Interoperation Between Huawei Switches and Cisco ACS

Created Feb 28, 2019 14:43:23

Configuring Authentication for Common Access Users and Switch Administrators on Cisco ACS

Introduction to Network Admission Control

Network Admission Control (NAC) implements authentication, authorization, and accounting on device administrators and access users, ensuring the device and network security. Access authentication devices and AAA servers use RADIUS or HWTACACS to communicate. Both RADIUS and HWTACACS use the client/server model to implement communication between access authentication devices and AAA servers. Table 2-84 lists the differences between HWTACACS and RADIUS.

Table 2-84  Comparison between HWTACACS and RADIUS

| HWTACACS | RADIUS |
| --- | --- |
| Transmits data using TCP, which is more reliable. | Transmits data using UDP, which is more efficient. |
| Encrypts the entire packet except for the standard HWTACACS header. | Encrypts only the password field in the authentication packet. |
| Separates authentication from authorization so that authentication and authorization can be implemented on different security servers. For example, one HWTACACS server can perform authentication and another HWTACACS server can perform authorization. | Combines authentication and authorization. |
| Supports command line authorization. The commands that a user can use depend on the command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server. | Does not support command line authorization. The commands that a user can use depend on the user level. A user can only use the commands of the same level as or lower level than the user level. |
| Applies to security control. | Applies to accounting. |

Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control, so it is often used to perform AAA for device administrators.
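The two "encrypts" rows of the table are easier to judge with the actual packet arithmetic in hand. The following Python is an added example, not code from the Huawei or Cisco documentation: it builds the RADIUS Access-Request that SwitchA's RADIUS template later in this example would send for AP1 (hyphen-free User-Name, uppercase hyphenated Calling-Station-Id, Service-Type 10), hides only the User-Password as RFC 2865 prescribes, checks the Response Authenticator the switch relies on before trusting an Access-Accept, and applies the RFC 8907 body obfuscation that covers everything after the HWTACACS/TACACS+ header. The shared key and AP MAC address are taken from the data plan below; using the MAC address as the RADIUS password, the packet identifier, the Request Authenticator bytes and the TACACS+ body are assumptions constructed for this example.

```python
import hashlib
import hmac
import struct

# Shared key from Table 2-89 of this page; every packet below is constructed here.
SHARED_KEY = b"Huawei@2014"

# ---- RADIUS (RFC 2865): only the User-Password attribute is hidden ------------
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
SERVICE_TYPE_CALL_CHECK = 10  # value the switch sets for MAC address authentication


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        hidden += prev
    return hidden


def radius_unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length including header (1 byte), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_mac_auth_request(mac: str, secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Access-Request shaped like the switch's RADIUS template for AP1: User-Name
    without hyphens (ap_mac profile), Calling-Station-Id as XX-XX-XX-XX-XX-XX in
    uppercase (mode2 uppercase), Service-Type 10. Using the MAC address as the
    password is an assumption made for this example."""
    plain_mac = mac.replace("-", "").lower().encode()
    attrs = (avp(USER_NAME, plain_mac)
             + avp(USER_PASSWORD, radius_hide_password(plain_mac, secret, request_auth))
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + avp(CALLING_STATION_ID, mac.upper().encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Reply as the server signs it: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_authenticator_ok(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch checks before trusting an Access-Accept (and any VLAN it
    carries): a reply that fails this was not produced with the configured key."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# ---- TACACS+ (RFC 8907): everything after the 12-byte header is obfuscated -----
def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: pad_1 = MD5(session_id + key + version + seq_no),
    pad_n = MD5(session_id + key + version + seq_no + pad_n-1); body XOR pad.
    XOR is its own inverse, so the same call recovers the plaintext body."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    request = build_mac_auth_request("3c-97-0e-bd-6a-65", SHARED_KEY, 7, req_auth)
    attrs = parse_attributes(request)
    print("User-Name:", attrs[USER_NAME], "Calling-Station-Id:", attrs[CALLING_STATION_ID])
    accept = build_access_accept(7, req_auth, SHARED_KEY)
    print("accept valid with right key:", response_authenticator_ok(accept, req_auth, SHARED_KEY))
    print("accept valid with wrong key:", response_authenticator_ok(accept, req_auth, b"wrong"))
    body = b"\x01\x00\x02\x01\x00\x05\x00\x04admin"  # constructed authentication START fragment
    hidden = tacacs_obfuscate(body, SHARED_KEY, 0x1234ABCD, 0xC0, 1)
    print("tacacs round trip ok:", tacacs_obfuscate(hidden, SHARED_KEY, 0x1234ABCD, 0xC0, 1) == body)
```

Note that both schemes are MD5-keyed XOR pads, which is why the shared key must match on both ends exactly and why the page's advice to keep the servers on a dedicated network segment matters in practice.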

Networking Requirements

To meet service requirements, an enterprise needs to deploy an identity authentication system to implement access control on users who attempt to access the enterprise network. Only authorized users can access the enterprise network.

The enterprise has the following requirements:
  • For administrators:
    1. Administrators log in to switches using STelnet.
    2. Deploy the ACS as the HWTACACS server to perform AAA for administrators. Configure the user names and passwords of local users on the access switch so that the switch can authenticate the users when the ACS is abnormal.
    3. The ACS delivers TACACS attributes to assign different levels to administrators.
    4. The ACS authorizes commands that can be run by administrators at different levels to them.
    5. Commands executed on the switch by administrators must be recorded on the ACS, facilitating maintenance.
  • For common access users:
    1. Install the 802.1X client on wired PCs, perform 802.1X authentication and MAC address authentication for the PCs, and set the 802.1X authentication mode to password authentication.
    2. Perform 802.1X authentication for some IP phones and set the authentication mode to password authentication.
    3. Perform MAC address authentication for APs, IP phones that do not support 802.1X authentication, printers, and fax machines. The following only uses an AP as an example.
    4. Some users and IP phones move frequently. Configure the ACS to dynamically deliver data VLANs and voice VLANs to them respectively.
    5. Directly add fixed users and IP phones to VLANs configured on switch interfaces.
    6. If users fail to pass authentication because the ACS is abnormal, the access switch uses a configured service scheme to deliver data VLANs and voice VLANs to PCs and IP phones. When the ACS recovers, the access switch re-authenticates users.
    7. If users fail to pass authentication, the access switch uses a configured service scheme to add the users to a specified VLAN and restrict network resources they can access.

In this example, the aggregation switch is an S7712 and the access switch is an S5720EI.

Figure 2-52  Enterprise user access networking

Configuration Logic

Figure 2-53  Configuration logic of Huawei switch

Table 2-85  Configuration logic of Cisco ACS

| Item | Description |
| --- | --- |
| Adding groups and users | - |
| Adding a switch | Set parameters for the switch connected to the ACS. |
| Creating an authorization profile | Common access users: a data VLAN profile adds PCs to the data VLAN; a voice VLAN profile adds IP phones to the voice VLAN to increase the priority of voice packets and improve call quality. Administrators: a user level profile specifies the user level; a CLI profile specifies commands that can be executed. |
| Configuring authentication and authorization policies | Configure the conditions for users to pass the authentication and specify resources that users can access after authentication. |
Configuration Notes
  • This configuration example applies to all switches running V200R009C00 or a later version. Cisco ACS version 5.2.0.26 works as the RADIUS and HWTACACS server; the minimum ACS version required is 5.1.0.0. The NAC mode of the Huawei switches is unified mode.
  • This example provides only configurations on the wired network, and does not include configurations on the wireless network.
  • The RADIUS and HWTACACS shared keys configured on the switch must be the same as those configured on the servers.
  • By default, the switch allows the packets sent to RADIUS and HWTACACS servers to pass through. You do not need to configure an authentication-free rule for the packets on the switch.
Data Plan
Table 2-86  SwitchA data plan

| Interface | ID of the VLAN to Which the Interface Belongs | IP Address | Remarks |
| --- | --- | --- | --- |
| GE0/0/1 | 10 | 192.168.10.1/24 | The group pc_group2 belongs to this VLAN. |
| GE0/0/1 | 20 | 192.168.20.1/24 | The group IP_Phone1 belongs to this VLAN. |
| GE0/0/2 | 20 | 192.168.20.1/24 | The group IP_Phone2 belongs to this VLAN. |
| GE0/0/2 | 30 | 192.168.30.1/24 | The group pc_group1 belongs to this VLAN. |
| GE0/0/3 | 40 | 192.168.40.1/24 | The group ap_group belongs to this VLAN. |
| GE0/0/4 | 10, 20, 30, 40 | 192.168.10.1/24, 192.168.20.1/24, 192.168.30.1/24, 192.168.40.1/24 | GE0/0/4 is an uplink interface on SwitchA and allows packets from all user VLANs to pass through. |
| - | 50 | - | Users who fail to pass authentication are added to this VLAN. This VLAN restricts resources they can access. |
| LoopBack 0 | - | 192.168.50.1/32 | This IP address is the management IP address of SwitchA. SwitchA also uses this IP address to communicate with servers. |

Table 2-87  Common access user information

| User | Password | Group | ID of the VLAN to Which the User Belongs | Remarks |
| --- | --- | --- | --- | --- |
| pc1 | huawei@123 | pc_group1 | 30 | The user belongs to a group containing moving users. The ISE dynamically delivers a data VLAN to the user. |
| pc2 | huawei@234 | pc_group2 | 10 | The user belongs to a group containing relatively fixed users, and is directly added to a VLAN configured on the connected interface. |
| phone1 | huawei@345 | IP_Phone1 | 20 | The user belongs to a group containing relatively fixed IP phones, and is directly added to a VLAN configured on the connected interface. |
| phone2 | huawei@456 | IP_Phone2 | 20 | The user belongs to a group containing moving IP phones. The ISE dynamically delivers a voice VLAN to the user. |
| 3c-97-0e-bd-6a-65 (MAC address of AP1) | - | ap_group | 40 | The user belongs to a group containing APs, and is directly added to a VLAN configured on the connected interface. |

Table 2-88  Administrator information

| User | Password | User Level |
| --- | --- | --- |
| admin | huawei@567 | 0 |
| switch | huawei@789 | 1 |
| configure | huawei@890 | 2 |
| diagnose | huawei@901 | 15 |

Table 2-89  Authentication data plan

| Item | Data |
| --- | --- |
| ACS | 192.168.100.1/24 |
| RADIUS and HWTACACS shared keys | Huawei@2014 |
| Access authentication device SwitchA | 192.168.50.1/32 |

Procedure

  1. Configure SwitchA.

    NOTE:

    The aggregation switch configuration is not provided here. Configure the switches based on actual network planning.

    1. Configure the management IP address of SwitchA. SwitchA also uses this IP address to communicate with the ACS.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] interface LoopBack 0
      [SwitchA-LoopBack0] ip address 192.168.50.1 32
      [SwitchA-LoopBack0] quit

    2. Configure SwitchA as the DHCP server to assign IP addresses to common access users.

      [SwitchA] vlan batch 10 20 30 40 50
      [SwitchA] lldp enable   //Enable LLDP globally.
      [SwitchA] dhcp enable   //Enable DHCP globally.
      [SwitchA] dhcp snooping enable   //Enable DHCP snooping globally.
      [SwitchA] interface Vlanif10
      [SwitchA-Vlanif10] ip address 192.168.10.1 24   //Configure an IP address for VLANIF 10.
      [SwitchA-Vlanif10] dhcp select interface   //Enable the DHCP server function on VLANIF 10.
      [SwitchA-Vlanif10] quit
      [SwitchA] interface Vlanif20
      [SwitchA-Vlanif20] ip address 192.168.20.1 24
      [SwitchA-Vlanif20] dhcp select interface
      [SwitchA-Vlanif20] quit
      [SwitchA] interface Vlanif30
      [SwitchA-Vlanif30] ip address 192.168.30.1 24
      [SwitchA-Vlanif30] dhcp select interface
      [SwitchA-Vlanif30] quit
      [SwitchA] interface Vlanif40
      [SwitchA-Vlanif40] ip address 192.168.40.1 24
      [SwitchA-Vlanif40] dhcp select interface
      [SwitchA-Vlanif40] quit

    3. Assign VLANs to interfaces and configure network connectivity.

      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] port link-type hybrid
      [SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
      [SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
      [SwitchA-GigabitEthernet0/0/1] undo port hybrid vlan 1
      [SwitchA-GigabitEthernet0/0/1] voice-vlan 20 enable   //Configure VLAN 20 as a voice VLAN.
      [SwitchA-GigabitEthernet0/0/1] port hybrid tagged vlan 20
      [SwitchA-GigabitEthernet0/0/1] stp edged-port enable   //Configure the interface as an edge interface.
      [SwitchA-GigabitEthernet0/0/1] dhcp snooping enable   //Enable DHCP snooping on the interface.
      [SwitchA-GigabitEthernet0/0/1] poe legacy enable   //Enable the PD compatibility check function on PoE-capable SwitchA so that SwitchA can provide power for non-standard PDs.
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] port link-type hybrid
      [SwitchA-GigabitEthernet0/0/2] undo port hybrid vlan 1
      [SwitchA-GigabitEthernet0/0/2] voice-vlan 20 enable
      [SwitchA-GigabitEthernet0/0/2] stp edged-port enable
      [SwitchA-GigabitEthernet0/0/2] dhcp snooping enable
      [SwitchA-GigabitEthernet0/0/2] poe legacy enable
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface gigabitethernet 0/0/3
      [SwitchA-GigabitEthernet0/0/3] port link-type hybrid
      [SwitchA-GigabitEthernet0/0/3] port hybrid pvid vlan 40
      [SwitchA-GigabitEthernet0/0/3] port hybrid untagged vlan 40
      [SwitchA-GigabitEthernet0/0/3] stp edged-port enable
      [SwitchA-GigabitEthernet0/0/3] dhcp snooping enable
      [SwitchA-GigabitEthernet0/0/3] poe legacy enable
      [SwitchA-GigabitEthernet0/0/3] quit
      [SwitchA] interface gigabitethernet 0/0/4
      [SwitchA-GigabitEthernet0/0/4] port link-type trunk
      [SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 10 20 30 40
      [SwitchA-GigabitEthernet0/0/4] quit
      [SwitchA] ip route-static 192.168.100.0 24 192.168.60.1   //Configure a static route from SwitchA to the server area. Assume that the next-hop address is 192.168.60.1.

    4. Configure local administrators.

      # Configure the login mode and authentication mode of administrators.
      [SwitchA] user-interface maximum-vty 3   //Set the maximum number of administrators who can remotely log in to the switch to 3.
      [SwitchA] user-interface vty 0 2   //Enter the three administrator interface views.
      [SwitchA-ui-vty0-2] authentication-mode aaa   //Set the authentication mode of administrators to AAA.
      [SwitchA-ui-vty0-2] protocol inbound ssh   //Set the remote login protocol of administrators to SSH, that is, administrators must log in to the switch using STelnet.
      [SwitchA-ui-vty0-2] quit
      # Configure local SSH users. The user admin is used as an example. The configurations of other users are similar and are not provided here.
      [SwitchA] stelnet server enable   //Enable the STelnet service on the switch.
      [SwitchA] ssh authentication-type default password   //Set the default authentication mode of SSH users to password authentication.
      [SwitchA] ssh user admin   //Create a local SSH user admin.
      [SwitchA] ssh user admin authentication-type password   //Set the authentication mode of the user admin to password authentication.
      [SwitchA] ssh user admin service-type stelnet   //Set the login mode of the user admin to STelnet.
      [SwitchA] aaa
      [SwitchA-aaa] local-user admin password irreversible-cipher huawei@567   //Set the password of the local administrator admin to huawei@567. The switch can authenticate the local administrator admin when the ACS is abnormal.
      [SwitchA-aaa] local-user admin privilege level 0   //Set the user level of the user admin to 0.
      [SwitchA-aaa] local-user admin service-type ssh   //Set the login protocol of the user admin to SSH.
      [SwitchA-aaa] quit

    5. Configure parameters for communication between SwitchA and the ACS during authentication of administrators.

      # Create the HWTACACS server template hw used in administrator authentication.
      [SwitchA] hwtacacs-server template hw
      [SwitchA-hwtacacs-hw] hwtacacs-server authentication 192.168.100.2   //Configure the ACS as the HWTACACS authentication server.
      [SwitchA-hwtacacs-hw] hwtacacs-server authorization 192.168.100.2   //Configure the ACS as the HWTACACS authorization server.
      [SwitchA-hwtacacs-hw] hwtacacs-server accounting 192.168.100.2   //Configure the ACS as the HWTACACS accounting server.
      [SwitchA-hwtacacs-hw] hwtacacs-server shared-key cipher Huawei@2014   //Set the HWTACACS shared key for SwitchA to communicate with the ACS to Huawei@2014.
      [SwitchA-hwtacacs-hw] undo hwtacacs-server user-name domain-included   //Configure SwitchA to send packets in which the administrator user name does not contain the domain name to the ACS.
      [SwitchA-hwtacacs-hw] quit
      # Create the authentication scheme hw.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme hw
      [SwitchA-aaa-authen-hw] authentication-mode hwtacacs local   //Set the authentication mode to HWTACACS and configure local authentication as the backup authentication mode.
      [SwitchA-aaa-authen-hw] quit
      # Create the authorization scheme hw.
      [SwitchA-aaa] authorization-scheme hw
      [SwitchA-aaa-author-hw] authorization-mode hwtacacs local   //Set the authorization mode to HWTACACS and configure local authorization as the backup authorization mode.
      [SwitchA-aaa-author-hw] authorization-cmd 0 hwtacacs   //Configure command line authorization for users whose level is 0 and set the authorization mode to HWTACACS. Perform this configuration for users at a specified level based on actual requirements.
      [SwitchA-aaa-author-hw] quit
      # Create the accounting scheme hw.
      [SwitchA-aaa] accounting-scheme hw
      [SwitchA-aaa-accounting-hw] accounting-mode hwtacacs   //Set the accounting mode to HWTACACS.
      [SwitchA-aaa-accounting-hw] accounting start-fail online   //Allow users to log in even if accounting-start fails.
      [SwitchA-aaa-accounting-hw] quit
      # Create the recording scheme hw.
      [SwitchA-aaa] recording-scheme hw
      [SwitchA-aaa-recording-hw] recording-mode hwtacacs hw   //Associate the HWTACACS server template hw with the recording scheme so that the switch can send recorded information to the ACS.
      [SwitchA-aaa-recording-hw] quit
      [SwitchA-aaa] cmd recording-scheme hw   //Configure the switch to record commands executed by administrators.
      # Create the administrator authentication domain hw.
      [SwitchA-aaa] domain hw
      [SwitchA-aaa-domain-hw] authentication-scheme hw   //Specify the authentication scheme hw.
      [SwitchA-aaa-domain-hw] accounting-scheme hw   //Specify the accounting scheme hw.
      [SwitchA-aaa-domain-hw] authorization-scheme hw   //Specify the authorization scheme hw.
      [SwitchA-aaa-domain-hw] hwtacacs-server hw   //Specify the HWTACACS server template hw.
      [SwitchA-aaa-domain-hw] quit
      [SwitchA-aaa] quit

    6. Configure authentication for administrators.

      [SwitchA] domain hw admin   //Configure the domain hw as the default administrative authentication domain on the switch. All administrators are automatically authenticated in this domain after logging in to the switch.

    7. Configure parameters for communication between SwitchA and the ACS during authentication of common access users.

      # Set the NAC mode to unified.

      NOTE:

      By default, the unified mode is enabled. After changing the NAC mode, you must save the configuration and restart the switch to make the configuration take effect.

      [SwitchA] authentication unified-mode
      # Create the RADIUS server template authentication.
      [SwitchA] radius-server template authentication
      [SwitchA-radius-authentication] radius-server authentication 192.168.100.1 1812 source ip-address 192.168.50.1   //Configure the ISE as the authentication server.
      [SwitchA-radius-authentication] radius-server accounting 192.168.100.1 1813 source ip-address 192.168.50.1   //Configure the ISE as the accounting server.
      [SwitchA-radius-authentication] radius-server shared-key cipher Huawei@2014   //Set the RADIUS shared key to Huawei@2014.
      [SwitchA-radius-authentication] undo radius-server user-name domain-included   //Configure the switch not to modify the original user name in the packets sent to the ISE.
      [SwitchA-radius-authentication] calling-station-id mac-format hyphen-split mode2 uppercase   //Set the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets to xx-xx-xx-xx-xx-xx, in uppercase.
      [SwitchA-radius-authentication] radius-attribute set Service-Type 10 auth-type mac   //Set the value of the RADIUS attribute Service-Type for MAC address authentication to 10.
      [SwitchA-radius-authentication] quit
      # Configure a RADIUS authorization server.
      [SwitchA] radius-server authorization 192.168.100.1 shared-key cipher Huawei@2014
      # Create the authentication scheme auth.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme auth
      [SwitchA-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
      [SwitchA-aaa-authen-auth] quit
      # Create the accounting scheme acco. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.
      [SwitchA-aaa] accounting-scheme acco
      [SwitchA-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
      [SwitchA-aaa-accounting-acco] accounting realtime 3   //Set the real-time accounting interval to 3 minutes.
      [SwitchA-aaa-accounting-acco] quit
      # Create the authentication domain domain.
      [SwitchA-aaa] domain domain
      [SwitchA-aaa-domain-domain] authentication-scheme auth   //Specify the authentication scheme auth.
      [SwitchA-aaa-domain-domain] accounting-scheme acco   //Specify the accounting scheme acco.
      [SwitchA-aaa-domain-domain] radius-server authentication   //Specify the RADIUS server template authentication.
      [SwitchA-aaa-domain-domain] quit
      # Create a service scheme for user authorization when the server is abnormal.
      [SwitchA-aaa] service-scheme down01   //Create the service scheme down01 for authorization of PCs and IP phones.
      [SwitchA-aaa-service-down01] user-vlan 30   //Configure the switch to authorize VLAN 30 to PCs.
      [SwitchA-aaa-service-down01] voice-vlan   //Configure the switch to authorize voice VLANs to IP phones.
      [SwitchA-aaa-service-down01] quit
      [SwitchA-aaa] service-scheme down02   //Create the service scheme down02 for authorization of APs.
      [SwitchA-aaa-service-down02] user-vlan 40   //Configure the switch to authorize VLAN 40 to APs.
      [SwitchA-aaa-service-down02] quit
      # Create the service scheme fail for authorization of users who fail to pass authentication.
      [SwitchA-aaa] service-scheme fail
      [SwitchA-aaa-service-fail] user-vlan 50   //Configure the switch to deliver VLAN 50 to users who fail to pass authentication, to restrict resources they can access.
      [SwitchA-aaa-service-fail] quit
      [SwitchA-aaa] quit

    8. Configure authentication for common access users.

      # Create the 802.1X access profile dot1x.

      NOTE:

      By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

      [SwitchA] dot1x-access-profile name dot1x
      [SwitchA-dot1x-access-profile-dot1x] dot1x reauthenticate   //Configure periodic re-authentication for online 802.1X authentication users.
      [SwitchA-dot1x-access-profile-dot1x] dot1x timer reauthenticate-period 120   //Set the re-authentication interval for online 802.1X authentication users to 120 seconds.
      [SwitchA-dot1x-access-profile-dot1x] authentication event client-no-response action authorize vlan 50   //Configure the switch to add users to VLAN 50 when the 802.1X client does not respond.
      [SwitchA-dot1x-access-profile-dot1x] quit
      # Create the MAC access profile mac for dumb terminals such as IP phones and printers.
      [SwitchA] mac-access-profile name mac
      [SwitchA-mac-access-profile-mac] mac-authen reauthenticate   //Configure periodic re-authentication for online MAC address authentication users.
      [SwitchA-mac-access-profile-mac] mac-authen timer reauthenticate-period 120   //Set the re-authentication interval for online MAC address authentication users to 120 seconds.
      [SwitchA-mac-access-profile-mac] quit
      # Create the MAC access profile ap_mac for APs.
      [SwitchA] mac-access-profile name ap_mac
      [SwitchA-mac-access-profile-ap_mac] mac-authen username macaddress format without-hyphen   //Set user names of APs to MAC addresses without hyphens for MAC address authentication.
      [SwitchA-mac-access-profile-ap_mac] quit
      # Configure the authentication profile dot1x&mac for PCs and IP phones.
      [SwitchA] authentication-profile name dot1x&mac
      [SwitchA-authen-profile-dot1x&mac] dot1x-access-profile dot1x   //Specify the 802.1X access profile dot1x.
      [SwitchA-authen-profile-dot1x&mac] mac-access-profile mac   //Specify the MAC access profile mac.
      [SwitchA-authen-profile-dot1x&mac] access-domain domain force   //Configure the forcible authentication domain domain.
      [SwitchA-authen-profile-dot1x&mac] authentication event authen-fail action authorize service-scheme fail   //Configure the switch to add users who fail to pass authentication to VLAN 50.
      [SwitchA-authen-profile-dot1x&mac] authentication event authen-server-down action authorize service-scheme down01   //Configure the switch to use the service scheme down01 to perform authorization for PCs and IP phones when the ISE is Down.
      [SwitchA-authen-profile-dot1x&mac] authentication event authen-server-up action re-authen   //Configure ISE to re-authenticate users when the ISE recovers.
      [SwitchA-authen-profile-dot1x&mac] authentication dot1x-mac-bypass   //Configure MAC address bypass authentication.
      [SwitchA-authen-profile-dot1x&mac] quit
      # Configure the authentication profile ap_auth for APs.
      [SwitchA] authentication-profile name ap_auth
      [SwitchA-authen-profile-ap_auth] mac-access-profile ap_mac   //Specify the MAC access profile ap_mac.
      [SwitchA-authen-profile-ap_auth] access-domain domain force   //Configure the forcible authentication domain domain.
      [SwitchA-authen-profile-ap_auth] authentication event authen-fail action authorize service-scheme fail   //Configure the switch to add users who fail to pass authentication to VLAN 50.
      [SwitchA-authen-profile-ap_auth] authentication event authen-server-down action authorize service-scheme down02   //Configure the switch to use the service scheme down02 to perform authorization for APs when the ISE is Down.
      [SwitchA-authen-profile-ap_auth] authentication event authen-server-up action re-authen   //Configure ISE to re-authenticate users when the ISE recovers.
      [SwitchA-authen-profile-ap_auth] undo authentication handshake   //Disable the handshake with pre-connection users and authorized users.
      [SwitchA-authen-profile-ap_auth] authentication mode multi-share   //Set the user access mode to multi-share on the switch interface connecting to APs.
      [SwitchA-authen-profile-ap_auth] quit

      NOTE:

      If the AP packet forwarding mode is direct forwarding, you must set the user access authentication mode to multi-share on the switch interface connecting to APs.

      # Bind the authentication profile dot1x&mac to GE0/0/1 and GE0/0/2, and enable MAC address bypass authentication. Bind the authentication profile ap_mac to GE0/0/3 and enable MAC address authentication.
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] authentication-profile dot1x&mac
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] authentication-profile dot1x&mac
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface gigabitethernet 0/0/3
      [SwitchA-GigabitEthernet0/0/3] authentication-profile ap_auth
      [SwitchA-GigabitEthernet0/0/3] quit

  2. Configure the ACS.
    1. Log in to the ACS.

      1. Open Internet Explorer, enter the ACS access address in the address bar, and press Enter.

      2. Enter the ACS administrator user name and password to log in to the ACS.

    2. Configure common access users. In this example, AP1, the group ap_group to which AP1 belongs, PC1, and the group pc_group1 to which PC1 belongs are configured. The configurations of other users and groups are similar, and are not provided here.

      1. In the navigation area on the left, choose Users and Identity Stores > Identity Groups. Click Create in the operation area on the right and create the group ap_group to which AP1 belongs and the group pc_group1 to which PC1 belongs respectively. After completing the configuration, click Submit.


      2. In the navigation area on the left, choose Users and Identity Stores > Internal Identity Stores > Users. Click Create in the operation area on the right, create the user pc1, add the user to the group pc_group1, and click Submit.


      3. In the navigation area on the left, choose Users and Identity Stores > Internal Identity Stores > Hosts. Click Create in the operation area on the right, create the terminal AP1, add the terminal to the group ap_group, and click Submit.


    3. Configure switch administrators.

      1. In the navigation area on the left, choose Users and Identity Stores > Identity Groups. Click Create in the operation area on the right and create the administrator group admin. After completing the configuration, click Submit.


      2. In the navigation area on the left, choose Users and Identity Stores > Internal Identity Stores > Users. Click Create in the operation area on the right, create the administrator admin, and bind the administrator to the group admin. After completing the configuration, click Submit.


    4. Add the access authentication device.

      1. In the navigation area on the left, choose Network Resources > Network Devices and AAA Clients. Click Create in the operation area on the right, add the access authentication device SwitchA, set the protocol for communication between the ACS and SwitchA to RADIUS and TACACS, and configure parameters of SwitchA according to the following table. After completing the configuration, click Submit.

        | Parameter | Value | Description |
        | --- | --- | --- |
        | Access authentication device | SwitchA | - |
        | IP address | 192.168.50.1 | - |
        | RADIUS and HWTACACS shared keys | Huawei@2014 | The RADIUS and HWTACACS shared keys must be the same as those configured on SwitchA. |

    5. Configure an authorization profile for common access users.

      # In the navigation area on the left, choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles. Click Create in the operation area on the right, create the authorization results data_vlan and voice_vlan for the groups pc_group1 and IP_Phone2 respectively, set the VLANs to data VLAN 30 and voice VLAN 20 respectively, and click Submit.


    6. Configure an authorization profile for switch administrators.

      1. In the navigation area on the left, choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. Click Create in the operation area on the right, create Shell Profiles PRIVILEGE_LEVEL_0 and PRIVILEGE_LEVEL_15, and set the user level to 0 and 15 respectively. After completing the configuration, click Submit.

        NOTE:

        If the level specified in a Shell Profile is x and the Shell Profile is assigned to an administrator, the administrator can only run commands at level x and lower levels. Set a proper level for device administrators based on actual requirements.


      2. In the navigation area on the left, choose Policy Elements > Authorization and Permissions > Device Administration > Command Sets. Click Create in the operation area on the right, create Command Set PRIVILEGE_LEVEL_0, and add commands that can be run by the administrator admin. After completing the configuration, click Submit.

        NOTE:

        In the Command Set PRIVILEGE_LEVEL_0, users can run the display version, display device, display cpu-usage, and display memory-usage commands.


      3. Similarly, create Command Set All and select Permit any command that is not in the table below to allow the administrator diagnose to run all commands on the switch.


    7. Configure authentication and authorization policies for common access users.

      1. In the navigation area on the left, choose Access Policies > Access Services. Click Create in the operation area on the right, and create the access service profile ACS. After performing step 1, click Next to go to step 2, and configure authentication protocols for users. After completing the configuration, click Finish.

        NOTE:

        Select proper authentication protocols based on actual requirements.


      2. In the displayed dialog box, click Yes to access the Access Policies > Access Services > Service Selection Rules page. Choose Rule based result selection and click Create. In the displayed dialog box, create the access service rule RADIUS, set Conditions to Protocol match Radius, and set Results to Services: ACS. After completing the configuration, click OK. Click ^ to adjust this access service rule as the first rule so that this rule is matched preferentially during authentication. Click Save Changes.


      3. In the navigation area on the left, choose Access Policies > Access Services > ACS > Identity. Choose Rule based result selection in the operation area on the right and click Customize. Configure the filtering condition for user authentication. In this example, choose Device IP Address. After completing the configuration, click OK.


      4. Click Create and configure the authentication rules 802.1x and MAC for 802.1X authentication users and MAC address authentication users respectively. Under Conditions, set Device IP Address to 192.168.50.1. Under Results, set Identity Source to Users. After completing the configuration, click OK, and click Save Changes.


      5. In the navigation area on the left, choose Access Policies > Access Services > ACS > Authorization. Similar to configuring authentication conditions, click Customize to configure authorization conditions. In this example, choose Identity Group. After completing the configuration, click OK, and click Save Changes.


      6. Click Create and create the authorization policy pc_group1_result for the group pc_group1. Under Conditions, set Identity Group to pc_group1. Under Results, set Authorization Profiles to data_vlan. Click OK and then click Save Changes.


      7. Similarly, create the authorization policy IP_Phone2_result for the group IP_Phone2. Under Conditions, set Identity Group to IP_Phone2. Under Results, set Authorization Profiles to voice_vlan. Click OK and then click Save Changes.


    8. Configure authentication and authorization policies for switch administrators.

      1. In the navigation area on the left, choose Access Policies > Access Services. Click Create in the operation area on the right, and create access service HWTACACS. After performing step 1, click Next to go to step 2, and configure authentication protocols for users. After completing the configuration, click Finish.


      2. In the displayed dialog box, click Yes to access the Access Policies > Access Services > Service Selection Rules page. Choose Rule based result selection and click Create. In the displayed dialog box, create the access service rule HWTACACS, set Conditions to Protocol match Tacacs, and set Results to Service: HWTACACS. After completing the configuration, click OK. Click ^ to adjust this access service rule as the first rule so that this rule is matched preferentially during authentication. Click Save Changes.


      3. In the navigation area on the left, choose Access Policies > Access Services > HWTACACS > Identity. Choose Rule based result selection in the operation area on the right and click Customize. Configure the filtering condition for user authentication. In this example, choose Device IP Address. After completing the configuration, click OK.


      4. Click Create, create the administrator authentication rule admin, set Conditions to Device IP Address = 192.168.50.1, and set Results to Identity Source: Users. After completing the configuration, click OK, and click Save Changes.


      5. In the navigation area on the left, choose Access Policies > Access Services > HWTACACS > Authorization. Click Customize and configure filtering conditions for user authorization. Under Customize Conditions, select Identity Group and System:UserName. Under Customize Results, select Shell Profiles and Command Sets. After completing the configuration, click OK, and click Save Changes.


      6. Click Create and create the authorization policy admin_policy for the administrator admin. Under Conditions, set Identity Group in All Groups:admin and System:UserName equals admin. Under Results, set Shell Profile: PRIVILEGE_LEVEL_0 and Command Sets: PRIVILEGE_LEVEL_0. Click OK and click Save Changes.


      7. Click Create and create the authorization policy diagnose_policy for the administrator diagnose. Under Conditions, set Identity Group in All Groups:admin and System:UserName equals diagnose. Under Results, set Shell Profile: PRIVILEGE_LEVEL_15 and Command Sets: All. Click OK and click Save Changes.

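The authorization policy built in step 8 can be read as a small decision procedure: match the administrator's identity group and user name against the rules in order, take the shell profile and command set of the first matching rule, and then decide each command the administrator types against that command set. The Python below is an added example that models that procedure; it is not Cisco's ACS engine and not code from the page. It assumes first-match rule evaluation with a deny result when no rule matches, that the shell profiles PRIVILEGE_LEVEL_0 and PRIVILEGE_LEVEL_15 map to privilege levels 0 and 15, and that each command-set row carries an argument regex (the regexes shown are assumptions for illustration). The command set All models the "Permit any command that is not in the table below" option from step 6.3.

```python
"""Added example: model of the ACS device-administration authorization policy
(not Cisco's ACS engine). Assumptions: first-match rule evaluation, deny when
no rule matches, PRIVILEGE_LEVEL_n shell profiles map to privilege level n,
and command-set rows carry an argument regex (illustrative values)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CommandSet:
    name: str
    # Rows with Grant = Permit: (command keywords, regex the arguments must match)
    rows: Tuple[Tuple[str, str], ...] = ()
    # The "Permit any command that is not in the table below" option
    permit_unlisted: bool = False

    def permits(self, command_line: str) -> bool:
        line = " ".join(command_line.split())  # normalise whitespace
        for keywords, arg_regex in self.rows:
            if line == keywords:
                rest = ""
            elif line.startswith(keywords + " "):
                rest = line[len(keywords) + 1:]
            else:
                continue  # row does not apply to this command
            if re.fullmatch(arg_regex, rest):
                return True
        # No row matched: the default depends on the permit-unlisted option
        return self.permit_unlisted


@dataclass(frozen=True)
class AuthzResult:
    shell_privilege: int
    command_set: CommandSet


@dataclass(frozen=True)
class AuthzRule:
    identity_group: str  # "Identity Group in All Groups:<group>"
    username: str        # "System:UserName equals <name>"
    result: AuthzResult


# Command set PRIVILEGE_LEVEL_0 from step 6.2 (argument regexes are assumptions)
PRIVILEGE_LEVEL_0 = CommandSet("PRIVILEGE_LEVEL_0", rows=(
    ("display version", ""),
    ("display device", ".*"),
    ("display cpu-usage", ".*"),
    ("display memory-usage", ".*"),
))
# Command set All from step 6.3: any command not listed is permitted
ALL = CommandSet("All", permit_unlisted=True)

# admin_policy and diagnose_policy from steps 8.6 and 8.7
POLICY = (
    AuthzRule("admin", "admin", AuthzResult(0, PRIVILEGE_LEVEL_0)),
    AuthzRule("admin", "diagnose", AuthzResult(15, ALL)),
)


def authorize(identity_group: str, username: str,
              policy=POLICY) -> Optional[AuthzResult]:
    """First matching rule wins; None means no rule matched (deny)."""
    for rule in policy:
        if rule.identity_group == identity_group and rule.username == username:
            return rule.result
    return None


def may_run(identity_group: str, username: str, command_line: str,
            policy=POLICY) -> bool:
    """Command authorization as the switch would ask the server for it."""
    result = authorize(identity_group, username, policy)
    return result is not None and result.command_set.permits(command_line)
```

The point the model makes visible is that the two administrators sit in the same identity group, so only the user-name condition separates the restricted admin account from the unrestricted diagnose account; a third account in group admin that matches no rule gets no shell profile at all.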

  3. Verify the configuration.

    Run the display access-user command on SwitchA. The command output displays detailed information about online users, including common access users and switch administrators.

Configuration File
#
sysname SwitchA
#
vlan batch 10 20 30 40 50
#
authentication-profile name dot1x&mac
 dot1x-access-profile dot1x
 mac-access-profile mac
 access-domain domain force
 authentication event authen-fail action authorize service-scheme fail
 authentication event authen-server-down action authorize service-scheme down01
 authentication event authen-server-up action re-authen
 authentication dot1x-mac-bypass
authentication-profile name ap_auth
 mac-access-profile ap_mac
 undo authentication handshake
 authentication mode multi-share
 access-domain domain force
 authentication event authen-fail action authorize service-scheme fail
 authentication event authen-server-down action authorize service-scheme down02
 authentication event authen-server-up action re-authen
#
domain hw admin
#
lldp enable
#
dhcp enable
#
dhcp snooping enable
#
radius-server template authentication
 radius-server shared-key cipher %^%#X:4qI:ZF^/hFx{B&3t+'nT;m@o.XZ<7m}BJW<Bj$%^%#
 radius-server authentication 192.168.100.1 1812 source ip-address 192.168.50.1 weight 80
 radius-server accounting 192.168.100.1 1813 source ip-address 192.168.50.1 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2 uppercase
 radius-attribute set Service-Type 10 auth-type mac
radius-server authorization 192.168.100.1 shared-key cipher %^%#pzdO:3q'(HSX}o2.=%J3`)6;-.BI2Y}/OYFD{iu-%^%#
#
hwtacacs-server template hw
 hwtacacs-server authentication 192.168.100.2
 hwtacacs-server authorization 192.168.100.2
 hwtacacs-server accounting 192.168.100.2
 hwtacacs-server shared-key cipher %^%#xT<M7&Xr'VWRJJ%.-f_*zf1}FU|LmHCcbAXXf6}P%^%#
 undo hwtacacs-server user-name domain-included
#
aaa
 authentication-scheme hw
  authentication-mode hwtacacs local
 authentication-scheme auth
  authentication-mode radius
 authorization-scheme hw
  authorization-mode hwtacacs local
  authorization-cmd 0 hwtacacs
 accounting-scheme hw
  accounting-mode hwtacacs
  accounting start-fail online
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 3
 recording-scheme hw
  recording-mode hwtacacs hw
 cmd recording-scheme hw
 service-scheme down01
  user-vlan 30
  voice-vlan
 service-scheme down02
  user-vlan 40
 service-scheme fail
  user-vlan 50
 domain hw
  authentication-scheme hw
  accounting-scheme hw
  authorization-scheme hw
  radius-server default
  hwtacacs-server hw
 domain domain
  authentication-scheme auth
  accounting-scheme acco
  radius-server authentication
 local-user admin password irreversible-cipher %^%#-T4MG_wij3r]t(VVrv%:2<X7S\AsmIG:R}8#)eY&aS@A'}%9)gR!k1_Z,5:%^%#
 local-user admin privilege level 0
 local-user admin service-type ssh
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 192.168.40.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 voice-vlan 20 enable
 port hybrid pvid vlan 10
 undo port hybrid vlan 1
 port hybrid tagged vlan 20
 port hybrid untagged vlan 10
 stp edged-port enable
 authentication-profile dot1x&mac
 poe legacy enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 voice-vlan 20 enable
 undo port hybrid vlan 1
 stp edged-port enable
 authentication-profile dot1x&mac
 poe legacy enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/3
 port link-type hybrid
 port hybrid pvid vlan 40
 port hybrid untagged vlan 40
 stp edged-port enable
 authentication-profile ap_auth
 poe legacy enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
#
interface LoopBack0
 ip address 192.168.50.1 255.255.255.255
#
ip route-static 192.168.100.0 255.255.255.0 192.168.60.1
#
stelnet server enable
ssh authentication-type default password
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
#
user-interface maximum-vty 3
user-interface vty 0 2
 authentication-mode aaa
#
dot1x-access-profile name dot1x
 authentication event client-no-response action authorize vlan 50
 dot1x timer reauthenticate-period 120
 dot1x reauthenticate
#
mac-access-profile name mac
 mac-authen reauthenticate
 mac-authen timer reauthenticate-period 120
mac-access-profile name ap_mac
#
return
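The configuration file above carries the settings that decide whether an administrator session is actually controlled by ACS: the VTY lines must hand authentication to AAA, the HWTACACS template must name servers for authentication, authorization and accounting, shared keys should be stored in cipher form, and the local fallback account used when the server is unreachable should keep the lowest privilege it needs. The Python below is an added example, not Huawei's tooling and not code from the page, that parses a VRP-style configuration and reports those points. It assumes the VRP layout (a line consisting of "#" separates blocks, one space of indentation per nesting level); SAMPLE_CONFIG is a constructed excerpt of the SwitchA file with the cipher values replaced by a placeholder, and WEAK_CONFIG is a constructed variant that the checks should flag.

```python
"""Added example (not Huawei's tooling): audit of the AAA-related settings in a
Huawei VRP configuration. Assumes VRP layout: '#' separates blocks, one space
of indentation per nesting level. Both configs below are constructed samples;
cipher values are replaced by the placeholder %^%#PLACEHOLDER%^%#."""
import re

SAMPLE_CONFIG = """\
#
radius-server template authentication
 radius-server shared-key cipher %^%#PLACEHOLDER%^%#
 radius-server authentication 192.168.100.1 1812 source ip-address 192.168.50.1 weight 80
#
hwtacacs-server template hw
 hwtacacs-server authentication 192.168.100.2
 hwtacacs-server authorization 192.168.100.2
 hwtacacs-server accounting 192.168.100.2
 hwtacacs-server shared-key cipher %^%#PLACEHOLDER%^%#
#
aaa
 authentication-scheme hw
  authentication-mode hwtacacs local
 authorization-scheme hw
  authorization-mode hwtacacs local
  authorization-cmd 0 hwtacacs
 local-user admin password irreversible-cipher %^%#PLACEHOLDER%^%#
 local-user admin privilege level 0
#
user-interface maximum-vty 3
user-interface vty 0 2
 authentication-mode aaa
#
return
"""

# Constructed weak variant: line password on the VTYs, clear-text HWTACACS key,
# only an authentication server, and a level-15 local fallback account.
WEAK_CONFIG = """\
#
hwtacacs-server template hw
 hwtacacs-server authentication 192.168.100.2
 hwtacacs-server shared-key simple NotSoSecret
#
aaa
 local-user admin password irreversible-cipher %^%#PLACEHOLDER%^%#
 local-user admin privilege level 15
#
user-interface vty 0 2
 authentication-mode password
#
return
"""


def parse_blocks(text):
    """Split a VRP config into blocks; each block is a list of (indent, line)."""
    blocks, current = [], []
    for raw in text.splitlines():
        if raw.strip() == "#":
            if current:
                blocks.append(current)
                current = []
            continue
        if raw.strip():
            indent = len(raw) - len(raw.lstrip(" "))
            current.append((indent, raw.strip()))
    if current:
        blocks.append(current)
    return blocks


def audit(text):
    """Return a dict of findings about the AAA posture of the configuration."""
    blocks = parse_blocks(text)
    lines = [line for block in blocks for _, line in block]
    findings = {}
    # VTY lines must authenticate through AAA, not a line password or nothing.
    vty = [b for b in blocks if any(l.startswith("user-interface vty") for _, l in b)]
    findings["vty_uses_aaa"] = bool(vty) and all(
        any(l == "authentication-mode aaa" for _, l in b) for b in vty)
    # RADIUS/HWTACACS shared keys should only appear in cipher form.
    keys = [l for l in lines if "shared-key" in l]
    findings["shared_keys_ciphered"] = bool(keys) and all(" cipher " in l for l in keys)
    # The HWTACACS template should name authentication, authorization and
    # accounting servers so administrator actions are both controlled and recorded.
    tacacs = [b for b in blocks if b[0][1].startswith("hwtacacs-server template")]
    findings["hwtacacs_aaa_servers"] = bool(tacacs) and all(
        any(l.startswith(f"hwtacacs-server {kind} ") for _, l in tacacs[0])
        for kind in ("authentication", "authorization", "accounting"))
    # Privilege levels whose commands are authorized by the HWTACACS server.
    findings["cmd_authorization_levels"] = sorted(
        int(m.group(1)) for l in lines
        for m in [re.fullmatch(r"authorization-cmd (\d+) hwtacacs( local)?", l)] if m)
    # Local fallback account: irreversible password hash and least privilege.
    findings["local_admin_irreversible"] = any(
        l.startswith("local-user admin password irreversible-cipher") for l in lines)
    level = [m for m in (re.fullmatch(r"local-user admin privilege level (\d+)", l)
                         for l in lines) if m]
    findings["local_admin_privilege"] = int(level[0].group(1)) if level else None
    return findings
```

On the page's own file the audit reports command authorization for level 0 only, which is the level given to the local admin account and to the PRIVILEGE_LEVEL_0 shell profile; commands run at other levels are not sent to the HWTACACS server for authorization by this configuration, so any account that lands at a higher level relies on its command set being enforced elsewhere.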

For more information, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples

