
HWTACACS authentication

Created: Aug 31, 2020 02:34:27
Latest reply: Aug 31, 2021 02:26:30
Rewarded HiCoins: 0 (problem resolved)

Hi,

Configure HWTACACS authentication on the firewall. Most accounts can be authenticated using HWTACACS. After login, account priorities are controlled by the HWTACACS server. However, when the user admin logs in to the system, HWTACACS authentication is not performed. Instead, local authentication is performed and the user priority level is 15. This is not the expected behavior. Why does the user admin skip HWTACACS authentication?

Here is the configuration:

#
hwtacacs-server template aaa
 hwtacacs-server authentication x.x.x.x
 hwtacacs-server authentication x.x.x.x secondary
 hwtacacs-server authorization x.x.x.x
 hwtacacs-server authorization x.x.x.x secondary
 hwtacacs-server accounting x.x.x.x
 hwtacacs-server accounting x.x.x.x secondary
 hwtacacs-server source-ip x.x.x.x
 hwtacacs-server shared-key cipher %^%#on(\GR>ov#dwIO'Z^xc:UU"
 undo hwtacacs-server user-name domain-included
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authentication-scheme admin_ldap
 authentication-scheme aaa
  authentication-mode hwtacacs local
 authorization-scheme default
 authorization-scheme aaa
  authorization-mode hwtacacs local
  authorization-cmd 0 hwtacacs local
  authorization-cmd 1 hwtacacs local
  authorization-cmd 3 hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme default
 accounting-scheme aaa
  accounting-mode hwtacacs
  accounting start-fail online
 domain default
  authentication-scheme aaa
  accounting-scheme aaa
  authorization-scheme aaa
  hwtacacs-server aaa
 manager-user admin
  password cipher @%@%
  service-type web terminal ssh
  level 15


Best answer
Popeye_Wang (Admin), created Aug 31, 2020 02:41:01

Hi,

Administrator Authentication Method

The FW authenticates an administrator account in one of the following modes before allowing the administrator to log in:

  • Local authentication

    Both the administrator account and password are stored on the FW.

  • Server authentication:

    • If the administrator does not use domain authentication, the administrator account must be created on the FW, and the password is saved on the authentication server. Currently, the FW supports the following server authentication modes: AD, LDAP, RADIUS, and HWTACACS.

    • If the administrator uses domain authentication, the administrator account and password must be created and saved on the domain authentication server. No administrator information needs to be configured on the FW. Currently, the FW supports the following server authentication modes: AD, LDAP, RADIUS, and HWTACACS.

  • Server and local authentication

    The FW performs server authentication first. The FW performs local authentication only if it fails to connect to the authentication server.

After the administrator account is created, the virtual system or authentication domain of the user name must be specified to log in to the device. For example, user username on virtual system vsys with domain (domainname) authentication uses the user name username@domainname@@vsys to log in to and manage the FW.

The FW determines the authentication and authorization modes based on the authentication scheme, authorization scheme, or third-party server template bound to the administrator account or authentication domain. The logins of the admin and admin@test accounts are used as examples to describe the FW processing:
  • Login using the admin account:

    Check whether the FW has the admin account. If yes, use the authentication scheme, authorization scheme, and third-party server template bound to the admin account. If no, use the authentication scheme, authorization scheme, or third-party server template bound to the default authentication domain.

    By default, the local administrator is bound to the default authentication scheme and default authorization scheme. The authentication domain (the default domain or a new authentication domain) is bound to the default authentication scheme and default authorization scheme.

  • Login using the admin@test account:

    The FW directly uses the authentication scheme, authorization scheme, or third-party server template bound to the test authentication domain.

    By default, the authentication domain (the default domain or a new authentication domain) is bound to the default authentication scheme and default authorization scheme.


Refer to: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100068394&id=sec_admin_admin_0002&lang=en


Therefore, to enable the admin account to perform HWTACACS authentication preferentially, you need to change the authentication scheme bound to the account.

[HUAWEI-aaa] manager-user localadmin
[HUAWEI-aaa-manager-user-localadmin] authentication-scheme aaa
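As an added illustration (not part of the original question or answer, and not Huawei's code), the Python below models the lookup rule the answer quotes and runs it over the poster's aaa block both as posted and after the proposed fix, so you can see why admin lands on the default scheme while every other name reaches the domain's hwtacacs scheme. It assumes the indentation of a Huawei configuration dump (views indented one space, sub-commands two), that a scheme with no authentication-mode line authenticates locally (the Huawei default, and what the poster observes), and that authorization-scheme aaa and hwtacacs-server aaa can also be bound in the manager-user view, which the answer describes but does not show as commands. The login name alice is a constructed example of an account that exists only on the HWTACACS server.

```python
"""Model of the manager-user authentication lookup described in the answer.

Added example, not code from the original post or from Huawei. A bare user name
matching a local manager-user uses the scheme bound to that account (built-in
`default` when none is bound); any other name uses its domain's scheme (the
`default` domain for a bare name). The parser only understands the indentation
of the posted `aaa` block; it is not a general VRP config parser.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample: the question's `aaa` block, trimmed to the lines that
# decide authentication (views indented one space, sub-commands two).
CONFIG_AS_POSTED = """\
aaa
 authentication-scheme default
 authentication-scheme aaa
  authentication-mode hwtacacs local
 domain default
  authentication-scheme aaa
  authorization-scheme aaa
  hwtacacs-server aaa
 manager-user admin
  password cipher @%@%
  service-type web terminal ssh
  level 15
"""

# Same block after the answer's fix (`authentication-scheme aaa` on the account).
# The `authorization-scheme` and `hwtacacs-server` lines are an assumption: the
# answer says both can be bound to an account but shows only the first command.
CONFIG_FIXED = CONFIG_AS_POSTED.replace(
    " manager-user admin\n",
    " manager-user admin\n  authentication-scheme aaa\n"
    "  authorization-scheme aaa\n  hwtacacs-server aaa\n",
)

@dataclass
class AaaConfig:
    auth_modes: dict[str, list[str]] = field(default_factory=dict)  # scheme -> modes
    domains: dict[str, dict[str, str]] = field(default_factory=dict)
    users: dict[str, dict[str, str]] = field(default_factory=dict)

def parse_aaa(text: str) -> AaaConfig:
    cfg = AaaConfig()
    views = {"domain": cfg.domains, "manager-user": cfg.users}
    # A scheme with no authentication-mode line authenticates locally (the Huawei
    # default, and what the question observes for `admin`).
    cfg.auth_modes["default"] = ["local"]
    section = None  # (view kind, view name) of the enclosing one-space view
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        tokens = raw.split()
        if depth == 0:  # `aaa` or `#`: no view open
            section = None
        elif depth == 1:  # scheme / domain / manager-user view header
            kind, name = tokens[0], tokens[1]
            section = (kind, name)
            if kind == "authentication-scheme":
                cfg.auth_modes.setdefault(name, ["local"])
            elif kind in views:
                views[kind].setdefault(name, {})
        elif section is not None:  # sub-command inside the open view
            kind, name = section
            if kind == "authentication-scheme" and tokens[0] == "authentication-mode":
                cfg.auth_modes[name] = tokens[1:]
            elif kind in views:
                views[kind][name][tokens[0]] = " ".join(tokens[1:])
    return cfg

def resolve_scheme(cfg: AaaConfig, login_name: str) -> tuple[str, str, list[str]]:
    """Return (scheme, where it is bound, ordered modes) for a login name.
    `@@vsys` suffixes are not modelled; the domain in `user@domain` must exist."""
    user, _, domain = login_name.partition("@")
    if not domain and user in cfg.users:  # a local account wins for a bare name
        scheme = cfg.users[user].get("authentication-scheme", "default")
        source = f"manager-user {user}"
    else:
        dom = domain or "default"
        scheme = cfg.domains[dom].get("authentication-scheme", "default")
        source = f"domain {dom}"
    return scheme, source, cfg.auth_modes.get(scheme, ["local"])

def users_authenticated_locally_first(cfg: AaaConfig) -> list[str]:
    """Manager-users whose effective scheme tries `local` before any server."""
    return sorted(u for u in cfg.users if resolve_scheme(cfg, u)[2][0] == "local")

if __name__ == "__main__":
    for label, text in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        cfg = parse_aaa(text)
        print(label, resolve_scheme(cfg, "admin"), resolve_scheme(cfg, "alice"),
              "local-first:", users_authenticated_locally_first(cfg))
```

Run as posted, admin resolves to the default scheme (local) through manager-user admin, while alice resolves to the aaa scheme (hwtacacs, then local) through domain default; with the fix applied, admin resolves to aaa as well. Keep the caveat from the answer in mind when reading the audit: hwtacacs local still falls back to the local password whenever the server cannot be reached, so the password configured on admin remains a usable credential in that case. The list returned by users_authenticated_locally_first only tells you which accounts never consult the server first.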

smileymind, created Aug 31, 2021 02:24:40

Nice