Level switching authentication for Telnet users by an HWTACACS server

Network requirements

As shown in Figure 16, configure the switch to:

Figure 16: Network diagram

Configuration considerations

  • Configure the switch to use AAA, and in particular local authentication, for Telnet users.

  • On the switch, configure the authentication method for user privilege level switching: HWTACACS first, with local authentication as the backup when the HWTACACS server does not respond.

  • On the HWTACACS server, add the username and password for user privilege level switching authentication.

Configuration procedure

  • Configure the switch:

    # Configure the IP address of VLAN-interface 2, through which the Telnet user accesses the switch.

    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    

    # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.

    [Switch] interface vlan-interface 3
    [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
    [Switch-Vlan-interface3] quit
    

    # Enable the switch to provide Telnet service. (Telnet carries the login and the whole session in clear text, so the credentials used below are exposed to anyone on the path between the Telnet user and VLAN-interface 2.)

    [Switch] telnet server enable
    

    # Configure the switch to use AAA for Telnet users.

    [Switch] user-interface vty 0 15
    [Switch-ui-vty0-15] authentication-mode scheme
    [Switch-ui-vty0-15] quit
    

    # Use HWTACACS authentication for user level switching authentication and, if HWTACACS authentication is not available, use local authentication.

    [Switch] super authentication-mode scheme local
    

    # Create an HWTACACS scheme named hwtac.

    [Switch] hwtacacs scheme hwtac
    

    # Specify the IP address for the primary authentication server as 10.1.1.1 and the port for authentication as 49.

    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    

    # Set the shared key for secure authentication communication to expert. This key is the only protection for the HWTACACS session contents: TACACS+ obfuscates packet bodies by XORing them with an MD5 keystream derived from the key, so anyone who learns the key can read every password that crosses the link.

    [Switch-hwtacacs-hwtac] key authentication simple expert
    

    # Remove domain names from the usernames sent to the HWTACACS server, so that the server sees test rather than test@bbb and matches the account added on the server.

    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    

    # Create ISP domain bbb.

    [Switch] domain bbb
    

    # Configure the ISP domain to use local authentication for Telnet users.

    [Switch-isp-bbb] authentication login local
    

    # Configure the switch to use HWTACACS scheme hwtac for privilege level switching authentication.

    [Switch-isp-bbb] authentication super hwtacacs-scheme hwtac
    [Switch-isp-bbb] quit
    

    # Create a local Telnet user named test.

    [Switch] local-user test
    [Switch-luser-test] service-type telnet
    [Switch-luser-test] password simple aabbcc
    

    # Configure the user level of the Telnet user to 0 after user login.

    [Switch-luser-test] authorization-attribute level 0
    [Switch-luser-test] quit
    

    # Configure the password for local privilege level switching authentication to 654321. No level is specified, so the password applies to the default level, level 3.

    [Switch] super password simple 654321
    [Switch] quit
    
  • Configure the HWTACACS server:


    NOTE:

    The HWTACACS server in this example runs ACSv4.0.

    Add a user named test on the HWTACACS server and configure advanced attributes for the user as shown in Figure 17:

    1. Select Max Privilege for any AAA Client and set the privilege level to level 3.

    2. Select Use separate password and specify the password as enabpass.

    After these configurations, the user must enter the password enabpass when switching to level 1, level 2, or level 3.

    Figure 17: Configuring advanced attributes for the Telnet user

  • Verify the configuration:

    After you complete the configuration, the Telnet user should be able to telnet to the switch, log in with username test@bbb and password aabbcc, and access all level 0 commands.

    <Switch> telnet 192.168.1.70
    Trying 192.168.1.70 ...
    Press CTRL+K to abort
    Connected to 192.168.1.70 ...
    ******************************************************************************
    * Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************
    
    Login authentication
    
    Username:test@bbb
    Password:
    <Switch> ?
    User view commands:
      cluster  Run cluster command
      display  Display current system information
      ping     Ping function
      quit     Exit from current command view
      ssh2     Establish a secure shell client connection
      super    Set the current user priority level
      telnet   Establish one TELNET connection
      tracert  Trace route function
    

    When switching to user privilege level 3, the Telnet user only needs to enter password enabpass as prompted.

    <Switch> super 3
     Password:
    User privilege level is 3, and only those commands can be used
    whose level is equal or less than this.
    Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
    

    If the HWTACACS server is not available, the Telnet user needs to enter password 654321 as prompted for local authentication.

    <Switch> super 3
     Password:        (enter the password for HWTACACS privilege level switching authentication)
     Error: Invalid configuration or no response from the authentication server.
     Info: Change authentication mode to local.
     Password:        (enter the password for local privilege level switching authentication)
    User privilege level is 3, and only those commands can be used
    whose level is equal or less than this.
    Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
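The page shows the switch-side commands and the two prompts, but not what passes between the switch and the HWTACACS server when the user runs super 3, nor where the local fallback shown above actually kicks in. The following is an added example, not code from the page or from HPE: it implements the RFC 8907 TACACS+ header and MD5 body obfuscation, the authentication START/REPLY/CONTINUE bodies used for an enable (privilege level switching) request, a mock server holding the user from Figure 17 (user test, separate enable password enabpass, max privilege 3), and a client that follows super authentication-mode scheme local (HWTACACS first, local password 654321 only when the server does not respond). The session id, the port and remote address in the START body, and the server database are constructed for the example.

```python
"""TACACS+ (HWTACACS) privilege-level-switching exchange, modelled end to end.
Added example, not code from the page or from HPE. Session id, port, remote
address and the server database are constructed; the user mirrors Figure 17."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0                  # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 1                      # header type: authentication
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_ENABLE = 1, 1, 2
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS, STATUS_ERROR = 1, 2, 5, 7
REPLY_FLAG_NOECHO = 1

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(...|MD5_n-1). XOR with it is obfuscation, not encryption."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def pack(session_id, key, seq_no, body):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    hdr = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                      session_id, len(body))
    return hdr + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def unpack(packet, key):
    version, _t, seq_no, _f, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    return session_id, seq_no, body

def start_body(user, priv_lvl, port=b"vty0", rem_addr=b"192.168.1.100"):
    """Authentication START for 'super <priv_lvl>': action login, service enable, type ASCII."""
    u = user.encode()
    return struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_ENABLE,
                       len(u), len(port), len(rem_addr), 0) + u + port + rem_addr

def parse_start(body):
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):          # garbage lengths: shared key mismatch
        raise ValueError("START body does not parse; shared key mismatch?")
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": body[8:8 + ul].decode(errors="replace")}

def reply_body(status, server_msg=b"", flags=0):
    return struct.pack("!BBHH", status, flags, len(server_msg), 0) + server_msg
def parse_reply(body):
    status, _flags, ml, _dl = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + ml]
def continue_body(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg
def parse_continue(body):
    ml, _dl, _flags = struct.unpack("!HHB", body[:5])
    return body[5:5 + ml]

# Constructed server database mirroring Figure 17: separate enable password, max privilege 3.
SERVER_USERS = {"test": {"enable_password": b"enabpass", "max_priv": 3}}

def mock_server(packet, key, session):
    """Decode one client packet and build the HWTACACS server's reply."""
    session_id, seq_no, body = unpack(packet, key)
    if seq_no == 1:
        try:
            req = parse_start(body)
        except ValueError:
            return pack(session_id, key, 2, reply_body(STATUS_ERROR, b"bad packet"))
        if req["service"] != AUTHEN_SVC_ENABLE or req["authen_type"] != AUTHEN_TYPE_ASCII:
            return pack(session_id, key, 2, reply_body(STATUS_ERROR, b"unsupported"))
        session.update(user=req["user"], priv=req["priv_lvl"])
        return pack(session_id, key, 2,
                    reply_body(STATUS_GETPASS, b"Password: ", REPLY_FLAG_NOECHO))
    entry = SERVER_USERS.get(session.get("user"))
    ok = (entry is not None and parse_continue(body) == entry["enable_password"]
          and session.get("priv", 99) <= entry["max_priv"])
    return pack(session_id, key, seq_no + 1, reply_body(STATUS_PASS if ok else STATUS_FAIL))

def switch_super(user, level, answers, key=b"expert", server=mock_server,
                 local_super=b"654321"):
    """Client side of 'super <level>' under 'super authentication-mode scheme local'.
    answers maps the prompt kind ('hwtacacs' or 'local') to what the operator types.
    Returns (method used, granted). Local fallback only when the server is unreachable."""
    session_id, session = 0x5A5A1234, {}            # constructed session id
    try:
        reply = server(pack(session_id, key, 1, start_body(user, level)), key, session)
        status, _ = parse_reply(unpack(reply, key)[2])
        if status != STATUS_GETPASS:
            return "hwtacacs", False
        reply = server(pack(session_id, key, 3, continue_body(answers["hwtacacs"])), key, session)
        status, _ = parse_reply(unpack(reply, key)[2])
        return "hwtacacs", status == STATUS_PASS
    except TimeoutError:                            # "no response from the authentication server"
        return "local", answers["local"] == local_super
```

Two points the transcript alone does not make visible: a wrong enable password produces a FAIL reply and the switch stays at the current level without consulting the local super password (only an unreachable server triggers the Info: Change authentication mode to local path), and because the body obfuscation is an MD5 keystream keyed only by the shared key, a capture of this exchange plus the key expert yields the enable password in the clear, which is why the key deserves the same handling as the passwords it protects.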