1. Overview
Tacacs Plus is a security protocol that provides AAA services: authentication, authorization, and accounting. It is used for centralized authentication to network devices. It can also provide centrally managed authorization, so that a particular user may work only with the commands permitted on a network device. With accounting, it provides a mandatory audit log by recording every action executed by privileged users.
This document shows how to configure the Tacacs Plus security protocol on a Huawei switch, model S5700.
2. Prerequisites
For this article on configuring the Tacacs+ security protocol on a Huawei S5700 switch, it is presumed that:
a. You have already installed a Tacacs server. If you haven't, please check one of the following links.
1. Configuring Tacacs Plus with Tacacs Plus User Authentication on RHEL/CentOS 7
2. Configuring Tacacs Plus with Linux Systems Users Authentication on RHEL/CentOS 7
3. Configuring Tacacs Plus with Active Directory User Authentication on RHEL/CentOS 7
b. You have already configured SSH remote management on your Huawei switch. You may want to check this link: SSH Configuration on Huawei Switch S5700.
3. Create Console Login for Backup
Before you start the Tacacs Plus security configuration on the Huawei switch, it is recommended to create a console login first. Then, if the Tacacs Plus centralized access server is not reachable, you can still work with the Huawei switch through a direct console login. In system view, enter the following:
user-interface console 0
 authentication-mode password
 set authentication password cipher 2222
When you log in through the console, you will be prompted for this password.
4. Configure Tacacs Plus Server
The following commands configure the Tacacs Plus centralized access server on the Huawei switch model S5700. "ts-aaa" is just the name given to the HWTacacs template; you can use any name you like.
hwtacacs-server template ts-aaa
 hwtacacs-server authentication 192.168.171.13
 hwtacacs-server authorization 192.168.171.13
 hwtacacs-server accounting 192.168.171.13
 hwtacacs-server shared-key cipher TS@123
5. Configure Authentication
Now it is time to tell the Huawei switch to authenticate users with the Tacacs Plus server. "hwtc-tc" is just the name given to the HWTacacs authentication scheme; you can use any name you like, but use the same name when the scheme is bound to the domain in section 8.
aaa
 authentication-scheme hwtc-tc
  authentication-mode hwtacacs
  quit
 quit
ssh authentication-type default password
6. Configure Authorization
When authorization is configured on the Huawei switch, a user who can log in can execute only the specific commands that the Tacacs Plus security server allows. "hwtc-tc" is just the name given to the HWTacacs authorization scheme; you can use any name you like. The "local" keyword at the end of the authorization-cmd line lets command authorization fall back to the switch's local settings if the server does not respond.
aaa
 authorization-scheme hwtc-tc
  authorization-mode hwtacacs
  authorization-cmd 15 hwtacacs local
7. Configure Accounting
When accounting is applied on the Huawei switch, it starts logging every command executed by each user to the Tacacs Plus server, so we can see who did what on our network devices. "hwtc-tc" is just the name given to the HWTacacs accounting and recording schemes; you can use any name you like.
aaa
 accounting-scheme hwtc-tc
  accounting-mode hwtacacs
  quit
 recording-scheme hwtc-tc
  recording-mode hwtacacs ts-aaa
  quit
 cmd recording-scheme hwtc-tc
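Once accounting records reach the Tacacs Plus server, the value is in reviewing them. The following Python script is an added example, not part of this article and not from the tac_plus project: it parses a few constructed accounting records, assuming the tab-separated layout of the tac_plus accounting file (timestamp, switch address, user, line, client address, start/stop, then attribute=value pairs), builds a per-user list of executed commands, and flags commands from a watch list of configuration-changing prefixes. Both the record layout and the watch list are assumptions to adjust for your own server.

```python
from collections import defaultdict

# Fixed columns assumed for each tab-separated tac_plus accounting record
# (timestamp, switch address, user, line, client address, start/stop), followed
# by attribute=value pairs. This layout is an assumption; check your own file.
FIELDS = ("time", "switch", "user", "line", "client", "type")

# Commands treated as configuration changes worth reviewing (assumed watch list).
CHANGE_PREFIXES = ("undo ", "acl ", "aaa", "hwtacacs-server ", "user-interface ", "save")

# Constructed sample records: two users on one switch (not real logs).
SAMPLE_ACCOUNTING = "\n".join([
    "Mon Mar  4 09:11:58 2024\t192.168.171.1\tadmin\tvty0\t192.168.171.50\tstart\ttask_id=40\tservice=shell",
    "Mon Mar  4 09:12:01 2024\t192.168.171.1\tadmin\tvty0\t192.168.171.50\tstop\ttask_id=41\tservice=shell\tpriv-lvl=15\tcmd=display current-configuration <cr>",
    "Mon Mar  4 09:13:10 2024\t192.168.171.1\tadmin\tvty0\t192.168.171.50\tstop\ttask_id=42\tservice=shell\tpriv-lvl=15\tcmd=undo acl 3000 <cr>",
    "Mon Mar  4 09:20:45 2024\t192.168.171.1\toperator\tvty1\t192.168.171.60\tstop\ttask_id=43\tservice=shell\tpriv-lvl=1\tcmd=display interface brief <cr>",
    "Mon Mar  4 09:21:02 2024\t192.168.171.1\toperator\tvty1\t192.168.171.60\tstop\ttask_id=44\tservice=shell\tpriv-lvl=1\tcmd=save <cr>",
])


def parse_record(line):
    """Split one record into its fixed fields plus attribute pairs; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for pair in parts[len(FIELDS):]:
        key, _, value = pair.partition("=")
        rec[key] = value.removesuffix("<cr>").strip()  # drop the trailing <cr> marker
    return rec


def parse_log(text):
    """Parse every non-empty line, skipping records that do not fit the layout."""
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r is not None]


def commands_by_user(records):
    """Map each user to the commands they ran, in order: the 'who did what' view."""
    by_user = defaultdict(list)
    for r in records:
        if r["type"] == "stop" and "cmd" in r:
            by_user[r["user"]].append(r["cmd"])
    return dict(by_user)


def flag_config_changes(records, prefixes=CHANGE_PREFIXES):
    """Return (time, user, client, cmd) for commands that change the switch configuration."""
    return [(r["time"], r["user"], r["client"], r["cmd"]) for r in records
            if r["type"] == "stop" and r.get("cmd", "").startswith(prefixes)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_ACCOUNTING)
    for user, cmds in commands_by_user(recs).items():
        print(user, "->", cmds)
    for when, user, client, cmd in flag_config_changes(recs):
        print("CHANGE", when, user, client, cmd)
```

Only "stop" records carry the executed command, so the "start" record is kept for session tracking but excluded from the command list; the watch list is matched by prefix so that "undo acl 3000" and "save" are flagged while "display ..." commands are not.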
8. Applying AAA Scheme to Domain
After creating the authentication, authorization, and accounting schemes, we need to apply them to the domain as follows.
aaa
 domain default_admin
  authentication-scheme hwtc-tc
  accounting-scheme hwtc-tc
  authorization-scheme hwtc-tc
  hwtacacs-server ts-aaa
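Because the schemes, the HWTacacs template and the domain refer to each other by name, a single misspelled name leaves the domain bound to a scheme that does not exist. The following Python script is an added example, not part of this article or of Huawei's tooling: it parses the planned configuration in the form display current-configuration would show it (constructed here inline, with one scheme name deliberately misspelled), and reports dangling references, a template missing a server role or shared key, command authorization without the local fallback, and a missing console password. The indentation-based parsing and the set of checks are this example's own assumptions.

```python
SCHEME_KINDS = ("authentication-scheme", "authorization-scheme",
                "accounting-scheme", "recording-scheme")
TEMPLATE_ROLES = ("authentication", "authorization", "accounting", "shared-key")

# Constructed sample: the article's configuration as "display current-configuration"
# shows it (one leading space per nested view); "hwtc-ts" is a deliberate misspelling.
PLANNED_CONFIG = """\
hwtacacs-server template ts-aaa
 hwtacacs-server authentication 192.168.171.13
 hwtacacs-server authorization 192.168.171.13
 hwtacacs-server accounting 192.168.171.13
 hwtacacs-server shared-key cipher TS@123
aaa
 authentication-scheme hwtc-ts
  authentication-mode hwtacacs
 authorization-scheme hwtc-tc
  authorization-mode hwtacacs
  authorization-cmd 15 hwtacacs local
 accounting-scheme hwtc-tc
  accounting-mode hwtacacs
 recording-scheme hwtc-tc
  recording-mode hwtacacs ts-aaa
 cmd recording-scheme hwtc-tc
 domain default_admin
  authentication-scheme hwtc-tc
  accounting-scheme hwtc-tc
  authorization-scheme hwtc-tc
  hwtacacs-server ts-aaa
user-interface console 0
 authentication-mode password
 set authentication password cipher 2222
"""


def parse_config(text):
    """Walk the indented config, collecting definitions and cross-references."""
    cfg = {"defined": {k: set() for k in SCHEME_KINDS}, "templates": {},
           "domains": {}, "recording_refs": {}, "cmd_recording": None,
           "local_fallback": set(), "console_password": False}
    stack = []  # enclosing views as (indent, kind, name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent, words = len(raw) - len(raw.lstrip(" ")), raw.split()
        kw = words[0]
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1] if stack else (None, None, None)
        if kw == "hwtacacs-server" and words[1] == "template":
            cfg["templates"][words[2]] = set()
            stack.append((indent, "template", words[2]))
        elif kw == "hwtacacs-server" and parent[1] == "template":
            cfg["templates"][parent[2]].add(words[1])  # authentication, shared-key, ...
        elif kw == "aaa":
            stack.append((indent, "aaa", None))
        elif kw in SCHEME_KINDS and parent[1] == "aaa":
            cfg["defined"][kw].add(words[1])
            stack.append((indent, kw, words[1]))
        elif kw == "recording-mode" and parent[1] == "recording-scheme":
            cfg["recording_refs"][parent[2]] = words[2]  # template the records go to
        elif kw == "authorization-cmd" and parent[1] == "authorization-scheme":
            if "local" in words[1:]:
                cfg["local_fallback"].add(parent[2])
        elif kw == "cmd" and words[1] == "recording-scheme":
            cfg["cmd_recording"] = words[2]
        elif kw == "domain" and parent[1] == "aaa":
            cfg["domains"][words[1]] = {}
            stack.append((indent, "domain", words[1]))
        elif parent[1] == "domain":
            cfg["domains"][parent[2]][kw] = words[1]  # scheme/template bound to the domain
        elif kw == "user-interface":
            stack.append((indent, "user-interface", words[1]))
        elif parent[1:] == ("user-interface", "console") and words[:3] == ["set", "authentication", "password"]:
            cfg["console_password"] = True
    return cfg


def audit(text):
    """Return a list of findings; an empty list means the configuration is consistent."""
    cfg, out = parse_config(text), []
    for name, roles in cfg["templates"].items():
        out += [f"template '{name}': no {r} configured" for r in TEMPLATE_ROLES if r not in roles]
    for dom, refs in cfg["domains"].items():
        for kind in SCHEME_KINDS[:3]:  # the three schemes a domain binds
            if refs.get(kind) not in cfg["defined"][kind]:
                out.append(f"domain '{dom}': {kind} '{refs.get(kind)}' is not defined")
        if refs.get("hwtacacs-server") not in cfg["templates"]:
            out.append(f"domain '{dom}': hwtacacs-server template '{refs.get('hwtacacs-server')}' is not defined")
    for scheme, tmpl in cfg["recording_refs"].items():
        if tmpl not in cfg["templates"]:
            out.append(f"recording-scheme '{scheme}': template '{tmpl}' is not defined")
    if cfg["cmd_recording"] not in (None, *cfg["defined"]["recording-scheme"]):
        out.append(f"cmd recording-scheme '{cfg['cmd_recording']}' is not defined")
    for scheme in sorted(cfg["defined"]["authorization-scheme"] - cfg["local_fallback"]):
        out.append(f"authorization-scheme '{scheme}': no local fallback for command authorization")
    if not cfg["console_password"]:
        out.append("console: no password login configured as a backup if the server is unreachable")
    return out


if __name__ == "__main__":
    for finding in audit(PLANNED_CONFIG) or ["no problems found"]:
        print(finding)
```

Run against the sample, the only finding is the domain binding to the undefined authentication scheme; once the misspelling is corrected the list is empty, and removing the shared key, the "local" fallback or the console password each produces its own finding.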
9. Testing
It is strongly recommended to test the Tacacs Plus configuration. There are three things to test:
- Test logging in to your Huawei switch with a full-privilege account from the Tacacs Plus user database.
- Test logging in to your Huawei switch with a limited-privilege account from the Tacacs Plus user database and make sure that this account can execute only the commands allowed on the Tacacs Plus server.
- Disconnect your Huawei switch from the Tacacs Plus server and make sure that you can still work with the switch through the direct console, using the password set in section 3, Create Console Login for Backup, above. This is extremely important: if the Tacacs Plus server becomes unavailable, we must still be able to manage our network devices.
10. Conclusion
You should now be able to configure Tacacs Plus on a Huawei switch S5700. Tacacs+ is the only security protocol used to provide centralized access to networks. Hopefully you find this article informative. If you have any questions or suggestions, you can always leave a comment below. I will do my best to review and reply to them.