit on ARP Packets (Globally or in a VLAN)
    7.4.5 Configuring Rate Limit on ARP Miss Messages Based on the Source IP Address
    7.4.6 Configuring Rate Limit on ARP Miss Messages Globally or in a VLAN
    7.4.7 Setting the Aging Time of Temporary ARP Entries
    7.4.8 Configuring Gratuitous ARP Packet Discarding
    7.4.9 Configuring Strict ARP Learning
    7.4.10 Configuring Interface-based ARP Entry Limit
    7.4.11 Checking the Configuration
  7.5 Configuring Defense Against ARP Spoofing Attacks
    7.5.1 Configuring ARP Entry Fixing
    7.5.2 Configuring DAI
    7.5.3 Configuring Gratuitous ARP Packet Discarding
    7.5.4 Configuring MAC Address Consistency Check in an ARP Packet
    7.5.5 Configuring Strict ARP Learning
    7.5.6 Checking the Configuration


    7.6 ARP Security Maintenance........................................................................................................................................138

    7.6.1 Monitoring ARP Running Status.............................................................................................................................138

    7.6.2 Clearing ARP Security Statistics.............................................................................................................................138

    7.6.3 Configuring the Alarm Function for Potential ARP Attacks..................................................................................139

    7.7 Configuration Examples.............................................................................................................................................139

    7.7.1 Example for Configuring ARP Security Functions.................................................................................................140

    7.7.2 Example for Configuring Defense Against ARP MITM Attacks...........................................................................144

    8 MFF Configuration....................................................................................................................148

    8.1 MFF Overview...........................................................................................................................................................149

    8.2 MFF Features Supported by the Switch.....................................................................................................................149

    8.3 Default Configuration.................................................................................................................................................151

    8.4 Configuring MFF........................................................................................................................................................151

    8.4.1 Enabling Global MFF..............................................................................................................................................151

    8.4.2 Configuring a Network Interface.............................................................................................................................152

    8.4.3 Enabling MFF in a VLAN.......................................................................................................................................152

    8.4.4 (Optional) Configuring a Static Gateway Address..................................................................................................153

    8.4.5 (Optional) Enabling Timed Gateway Detection......................................................................................................154

    8.4.6 (Optional) Configuring the Application Server IP Address....................................................................................154

    8.4.7 (Optional) Configuring the Switch to Transparently Transmit ARP Request Packets...........................................155

    8.4.8 (Optional) Configuring an Isolated Interface..........................................................................................................156

    8.4.9 (Optional) Configuring MFF Security.....................................................................................................................156

    8.4.10 Checking the Configuration...................................................................................................................................157

    8.5 Configuration Examples.............................................................................................................................................158

    8.5.1 Example for Configuring MFF................................................................................................................................158

    8.6 Common Configuration Errors...................................................................................................................................163

    8.6.1 Users Fail to Access the Internet After MFF Is Configured....................................................................................163

    9 Traffic Suppression and Storm Control Configuration.....................................................166

    9.1 Traffic Suppression and Storm Control Overview.....................................................................................................167

    9.2 Traffic Suppression and Storm Control Features Supported by the Device...............................................................167

    9.3 Default Configuration.................................................................................................................................................168

    9.4 Configuring Traffic Suppression................................................................................................................................168

    9.4.1 Configuring Traffic Suppression on an Interface....................................................................................................168

    9.4.2 Configuring Traffic Suppression in a VLAN..........................................................................................................169

    9.4.3 Configuring Traffic Suppression for ICMP Packets...............................................................................................170

    9.4.4 Checking the Configuration.....................................................................................................................................171

    9.5 Configuring Storm Control.........................................................................................................................................171

    9.6 Example for Configuring Traffic Suppression and Storm Control............................................................................173

    9.6.1 Example for Configuring Traffic Suppression........................................................................................................173

    9.6.2 Example for Configuring Storm Control.................................................................................................................174

    10 Keychain Configuration.........................................................................................................176

    10.1 Keychain Overview..................................................................................................................................................177


    10.2 Keychain Features Supported by the device.............................................................................................................177

    10.3 Configuring a Keychain............................................................................................................................................177

    10.3.1 Creating a Keychain..............................................................................................................................................178

    10.3.2 Configuring a Key.................................................................................................................................................179

    10.3.3 Applying the Keychain..........................................................................................................................................181

    10.3.4 Checking the Configuration...................................................................................................................................182

    10.4 Example for Configuring a Keychain.......................................................................................................................182

    10.4.1 Example for Applying the Keychain to RIP..........................................................................................................182

    10.4.2 Example for Applying the Keychain to BGP........................................................................................................185


1 AAA Configuration

About This Chapter

The AAA-capable device checks the validity of users and assigns rights to authorized users to ensure network security.

1.1 AAA Overview
Authentication, Authorization, and Accounting (AAA) is a security technology.

1.2 AAA Features Supported by the Device
The device supports RADIUS or HWTACACS authentication, authorization, and accounting, and local authentication and authorization.

1.3 Configuring Local Authentication and Authorization
After local authentication and authorization are configured, the device authenticates and authorizes access users based on the local user information.

1.4 Configuring RADIUS AAA
RADIUS is often used to implement authentication, authorization, and accounting (AAA).

1.5 Configuring HWTACACS AAA
Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control.

1.6 Maintaining AAA
AAA maintenance includes clearing AAA statistics.

1.7 Configuration Examples
This section provides several AAA configuration examples, including networking requirements, configuration notes, and the configuration roadmap.


1.1 AAA Overview

Authentication, Authorization, and Accounting (AAA) is a security technology.

Security Functions Provided by AAA

- Authentication: verifies whether users are authorized for network access.
- Authorization: authorizes users to use particular services.
- Accounting: records the network resources used by users.

Users can use only one or two of the security services provided by AAA. For example, if a company wants to authenticate the employees that access certain network resources, the network administrator only needs to configure an authentication server. If the company also wants to record the operations that employees perform on the network, an accounting server is needed as well.

AAA Architecture

AAA uses the client/server model, as shown in Figure 1-1. The AAA architecture features good scalability and facilitates centralized user information management.

Figure 1-1 AAA architecture: Access user <-> AAA client <-> AAA server

The AAA client authenticates a user who wants to access the network through the AAA client. The AAA client then sends the user's authentication, authorization, and accounting information to the AAA server.

Domain-based User Management

The device uses domains to manage users. You can apply authentication, authorization, and accounting schemes to a domain so that the device authenticates, authorizes, or performs accounting for the users in the domain using those schemes.

Each user of the device belongs to a domain. The domain to which a user belongs is determined by the character string that follows the domain name delimiter, which can be @, |, or %. For example, if the user name is user@huawei, the user belongs to the huawei domain. If the user name does not contain a delimiter such as @, the user belongs to the default domain, named default, in the system.

Authorization information configured in a domain has a lower priority than authorization information delivered by an AAA server. That is, the authorization information delivered by an AAA server is used preferentially. When the AAA server does not have or does not support authorization, the authorization attributes configured in the domain take effect. In this manner, you can add services flexibly by means of domain management, regardless of the authorization attributes provided by the AAA server.


1.2 AAA Features Supported by the Device

The device supports RADIUS or HWTACACS authentication, authorization, and accounting, and local authentication and authorization.

The device supports combinations of local, RADIUS, and HWTACACS authentication, authorization, and accounting. For example, the device can provide local authentication, local authorization, and RADIUS accounting. In practice, the following schemes are used separately:

- Local authentication and authorization
  If users need to be authenticated or authorized but no RADIUS server or HWTACACS server is deployed on the network, use local authentication and authorization. Local authentication and authorization feature fast processing and low operation cost, but the amount of user information that can be stored is limited by the device hardware capacity. Local authentication and authorization are often used for administrators.
- RADIUS authentication and accounting
  RADIUS protects a network from unauthorized access and is often used on networks that demand high security and remote user access control.
- HWTACACS authentication, authorization, and accounting
  HWTACACS protects a network from unauthorized access and supports command-line authorization. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control.

Multiple authentication or authorization modes can be used in one scheme. For example, local authentication can be used as a backup for RADIUS authentication and HWTACACS authentication, and local authorization can be used as a backup for HWTACACS authorization.

Configuration Process

Figure 1-2 shows the three AAA configuration processes.

Figure 1-2 AAA configuration process

(Flowchart. The figure marks each step as mandatory or optional; its three columns are:)

- Configuring local authentication and authorization: Configure AAA schemes -> Configure a local user -> Apply AAA schemes for a domain -> Configure a service scheme
- Configuring RADIUS authentication and accounting: Configure AAA schemes -> Configure the RADIUS server template -> Apply AAA schemes for a domain -> Configure a service scheme
- Configuring HWTACACS authentication, authorization, and accounting: Configure AAA schemes -> Configure the HWTACACS server template -> Apply AAA schemes for a domain -> Configure a service scheme


1.3 Configuring Local Authentication and Authorization

After local authentication and authorization are configured, the device authenticates and authorizes access users based on the local user information.

Local Authentication and Authorization

In local authentication and authorization, user information including the local user name, password, and attributes is configured on the device. Local authentication and authorization feature fast processing and low operation cost, but the amount of user information that can be stored is limited by the device hardware capacity.

Pre-configuration Tasks

Before configuring local authentication and authorization, complete the following task:

- Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up

1.3.1 Configuring AAA Schemes

Context

To use local authentication and authorization, set the authentication mode in an authentication scheme to local authentication and the authorization mode in an authorization scheme to local authorization.

By default, the device performs local authentication and authorization for access users.

Procedure

- Configuring an authentication scheme

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     aaa
     The AAA view is displayed.
  3. Run:
     authentication-scheme authentication-scheme-name
     An authentication scheme is created and its view is displayed, or the view of an existing authentication scheme is displayed.
     By default, there is an authentication scheme named default on the device. This default scheme can be modified but cannot be deleted.
  4. Run:
     authentication-mode local


     The authentication mode is set to local authentication.
  5. Run:
     commit
     The configuration is committed.

- Configuring an authorization scheme

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     aaa
     The AAA view is displayed.
  3. Run:
     authorization-scheme authorization-scheme-name
     An authorization scheme is created and its view is displayed, or the view of an existing authorization scheme is displayed.
     By default, there is an authorization scheme named default on the device. This default authorization scheme can be modified but cannot be deleted.
  4. Run:
     authorization-mode local [ none ]
     The authorization mode is configured.
  5. Run:
     quit
     The AAA view is displayed.
  6. (Optional) Run:
     task-group task-group-name
     A task group is created and the task group view is displayed.
  7. (Optional) Run:
     task task-name { debug | execute | read | write } *
     The task group rights are configured.
  8. (Optional) Run:
     quit
     The AAA view is displayed.
  9. (Optional) Run:
     user-group user-group-name
     A user group is created and the user group view is displayed.
  10. (Optional) Run:
     task-group task-group-name
     The task group is bound to the user group.
  11. Run:
     commit


     The configuration is committed.

----End

1.3.2 Configuring a Local User

Context

When local authentication and authorization are configured, configure the authentication and authorization information on the device, including the user name, password, and user level.

Procedure

Step 1 Run:
    system-view

    The system view is displayed.

Step 2 Run:
    aaa

    The AAA view is displayed.

Step 3 Run:
    local-user user-name password [ irreversible-cipher irreversible-cipher-password ]

    A local user is created and the user password is configured.

    NOTE
    If the user name contains a domain name delimiter such as @, |, or %, the character string before the delimiter is the user name and the character string after the delimiter is the domain name. If the user name does not contain a domain name delimiter, the entire character string is the user name and the domain name is default.

Step 4 (Optional) Configure the level of the local user or the group to which the local user belongs.

    - Run the local-user user-name level level command to configure the level of the local user.
    - Run the local-user user-name user-group group-name command to add the local user to the specified user group.

Step 5 (Optional) Run:
    local-user user-name service-type { [ terminal | telnet | ftp | ssh ] * | all }

    The access type is configured for the local user.

    By default, a local user can use any access type.

Step 6 (Optional) Run:
    local-user user-name ftp-directory directory

    The FTP directory right of the local user is configured.

    By default, the FTP directory of the local user is empty.

    NOTE
    If the access type of the local user is set to FTP, the FTP directory of the local user must be configured and the level of the local user cannot be lower than the management level. Otherwise, the FTP user login will fail.


Step 7 (Optional) Run:
    local-user user-name state { active | block }

    The state of the local user is configured.

    By default, a local user is in active state.

    The device processes requests from users in different states as follows:

    - If a local user is in active state, the device accepts and processes the authentication request from the user.
    - If a local user is in blocking state, the device rejects the authentication request from the user.

Step 8 (Optional) Run:
    local-user user-name access-limit max-number

    The maximum number of connections that the local user can establish is configured.

    By default, the number of connections established by a user is not limited.

Step 9 (Optional) Run:
    local-user authentication lock times

    The maximum number of consecutive authentication failures for a local user is configured.

    NOTE
    If a local user is in the locked state, you need to unlock it. Two ways are available:
    - In the AAA view, run the local-user authentication lock duration command to configure the interval after which a locked user is automatically unlocked. If a user has been locked for longer than the configured time, the user is automatically unlocked.
    - In the user view, run the activate aaa local-user command to manually unlock the specified local user.

Step 10 Run:
    commit

    The configuration is committed.

Step 11 Run the return command to return to the user view.

Step 12 (Optional) Run:
    local-user change-password

    The password of the local user is changed.

----End
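The admission checks that Steps 7 to 9 configure (user state, access-limit, the consecutive-failure lock with automatic and manual unlocking), as an added Python model; this is illustration code, not code from the CloudEngine guide. The lock duration is assumed to be in seconds against a caller-supplied clock, PBKDF2 stands in for the switch's irreversible-cipher storage, and the result strings are constructed.

```python
"""Local user admission checks from the procedure in section 1.3.2.

Added illustration, not code from the CloudEngine guide. It models the
per-user settings the procedure configures: state (active or block),
access-limit (maximum concurrent connections), the lock after a configured
number of consecutive authentication failures, automatic unlocking once the
lock duration has elapsed, and manual unlocking (activate aaa local-user).
Assumptions: lock_duration is in seconds and compared against a clock value
passed by the caller; password hashing uses PBKDF2 as a stand-in for the
switch's irreversible cipher; the result strings are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def _digest(password: str, salt: bytes) -> bytes:
    # Stand-in for the irreversible cipher: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class LocalUser:
    def __init__(self, name: str, password: str, state: str = "active",
                 access_limit: Optional[int] = None) -> None:
        self.name = name
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)
        self.state = state                # "active" (default) or "block"
        self.access_limit = access_limit  # None: not limited (default)
        self.connections = 0
        self.failures = 0                 # consecutive authentication failures
        self.locked_at: Optional[float] = None


class LocalAaa:
    """Settings from the AAA view that apply to all local users."""

    def __init__(self, lock_times: int = 3, lock_duration: float = 300.0) -> None:
        self.users: Dict[str, LocalUser] = {}
        self.lock_times = lock_times        # local-user authentication lock times
        self.lock_duration = lock_duration  # local-user authentication lock duration

    def add_user(self, user: LocalUser) -> None:
        self.users[user.name] = user

    def activate(self, name: str) -> None:
        """Manual unlock, like 'activate aaa local-user' in the user view."""
        user = self.users[name]
        user.failures = 0
        user.locked_at = None

    def _locked(self, user: LocalUser, now: float) -> bool:
        if user.locked_at is None:
            return False
        if now - user.locked_at >= self.lock_duration:
            # Locking time exceeded: the user is automatically unlocked.
            user.locked_at = None
            user.failures = 0
            return False
        return True

    def authenticate(self, name: str, password: str, now: float) -> str:
        """Return "accept" or a "reject: <reason>" string."""
        user = self.users.get(name)
        if user is None:
            return "reject: unknown user"
        if user.state == "block":
            # A blocked user is rejected before any password check.
            return "reject: user blocked"
        if self._locked(user, now):
            return "reject: user locked"
        if not hmac.compare_digest(_digest(password, user.salt), user.digest):
            user.failures += 1
            if user.failures >= self.lock_times:
                user.locked_at = now
                return "reject: user locked"
            return "reject: bad password"
        user.failures = 0  # a success ends the consecutive-failure run
        if user.access_limit is not None and user.connections >= user.access_limit:
            return "reject: access-limit reached"
        user.connections += 1
        return "accept"

    def disconnect(self, name: str) -> None:
        user = self.users[name]
        user.connections = max(0, user.connections - 1)
```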

1.3.3 Configuring a Domain

Context

The created authentication and authorization schemes take effect only after being applied to a domain. When local authentication and authorization are used, non-accounting is used by default.


Procedure

Step 1 Run:
    system-view

    The system view is displayed.

Step 2 Run:
    aaa

    The AAA view is displayed.

Step 3 Run:
    domain domain-name

    A domain is created and its view is displayed, or the view of an existing domain is displayed.

    The system has one default domain named default. This default domain can be modified but cannot be deleted.

Step 4 Run:
    authentication-scheme authentication-scheme-name

    An authentication scheme is applied to the domain.

    By default, the authentication scheme named default is applied to a domain.

Step 5 Run:
    authorization-scheme authorization-scheme-name

    An authorization scheme is applied to the domain.

    By default, the authorization scheme named default is applied to a domain, and the default authorization mode is local authorization.

Step 6 (Optional) Run:
    block

    The domain state is configured.

    When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

Step 7 (Optional) Run:
    access-limit max-number

    The maximum number of access users for the domain is set.

    By default, the number of access users is not limited.

Step 8 Run:
    commit

    The configuration is committed.

----End

1.3.4 Checking the Configuration


Procedure

- Run the display aaa configuration command to check the AAA summary.
- Run the display aaa authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
- Run the display aaa authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.
- Run the display aaa access-user [ domain domain-name | user-id userid | username user-name ] command to check the summary of all online wired users.
- Run the display aaa domain [ domain-name ] command to check the domain configuration.
- Run the display aaa local-user command to check brief information about local users.

----End

1.4 Configuring RADIUS AAA

RADIUS is often used to implement authentication, authorization, and accounting (AAA).

RADIUS Authentication, Authorization, and Accounting

RADIUS uses the client/server model and protects a network from unauthorized access. It is often used in network environments that require high security and control over remote user access.

Pre-configuration Tasks

Before configuring RADIUS AAA, complete the following task:

- Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up

1.4.1 Configuring AAA Schemes

Context

To use RADIUS AAA, set the authentication mode in an authentication scheme to RADIUS and the accounting mode in an accounting scheme to RADIUS.

If RADIUS authentication is configured, you can also configure local authentication or non-authentication as the backup. This allows local authentication or non-authentication to be used if RADIUS authentication fails. Similarly, if RADIUS accounting is configured, you can also configure non-accounting as the backup.

Procedure

- Configuring an authentication scheme

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     aaa


     The AAA view is displayed.
  3. Run:
     authentication-scheme authentication-scheme-name
     An authentication scheme is created and its view is displayed, or the view of an existing authentication scheme is displayed.
     By default, there is an authentication scheme named default on the device. The default authentication scheme can be modified but cannot be deleted.
  4. Run:
     authentication-mode radius
     RADIUS authentication is configured.
     By default, local authentication is used.
     To use local authentication as the backup authentication mode, run the authentication-mode radius local command.

     NOTE
     If multiple authentication modes are configured in an authentication scheme, they are used in the sequence in which they were configured. The device moves on to the next configured authentication mode only when it receives no response from the current one. If the current authentication fails, the device stops the authentication.
  5. Run:
     commit
     The configuration is committed.

- Configuring an accounting scheme

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     aaa
     The AAA view is displayed.
  3. Run:
     accounting-scheme accounting-scheme-name
     An accounting scheme is created and the accounting scheme view is displayed.
     There is a default accounting scheme named default on the device. The default accounting scheme can be modified but cannot be deleted.
  4. Run:
     accounting-mode radius
     The accounting mode is configured.
     By default, non-accounting is used.
  5. Run:
     commit
     The configuration is committed.

----End
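The mode-sequencing rule in the NOTE of 1.4.1 (next mode only on no response; an explicit failure stops the attempt) as an added Python model; this is illustration code, not code from the CloudEngine guide. The backends, credentials and Result type are constructed, and rejecting the user when every configured mode stays silent is an assumption the guide does not state. It also shows why a non-authentication backup turns a server outage into an automatic accept.

```python
"""Authentication-mode sequencing from the NOTE in section 1.4.1.

Added illustration, not code from the CloudEngine guide. The modes listed in
an authentication scheme (for example 'authentication-mode radius local')
are tried in configured order: the device moves to the next mode only when
the current one gives no response, and an explicit accept or reject from any
mode ends the attempt. The backends, credentials and the Result type are
constructed; rejecting when every mode stays silent is an assumption.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # for example, the RADIUS server is unreachable


Backend = Callable[[str, str], Result]


def run_scheme(modes: List[str], backends: Dict[str, Backend],
               user: str, password: str) -> Tuple[Result, List[str]]:
    """Walk the configured modes and return (final result, modes consulted).

    'none' is non-authentication: it accepts unconditionally, so listing it
    after radius makes a RADIUS outage fail open.
    """
    consulted: List[str] = []
    for mode in modes:
        consulted.append(mode)
        if mode == "none":
            return Result.ACCEPT, consulted
        result = backends[mode](user, password)
        if result is not Result.NO_RESPONSE:
            # An explicit accept or reject stops the sequence; later modes
            # are never consulted.
            return result, consulted
    # Every mode stayed silent: nothing vouched for the user (assumption).
    return Result.REJECT, consulted


def make_radius_backend(reachable: bool, accepted: Dict[str, str]) -> Backend:
    """Constructed RADIUS stand-in: silent when unreachable, otherwise an
    explicit answer from a user -> password table."""
    def backend(user: str, password: str) -> Result:
        if not reachable:
            return Result.NO_RESPONSE
        return Result.ACCEPT if accepted.get(user) == password else Result.REJECT
    return backend


# Constructed local user table, as configured with local-user commands.
LOCAL_USERS = {"admin": "LocalPw1"}


def local_backend(user: str, password: str) -> Result:
    return Result.ACCEPT if LOCAL_USERS.get(user) == password else Result.REJECT


if __name__ == "__main__":
    radius_up = make_radius_backend(True, {"admin": "RadiusPw1"})
    radius_down = make_radius_backend(False, {})
    # RADIUS answers with a reject: local is never tried.
    print(run_scheme(["radius", "local"],
                     {"radius": radius_up, "local": local_backend},
                     "admin", "LocalPw1"))
    # RADIUS is silent: local authentication is the backup.
    print(run_scheme(["radius", "local"],
                     {"radius": radius_down, "local": local_backend},
                     "admin", "LocalPw1"))
```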


1.4.2 Configuring a RADIUS Server Template

Context

In a RADIUS server template, you must specify the IP address, port number, and shared key of the RADIUS server. Other settings, such as the RADIUS user name format, traffic unit, and number of times RADIUS request packets are retransmitted, have default values and can be changed based on network requirements.

The RADIUS server template settings, such as the RADIUS user name format and shared key, must be the same as those on the RADIUS server.

Procedure

Step 1 Run:
    system-view

    The system view is displayed.

Step 2 (Optional) Run:
    radius server authorization ip-address [ vpn-instance vpn-instance-name ] { { shared-key key-string | shared-key-cipher key-string } | ack-reserved-interval interval }

    A RADIUS authorization server is configured.

    By default, no RADIUS authorization server is configured.

Step 3 Run:
    radius server group group-name

    The RADIUS server template view is displayed.

Step 4 Run:
    radius server authentication ip-address port [ vpn-instance vpn-instance-name | source interface-type interface-number | shared-key key-string | shared-key-cipher cipher-string ] *

    The primary RADIUS authentication server is configured.

    By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 5 (Optional) Run:
    radius server authentication ip-address port [ vpn-instance vpn-instance-name | source interface-type interface-number | shared-key key-string | shared-key-cipher cipher-string ] * secondary

    The secondary RADIUS authentication server is configured.

    By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 6 Run:
    radius server accounting ip-address port [ vpn-instance vpn-instance-name | source interface-type interface-number | shared-key key-string | shared-key-cipher cipher-string ] *

    The primary RADIUS accounting server is configured.


    By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.

    Step 7 (Optional) Run:
    radius server accounting ip-address port [ vpn-instance vpn-instance-name | source interface-type interface-number | shared-key key-string | shared-key-cipher cipher-string ] * secondary

    The secondary RADIUS accounting server is configured.

    By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.

    Step 8 (Optional) Run:
    radius server shared-key

    The RADIUS shared key is set.

    By default, the RADIUS shared key is huawei and the key is in plain text.

    Step 9 (Optional) Run:
    radius server user-name domain-excluded

    The RADIUS user name format is set.

    By default, the device sends the user name containing the domain name and delimiter to the RADIUS server for authentication.

    If the RADIUS server does not accept user names that contain the domain name, run the undo radius server user-name domain-excluded command to delete the domain name from the user name.

    Step 10 (Optional) Run:
    radius server { retransmit retry-times | timeout time-value } *

    The number of times that RADIUS request packets are retransmitted and the timeout interval are set.

    By default, the number of retransmissions is 3 and the timeout interval is 5 seconds.

    Step 11 (Optional) Run:
    mode load-balance

    The server mode is changed from primary/secondary mode to load balancing mode.

    Step 12 Run:
    commit

    The configuration is committed.

    ----End

    1.4.3 Configuring a Domain

    Context

    The created authentication scheme, accounting scheme, and RADIUS server template take effect only after being applied to a domain.


    Procedure

    Step 1 Run:
    system-view

    The system view is displayed.

    Step 2 Run:
    aaa

    The AAA view is displayed.

    Step 3 Run:
    domain domain-name

    A domain is created and the domain view is displayed.

    The system has one default domain named default. This default domain can be modified but cannot be deleted.

    Step 4 Run:
    authentication-scheme authentication-scheme-name

    An authentication scheme is applied to the domain.

    By default, the authentication scheme named default is applied to a domain.

    Step 5 (Optional) Run:
    accounting-scheme accounting-scheme-name

    An accounting scheme is applied to the domain.

    By default, the accounting scheme named default is applied to a domain. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

    Step 6 Run:
    radius server group template-name

    A RADIUS server template is applied to the domain.

    By default, no RADIUS server template is applied to a domain.

    Step 7 (Optional) Run:
    block

    The domain state is configured.

    When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

    Step 8 (Optional) Run:
    access-limit max-number

    The maximum number of access users for the domain is set.

    By default, the number of access users is not limited.

    Step 9 Run:
    commit

    The configuration is committed.

    ----End


    1.4.4 Checking the Configuration

    Procedure

    - Run the display aaa configuration command to check the AAA summary.
    - Run the display aaa authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
    - Run the display aaa accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.
    - Run the display radius server configuration [ group group-name ] command to check the RADIUS server template configuration.
    - Run the display aaa domain [ domain-name ] command to check the domain configuration.

    ----End
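    The following is an added end-to-end example, not taken from this guide, that runs the procedures in 1.4.1 to 1.4.4 in order: a RADIUS authentication scheme with local authentication as backup, a RADIUS accounting scheme, a server template with primary and secondary servers, a domain that binds them, and the display checks. The scheme, template and domain names, the server addresses (192.0.2.0/24 documentation range), the ports 1812/1813 (standard RADIUS ports, not the guide's default of 0) and the shared key are placeholders; lines beginning with # are explanatory comments, not CLI input, and prompts are omitted.

```text
# 1. Authentication scheme (AAA view): RADIUS first, local as backup.
#    Local is tried only if no RADIUS server responds; a RADIUS reject
#    ends the authentication (NOTE in 1.4.1), so the backup cannot be
#    used to bypass a rejection.
system-view
aaa
authentication-scheme rad-auth
authentication-mode radius local
quit
# 2. Accounting scheme: send accounting records to the RADIUS server.
accounting-scheme rad-acct
accounting-mode radius
quit
quit
# 3. RADIUS server template (system view). Replace PLACEHOLDER-KEY with
#    the key configured on the server; the default key "huawei" is the
#    documented factory value and must not stay in use.
radius server group rad-srv
radius server authentication 192.0.2.10 1812 shared-key PLACEHOLDER-KEY
radius server authentication 192.0.2.11 1812 shared-key PLACEHOLDER-KEY secondary
radius server accounting 192.0.2.10 1813 shared-key PLACEHOLDER-KEY
# Send the user name without the domain name and delimiter; the server's
# user entries must be in the same form (the formats have to match).
radius server user-name domain-excluded
# Defaults are 3 retransmissions and a 5 s timeout; shorten the wait
# before the secondary server (and then local authentication) is tried.
radius server retransmit 2 timeout 3
quit
# 4. Domain (AAA view): bind scheme and template, cap concurrent users.
aaa
domain ops
authentication-scheme rad-auth
accounting-scheme rad-acct
radius server group rad-srv
access-limit 20
commit
return
# 5. Verify from the user view (1.4.4).
display aaa configuration
display aaa authentication-scheme rad-auth
display aaa accounting-scheme rad-acct
display radius server configuration group rad-srv
display aaa domain ops
```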

    1.5 Configuring HWTACACS AAA

    Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control.

    HWTACACS Authentication, Authorization, and Accounting

    Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access users by communicating with the HWTACACS server.

    HWTACACS protects a network from unauthorized access and supports command-line authorization. Compared with RADIUS, HWTACACS is more suitable for security control.

    Pre-configuration Tasks

    Before configuring HWTACACS AAA, complete the following task:

    - Configuring physical attributes for interfaces to ensure that the physical layer status of the interfaces is Up

    1.5.1 Configuring AAA Schemes

    Context

    To use HWTACACS authentication, authorization, and accounting, set the authentication mode in an authentication scheme to HWTACACS, the authorization mode in an authorization scheme to HWTACACS, and the accounting mode in an accounting scheme to HWTACACS.

    When HWTACACS authentication is used, you can configure local authentication or non-authentication as a backup, so that local authentication or non-authentication is used if HWTACACS authentication fails. When HWTACACS authorization is used, you can configure local authorization or non-authorization as a backup.


    Procedure

    - Configuring an authentication scheme

    1. Run:
    system-view

    The system view is displayed.

    2. Run:
    aaa

    The AAA view is displayed.

    3. Run:
    authentication-scheme authentication-scheme-name

    An authentication scheme is created and its view is displayed, or the view of an existing authentication scheme is displayed.

    By default, there is an authentication scheme named default on the device. This default scheme can be modified but cannot be deleted.

    4. Run:
    authentication-mode hwtacacs

    HWTACACS authentication is configured.

    By default, local authentication is used.

    To use local authentication as the backup authentication mode, run the authentication-mode hwtacacs local command.

    NOTE
    If multiple authentication modes are configured in an authentication scheme, they are used in the sequence in which they were configured. The device moves on to the next configured mode only when it receives no response in the current authentication. If the current authentication fails, the device stops the authentication and does not try the next mode.

    5. Run:
    commit

    The configuration is committed.

    - Configuring an authorization scheme

    1. Run:
    system-view

    The system view is displayed.

    2. Run:
    aaa

    The AAA view is displayed.

    3. Run:
    authorization-scheme authorization-scheme-name

    An authorization scheme is created and its view is displayed, or the view of an existing authorization scheme is displayed.


    By default, there is an authorization scheme named default on the device. This default authorization scheme can be modified but cannot be deleted.

    4. Run:
    authorization-mode { hwtacacs | if-authenticated | local } * [ none ]

    The authorization mode is configured.

    By default, local authorization is used.

    If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    NOTE
    If multiple authorization modes are configured in an authorization scheme, they are used in the sequence in which they were configured. The device uses the next configured authorization mode only after the current authorization fails (not only when no response is received, as is the case for authentication).

    5. (Optional) Run:
    authorization-cmd [ privilege-level ] { local | hwtacacs } *

    Command-line authorization is enabled for users at the specified level.

    By default, command-line authorization is disabled for users of levels 0 to 15.

    If command-line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    6. Run:
    quit

    The AAA view is displayed.

    7. (Optional) Run:
    task-group task-group-name

    A task group is created and the task group view is displayed.

    8. (Optional) Run:
    task task-name { debug | execute | read | write }

    The task group rights are configured.

    9. (Optional) Run:
    quit

    The AAA view is displayed.

    10. (Optional) Run:
    user-group user-group-name

    A user group is created and the user group view is displayed.

    11. (Optional) Run:
    task-group task-group-name

    The task group is bound to the user group.

    12. Run:
    commit

    The configuration is committed.

    - Configuring an accounting scheme


    1. Run:
    system-view

    The system view is displayed.

    2. Run:
    aaa

    The AAA view is displayed.

    3. Run:
    accounting-scheme accounting-scheme-name

    An accounting scheme is created and its view is displayed, or the view of an existing accounting scheme is displayed.

    There is a default accounting scheme named default on the device. This default accounting scheme can be modified but cannot be deleted.

    4. Run:
    accounting-mode hwtacacs

    The accounting mode is configured.

    By default, non-accounting is used.

    5. Run:
    commit

    The configuration is committed.

    ----End

    1.5.2 Configuring an HWTACACS Server Template

    Context

    In an HWTACACS server template, you must specify the IP address, port number, and shared key of the HWTACACS server. Other settings, such as the HWTACACS user name format and traffic unit, have default values and can be changed based on network requirements.

    The HWTACACS server template settings, such as the HWTACACS user name format and shared key, must be the same as those on the HWTACACS server.

    Procedure

    Step 1 Run:
    system-view

    The system view is displayed.

    Step 2 Run:
    hwtacacs enable

    HWTACACS is enabled.

    Step 3 Run:
    hwtacacs server template template-name


    An HWTACACS server template is created and the HWTACACS server template view is displayed.

    Step 4 Run:
    hwtacacs server authentication ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] *

    The IP address of the primary HWTACACS authentication server is set.

    By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0, its port number is 0, and the server is not bound to any VPN instance.

    Step 5 (Optional) Run:
    hwtacacs server authentication ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

    The IP address of the secondary HWTACACS authentication server is set.

    By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0, its port number is 0, and the server is not bound to any VPN instance.

    Step 6 Run:
    hwtacacs server authorization ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] *

    The IP address of the primary HWTACACS authorization server is set.

    By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0, its port number is 0, and the server is not bound to any VPN instance.

    Step 7 (Optional) Run:
    hwtacacs server authorization ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

    The IP address of the secondary HWTACACS authorization server is set.

    By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0, its port number is 0, and the server is not bound to any VPN instance.

    Step 8 Run:
    hwtacacs server accounting ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] *

    The primary HWTACACS accounting server is configured.

    By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0, its port number is 0, and the server is not bound to any VPN instance.

    Step 9 (Optional) Run:
    hwtacacs server accounting ip-address [ port ] [ vpn-instance vpn-instance-name | shared-key { key-string | cipher cipher-string } | mux-mode ] * secondary

    The secondary HWTACACS accounting server is configured.

    By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0, its port number is 0, and the server is not bound to any VPN instance.

    Step 10 (Optional) Run:
    hwtacacs server source-ip ip-address

    The HWTACACS source IP address is set.


    By default, the HWTACACS source IP address is 0.0.0.0, and the device uses the IP address of the actual outbound interface as the source IP address in HWTACACS packets.

    After you set the source IP address of HWTACACS packets on the device, the device uses this IP address to communicate with the HWTACACS server. The HWTACACS server also uses a specified IP address to communicate with the device.

    Step 11 (Optional) Run:
    hwtacacs server shared-key [ cipher ] key-string

    The HWTACACS shared key is configured.

    By default, no HWTACACS shared key is configured.

    Step 12 (Optional) Run:
    hwtacacs server user-name domain-excluded

    The HWTACACS user name format is configured.

    By default, the device sends the user name containing the domain name and delimiter to the HWTACACS server for authentication.

    Step 13 (Optional) Run:
    hwtacacs server timer response-timeout interval

    The response timeout interval for the HWTACACS server is set.

    By default, the response timeout interval for an HWTACACS server is 5 seconds.

    If the device does not receive a response from the HWTACACS server within the timeout period, it considers the HWTACACS server faulty and uses the other configured authentication and authorization methods.

    Step 14 (Optional) Run:
    hwtacacs server timer quiet interval

    The interval after which the primary HWTACACS server returns to the active state is set.

    By default, the primary HWTACACS server returns to the active state after 5 minutes.

    Step 15 Run:
    commit

    The configuration is committed.

    Step 16 Run:
    return

    The user view is displayed.

    Step 17 (Optional) Run:
    hwtacacs-user change-password hwtacacs server template-name

    The password saved on the HWTACACS server is changed.

    ----End

    1.5.3 Configuring a Domain


    Context

    The created authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template take effect only after being applied to a domain.

    Procedure

    Step 1 Run:
    system-view

    The system view is displayed.

    Step 2 Run:
    aaa

    The AAA view is displayed.

    Step 3 Run:
    domain domain-name

    A domain is created and its view is displayed, or the view of an existing domain is displayed.

    The system has one default domain named default. This default domain can be modified but cannot be deleted.

    Step 4 Run:
    authentication-scheme authentication-scheme-name

    An authentication scheme is applied to the domain.

    By default, the authentication scheme named default is applied to a domain.

    Step 5 (Optional) Run:
    authorization-scheme authorization-scheme-name

    An authorization scheme is applied to the domain.

    By default, the authorization scheme named default is applied to a domain, and its authorization mode is local authorization.

    Step 6 (Optional) Run:
    accounting-scheme accounting-scheme-name

    An accounting scheme is applied to the domain.

    By default, the accounting scheme named default is applied to a domain. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

    Step 7 Run:
    hwtacacs server template-name

    An HWTACACS server template is applied to the domain.

    By default, no HWTACACS server template is applied to a domain.

    Step 8 (Optional) Run:
    block

    The domain state is configured.


    When a domain is in blocking state, users in this domain cannot log in. By default, a domain is in active state after being created.

    Step 9 (Optional) Run:
    access-limit max-number

    The maximum number of access users for the domain is set.

    By default, the number of access users is not limited.

    Step 10 Run:
    commit

    The configuration is committed.

    ----End

    1.5.4 Checking the Configuration

    Procedure

    - Run the display aaa configuration command to check the AAA summary.
    - Run the display aaa authentication-scheme [ authentication-scheme-name ] command to check the authentication scheme configuration.
    - Run the display aaa authorization-scheme [ authorization-scheme-name ] command to check the authorization scheme configuration.
    - Run the display aaa accounting-scheme [ accounting-scheme-name ] command to check the accounting scheme configuration.
    - Run the display hwtacacs server template [ template-name [ verbose ] ] command to check the HWTACACS server template configuration.
    - Run the display aaa domain [ domain-name ] command to check the domain configuration.

    ----End
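    The following is an added end-to-end example, not taken from this guide, that runs the procedures in 1.5.1 to 1.5.4 in order: authentication, authorization (including command-line authorization for one privilege level) and accounting schemes, an HWTACACS server template with a fixed source address and tuned timers, a domain that binds them, and the display checks. The scheme, template and domain names, the server and source addresses (192.0.2.0/24 documentation range), port 49 (the standard TACACS+ port, not the guide's default of 0), privilege level 3 and the shared key are placeholders; the quiet timer is assumed to take minutes because the guide's default is 5 minutes. Lines beginning with # are explanatory comments, not CLI input, and prompts are omitted.

```text
# 1. Schemes (AAA view).
system-view
aaa
authentication-scheme tac-auth
# HWTACACS first; local is used only when no server responds (NOTE in 1.5.1).
authentication-mode hwtacacs local
quit
authorization-scheme tac-author
# Authorization moves to local only after HWTACACS authorization fails;
# "none" is deliberately not appended, so a user is never left unauthorized.
authorization-mode hwtacacs local
# Every command entered by a level-3 user is authorized by the server first,
# by the local configuration if the server cannot decide.
authorization-cmd 3 hwtacacs local
quit
accounting-scheme tac-acct
accounting-mode hwtacacs
quit
quit
# 2. Server template (system view). Replace PLACEHOLDER-KEY with the key
#    configured on the server; no key is configured by default.
hwtacacs enable
hwtacacs server template tac-srv
hwtacacs server authentication 192.0.2.20 49 shared-key PLACEHOLDER-KEY
hwtacacs server authentication 192.0.2.21 49 shared-key PLACEHOLDER-KEY secondary
hwtacacs server authorization 192.0.2.20 49 shared-key PLACEHOLDER-KEY
hwtacacs server accounting 192.0.2.20 49 shared-key PLACEHOLDER-KEY
# Fixed source address (an address of this switch, placeholder) so the
# server's client entry for the switch matches a single address.
hwtacacs server source-ip 192.0.2.1
# Declare a silent server faulty after 3 s (default 5 s) and retry the
# primary server after 2 minutes (default 5 minutes).
hwtacacs server timer response-timeout 3
hwtacacs server timer quiet 2
quit
# 3. Domain (AAA view): bind the three schemes and the template.
aaa
domain netops
authentication-scheme tac-auth
authorization-scheme tac-author
accounting-scheme tac-acct
hwtacacs server tac-srv
commit
return
# 4. Verify from the user view (1.5.4).
display aaa authentication-scheme tac-auth
display aaa authorization-scheme tac-author
display aaa accounting-scheme tac-acct
display hwtacacs server template tac-srv verbose
display aaa domain netops
```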

    1.6 Maintaining AAA

    AAA maintenance includes clearing AAA statistics.

    1.6.1 Clearing AAA Statistics

    Context

    CAUTION
    The AAA statistics cannot be restored after being cleared. Confirm your operation before clearing the AAA statistics.

    Run the following commands to clear the statistics.


    Procedure

    - Run the reset aaa { offline-record | online-fail-record } command to clear the offline records and login failure statistics.
    - Run the reset hwtacacs server statistics { accounting | all | authentication | authorization } command to clear the HWTACACS statistics.

    ----End