
【Mr Gateway After-sales Service】Example for Configuring Command Line Authorizati

Latest reply: Mar 28, 2016 07:00:37

This example applies to all AR models of all versions.


Networking Requirements

As shown in Figure 1, a user accesses the network through the Router. The user belongs to the domain and the user level is 3. The user does not need to use some level-3 commands. To implement refined management and ensure device security, configure the Router to perform command line authorization for the user through HWTACACS and record the commands executed by the user.


The IP address of the HWTACACS server is, authentication port number is 49, and authorization port number is 49.


Figure 1 HWTACACS-based command line authorization




Configure the Router.



 sysname Router

hwtacacs-server template 1  //Configure an HWTACACS server template.
 hwtacacs-server authentication weight 80  //Configure an HWTACACS authentication server.
 hwtacacs-server authorization weight 80  //Configure an HWTACACS authorization server.
 hwtacacs-server shared-key cipher %^%#z3#CA>MtbD=>A]Ts;au$;&I!<sN~"B!++2S8'--;%^%#  //Set the shared key between the router and the HWTACACS server to Hello@1234.

 authentication-scheme sch1  //Create the authentication scheme sch1.
  authentication-mode hwtacacs
 authorization-scheme ht  //Create the authorization scheme ht.
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs  //Configure command line authorization for users at level 3.
 recording-scheme scheme0  //Create the recording scheme scheme0.
  recording-mode hwtacacs 1  //Associate the HWTACACS server template with the recording scheme scheme0.
 cmd recording-scheme scheme0  //Configure scheme0 to record the commands executed on the device.
 service-scheme sch1  //Create the service scheme sch1.
  admin-user privilege level 15
 domain   //Create the domain.
  authentication-scheme sch1  //Specify the HWTACACS authentication scheme for the users in this domain.
  authorization-scheme ht  //Specify the HWTACACS authorization scheme for the users in this domain.
  service-scheme sch1  //Specify the service scheme for the users in this domain.
  hwtacacs-server 1  //Specify the HWTACACS server template for the users in this domain.

interface GigabitEthernet1/0/1
 ip address

interface GigabitEthernet1/0/2
 ip address

 telnet server enable  //Enable the Telnet server.

user-interface maximum-vty 15  //Set the maximum number of login users on the VTY user interface to 15.
user-interface vty 0 14
 authentication-mode aaa  //Set the authentication mode of the VTY user interface to AAA.



Verify the configuration.

# Choose Start > Run on your computer and enter cmd to open the cmd window. Run the telnet command and enter the user name and password Huawei@1234 to log in to the device through Telnet.


C:\Documents and Settings\Administrator> telnet

<Router>  //The administrator successfully logs in to the device.

# Run the display authorization-scheme ht command. The command output shows that command line authorization is configured for level-3 users.


<Huawei> display authorization-scheme ht
 Authorization-scheme-name               : ht
 Authorization-method                    : HWTACACS
 Authorization-cmd level  0              : Disabled
 Authorization-cmd level  1              : Disabled
 Authorization-cmd level  2              : Disabled
 Authorization-cmd level  3              : Enabled  ( HWTACACS  )
 Authorization-cmd level  4              : Disabled
 Authorization-cmd level  5              : Disabled
 Authorization-cmd level  6              : Disabled
 Authorization-cmd level  7              : Disabled
 Authorization-cmd level  8              : Disabled
 Authorization-cmd level  9              : Disabled
 Authorization-cmd level 10              : Disabled
 Authorization-cmd level 11              : Disabled
 Authorization-cmd level 12              : Disabled
 Authorization-cmd level 13              : Disabled
 Authorization-cmd level 14              : Disabled
 Authorization-cmd level 15              : Disabled
 Authorization-cmd no-response-policy    : Online
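As an added defender-side check that is not part of the original post: a small Python parser for the display authorization-scheme output shown above. It confirms that level-3 command line authorization is enabled through HWTACACS and reports the no-response policy so that a fail-open "Online" setting can be reviewed. The sample text is constructed from the output above; the function names and the finding strings are assumptions of this example.

```python
import re

# Constructed sample, copied in shape from the display output above (not a live capture).
SAMPLE_OUTPUT = """\
 Authorization-scheme-name               : ht
 Authorization-method                    : HWTACACS
 Authorization-cmd level  0              : Disabled
 Authorization-cmd level  1              : Disabled
 Authorization-cmd level  2              : Disabled
 Authorization-cmd level  3              : Enabled  ( HWTACACS  )
 Authorization-cmd level  4              : Disabled
 Authorization-cmd level 15              : Disabled
 Authorization-cmd no-response-policy    : Online
"""

# "Authorization-cmd level  3 : Enabled  ( HWTACACS  )" -> level, state, optional method
LEVEL_RE = re.compile(
    r"^\s*Authorization-cmd level\s+(\d+)\s*:\s*(Enabled|Disabled)(?:\s*\(\s*(\S+)\s*\))?")
KV_RE = re.compile(
    r"^\s*(Authorization-scheme-name|Authorization-method|"
    r"Authorization-cmd no-response-policy)\s*:\s*(\S+)")


def parse_authorization_scheme(text):
    """Parse display authorization-scheme output into a dict; levels map to (enabled, method)."""
    scheme = {"levels": {}}
    for line in text.splitlines():
        m = LEVEL_RE.match(line)
        if m:
            level, state, method = m.groups()
            scheme["levels"][int(level)] = (state == "Enabled", method)
            continue
        m = KV_RE.match(line)
        if m:
            scheme[m.group(1)] = m.group(2)
    return scheme


def check_cmd_authorization(scheme, required_levels=(3,), method="HWTACACS"):
    """Return a list of findings; an empty list means the scheme matches the expected policy."""
    findings = []
    for lvl in required_levels:
        enabled, m = scheme["levels"].get(lvl, (False, None))
        if not enabled or m != method:
            findings.append(f"level {lvl}: command authorization not enabled via {method}")
    if scheme.get("Authorization-cmd no-response-policy") == "Online":
        # Online keeps the user working when the server does not answer; review if that is intended.
        findings.append("no-response-policy is Online: fail-open when the HWTACACS server does not respond")
    return findings
```

Running the check against output collected from several devices turns the manual verification step above into a repeatable audit.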



Configuration Notes

The Router and HWTACACS server must use the same authentication port number.


The Router and HWTACACS server must use the same shared key.


There must be a reachable route between the Router and HWTACACS server.


Created Mar 28, 2016 07:00:37

Thank you.
