TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol that provides the three AAA services: authentication, authorization, and accounting. It is used as a centralized authentication service for network devices. It can also provide fine-grained, centrally managed authorization, so that a particular user is only allowed to run particular commands on the device. With accounting, it gives you a mandatory audit trail by logging every action executed by privileged users on a central server.
This document shows how to configure TACACS+ on a Huawei CE6800 switch.
In this article it is presumed that:
a. You have already installed a TACACS+ server. If you have not, please check one of the following links.
1. Configuring Tacacs Plus with Tacacs Plus User Authentication on RHEL/CentOS 7
2. Configuring Tacacs Plus with Linux Systems Users Authentication on RHEL/CentOS 7
3. Configuring Tacacs Plus with Active Directory User Authentication on RHEL/CentOS 7
b. You have already configured SSH remote management on your Huawei switch. You may want to check this link: SSH Configuration on Huawei Switch S5700.
3. Create Console Login for Backup
Before you start the TACACS+ configuration on the Huawei switch, it is recommended to create a console login first, so that if the TACACS+ server is unreachable you can still work with the switch over a direct console connection. The CE series uses two-stage configuration, so each block of changes below is followed by commit; nothing takes effect until it is committed.
] user-interface con 0
] authentication-mode password
] set authentication password cipher P@ssw0rd
] commit
When you log in over the direct console connection, you will be prompted for this password.
4. Configure Tacacs Plus Server
The following commands define the TACACS+ server on the Huawei CE6800. "ts-aaa" is just the name given to the HWTACACS template; you can use any name you like. The shared key must match the key configured on the TACACS+ server, and "hwtacacs server user-name domain-excluded" sends the bare username (without the @domain suffix) to the server, so the server sees the same username as in its user database. The same server address is used here for authentication, authorization, and accounting; you can point each at a different server if your deployment splits them.
] hwtacacs server template ts-aaa
] hwtacacs server authentication 192.168.171.13
] hwtacacs server authorization 192.168.171.13
] hwtacacs server accounting 192.168.171.13
] hwtacacs server shared-key cipher TS@123
] hwtacacs server user-name domain-excluded
] commit
5. Configure Authentication
Now it is time to tell the Huawei switch to authenticate users against the TACACS+ server. "hwtc-tc" is just the name given to the HWTACACS authentication scheme; you can use any name you like. The second block sets password authentication as the default for SSH users, so SSH logins go through AAA. With "authentication-mode hwtacacs" alone, the console login from section 3 is your only way in if the server is down; if you want SSH logins to fall back to local accounts when the server is unreachable, use "authentication-mode hwtacacs local" instead.
] aaa
] authentication-scheme hwtc-tc
] authentication-mode hwtacacs
] commit
] ssh authentication-type default password
] commit
6. Configure Authorization
When command authorization is applied on the Huawei switch, a user who is able to log in can only execute the commands that the TACACS+ server allows for that user. "hwtc-tc" is just the name given to the HWTACACS authorization scheme; you can use any name you like. "authorization-cmd 15 hwtacacs local" turns on per-command authorization for level-15 users: each command is checked with the server, and the local policy is used if the server is unreachable. Command authorization is enabled per privilege level, so if your limited-privilege accounts are placed at a level other than 15, add an "authorization-cmd" line for that level as well; otherwise their commands are never sent to the server for authorization.
] aaa
] authorization-scheme hwtc-tc
] authorization-mode hwtacacs
] authorization-cmd 15 hwtacacs local
] commit
7. Configure Accounting
When accounting is applied on the Huawei switch, it reports every command executed by a user to the TACACS+ server, so we know who did what on our network devices. "hwtc-tc" is just the name given to both the accounting scheme and the recording scheme; you can use any name you like. The accounting scheme reports login and logout of each session; the recording scheme, activated by "cmd recording-scheme", is what actually sends each executed command to the server defined in template ts-aaa.
] aaa
] accounting-scheme hwtc-tc
] accounting-mode hwtacacs
] recording-scheme hwtc-tc
] recording-mode hwtacacs ts-aaa
] cmd recording-scheme hwtc-tc
] commit
8. Applying AAA Scheme to Domain
After creating the authentication, authorization, and accounting schemes, we need to apply them to a domain. default_admin is the switch's built-in default domain for administrative (login) users, so applying the schemes there makes them take effect for SSH logins.
] aaa
] domain default_admin
] authentication-scheme hwtc-tc
] accounting-scheme hwtc-tc
] authorization-scheme hwtc-tc
] hwtacacs-server ts-aaa
] commit
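The blocks in sections 3 to 8 reference each other by name (template, schemes, domain), and a name typed differently in two places silently leaves the switch on a scheme that does not exist. As an added example, not part of the original article and not Huawei code, here is a small Python checker that reads the configuration as "display current-configuration" prints it and verifies that every scheme the domain names is defined, that the recording scheme points at a defined HWTACACS template, that the template has all three servers and a shared key, and that the console fallback from section 3 is in place. The layout it parses (one space of indentation per nesting level, "#" between top-level blocks) and the embedded sample configuration are assumptions; the cipher values are placeholders, and the sample deliberately creates the authentication scheme under one name and references it under another, an easy slip when typing these blocks, so you can see the check catch it.

```python
"""Offline consistency check for the HWTACACS AAA configuration built up above
(added example, not Huawei's code). Parses the indentation layout of 'display
current-configuration' (assumed: one space per level, '#' between blocks)."""
import re

# Constructed sample mirroring the page's blocks: the authentication scheme is
# created as hwtc-ts but the domain refers to hwtc-tc. Cipher values are placeholders.
AS_TYPED = """\
#
hwtacacs server template ts-aaa
 hwtacacs server authentication 192.168.171.13
 hwtacacs server authorization 192.168.171.13
 hwtacacs server accounting 192.168.171.13
 hwtacacs server shared-key cipher %^%#placeholder%^%#
 hwtacacs server user-name domain-excluded
#
aaa
 authentication-scheme hwtc-ts
  authentication-mode hwtacacs
 authorization-scheme hwtc-tc
  authorization-mode hwtacacs
  authorization-cmd 15 hwtacacs local
 accounting-scheme hwtc-tc
  accounting-mode hwtacacs
 recording-scheme hwtc-tc
  recording-mode hwtacacs ts-aaa
 cmd recording-scheme hwtc-tc
 domain default_admin
  authentication-scheme hwtc-tc
  accounting-scheme hwtc-tc
  authorization-scheme hwtc-tc
  hwtacacs-server ts-aaa
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#placeholder%^%#
#
"""
# Same config with the scheme name fixed and a local fallback for SSH logins.
FIXED = (AS_TYPED.replace("authentication-scheme hwtc-ts", "authentication-scheme hwtc-tc")
         .replace("authentication-mode hwtacacs\n", "authentication-mode hwtacacs local\n"))

def parse(text):
    """Return (parent_chain, command) pairs, rebuilding nesting from indentation."""
    stack, entries = [], []
    for raw in text.splitlines():
        cmd = raw.strip()
        if cmd in ("", "#"):
            stack.clear()  # a '#' (or blank) line closes the current top-level block
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        entries.append((tuple(c for _, c in stack), cmd))
        stack.append((indent, cmd))
    return entries

def under(entries, *chain):
    """Commands whose parent chain is exactly `chain` (empty chain = top level)."""
    return [cmd for parents, cmd in entries if parents == chain]

def audit(text):
    """Return (severity, message) findings; an empty list means the config is consistent."""
    e, out = parse(text), []
    top, aaa = under(e), under(e, "aaa")
    templates = {c.split()[-1] for c in top if c.startswith("hwtacacs server template ")}
    for t in templates:  # every template needs the three servers and a shared key
        body = under(e, f"hwtacacs server template {t}")
        for part in ("authentication ", "authorization ", "accounting ", "shared-key"):
            if not any(c.startswith(f"hwtacacs server {part}") for c in body):
                out.append(("ERROR", f"template {t}: no {part.strip()} configured"))
    schemes = {k: {c.split()[-1] for c in aaa if c.startswith(f"{k}-scheme ")}
               for k in ("authentication", "authorization", "accounting", "recording")}
    for n in schemes["authentication"]:
        modes = [c for c in under(e, "aaa", f"authentication-scheme {n}") if c.startswith("authentication-mode ")]
        if not any("hwtacacs" in m for m in modes):
            out.append(("ERROR", f"authentication-scheme {n}: authentication-mode does not use hwtacacs"))
        elif not any("local" in m for m in modes):
            out.append(("WARN", f"authentication-scheme {n}: no local fallback, console is the only way in if the server is down"))
    for n in schemes["recording"]:  # command recording must point at a real template
        for c in under(e, "aaa", f"recording-scheme {n}"):
            m = re.match(r"recording-mode hwtacacs (\S+)", c)
            if m and m.group(1) not in templates:
                out.append(("ERROR", f"recording-scheme {n}: template {m.group(1)} not defined"))
    for dom in (c.split()[-1] for c in aaa if c.startswith("domain ")):
        for c in under(e, "aaa", f"domain {dom}"):  # every name the domain uses must exist
            m = re.match(r"(authentication|authorization|accounting)-scheme (\S+)", c)
            if m and m.group(2) not in schemes[m.group(1)]:
                out.append(("ERROR", f"domain {dom}: {m.group(1)}-scheme {m.group(2)} not defined"))
            m = re.match(r"hwtacacs[- ]server (\S+)", c)
            if m and m.group(1) not in templates:
                out.append(("ERROR", f"domain {dom}: hwtacacs template {m.group(1)} not defined"))
    con = [c for c in top if re.match(r"user-interface con(sole)? 0$", c)]
    body = under(e, con[0]) if con else []
    if "authentication-mode password" not in body or not any(c.startswith("set authentication password") for c in body):
        out.append(("ERROR", "console 0: no password login, so there is no out-of-band fallback"))
    return out
```

Call audit() on the text of "display current-configuration" saved from the switch: on the sample as typed it reports the dangling authentication-scheme reference in domain default_admin (plus a warning that SSH has no local fallback), and on the corrected sample it returns no findings. It is deliberately strict about the console block, because that is the one thing that keeps a TACACS+ mistake from becoming a lockout.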
It is strongly recommended to test the TACACS+ configuration before you close your current session. There are three things to test:
- Log in to your Huawei switch over SSH using a full-privilege account from the TACACS+ user database.
- Log in using a limited-privilege account from the TACACS+ user database and make sure that this account can only execute the commands that are allowed for it on the TACACS+ server.
- Disconnect your Huawei switch from the TACACS+ server and make sure that you can still work with the switch over the direct console using the password set in section 3, Create Console Login for Backup, above. This is extremely important: if the TACACS+ server becomes unavailable, we must still be able to manage our network devices.
You should now be able to configure TACACS+ on a Huawei CE6800 switch. TACACS+ is, alongside RADIUS, one of the main protocols used to provide centralized access control for network devices, and its per-command authorization and accounting make it the usual choice for administrative access. Hopefully you find this article informative. If you have any questions or suggestions, you can always leave a comment below. I will try my best to review and reply to them.