RBAC temporary user role authorization configuration example (HWTACACS authentication)

Network requirements

As shown in Figure 17, the switch uses local authentication for login users, including the Telnet user at 192.168.1.58. The user account for the Telnet user is test@bbb and is assigned the user role level-0.

Configure the remote-then-local authentication mode for temporary user role authorization. The switch uses the HWTACACS server to provide authentication for changing the user role among level-0 through level-3 or changing the user role to network-admin. If the AAA configuration is invalid or the HWTACACS server does not respond, the switch performs local authentication.

Figure 17: Network diagram

Configuration procedure

  1. Configure the switch:

    # Assign an IP address to VLAN-interface 2, the interface connected to the Telnet user.

    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    

    # Assign an IP address to VLAN-interface 3, the interface connected to the HWTACACS server.

    [Switch] interface vlan-interface 3
    [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
    [Switch-Vlan-interface3] quit
    

    # Enable Telnet server.

    [Switch] telnet server enable
    

    # Enable scheme authentication on the user lines for Telnet users.

    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    

    # Enable remote-then-local authentication for temporary user role authorization.

    [Switch] super authentication-mode scheme local
    

    # Create the HWTACACS scheme hwtac and enter HWTACACS scheme view.

    [Switch] hwtacacs scheme hwtac
    

    # Specify the primary authentication server address 10.1.1.1 and the service port 49 in the scheme.

    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    

    # Set the shared key to expert in the scheme. The key must match the key configured on the HWTACACS server; it is used to protect the authentication packets exchanged between the switch and the server.

    [Switch-hwtacacs-hwtac] key authentication simple expert
    

    # Exclude the ISP domain name from the username sent to the HWTACACS server.

    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    

    # Create ISP domain bbb and enter ISP domain view.

    [Switch] domain bbb
    

    # Configure ISP domain bbb to use local authentication for login users.

    [Switch-isp-bbb] authentication login local
    

    # Configure ISP domain bbb to use local authorization for login users.

    [Switch-isp-bbb] authorization login local
    

    # Apply the HWTACACS scheme hwtac to the ISP domain for user role authentication.

    [Switch-isp-bbb] authentication super hwtacacs-scheme hwtac
    [Switch-isp-bbb] quit
    

    # Create a device management user named test and enter local user view. Set the service type to Telnet, and set the password to aabbcc.

    [Switch] local-user test class manage
    New local user added.
    [Switch-luser-manage-test] service-type telnet
    [Switch-luser-manage-test] password simple aabbcc
    

    # Assign level-0 to the user.

    [Switch-luser-manage-test] authorization-attribute user-role level-0
    

    # Remove the default user role network-operator, which the system assigns to every new local user, so that test holds only level-0.

    [Switch-luser-manage-test] undo authorization-attribute user-role network-operator
    [Switch-luser-manage-test] quit
    

    # Set the local authentication password to 654321 for the user role level-3.

    [Switch] super password role level-3 simple 654321
    

    # Set the local authentication password to 654321 for the user role network-admin.

    [Switch] super password role network-admin simple 654321
    [Switch] quit
    
  2. Configure the HWTACACS server:

    This example uses ACSv4.0.

    1. Access the User Setup page.

    2. Add a user account named test. (Details not shown.)

    3. In the Advanced TACACS+ Settings area, configure the following parameters:

      • Select Level 3 for the Max Privilege for any AAA Client option.

        If network-admin is the only target user role for temporary user role authorization, the Max Privilege for any AAA Client setting does not matter and you can select any level.

      • Select the Use separate password option, and specify enabpass as the password.

      Figure 18: Configuring advanced TACACS+ settings

    4. Select Shell (exec) and Custom attributes, and enter allowed-roles="network-admin" in the Custom attributes field.

      To allow more than one role, separate the role names with a space.

      Figure 19: Configuring custom attributes for the Telnet user
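What the switch sends to the ACS server when the Telnet user types super level-3, as an added example (not code from the Comware manual or from ACS): a TACACS+ authentication START packet for the enable service at privilege level 3, with the body obfuscated under the shared key expert as RFC 8907 specifies, followed by the decode the server performs. HWTACACS is the Comware name for the protocol the ACS server in this example speaks; the standard TACACS+ framing is used here. The username goes out as test rather than test@bbb because of user-name-format without-domain. The session id, the port name vty0 and the use of PAP for the enable request are assumptions made for the example.

```python
"""TACACS+ authentication START as sent for a `super level-3` request.

Added example, not code from the Comware manual or from ACS. Packet format
per RFC 8907. Session id, port name "vty0" and PAP for the enable-service
request are assumptions made for the example.
"""
import hashlib
import struct

TAC_PLUS_VERSION_PAP = (0xC << 4) | 0x1   # major 0xC, minor 1 (required for PAP)
TAC_PLUS_AUTHEN = 0x01                    # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01              # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02         # privilege change ("enable"), i.e. super
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")         # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5 keystream: MD5_1 = MD5(sid|key|ver|seq), MD5_n = MD5(sid|key|ver|seq|MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it a second time restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, password: bytes, priv_lvl: int,
                      port: bytes, rem_addr: bytes) -> bytes:
    """START body: 8 fixed bytes, then user, port, rem_addr and data (the PAP password)."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_ENABLE, len(user), len(port), len(rem_addr),
                        len(password))
    return fixed + user + port + rem_addr + password


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 version: int = TAC_PLUS_VERSION_PAP, unencrypted: bool = False) -> bytes:
    """Header plus body; the body is sent in the clear only if the unencrypted flag is set."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    payload = body if unencrypted else obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + payload


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode with the shared key; with the wrong key the field lengths stop adding up."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length or ptype != TAC_PLUS_AUTHEN:
        raise ValueError("truncated or non-authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != length:
        raise ValueError("field lengths inconsistent: shared key mismatch or corrupt packet")
    fields, off = {}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service,
                  unencrypted=bool(flags & TAC_PLUS_UNENCRYPTED_FLAG))
    return fields


if __name__ == "__main__":
    # Values from the example: user test (domain stripped), enable password enabpass from ACS,
    # key expert, level-3 requested as priv_lvl 3. Session id and port are constructed.
    body = authen_start_body(b"test", b"enabpass", 3, b"vty0", b"192.168.1.58")
    pkt = build_packet(body, b"expert", session_id=0x1234ABCD)
    print(parse_authen_start(pkt, b"expert"))
    try:
        parse_authen_start(pkt, b"wrong-key")
    except ValueError as err:
        print("server configured with a different key:", err)
```

The shared key only seeds an MD5 keystream (RFC 8907 calls this obfuscation, not encryption), so anyone who learns the key, or any packet sent with the unencrypted flag set, exposes the enable password on the 10.1.1.0/24 path. The length-consistency check in parse_authen_start is how a key mismatch between switch and server usually surfaces: the decoded lengths no longer add up to the header length.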

Verifying the configuration

  1. Telnet to the switch, and enter the username test@bbb and password aabbcc to access the switch. Verify that you have access to diagnostic commands.

    <Switch> telnet 192.168.1.70
    Trying 192.168.1.70 ...
    Press CTRL+K to abort
    Connected to 192.168.1.70 ...
    ******************************************************************************  
    * Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *  
    * Without the owner's prior written consent,                                 *  
    * no decompiling or reverse-engineering shall be allowed.                    *  
    ******************************************************************************
    
    login: test@bbb
    Password:
    <Switch>?
    User view commands:
      ping         Ping function
      quit         Exit from current command view
      ssh2         Establish a secure shell client connection
      super        Switch to a user role
      system-view  Enter the System View
      telnet       Establish a telnet connection
      tracert      Tracert function
    
    <Switch>
    
  2. Verify that you can obtain the level-3 user role:

    # Use the super command to request the level-3 user role. When the system prompts for a username and password, enter the username test@bbb and the password enabpass (the separate password set on the ACS server; the switch strips the domain name before sending the username to the server).

    <Switch> super level-3
    Username: test@bbb
    Password:
    

    The following output shows that you have obtained the level-3 user role.

    User privilege role is level-3, and only those commands that authorized to the role can be used.
    

    # If the ACS server does not respond, the switch reports the fallback and prompts for the local authentication password. Enter 654321, the super password configured for level-3.

    Invalid configuration or no response from the authentication server.
    Change authentication mode to local.
    Password: 
    User privilege role is level-3, and only those commands that authorized to the role can be used.
    

    The output shows that you have obtained the level-3 user role.

  3. Use the method in step 2 to verify that you can obtain the user roles level-0, level-1, level-2, and network-admin. (Details not shown.)
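A configuration review that answers, per target role, which of the two authentication paths is actually configured, as an added example rather than anything from the Comware manual: it parses the CLI script from the configuration procedure (reproduced inline as constructed input) together with the two ACS settings from step 2, supplied as a dict because the page gives them only as GUI choices, and also lists the lines that carry a secret in plaintext. Mapping level-n to privilege level n and using the ACS Max Privilege as the ceiling for level-n roles follow the example text.

```python
"""Per-role review of the temporary user role authorization paths.

Added example; not code from the Comware manual. Input is the CLI script
from the configuration procedure (constructed inline) and the two ACS
settings from step 2, passed as a dict (assumption: the page has no text
export of them). level-n is mapped to privilege level n and the ACS
"Max Privilege" is taken as the ceiling for level-n roles, as the text says.
"""
import re

# Constructed from the commands in "Configure the switch" above.
SWITCH_SCRIPT = """\
line vty 0 63
 authentication-mode scheme
super authentication-mode scheme local
hwtacacs scheme hwtac
 primary authentication 10.1.1.1 49
 key authentication simple expert
 user-name-format without-domain
domain bbb
 authentication login local
 authorization login local
 authentication super hwtacacs-scheme hwtac
local-user test class manage
 service-type telnet
 password simple aabbcc
 authorization-attribute user-role level-0
 undo authorization-attribute user-role network-operator
super password role level-3 simple 654321
super password role network-admin simple 654321
"""

# Step 2 on ACS: Max Privilege for any AAA Client = Level 3, allowed-roles="network-admin".
ACS_SETTINGS = {"max_privilege": 3, "allowed_roles": {"network-admin"}}

# Commands that take their secret with the simple keyword, i.e. typed in plaintext.
SECRET_CMD = re.compile(r"^\s*(?:key\s+\w+|password|super password role \S+)\s+simple\s+\S+")


def parse_switch(script: str) -> dict:
    """Extract the settings that decide how a super request is authenticated."""
    cfg = {"super_modes": [], "super_scheme": None, "local_super_roles": set(), "user_roles": {}}
    user = None
    for raw in script.splitlines():
        line = raw.strip()
        if m := re.match(r"super authentication-mode (.+)", line):
            cfg["super_modes"] = m.group(1).split()          # listed in the order they are tried
        elif m := re.match(r"super password role (\S+)", line):
            cfg["local_super_roles"].add(m.group(1))
        elif m := re.match(r"authentication super hwtacacs-scheme (\S+)", line):
            cfg["super_scheme"] = m.group(1)
        elif m := re.match(r"local-user (\S+) class manage", line):
            user = m.group(1)
            cfg["user_roles"][user] = set()   # the device's default role is not visible in a script
        elif (m := re.match(r"(undo )?authorization-attribute user-role (\S+)", line)) and user:
            if m.group(1):
                cfg["user_roles"][user].discard(m.group(2))
            else:
                cfg["user_roles"][user].add(m.group(2))
    return cfg


def remote_allows(role: str, acs: dict) -> bool:
    """ACS grants level-n up to Max Privilege, plus any role named in allowed-roles."""
    if m := re.fullmatch(r"level-(\d+)", role):
        return int(m.group(1)) <= acs["max_privilege"]
    return role in acs["allowed_roles"]


def role_matrix(cfg: dict, acs: dict, roles) -> dict:
    """Per target role: is the remote path configured, and is a local fallback password set?"""
    remote_on = "scheme" in cfg["super_modes"] and cfg["super_scheme"] is not None
    local_on = "local" in cfg["super_modes"]
    return {r: {"remote": remote_on and remote_allows(r, acs),
                "local_fallback": local_on and r in cfg["local_super_roles"]} for r in roles}


def plaintext_secrets(script: str) -> list:
    """Script lines that carry a secret in the clear (they end up in terminal logs and tickets)."""
    return [ln.strip() for ln in script.splitlines() if SECRET_CMD.match(ln)]


if __name__ == "__main__":
    cfg = parse_switch(SWITCH_SCRIPT)
    targets = ["level-0", "level-1", "level-2", "level-3", "network-admin"]
    for role, paths in role_matrix(cfg, ACS_SETTINGS, targets).items():
        print(f"{role:14} remote={paths['remote']!s:5} local_fallback={paths['local_fallback']}")
    print("plaintext secrets in script:", *plaintext_secrets(SWITCH_SCRIPT), sep="\n  ")
```

Because the switch falls back to local authentication on no response, the local super passwords are a second, equally valid credential for level-3 and network-admin, and the review shows that level-0 through level-2 have no local password configured at all. Keep the fallback passwords as strong as the ACS one and watch for the "Change authentication mode to local" message in the session output, since a server that cannot be reached is all it takes to route a super request to the local passwords.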