Tacacs Plus (TACACS+) is a security protocol that provides AAA services: authentication, authorization and accounting. It is used for centralized authentication to network devices. It can also provide centralized, per-user authorization, so that a particular user is allowed to perform only specific operations on the network devices. With accounting, it gives you a mandatory audit trail by logging every action executed by privileged users.
This document shows how to configure Tacacs Plus security on a Huawei router model AR2220.
In this article on configuring Tacacs+ security on the Huawei router model AR2220, it is presumed that:
a. You have already installed a Tacacs Plus server. If you have not, please check one of the following links:
1. Configuring Tacacs Plus with Tacacs Plus User Authentication on RHEL/CentOS 7
2. Configuring Tacacs Plus with Linux Systems Users Authentication on RHEL/CentOS 7
3. Configuring Tacacs Plus with Active Directory User Authentication on RHEL/CentOS 7
b. You have already configured SSH remote management on your Huawei router. You may want to check this link: SSH Configuration on Huawei Router AR2220.
3. Create Console Login for Backup
Before you start configuring Tacacs Plus on the Huawei router, it is recommended to create a console login first, so that if the Tacacs Plus server is unreachable you can still work with the router through a direct console login.
user-interface con 0
 authentication-mode password
Please configure the login password (maximum length 16):2222
On direct console login you will then be prompted for this password.
4. Configure Tacacs Plus Server
The following commands configure the Tacacs Plus server on the Huawei router model AR2220. “ts-aaa” is just the name given to the HWTACACS template; you can use any name you like.
hwtacacs-server template ts-aaa
 hwtacacs-server authentication 192.168.171.13
 hwtacacs-server authorization 192.168.171.13
 hwtacacs-server accounting 192.168.171.13
 hwtacacs-server shared-key cipher TS@123
5. Configure Authentication
Now it is time to tell the Huawei router to authenticate users against the Tacacs Plus centralized access server. “hwtc-tc” is just the name given to the HWTACACS authentication scheme; you can use any name you like, but it must match the name applied to the domain later.
aaa
 authentication-scheme hwtc-tc
  authentication-mode hwtacacs
6. Configure Authorization
Once the authorization scheme is applied to the Huawei router, a user who is able to log in can only execute the specific commands that are allowed for that user on the Tacacs Plus server. In the scheme below, authorization-cmd 15 hwtacacs local enables command authorization for privilege level 15 against the server and falls back to local authorization if the server does not respond. “hwtc-tc” is just the name given to the HWTACACS authorization scheme; you can use any name you like.
aaa
 authorization-scheme hwtc-tc
  authorization-mode hwtacacs
  authorization-cmd 15 hwtacacs local
7. Configure Accounting
When accounting is applied on the Huawei router, it starts logging every command executed by a particular user to the Tacacs Plus server, so we know who did what on our network devices. “hwtc-tc” is just the name given to the HWTACACS accounting and recording schemes; you can use any name you like.
aaa
 accounting-scheme hwtc-tc
  accounting-mode hwtacacs
  quit
 recording-scheme hwtc-tc
  recording-mode hwtacacs ts-aaa
  quit
 cmd recording-scheme hwtc-tc
8. Applying AAA Scheme to Domain
After creating the authentication, authorization and accounting schemes, we need to apply them to the domain as follows.
aaa
 domain default_admin
  authentication-scheme hwtc-tc
  accounting-scheme hwtc-tc
  authorization-scheme hwtc-tc
  hwtacacs-server ts-aaa
commit
It is strongly recommended to test the Tacacs Plus configuration. There are three things to test:
- Test logging in to your Huawei router with a full-privilege account from the Tacacs Plus user database.
- Test logging in to your Huawei router with a limited-privilege account from the Tacacs Plus user database, and make sure that this account can execute only the commands that are allowed on the Tacacs Plus server.
- Test disconnecting your Huawei router from the Tacacs Plus server, and make sure that you can still work with the router over the direct console with the password set in section 3, Create Console Login for Backup, above. This is extremely important: if the Tacacs Plus server is unavailable, we must still be able to manage our network devices.
You should now be able to configure Tacacs Plus on the Huawei router model AR2220. Tacacs+ is the only security protocol used to provide centralized access to networks. Hopefully you find this article informative. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.