RBAC temporary user role authorization configuration example (HWTACACS authentication)
Network requirements
As shown in Figure 17, the switch uses local authentication for login users, including the Telnet user at 192.168.1.58. The user account for the Telnet user is test@bbb and is assigned the user role level-0.
Configure the remote-then-local authentication mode for temporary user role authorization. The switch uses the HWTACACS server to provide authentication for changing the user role among level-0 through level-3 or changing the user role to network-admin. If the AAA configuration is invalid or the HWTACACS server does not respond, the switch performs local authentication.
Figure 17: Network diagram
Configuration procedure
Configure the switch:
# Assign an IP address to VLAN-interface 2, the interface connected to the Telnet user.
<Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 3, the interface connected to the HWTACACS server.
[Switch] interface vlan-interface 3 [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 [Switch-Vlan-interface3] quit
# Enable Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user lines for Telnet users.
[Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit
# Enable remote-then-local authentication for temporary user role authorization.
[Switch] super authentication-mode scheme local
# Create the HWTACACS scheme hwtac and enter HWTACACS scheme view.
[Switch] hwtacacs scheme hwtac
# Specify the primary authentication server address 10.1.1.1 and the service port 49 in the scheme.
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Set the shared key to expert in the scheme for the switch to authenticate to the server.
[Switch-hwtacacs-hwtac] key authentication simple expert
# Exclude the ISP domain name from the username sent to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit
# Create ISP domain bbb and enter ISP domain view.
[Switch] domain bbb
# Configure ISP domain bbb to use local authentication for login users.
[Switch-isp-bbb] authentication login local
# Configure ISP domain bbb to use local authorization for login users.
[Switch-isp-bbb] authorization login local
# Apply the HWTACACS scheme hwtac to the ISP domain for user role authentication.
[Switch-isp-bbb] authentication super hwtacacs-scheme hwtac [Switch-isp-bbb] quit
# Create a device management user named test and enter local user view. Set the service type to Telnet, and set the password to aabbcc.
[Switch] local-user test class manage New local user added. [Switch-luser-manage-test] service-type telnet [Switch-luser-manage-test] password simple aabbcc
# Assign level-0 to the user.
[Switch-luser-manage-test] authorization-attribute user-role level-0
# Delete the default user role network-operator.
[Switch-luser-manage-test] undo authorization-attribute user-role network-operator [Switch-luser-manage-test] quit
# Set the local authentication password to 654321 for the user role level-3.
[Switch] super password role level-3 simple 654321
# Set the local authentication password to 654321 for the user role network-admin.
[Switch] super password role network-admin simple 654321 [Switch] quit
Configure the HWTACACS server:
This example uses ACSv4.0.
Access the User Setup page.
Add a user account named test. (Details not shown.)
In the Advanced TACACS+ Settings area, configure the following parameters:
Select Level 3 for the Max Privilege for any AAA Client option.
If the target user role is only network-admin for temporary user role authorization, you can select any level from the Max Privilege for any AAA Client option.
Select the Use separate password option, and specify enabpass as the password.
Figure 18: Configuring advanced TACACS+ settings
Select Shell (exec) and Custom attributes, and enter allowed-roles="network-admin" in the Custom attributes field.
Use a blank space to separate the allowed roles.
Figure 19: Configuring custom attributes for the Telnet user
Verifying the configuration
Telnet to the switch, and enter the username test@bbb and password aabbcc to access the switch. Verify that you have access to diagnostic commands.
<Switch> telnet 192.168.1.70 Trying 192.168.1.70 ... Press CTRL+K to abort Connected to 192.168.1.59 ... ****************************************************************************** * Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP * * Without the owner's prior written consent, * * no decompiling or reverse-engineering shall be allowed. * ****************************************************************************** login: test@bbb Password: <Switch>? User view commands: ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super Switch to a user role system-view Enter the System View telnet Establish a telnet connection tracert Tracert function <Switch>
Verify that you can obtain the level-3 user role:
# Use the super password to obtain the level-3 user role. When the system prompts for a username and password, enter the username test@bbb and password enabpass.
<Switch> super level-3 Username: test@bbb Password:
The following output shows that you have obtained the level-3 user role.
User privilege role is level-3, and only those commands that authorized to the role can be used.
# If the ACS server does not respond, enter the local authentication password 654321 at the prompt.
Invalid configuration or no response from the authentication server. Change authentication mode to local. Password: User privilege role is level-3, and only those commands that authorized to the role can be used.
The output shows that you have obtained the level-3 user role.
Use the method in step 2 to verify that you can obtain the user roles level 0, level 1, level 2, and network-admin. (Details not shown.)