Level switching authentication for Telnet users by an HWTACACS server
Network requirements
As shown in Figure 16, configure the switch to:
Use local authentication for the Telnet user and assign the privilege level of 0 to the user after the user passes authentication.
Use the HWTACACS server for level switching authentication of the Telnet user, and use local authentication as the backup.
Figure 16: Network diagram
Configuration considerations
Configure the switch to use AAA (specifically, local authentication) for Telnet users:
Create ISP domain bbb and configure it to use local authentication for Telnet users.
Create a local user account, configure the password, and assign the privilege level for the user to enjoy after login.
On the switch, configure the authentication method for user privilege level switching:
Specify the switch to use HWTACACS authentication and, if HWTACACS authentication is not available, use local authentication for user level switching authentication.
Configure HWTACACS scheme hwtac and assign an IP address to the HWTACACS server. Set the shared keys for secure HWTACACS communication and specify that usernames sent to the HWTACACS server carry no domain name. Configure the domain to use the HWTACACS scheme hwtac for user privilege level switching authentication.
Configure the password for local privilege level switching authentication.
On the HWTACACS server, add the username and password for user privilege level switching authentication.
Configuration procedure
Configure the switch:
# Configure the IP address of VLAN-interface 2, through which the Telnet user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Enable the switch to provide Telnet service.
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] quit
# Use HWTACACS authentication for user level switching authentication and, if HWTACACS authentication is not available, use local authentication.
[Switch] super authentication-mode scheme local
# Create an HWTACACS scheme named hwtac.
[Switch] hwtacacs scheme hwtac
# Specify the IP address for the primary authentication server as 10.1.1.1 and the port for authentication as 49.
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Set the shared key for secure authentication communication to expert.
[Switch-hwtacacs-hwtac] key authentication simple expert
# Remove domain names from the usernames sent to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Create ISP domain bbb.
[Switch] domain bbb
# Configure the ISP domain to use local authentication for Telnet users.
[Switch-isp-bbb] authentication login local
# Configure the switch to use HWTACACS scheme hwtac for privilege level switching authentication.
[Switch-isp-bbb] authentication super hwtacacs-scheme hwtac
[Switch-isp-bbb] quit
# Create a local Telnet user named test.
[Switch] local-user test
[Switch-luser-test] service-type telnet
[Switch-luser-test] password simple aabbcc
# Configure the user level of the Telnet user to 0 after user login.
[Switch-luser-test] authorization-attribute level 0
[Switch-luser-test] quit
# Configure the password for local privilege level switching authentication to 654321.
[Switch] super password simple 654321
[Switch] quit
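The following Python script is an added example, not part of this guide and not HPE software: it parses the switch-side commands above (the same lines, with the CLI prompts stripped, embedded as a constructed sample) and checks that the settings privilege level switching depends on fit together: the mode list from super authentication-mode, the scheme the domain binds for super authentication, the server and key in that scheme, and the local super password the fallback needs. The regular expressions cover only the command forms shown on this page; the simple/cipher keyword pair and TACACS+ port 49 as the default when no port is given are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the switch-side commands from the procedure above, with
# the CLI prompts removed, in the order they were entered.
SAMPLE_CONFIG = """\
super authentication-mode scheme local
hwtacacs scheme hwtac
 primary authentication 10.1.1.1 49
 key authentication simple expert
 user-name-format without-domain
domain bbb
 authentication login local
 authentication super hwtacacs-scheme hwtac
local-user test
 service-type telnet
 password simple aabbcc
 authorization-attribute level 0
super password simple 654321
"""

Finding = Tuple[str, str]  # (code, human-readable message)


def parse_config(text: str) -> Dict:
    """Collect only the settings that decide how 'super' is authenticated."""
    cfg = {"super_modes": [], "schemes": {}, "domains": {},
           "super_password": None, "plaintext_secrets": []}
    ctx = None  # ("scheme", name) or ("domain", name) while inside that view
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.fullmatch(r"super authentication-mode (.+)", line):
            cfg["super_modes"] = m.group(1).split()
        elif m := re.fullmatch(r"super password (simple|cipher) (\S+)", line):
            cfg["super_password"] = m.group(1)
            if m.group(1) == "simple":
                cfg["plaintext_secrets"].append("super password")
        elif m := re.fullmatch(r"hwtacacs scheme (\S+)", line):
            ctx = ("scheme", m.group(1))
            cfg["schemes"][m.group(1)] = {"primary": None, "key_form": None, "without_domain": False}
        elif m := re.fullmatch(r"domain (\S+)", line):
            ctx = ("domain", m.group(1))
            cfg["domains"][m.group(1)] = {"super_scheme": None}
        elif re.fullmatch(r"local-user \S+", line):
            ctx = None  # local-user view is not relevant to super authentication
        elif ctx and ctx[0] == "scheme":
            scheme = cfg["schemes"][ctx[1]]
            if m := re.fullmatch(r"primary authentication (\S+)(?: (\d+))?", line):
                scheme["primary"] = (m.group(1), int(m.group(2) or 49))  # 49 = TACACS+ default (assumed)
            elif m := re.fullmatch(r"key authentication (simple|cipher) \S+", line):
                scheme["key_form"] = m.group(1)
                if m.group(1) == "simple":
                    cfg["plaintext_secrets"].append(f"hwtacacs scheme {ctx[1]} key")
            elif line == "user-name-format without-domain":
                scheme["without_domain"] = True
        elif ctx and ctx[0] == "domain":
            if m := re.fullmatch(r"authentication super hwtacacs-scheme (\S+)", line):
                cfg["domains"][ctx[1]]["super_scheme"] = m.group(1)
    return cfg


def lint(cfg: Dict) -> List[Finding]:
    """Report gaps that would make level switching fail, or secrets given in plaintext form."""
    findings: List[Finding] = []
    modes = cfg["super_modes"]
    if "scheme" in modes:
        for dname, d in cfg["domains"].items():
            sname = d["super_scheme"]
            if sname is None:
                findings.append(("NO_SUPER_SCHEME", f"domain {dname} binds no HWTACACS scheme for super authentication"))
            elif sname not in cfg["schemes"]:
                findings.append(("UNDEFINED_SCHEME", f"domain {dname} references undefined scheme {sname}"))
            else:
                s = cfg["schemes"][sname]
                if s["primary"] is None:
                    findings.append(("NO_PRIMARY_SERVER", f"scheme {sname} has no primary authentication server"))
                if s["key_form"] is None:
                    findings.append(("NO_SHARED_KEY", f"scheme {sname} has no authentication key"))
    if "local" in modes and cfg["super_password"] is None:
        findings.append(("NO_LOCAL_SUPER_PASSWORD", "local fallback enabled but no 'super password' is set"))
    if "local" not in modes:
        findings.append(("NO_FALLBACK", "no local fallback: super fails whenever the server is unreachable"))
    for what in cfg["plaintext_secrets"]:
        findings.append(("PLAINTEXT_SECRET", f"{what} given with the 'simple' keyword"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_config(SAMPLE_CONFIG)):
        print(f"{code}: {msg}")
```

On the sample as written the only findings are the two secrets entered with the simple keyword; removing the super password line or misspelling the scheme name in the domain produces the corresponding NO_LOCAL_SUPER_PASSWORD or UNDEFINED_SCHEME finding, which is the kind of mismatch that otherwise only shows up when a user tries super with the server down.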
Configure the HWTACACS server:
NOTE: The HWTACACS server in this example runs ACSv4.0.
Add a user named test on the HWTACACS server and configure advanced attributes for the user as shown in Figure 17:
Select Max Privilege for any AAA Client and set the privilege level to level 3.
Select Use separate password and specify the password as enabpass.
After these configurations, the user must enter the password enabpass when switching to level 1, level 2, or level 3.
Figure 17: Configuring advanced attributes for the Telnet user
Verify the configuration:
After you complete the configuration, the Telnet user can telnet to the switch, log in with username test@bbb and password aabbcc to enter the user interface, and access all level 0 commands.
<Switch> telnet 192.168.1.70
Trying 192.168.1.70 ...
Press CTRL+K to abort
Connected to 192.168.1.70 ...
******************************************************************************
* Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Login authentication

Username:test@bbb
Password:
<Switch> ?
User view commands:
  cluster  Run cluster command
  display  Display current system information
  ping     Ping function
  quit     Exit from current command view
  ssh2     Establish a secure shell client connection
  super    Set the current user priority level
  telnet   Establish one TELNET connection
  tracert  Trace route function
To switch to user privilege level 3, the Telnet user only needs to enter the password enabpass at the prompt.
<Switch> super 3
Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
If the HWTACACS server is not available, the switch falls back to local authentication and the Telnet user must enter the password 654321 at the second prompt.
<Switch> super 3
Password:
Enter the password for HWTACACS privilege level switching authentication.
Error: Invalid configuration or no response from the authentication server.
Info: Change authentication mode to local.
Password:
Enter the password for local privilege level switching authentication.
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
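To make the two verification cases above concrete, here is an added Python model of the order in which super authentication-mode scheme local consults the HWTACACS scheme and then the local super password. It is not HPE code and not the switch's implementation: the HwtacacsServer and Switch classes, the prompt strings, and the rule that only a non-responding server (not an explicit rejection) moves the switch on to local authentication are assumptions drawn from the "if HWTACACS authentication is not available" wording and the output shown above.

```python
from dataclasses import dataclass
from hmac import compare_digest
from typing import List, Optional, Tuple


@dataclass
class HwtacacsServer:
    """Constructed stand-in for the HWTACACS server at 10.1.1.1 in the example."""
    reachable: bool
    enable_password: str   # "Use separate password" on the server
    max_privilege: int     # "Max Privilege for any AAA Client"

    def check(self, password: str, level: int) -> Optional[bool]:
        """None = no response (server down); True/False = the server's verdict."""
        if not self.reachable:
            return None
        return level <= self.max_privilege and compare_digest(password, self.enable_password)


@dataclass
class Switch:
    """Constructed model of the 'super' settings configured in the procedure."""
    super_modes: List[str]        # ["scheme", "local"] for 'super authentication-mode scheme local'
    server: HwtacacsServer        # bound by 'authentication super hwtacacs-scheme hwtac'
    local_super_password: str     # 'super password simple 654321'
    current_level: int = 0        # 'authorization-attribute level 0'

    def super_switch(self, requested: int, typed: List[str]) -> Tuple[bool, str, List[str]]:
        """Attempt 'super <requested>'. `typed` holds the passwords the user enters at
        successive prompts. Returns (granted, method that decided, log of prompts/events)."""
        log: List[str] = []
        answers = iter(typed)
        for mode in self.super_modes:
            if mode == "scheme":
                log.append("prompt: HWTACACS privilege level switching password")
                verdict = self.server.check(next(answers, ""), requested)
                if verdict is None:
                    # Assumed rule: only a non-responding server falls through to the
                    # next method; a rejection from a live server is final.
                    log.append("no response from the authentication server; changing to next method")
                    continue
                method = "hwtacacs"
            elif mode == "local":
                log.append("prompt: local privilege level switching password")
                verdict = compare_digest(next(answers, ""), self.local_super_password)
                method = "local"
            else:
                raise ValueError(f"unknown super authentication mode {mode!r}")
            if verdict:
                self.current_level = requested
            log.append(f"{method}: {'granted' if verdict else 'rejected'} level {requested}")
            return verdict, method, log
        log.append("all configured methods exhausted")
        return False, "none", log


if __name__ == "__main__":
    up = HwtacacsServer(reachable=True, enable_password="enabpass", max_privilege=3)
    down = HwtacacsServer(reachable=False, enable_password="enabpass", max_privilege=3)
    for label, srv, typed in [("server up", up, ["enabpass"]),
                              ("server down", down, ["enabpass", "654321"]),
                              ("server up, wrong password", up, ["wrong", "654321"])]:
        sw = Switch(["scheme", "local"], srv, "654321")
        granted, method, log = sw.super_switch(3, typed)
        print(f"{label}: granted={granted} via {method}; level now {sw.current_level}")
        for entry in log:
            print("  " + entry)
```

The third scenario is the one worth noticing when reviewing such a setup: because the fallback is keyed on server availability rather than on the outcome, a wrong HWTACACS password does not get a second chance against the local super password, so the local password only matters while the server is unreachable.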