This example applies to all AR models of all versions.
Networking Requirements
As shown in Figure 1, a user accesses the network through the Router. The user belongs to the domain huawei.com and has user level 3, but should not be permitted to run certain level-3 commands. To implement refined management and ensure device security, configure the Router to perform command line authorization for the user through HWTACACS and to record the commands the user executes.
The IP address of the HWTACACS server is 10.1.6.6/24; the authentication port number is 49, and the authorization port number is 49.
Figure 1 HWTACACS-based command line authorization
Procedure
Configure the Router.
#
sysname Router
#
hwtacacs-server template 1 //Configure an HWTACACS server template.
hwtacacs-server authentication 10.1.6.6 weight 80 //Configure an HWTACACS authentication server.
hwtacacs-server authorization 10.1.6.6 weight 80 //Configure an HWTACACS authorization server.
hwtacacs-server shared-key cipher %^%#z3#CA>MtbD=>A]Ts;au$;&I!<sN~"B!++2S8'--;%^%# //Set the shared key between the Router and the HWTACACS server to Hello@1234.
#
aaa
authentication-scheme sch1 //Create the authentication scheme sch1.
authentication-mode hwtacacs
authorization-scheme ht //Create the authorization scheme ht.
authorization-mode hwtacacs
authorization-cmd 3 hwtacacs //Configure command line authorization for users at level 3.
recording-scheme scheme0 //Create the record scheme scheme0.
recording-mode hwtacacs 1 //Associate HWTACACS server template 1 with the record scheme scheme0.
cmd recording-scheme scheme0 //Configure scheme0 to record the commands executed on the device.
service-scheme sch1 //Create the service scheme sch1.
admin-user privilege level 15
domain huawei.com //Create the domain huawei.com.
authentication-scheme sch1 //Specify the HWTACACS authentication scheme for the users in this domain.
authorization-scheme ht //Specify the HWTACACS authorization scheme for the users in this domain.
service-scheme sch1 //Specify the service scheme for the users in this domain.
hwtacacs-server 1 //Specify the HWTACACS server template for the users in this domain.
#
interface GigabitEthernet1/0/1
ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.1.6.10 255.255.255.0
#
telnet server enable //Enable the Telnet server.
#
user-interface maximum-vty 15 //Set the maximum number of login users on the VTY user interface to 15.
user-interface vty 0 14
authentication-mode aaa //Set the authentication mode for VTY user interface to AAA.
#
return
Verify the configuration.
# Choose Start > Run on your computer and enter cmd to open the cmd window. Run the telnet command and enter the user name user1@huawei.com and password Huawei@1234 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1@huawei.com
Password:***********
<Router> //The administrator successfully logs in to the device.
# Run the display authorization-scheme ht command. The command output shows that command line authorization is configured for level-3 users.
<Huawei> display authorization-scheme ht
---------------------------------------------------------------------------
Authorization-scheme-name : ht
Authorization-method : HWTACACS
Authorization-cmd level 0 : Disabled
Authorization-cmd level 1 : Disabled
Authorization-cmd level 2 : Disabled
Authorization-cmd level 3 : Enabled ( HWTACACS )
Authorization-cmd level 4 : Disabled
Authorization-cmd level 5 : Disabled
Authorization-cmd level 6 : Disabled
Authorization-cmd level 7 : Disabled
Authorization-cmd level 8 : Disabled
Authorization-cmd level 9 : Disabled
Authorization-cmd level 10 : Disabled
Authorization-cmd level 11 : Disabled
Authorization-cmd level 12 : Disabled
Authorization-cmd level 13 : Disabled
Authorization-cmd level 14 : Disabled
Authorization-cmd level 15 : Disabled
Authorization-cmd no-response-policy : Online
---------------------------------------------------------------------------
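The following Python model is an added example, not Huawei's code and not something the Router runs. It parses the display authorization-scheme output shown above and models the decision the Router makes for one command line from a level-3 user: authorization is only consulted for the levels marked Enabled, and when the HWTACACS server does not respond the no-response-policy decides. The server-side command policy for user1@huawei.com is a constructed stand-in (a real HWTACACS server keeps this in its own configuration), and "offline" is an assumed name for the fail-closed alternative to the "Online" policy in the output.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the `display authorization-scheme ht` output from the page,
# embedded here so the example runs offline (no device or HWTACACS server needed).
DISPLAY_OUTPUT = """\
Authorization-scheme-name : ht
Authorization-method : HWTACACS
Authorization-cmd level 0 : Disabled
Authorization-cmd level 1 : Disabled
Authorization-cmd level 2 : Disabled
Authorization-cmd level 3 : Enabled ( HWTACACS )
Authorization-cmd level 15 : Disabled
Authorization-cmd no-response-policy : Online
"""

LEVEL_RE = re.compile(r"Authorization-cmd level (\d+)\s*:\s*(Enabled|Disabled)")
POLICY_RE = re.compile(r"Authorization-cmd no-response-policy\s*:\s*(\w+)")


def parse_scheme(text: str) -> dict:
    """Parse the display output into {level: enabled?} plus the no-response policy."""
    levels: Dict[int, bool] = {}
    policy: Optional[str] = None
    for line in text.splitlines():
        m = LEVEL_RE.search(line)
        if m:
            levels[int(m.group(1))] = m.group(2) == "Enabled"
            continue
        m = POLICY_RE.search(line)
        if m:
            policy = m.group(1).lower()
    return {"levels": levels, "no_response_policy": policy}


# Constructed stand-in for the HWTACACS server's per-user command policy
# (hypothetical; a real server holds this in its own configuration).
SERVER_POLICY = {
    "user1@huawei.com": {"display current-configuration", "display authorization-scheme"},
}


def server_authorize(user: str, command: str, server_up: bool = True) -> Optional[bool]:
    """Return True (permit), False (deny) or None (no response from the server)."""
    if not server_up:
        return None
    allowed = SERVER_POLICY.get(user, set())
    return any(command == a or command.startswith(a + " ") for a in allowed)


def router_decision(scheme: dict, user: str, user_level: int, command: str,
                    server_up: bool = True) -> Tuple[str, str]:
    """Model the Router's decision for one command line.

    Returns (verdict, reason); verdict is "permit" or "deny".
    """
    # Command-line authorization is only enabled for the levels shown as Enabled.
    if not scheme["levels"].get(user_level, False):
        return "permit", "command-line authorization not enabled for level %d" % user_level
    verdict = server_authorize(user, command, server_up)
    if verdict is None:
        # No answer from HWTACACS: the no-response-policy decides.
        if scheme["no_response_policy"] == "online":
            return "permit", "server did not respond; no-response-policy online (fail-open)"
        return "deny", "server did not respond; no-response-policy offline (fail-closed)"
    return ("permit" if verdict else "deny"), "HWTACACS server decision"


if __name__ == "__main__":
    scheme = parse_scheme(DISPLAY_OUTPUT)
    for cmd, up in [("display current-configuration", True), ("reboot", True), ("reboot", False)]:
        print(cmd, "server_up=%s ->" % up, router_decision(scheme, "user1@huawei.com", 3, cmd, up))
```

The third case in the usage run is the one worth checking on a real deployment: with the policy shown in the output (Online), a level-3 command that the server would deny is permitted whenever the server is unreachable, and the only trace of it is the record produced by scheme0, so make sure the recording server is reachable and monitored as well.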
Configuration Notes
The Router and HWTACACS server must use the same authentication port number.
The Router and HWTACACS server must use the same shared key.
There must be a reachable route between the Router and HWTACACS server.