
Configuration assistance required

Created: May 18, 2020 08:33:19 | Latest reply: Jul 9, 2020 03:26:48
Rewarded HiCoins: 0 (problem resolved)

Hello all,

Currently, we can access the S5720 by ssh using the local username and password.

To further enhance security, we need aaa login configuration commands to log in to the Switch using Active Directory credentials; if the TACACS server fails, then it should use the local username and password. We are using Aruba ClearPass as the NAC/Dot1x server as well as the AAA login server.

Please note that NAC and Dot1x are running on the switches, and the new commands for aaa login should not impact the dot1x sessions.

As an idea, the below commands worked well on C venture Switches.

aaa new-model
!
aaa group server tacacs+ TACACS+-SERVERS
 server name TAC1
 server name TAC2
 server name TAC3
!
tacacs server TAC1
 address ipv4 10.xx.xx.252
 key 7 (removed)
 timeout 5
tacacs server TAC2
 address ipv4 10.xx.xx.251
 key 7 (removed)
 timeout 5
tacacs server TAC3
 address ipv4 10.xx.xx.250
 key 7 (removed)
 timeout 5
!
aaa authentication login default group TACACS+-SERVERS local
aaa authorization exec default group TACACS+-SERVERS local if-authenticated
aaa accounting exec default start-stop group TACACS+-SERVERS
aaa accounting commands 1 default start-stop group TACACS+-SERVERS
aaa accounting commands 15 default start-stop group TACACS+-SERVERS
aaa accounting connection default start-stop group TACACS+-SERVERS
aaa accounting system default start-stop group TACACS+-SERVERS

Thanks in advance.



Featured Answers
Popeye_Wang
Admin Created May 18, 2020 08:37:24

Hi,

When an HWTACACS authentication server is deployed on a network, users can be authenticated through HWTACACS. User information is created and maintained by the HWTACACS authentication server.

When both HWTACACS authentication and local authentication are configured on a device and the HWTACACS server does not respond, the device performs local authentication. If only HWTACACS authentication is configured, users fail the authentication when the device cannot connect to the HWTACACS server.

HWTACACS is compatible with TACACS+ as per below.

NOTE:

HWTACACS is compatible with TACACS+ to some degree. HWTACACS and the TACACS+ protocols of other vendors support authentication, authorization, and accounting. HWTACACS and TACACS+ have identical processes and implementation mechanisms for authentication. That is, they are compatible with each other at the protocol layer. For example, a device running HWTACACS can communicate with an Aruba server (such as ClearPass). However, HWTACACS may not be compatible with Aruba extended attributes, because different vendors define different fields and meanings for extended attributes.

And for implementing it, we have to follow the below.

1. Enable the Telnet service.

2. Set the authentication method for Telnet login users to AAA.

3. Configure AAA local authentication, including creating a local user, setting the user access type to Telnet, and setting the user level to 15.

4. Configure HWTACACS authentication, including creating an HWTACACS server template, an AAA authentication scheme, and a service scheme, and applying the schemes to a domain.

The below only provides the configurations on the device. Ensure that the required parameters have been set on the ClearPass server, for example, the device's IP address, the shared key, and the user information.


1. Enable the Telnet server.

[Switch] telnet server enable

2. Set the authentication method for the VTY user interface to AAA.

[Switch] user-interface maximum-vty 15  //Set the maximum number of VTY login users to 15 (the value range varies according to product versions and models). By default, the maximum number of Telnet users is 5. (Already configured)
[Switch] user-interface vty 0 14  //Enter the VTY 0-14 user view. (Already configured)
[Switch-ui-vty0-14] authentication-mode aaa  //Set the authentication method for the VTY user view to AAA. (Already configured)
[Switch-ui-vty0-14] protocol inbound ssh  //Allow only SSH on these VTYs. (Needs to be configured) Command syntax: protocol inbound { all | ssh | telnet }
[Switch-ui-vty0-14] quit

3. Configure AAA local authentication. (Already configured)

4. Configure HWTACACS authentication.

4.1 Configure an HWTACACS server template to implement communication between the device and the HWTACACS server.

[Switch] hwtacacs-server template 1  //Create the template. Its name (1 here) must match the name bound in the domain in step 4.4.
[Switch-hwtacacs-1] hwtacacs-server authentication x.x.x.x  //Specify the IP address and port number of the HWTACACS authentication server.
[Switch-hwtacacs-1] hwtacacs-server shared-key cipher xxxxx  //Specify the shared key of the HWTACACS authentication server, which must be the same as that configured on the HWTACACS server.
[Switch-hwtacacs-1] quit

4.2 Configure an AAA authentication scheme and set the authentication methods to HWTACACS and local authentication.

[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode hwtacacs local  //If multiple authentication modes are configured in an authentication scheme, the authentication modes are used according to the sequence in which they were configured.
[Switch-aaa-authen-sch1] quit

4.3 Configure a service scheme and set the user level to 15.

[Switch-aaa] service-scheme sch1
[Switch-aaa-service-sch1] admin-user privilege level 15
[Switch-aaa-service-sch1] quit

4.4 Apply the AAA authentication scheme, HWTACACS server template, and service scheme to the domain.

[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] hwtacacs-server 1  //Bind the template created in step 4.1.
[Switch-aaa-domain-huawei.com] service-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

 

Refer to:  https://support.huawei.com/hedex/hdx.do?docid=EDOC1000177841&id=dc_s_ccase_aaa_003_2&lang=en
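An added example, not part of the original post and not Huawei's or Aruba's own tooling: an offline linter that reads a Huawei VRP-style configuration dump and checks the security-relevant points of the steps above, for both the asker's fallback requirement (HWTACACS first, local only as the fallback) and the answer's VTY hardening (AAA plus SSH only), the cipher-stored shared key, and the domain binding a template that actually exists. It assumes the dump is indentation-structured like `display current-configuration` output; the two config excerpts, the server address, the template name and the key values are constructed placeholders.

```python
"""Added example (not code from the original post or from Huawei/Aruba): an
offline linter for a Huawei VRP-style AAA configuration dump. Config excerpts,
addresses, names and keys below are constructed placeholders."""


def parse_tree(text):
    """Turn an indentation-structured VRP config into nested (line, children)
    nodes. '#' separator lines and blank lines are ignored."""
    root = []
    stack = [(-1, root)]                 # (indent level, children list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:    # close deeper or same-level blocks
            stack.pop()
        node = (line, [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def find(nodes, prefix):
    """Direct children whose command line starts with prefix."""
    return [n for n in nodes if n[0].startswith(prefix)]


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    tree = parse_tree(config_text)
    findings = []

    # 1. Every VTY line must authenticate via AAA and accept SSH only.
    for line, kids in find(tree, "user-interface vty"):
        if [k[0] for k in find(kids, "authentication-mode")] != ["authentication-mode aaa"]:
            findings.append(f"{line}: authentication-mode should be aaa")
        if [k[0] for k in find(kids, "protocol inbound")] != ["protocol inbound ssh"]:
            findings.append(f"{line}: protocol inbound should be ssh (telnet is cleartext)")

    # 2. HWTACACS templates need a server and a shared key stored as cipher text.
    templates = {}
    for line, kids in find(tree, "hwtacacs-server template"):
        name = line.split()[-1]
        templates[name] = kids
        if not find(kids, "hwtacacs-server authentication"):
            findings.append(f"template {name}: no authentication server configured")
        keys = [k[0] for k in find(kids, "hwtacacs-server shared-key")]
        if not keys:
            findings.append(f"template {name}: no shared key configured")
        elif any(" simple " in k for k in keys):
            findings.append(f"template {name}: shared key stored as 'simple' (plain text); use cipher")

    # 3. Authentication schemes: HWTACACS first, local only as the fallback.
    aaa_kids = next((kids for line, kids in tree if line == "aaa"), [])
    schemes = {}
    for line, kids in find(aaa_kids, "authentication-scheme"):
        name = line.split()[-1]
        modes = [k[0].split()[1:] for k in find(kids, "authentication-mode")]
        schemes[name] = modes[0] if modes else []
        if schemes[name][:1] != ["hwtacacs"]:
            findings.append(f"scheme {name}: hwtacacs should be tried first "
                            f"(got: {' '.join(schemes[name]) or 'nothing'})")
        elif "local" not in schemes[name]:
            findings.append(f"scheme {name}: no local fallback; logins fail when no HWTACACS server responds")

    # 4. Domains must bind a defined authentication scheme and a defined template.
    for line, kids in find(aaa_kids, "domain "):
        dname = line.split()[-1]
        refs = [k[0].split()[-1] for k in find(kids, "hwtacacs-server ")]
        if not refs:
            findings.append(f"domain {dname}: no hwtacacs-server template bound")
        for ref in refs:
            if ref not in templates:
                findings.append(f"domain {dname}: hwtacacs-server template '{ref}' is not defined")
        for ref in (k[0].split()[-1] for k in find(kids, "authentication-scheme")):
            if ref not in schemes:
                findings.append(f"domain {dname}: authentication-scheme '{ref}' is not defined")
    return findings


# Constructed weak excerpt: telnet still allowed, local tried before hwtacacs,
# key stored in plain text, and the domain binds a template that is not defined.
WEAK_CONFIG = """\
hwtacacs-server template 1
 hwtacacs-server authentication 192.0.2.10
 hwtacacs-server shared-key simple PLACEHOLDER-KEY
#
aaa
 authentication-scheme sch1
  authentication-mode local hwtacacs
 service-scheme sch1
  admin-user privilege level 15
 domain huawei.com
  authentication-scheme sch1
  hwtacacs-server 2
  service-scheme sch1
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound all
#
"""

# Constructed hardened excerpt: the same dump with the four defects corrected.
HARDENED_CONFIG = (WEAK_CONFIG
                   .replace("simple PLACEHOLDER-KEY", "cipher PLACEHOLDER-CIPHERTEXT")
                   .replace("local hwtacacs", "hwtacacs local")
                   .replace("hwtacacs-server 2", "hwtacacs-server 1")
                   .replace("protocol inbound all", "protocol inbound ssh"))
```

Running `audit(WEAK_CONFIG)` reports four findings (telnet permitted on the VTYs, a `simple` shared key, `local` ordered before `hwtacacs`, and a domain bound to the undefined template 2), while `audit(HARDENED_CONFIG)` returns an empty list. The order check matters for the asker's requirement: with `local hwtacacs` the switch consults the local database first, so the ClearPass credentials are never asked for, whereas `hwtacacs local` only falls through to local accounts when no HWTACACS server responds.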


All Answers

Sapte
Sapte Created May 18, 2020 22:48:45


ethanbrown
ethanbrown Created Jul 9, 2020 03:26:48

great!
