Tacacs Configuration on Huawei Switch S5700

1. Overview

 

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol that delivers the three AAA services, authentication, authorization and accounting, from a central server. It is used to authenticate administrators logging in to network devices, to authorize what each of them may do on a device, down to individual commands, and, through accounting, to build an audit trail on the server of every command a privileged user executes. One caveat to know before relying on it: the shared key does not encrypt the traffic in the modern sense, it only masks packet bodies with an MD5-derived keystream (RFC 8907), so TACACS+ traffic belongs on a trusted management network.

This document shows how to configure TACACS+ on the Huawei S5700 switch.

2. Prerequisites

 

This article assumes that:

a. You have already installed a TACACS+ server. If not, see one of the following:

1. Configuring Tacacs Plus with Tacacs Plus User Authentication on RHEL/CentOS 7
2. Configuring Tacacs Plus with Linux Systems Users Authentication on RHEL/CentOS 7
3. Configuring Tacacs Plus with Active Directory User Authentication on RHEL/CentOS 7

b. You have already configured SSH remote management on the Huawei switch. If not, see SSH Configuration on Huawei Switch S5700.

3. Create Console Login for Backup

 

Before configuring TACACS+ on the switch, create a console login first, so that if the TACACS+ server becomes unreachable you can still manage the switch over the physical console. The console line below authenticates with a local password and never goes through AAA, so it keeps working whatever the server does. Use a strong password rather than the placeholder shown here; the switch stores it in ciphered form.

] user-interface console 0
   authentication-mode password
   set authentication password cipher 2222

The next time you log in over the console you will be prompted for this password.

4. Configure Tacacs Plus Server

 

The following commands define the TACACS+ server on a Huawei S5700. “ts-aaa” is just the name given to the HWTACACS template; you can use any name. Here one server at 192.168.171.13 handles all three services. The shared key must be identical to the key the server holds for this switch (the `key` setting in tac_plus.conf on the server from the prerequisites), and because it is the only secret protecting the packet bodies, use a long random value instead of the short example below.

] hwtacacs-server template ts-aaa
   hwtacacs-server authentication 192.168.171.13
   hwtacacs-server authorization 192.168.171.13
   hwtacacs-server accounting 192.168.171.13
   hwtacacs-server shared-key cipher TS@123
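To make the role of the shared key concrete, here is an added example (not code from the article or from Huawei) that builds a TACACS+ authentication START packet the way a client such as the switch would, masks its body with the key as RFC 8907 section 4.5 specifies, and then decodes it with the right key and with a wrong one. The key is the article's value; the session ID, username, port and remote address are constructed sample values. The point it demonstrates is that the protection is a keystream derived from the key alone: whoever has the key and a capture of TCP/49 can read every password and every accounted command.

```python
"""Added example: how a TACACS+ client uses the shared key (RFC 8907, 4.5).
Not code from the article or from Huawei; KEY is the article's value, while
the session ID, user, port and remote address are constructed samples."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length
VERSION_12_0 = 0xC0                 # major version 12, minor version 0
TYPE_AUTHEN = 0x01                  # packet type: authentication
UNENCRYPTED_FLAG = 0x01             # header flag bit: body sent in the clear
KEY = b"TS@123"                     # the article's shared key (far too short for real use)
SESSION_ID = 0x1A2B3C4D             # constructed; real clients pick this randomly per session


def pseudo_pad(key, session_id, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_(n-1).
    The chunks are concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, key, session_id, version, seq_no):
    """XOR the body with the keystream; applying it twice restores the body."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=15):
    """Authentication START for an ASCII login: action=LOGIN(1), priv_lvl,
    authen_type=ASCII(1), service=LOGIN(1), four length bytes, then the strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), 0]) + u + p + r


def build_packet(body, key, session_id, seq_no=1, ptype=TYPE_AUTHEN):
    """Header travels in the clear; the body is masked with the session keystream."""
    header = HEADER.pack(VERSION_12_0, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, key, session_id, VERSION_12_0, seq_no)


def parse_packet(packet, key):
    """Split the header and recover the body with the given key. A wrong key
    does not fail loudly, it just yields garbage, which is why a key mismatch
    between switch and server shows up only as failed logins."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & UNENCRYPTED_FLAG:
        body = obfuscate(body, key, session_id, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "length": length}, body


def demo():
    body = authen_start_body("admin", "vty0", "192.168.171.13")   # constructed login
    packet = build_packet(body, KEY, SESSION_ID)
    header, with_right_key = parse_packet(packet, KEY)
    _, with_wrong_key = parse_packet(packet, b"not-the-key")
    return {
        "header": header,
        "user_visible_on_wire": b"admin" in packet,       # False: body is keystream-masked
        "decoded_with_right_key": with_right_key == body,  # True
        "decoded_with_wrong_key": with_wrong_key == body,  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as-is to see the header fields and the three checks; swap a sniffed packet's bytes into `parse_packet` with the configured key to see how little the "cipher" protects once the key is known.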

5. Configure Authentication

 

Now tell the switch to authenticate users against the TACACS+ server. “hwtc-tc” is just the name given to the authentication scheme; you can use any name, but it must match the name bound to the domain in section 8. The last command makes password authentication the default for SSH users, which is what a TACACS+-backed login uses.

] aaa
   authentication-scheme hwtc-tc
     authentication-mode hwtacacs
] ssh authentication-type default password

6. Configure Authorization

 

When command authorization is applied, a user who can log in may only execute the commands that the TACACS+ server permits for that user. “hwtc-tc” is just the name given to the authorization scheme; you can use any name. `authorization-cmd 15 hwtacacs local` turns on per-command authorization for level-15 users, asking the server first and falling back to the switch's own decision if the server is unreachable. It covers only that privilege level: add a line for every level the server may assign (for example the level your limited accounts receive), otherwise commands from those users are not checked at all.

] aaa
    authorization-scheme hwtc-tc
      authorization-mode hwtacacs
      authorization-cmd 15 hwtacacs local

7. Configure Accounting

 

When accounting is applied, the switch reports to the TACACS+ server every command a user executes, so you can see who did what on the device. “hwtc-tc” is just the name given to the accounting and recording schemes; you can use any name. The accounting scheme covers login and logout records; command-by-command logging is done by the separate recording scheme, which points at the HWTACACS template “ts-aaa” and is switched on for commands with `cmd recording-scheme`.

] aaa
    accounting-scheme hwtc-tc
       accounting-mode hwtacacs
    recording-scheme hwtc-tc
       recording-mode hwtacacs ts-aaa
    cmd recording-scheme hwtc-tc  

8. Applying AAA Scheme to Domain

 

After creating the authentication, authorization and accounting schemes, bind them, together with the HWTACACS template, to the domain. Administrators who log in without a domain name in their username land in the default administrative domain “default_admin”, so that is the domain to bind. The names used here must exactly match the scheme and template names defined above; check them character by character before testing.

] aaa
    domain default_admin  
      authentication-scheme hwtc-tc
      accounting-scheme hwtc-tc
      authorization-scheme hwtc-tc
      hwtacacs-server ts-aaa
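Before moving on to testing, it is worth verifying mechanically that the names line up. The following is an added example (not part of the original article and not Huawei code): a Python check that parses the text of `display current-configuration` and confirms that every scheme and template bound in the domain is actually defined and in hwtacacs mode, that the template has all three servers and a key, that command authorization keeps a local fallback, that command recording is bound, and that the console line still has its local password from section 3. `SAMPLE_CONFIG` is constructed from the article's own commands in the one-space-per-level layout VRP prints, with `<cipher>` standing in for the stored secrets; it deliberately spells the authentication scheme name as `hwtc-ts` while the domain binds `hwtc-tc`, so the check has something to find.

```python
"""Added example: consistency check over `display current-configuration` for the
AAA pieces built in sections 3 to 8. Not code from the article or from Huawei.
SAMPLE_CONFIG is constructed from the article's commands; it deliberately has an
authentication scheme named hwtc-ts while the domain binds hwtc-tc."""
import re

SAMPLE_CONFIG = """\
#
hwtacacs-server template ts-aaa
 hwtacacs-server authentication 192.168.171.13
 hwtacacs-server authorization 192.168.171.13
 hwtacacs-server accounting 192.168.171.13
 hwtacacs-server shared-key cipher <cipher>
#
aaa
 authentication-scheme hwtc-ts
  authentication-mode hwtacacs
 authorization-scheme hwtc-tc
  authorization-mode hwtacacs
  authorization-cmd 15 hwtacacs local
 accounting-scheme hwtc-tc
  accounting-mode hwtacacs
 recording-scheme hwtc-tc
  recording-mode hwtacacs ts-aaa
 cmd recording-scheme hwtc-tc
 domain default_admin
  authentication-scheme hwtc-tc
  accounting-scheme hwtc-tc
  authorization-scheme hwtc-tc
  hwtacacs-server ts-aaa
#
user-interface console 0
 authentication-mode password
 set authentication password cipher <cipher>
#
"""
SCHEME_RE = re.compile(r"(authentication|authorization|accounting|recording)-scheme (\S+)")


def parse_blocks(text):
    """Turn VRP's indentation into a tree of (line, children) nodes; '#' separators are skipped."""
    root, stack = [], [(-1, None)]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:
            stack.pop()
        node = (raw.strip(), [])
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root


def audit(config_text):
    """Return a list of findings; an empty list means the AAA wiring is consistent."""
    findings, templates, aaa, console = [], {}, [], None
    for line, children in parse_blocks(config_text):
        m = re.match(r"hwtacacs-server template (\S+)", line)
        if m:
            templates[m.group(1)] = [c for c, _ in children]
        elif line == "aaa":
            aaa = children
        elif line.startswith("user-interface console"):
            console = [c for c, _ in children]
    # 1. every template needs all three servers and a key
    for name, lines in templates.items():
        for role in ("authentication", "authorization", "accounting", "shared-key"):
            if not any(l.startswith(f"hwtacacs-server {role}") for l in lines):
                findings.append(f"template {name}: missing hwtacacs-server {role}")
    # 2. scheme definitions, domain bindings and command recording under aaa
    schemes, domains, cmd_recording = {}, {}, None
    for line, children in aaa:
        m = SCHEME_RE.match(line)
        if m:
            schemes[m.groups()] = [c for c, _ in children]
        elif line.startswith("domain "):
            domains[line.split()[1]] = [c for c, _ in children]
        elif line.startswith("cmd recording-scheme "):
            cmd_recording = line.split()[2]
    # 3. each domain binding must name a defined scheme in hwtacacs mode and a defined template
    for dname, lines in domains.items():
        for l in lines:
            m = SCHEME_RE.match(l)
            if m:
                kind, sname = m.groups()
                body = schemes.get((kind, sname))
                if body is None:
                    findings.append(f"domain {dname}: {kind}-scheme {sname} is not defined")
                elif not any(b.startswith(f"{kind}-mode") and "hwtacacs" in b for b in body):
                    findings.append(f"domain {dname}: {kind}-scheme {sname} is not in hwtacacs mode")
            elif l.startswith("hwtacacs-server ") and l.split()[1] not in templates:
                findings.append(f"domain {dname}: hwtacacs template {l.split()[1]} is not defined")
    # 4. command authorization keeps a local fallback; command recording points at a real template
    for (kind, sname), body in schemes.items():
        for l in body:
            if l.startswith("authorization-cmd") and "hwtacacs" in l and not l.endswith(" local"):
                findings.append(f"{kind}-scheme {sname}: '{l}' has no local fallback")
            if l.startswith("recording-mode hwtacacs ") and l.split()[2] not in templates:
                findings.append(f"{kind}-scheme {sname}: template {l.split()[2]} is not defined")
    if cmd_recording is None:
        findings.append("aaa: no 'cmd recording-scheme', commands are not sent to the server")
    elif ("recording", cmd_recording) not in schemes:
        findings.append(f"aaa: cmd recording-scheme {cmd_recording} is not defined")
    # 5. the console must not depend on the server (section 3's fallback)
    if console is None or "authentication-mode password" not in console:
        findings.append("console 0: no local password fallback; a server outage locks out the console")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

To use it on a real switch, save the output of `display current-configuration` to a file and call `audit()` on its contents; the checks only look at the AAA, HWTACACS template and console blocks, so the rest of the configuration is ignored.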

9. Testing

 

Test the TACACS+ configuration before relying on it. There are three things to test:

  1. Log in to the switch with a full-privilege account from the TACACS+ user database.
  2. Log in with a limited-privilege account from the TACACS+ user database and confirm that it can execute only the commands permitted for it on the TACACS+ server, and that a denied command is actually refused. Check on the server that the commands from both logins appear in its accounting log.
  3. Disconnect the switch from the TACACS+ server (or stop the server) and confirm that you can still log in over the direct console with the password set in section 3, Create Console Login for Backup. This is the most important test: if the TACACS+ server is unavailable you must still be able to manage the device. Note at the same time what happens to SSH logins in this state, so you know in advance whether remote access falls back or is locked out.

10. Conclusion

 

You should now be able to configure TACACS+ on a Huawei S5700 switch. TACACS+ and RADIUS are the two protocols commonly used for centralized access control to network devices; TACACS+ is usually preferred for device administration because it authorizes and records individual commands. Hopefully you find this article informative. If you have any questions or suggestions, leave a comment below and I will do my best to review and reply.
