RBAC temporary user role authorization configuration example (HWTACACS authentication)
Network requirements
As shown in Figure 4, the switch uses local authentication for login users, including the Telnet user. The user account for the Telnet user is test@bbb and is assigned user role level-0.
Configure the remote-then-local authentication mode for temporary user role authorization. The switch uses the HWTACACS server to provide authentication for changing the user role among level-0 through level-3 or changing the user role to network-admin. If the AAA configuration is invalid or the HWTACACS server does not respond, the switch performs local authentication.
Figure 4: Network diagram
Configuration procedure
Configure the switch:
# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).
<Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 3 (the interface connected to the HWTACACS server).
[Switch] interface vlan-interface 3 [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 [Switch-Vlan-interface3] quit
# Enable Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user lines for Telnet users.
[Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit
# Enable remote-then-local authentication for temporary user role authorization.
[Switch] super authentication-mode scheme local
# Create HWTACACS scheme hwtac and enter HWTACACS scheme view.
[Switch] hwtacacs scheme hwtac
# Specify the primary authentication server address and the service port in the scheme.
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Set the shared key to expert in the scheme for the switch to authenticate to the server.
[Switch-hwtacacs-hwtac] key authentication simple expert
# Exclude ISP domain names from the usernames sent to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit
# Create ISP domain bbb and enter ISP domain view.
[Switch] domain bbb
# Configure ISP domain bbb to use local authentication for login users.
[Switch-isp-bbb] authentication login local
# Configure ISP domain bbb to use local authorization for login users.
[Switch-isp-bbb] authorization login local
# Apply HWTACACS scheme hwtac to the ISP domain for user role authentication.
[Switch-isp-bbb] authentication super hwtacacs-scheme hwtac [Switch-isp-bbb] quit
# Create a device management user named test and enter local user view.
[Switch] local-user test class manage
# Set the user service type to Telnet.
[Switch-luser-manage-test] service-type telnet
# Set the user password to aabbcc.
[Switch-luser-manage-test] password simple aabbcc
# Assign level-0 to the user.
[Switch-luser-manage-test] authorization-attribute user-role level-0
# Remove the default user role (network-operator).
[Switch-luser-manage-test] undo authorization-attribute user-role network-operator [Switch-luser-manage-test] quit
# Set the local authentication password to 654321 for user role level-3.
[Switch] super password role level-3 simple 654321 [Switch] quit
# Set the local authentication password to 654321 for user role network-admin.
[Switch] super password role network-admin simple 654321 [Switch] quit
Configure the HWTACACS server:
This example uses ACSv4.0.
Access the User Setup page.
Add a user account named test. (Details not shown.)
In the Advanced TACACS+ Settings area, configure the following parameters:
Select Level 3 for the Max Privilege for any AAA Client option.
If the target user role is only network-admin for temporary user role authorization, you can select any level for the option.
Select the Use separate password option, and specify enabpass as the password.
Figure 5: Configuring advanced TACACS+ settings
Select Shell (exec) and Custom attributes, and enter allowed-roles="network-admin" in the Custom attributes field.
Use a blank space to separate the allowed roles.
Figure 6: Configuring custom attributes for the Telnet user
Verifying the configuration
Telnet to the switch, and enter username test@bbb and password aabbcc to access the switch. Verify that you have access to diagnostic commands.
<Switch> telnet 192.168.1.70 Trying 192.168.1.70 ... Press CTRL+K to abort Connected to 192.168.1.59 ... ****************************************************************************** * Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP * * Without the owner's prior written consent, * * no decompiling or reverse-engineering shall be allowed. * ****************************************************************************** login: test@bbb Password: <Switch>? User view commands: ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super Switch to a user role system-view Enter the System View telnet Establish a telnet connection tracert Tracert function <Switch>
Verify that you can obtain the level-3 user role:
# Use the super password to obtain the level-3 user role. When the system prompts for a username and password, enter username test@bbb and password enabpass.
<Switch> super level-3 Username: test@bbb Password:
The following output shows that you have obtained the level-3 user role.
User privilege role is level-3, and only those commands that authorized to the role can be used.
# If the ACS server does not respond, enter local authentication password 654321 at the prompt.
Invalid configuration or no response from the authentication server. Change authentication mode to local. Password: User privilege role is level-3, and only those commands that authorized to the role can be used.
The output shows that you have obtained the level-3 user role.
Use the method in step 2 to verify that you can obtain the level 0, level 1, level 2, and network-admin user roles. (Details not shown.)